Insufficient Logging

🛡️ 3 rules detect this

When a security-critical event occurs, the product either does not record the event or omits important details about the event when logging it.

Insufficient logging makes it difficult to detect attacks in progress, investigate security incidents, or establish accountability. Logs should capture who did what, when, and from where.
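As an added example of the who / what / when / from-where rule above (this is illustrative code, not Shoulder's own), a small Python helper that refuses to write a security event without those fields, emits it as one JSON line at a severity-appropriate level, and redacts secret-bearing fields; the class, field names and event names are assumptions:

```python
import json
import logging
from datetime import datetime, timezone

# Hypothetical helper (added example, not Shoulder's code): every security
# event carries who / what / when / from-where, goes out as one JSON line at
# a level matching its severity, and secret-bearing fields are redacted.
REDACTED_KEYS = {"password", "token", "secret", "authorization", "cookie"}
WARNING_EVENTS = {"login_failure", "authz_denied", "admin_action"}


class SecurityEventLogger:
    def __init__(self, name="security"):
        self.logger = logging.getLogger(name)
        self.emitted = []  # in-memory copy of every record, for inspection

    def record(self, event, user, source_ip, **details):
        """Log one security event; refuses records missing who/what/where."""
        if not event or user is None or not source_ip:
            raise ValueError("event, user and source_ip are required")
        safe_details = {
            k: ("[REDACTED]" if k.lower() in REDACTED_KEYS else v)
            for k, v in details.items()
        }
        # failures and privileged actions are WARNING so they can be filtered
        level = logging.WARNING if event in WARNING_EVENTS else logging.INFO
        entry = {
            "ts": datetime.now(timezone.utc).isoformat(),  # when
            "event": event,                                # what
            "user": user,                                  # who
            "src_ip": source_ip,                           # from where
            "severity": logging.getLevelName(level),
            "details": safe_details,
        }
        self.logger.log(level, json.dumps(entry, sort_keys=True))
        self.emitted.append(entry)
        return entry


def demo():
    """Constructed sample: a successful login followed by a failed one."""
    log = SecurityEventLogger()
    log.record("login_success", user="alice", source_ip="203.0.113.7")
    return log.record("login_failure", user="mallory", source_ip="203.0.113.9",
                      password="hunter2", reason="bad password")


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)  # without this, INFO is dropped
    print(demo()["details"])
```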

Prevalence: High (frequently exploited)
Impact: Medium (review recommended)
Prevention: Documented (3 fix examples)

2 Prevention

How to fix this vulnerability

Prevention strategies for Insufficient Logging, based on 3 Shoulder detection rules.

Avoid console.log when logging library exists (severity: low)

Replace console.log with a structured logging library like winston or pino

+1 -1 javascript
- console.log('User logged in', userId);
+ logger.info('User logged in', { userId });
  
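Review bot: the two libraries named in the suggestion do not share this call signature, so `logger.info('User logged in', { userId })` is only correct for winston; pino expects the merge object first, `logger.info({ userId }, 'User logged in')`, and would treat a trailing object as an interpolation value. The snippet also uses `logger` without showing where it comes from; the suggested replacement should include the winston `createLogger` or `require('pino')()` line so the fix is complete as shown.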
Avoid print() when logging module exists (severity: low)

Replace print() with the logging module for structured, level-aware output

+8 -4 python
- def process_request(data):
-     print(f"Processing request: {data}")
-     result = handle(data)
-     print(f"Result: {result}")
+ import logging
+ 
+ logger = logging.getLogger(__name__)
+ 
+ def process_request(data):
+     logger.info("Processing request: %s", data)
+     result = handle(data)
+     logger.debug("Result: %s", result)
      return result
  
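Review bot: `logger.info("Processing request: %s", data)` writes the whole request payload to the log at INFO, so any credential or personal data in `data` is still recorded, only through the logging module instead of print(); log a request identifier or a redacted view instead. The snippet also never installs a handler: without `logging.basicConfig()` or equivalent configuration in the application, Python's last-resort handler only emits WARNING and above, so both the `info` and the `debug` line are dropped silently, which is itself insufficient logging.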
Insufficient Security Event Logging (severity: MEDIUM)

Log authentication attempts, failures, and admin actions with user/IP context

+15 -9 python
- from flask import request
- from flask_login import login_user
- 
- @app.route('/login', methods=['POST'])
- def login():
-     user = User.query.filter_by(username=request.form['username']).first()
-     if user and check_password(user.password, request.form['password']):
-         login_user(user)
-         return redirect('/dashboard')
+ import logging
+ from flask import request
+ from flask_login import login_user
+ 
+ logger = logging.getLogger('security')
+ 
+ @app.route('/login', methods=['POST'])
+ def login():
+     username = request.form['username']
+     user = User.query.filter_by(username=username).first()
+     if user and check_password(user.password, request.form['password']):
+         login_user(user)
+         logger.info(f"Login success: {username} from {request.remote_addr}")
+         return redirect('/dashboard')
+     logger.warning(f"Login failed: {username} from {request.remote_addr}")
      return 'Invalid credentials', 401
  
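Review bot: `username` comes straight from `request.form` and is interpolated with an f-string, so a value containing newlines or control characters can forge additional log lines; pass it as a formatting argument (`logger.warning("Login failed: %s from %s", username, request.remote_addr)`) or as structured fields, and strip control characters before logging. Two smaller points: `request.remote_addr` is the proxy's address when the app runs behind a reverse proxy (use werkzeug's ProxyFix or a validated forwarded-for header), and the record should also carry a timestamp and an event type alongside user and IP so it answers who, what, when and from where.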

Key practices

  • Direct print()/console.log calls should be reviewed:
    - They bypass structured logging
    - They don't respect log levels
    - They can't be easily filtered in production
    - They go to stdout, n

3 Detection

Find vulnerabilities in your code

Use Shoulder to scan your code for Insufficient Logging patterns. 3 rules.

terminal
# Scan with Shoulder CLI
npx @shoulderdev/cli trust --cwe=778

# Or scan entire project
npx @shoulderdev/cli trust .

Detection Rules (3)

4 Warning Signs

What to look for in code reviews

These patterns indicate potential Insufficient Logging vulnerabilities. Look for them during code reviews and security audits.

🟡 Security-critical operation lacks audit logging (rule: python-insufficient-logging)
🟡 security-critical operations (authentication, authorization failures, admin actions) without proper (rule: python-insufficient-logging)
print() calls when the logging module is used in the codebase (rule: python-avoid-print-logging)

Scan your code for Insufficient Logging

The Shoulder CLI finds vulnerable patterns across your entire codebase.