# Insertion of Sensitive Information into Log File (CWE-532) Information written to log files can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information. **Stack:** Python - Prevalence: Medium 3 languages covered - Impact: High 1 high-severity rules - Prevention: Documented 3 fix examples **OWASP:** Security Logging and Monitoring Failures (A09:2021-Security Logging and Monitoring Failures) - #9 ## Description When sensitive information like passwords, tokens, or personal data is logged, it becomes accessible to anyone with access to the logs. Log files are often stored with less security than the data they contain. ## Prevention Prevention strategies for Information Exposure Through Logs based on 1 Shoulder detection rules. ### Python Redact sensitive fields before logging; log actions and identifiers, not credentials ## Warning Signs - [HIGH] logging of sensitive data like passwords, API keys, tokens, credit cards, or authentication credenti ## Consequences - Read Application Data - Gain Privileges ## Mitigations - Never log sensitive information such as passwords or tokens - Implement log data classification and filtering - Mask or redact sensitive data before logging ## Detection - Total rules: 3 - Languages: go, javascript, typescript, python ## Rules by Language ### Python (1 rules) - **Sensitive Data in Logging** [HIGH]: Detects logging of sensitive data like passwords, API keys, tokens, credit cards, or authentication credentials. Logged sensitive data can be exposed through log files, monitoring systems, or error tracking services. - Remediation: Redact sensitive fields before logging; log actions and usernames, not credentials. ```python import logging logger = logging.getLogger(__name__) SENSITIVE = {'password', 'token', 'api_key', 'secret'} def sanitize(data): return {k: '***' if k in SENSITIVE else v for k, v in data.items()} def login(username, password): logger.info(f"Login attempt for: {username}") # Log username, not password authenticate(username, password) ``` Learn more: https://shoulder.dev/learn/python/cwe-532/sensitive-data-logging