OWASP Tip: A09:2021 – Security Logging and Monitoring Failures
You do have logging enabled, right?
Greetings my friends! We’re onto the final 2 risks in our OWASP Top 10 series, and I don’t know about you, but it’s quite exciting to be near the end! I definitely underestimated the scope of the challenge Top 10, but I hope I’ve done it justice and I’m looking forward to using this as series a reference in the future. Note, if you’ve missed some of the past emails, you can find them all linked here.
Important: Please stick around to the end, I’ve got an important question for everyone and a poll to vote in!
Don’t forget to subscribe to join the 1,500+ subscribers of Laravel Security In Depth, who learn about Laravel Security each week!
Before we proceed into our topic for the week, I wanted to share two awesome milestones Laravel Security in Depth passed in the last week:
1,500 total subscribers (both free and paid). 🥳
Laravel Security in Depth is officially a Substack Bestseller! 🎂
I want to thank each and every one of you for your support. I find it incredible that 1,500 people are interested in what I have to say about Laravel security, and becoming a Substack Bestseller is huge recognition of that. When I embarked on this journey of doing something the Laravel community hadn’t seen before, I had no idea how it would be received, and you’ve blown me away with your support. Thank you so much. 🥰
💡 Want me to hack your apps and help you secure them? Book in a Laravel Security Audit and Penetration Test! 🕵️
A09:2021 – Security Logging and Monitoring Failures
The title of risk #9 should be pretty self-explanatory, and we’ve touched on Logging previously with Tip #25: Login Logging. It was included in the Top 10 based on the Community Survey, and is something often overlooked which doesn’t usually directly lead to vulnerabilities, but without decent logging and monitoring, you're far less likely to detect and stop attacks and figure out the the root vulnerability in your apps.
In short: logging and monitoring are essential.
My recommendations are simple:
Enable webserver access logs (these are disabled by default on Laravel Forge! 😔).
Log important user and system events, especially admin changes and destructive events.
Link each log with a IP address, UserId, and/or email.
Use a 3rd party monitoring solution to track all errors and ideally logs too.
(I don’t have any recommendations here, but there are plenty of options, so throw your recommendations in the chat!)
Remotely store or backup your logs (at least for a short time).
It’s not uncommon for a hacker to delete site logs to cover their tracks. If your logs are sent off-site, it’s much harder for an attacker to remove them.
To reinforce this point, I want to tell you about my experiences with logging and why I believe it is important.
I used to work at Wordfence a few years ago and when I first started there, I spent 12+ months cleaning infected WordPress sites. Customers would give us access to their hosting accounts and we’d go in, look for any malwareand try to identify how the hacker managed to compromise the customer's site.
In many cases access logs were disabled by the hosting provider, which made it difficult to track down what happened, but when logs were available you could often trace their full activity to find out exactly how they got in and what they did.
Access logs will frequently expose vulnerable pages and even vulnerable query parameters after an attack has taken place, and you can follow the IP address as it explores, identifies, compromises and then exploits the vulnerabilities.
As a great example, this is a slide from my Cleaning Infect Sites conference talk:
You can see quite clearly the hacker discovered a fresh instance of WordPress that hadn’t been installed yet. They proceeded through the site setup process, uploaded a malicious plugin, and used that to compromise the account.
What’s not shown is them resetting the site back to “fresh uninstalled state”, so the site owner had no idea. The fresh WordPress instance is already infected when the owner goes to create their new account.
If you’re interested, go check out my full talk, it contains more logs and other fun stories from cleaning infected WordPress sites.
Moving to a custom domain?
Laravel Security in Depth has been at
larasec.substack.com since I first created it, but now that we’ve hit 1,500 subscribers and bestseller status, I feel like we need to look into a custom domain and move off the subdomain.
I currently own three domain names which would work for Laravel Security in Depth. Let me know which you prefer in the poll below, or if you have other suggestions, send them my way privately (to avoid squatters!).
This can be anonymised if you need to, but being able to track activity for the same user over time is important.
Which is a lot of fun, and you can find all sorts of entertaining code!