New lesson about logging #1065

@nbaars

Introduction

We had this lesson in WebGoat 7.0 about log injection. Since we log more and more these days, it makes sense to have a lesson about the best practices regarding logging.

Topics

  • Log spoofing (old lesson, see YouTube)
  • Logging sensitive information (GDPR rules etc.)
  • Think about access logs: if you pass query parameters, they are visible. We can create a lesson where an access log file is dynamically shown (we can show the access logs and log files in WebGoat directly as a menu option). The lesson would then be to change the password with oldPassword=...&newPassword.. and then you find them in the log file.
  • Explain log levels
  • Exception handling (maybe an example of logging an exception towards the client with cryptography and why this is a bad idea)
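
The following is an added example, not part of the original issue or of WebGoat's code. It shows the two logging problems named in the topics above from the defender's side: neutralizing CR/LF in user-supplied values before they are logged (log spoofing), and finding and redacting password parameters that ended up in an access log line. The request path, the sample log lines and the list of sensitive parameter names are constructed assumptions.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumed set of secret-bearing parameter names (lower-cased);
# oldPassword/newPassword are the ones mentioned in the issue.
SENSITIVE = {"oldpassword", "newpassword", "password", "token"}

# Request field of a Common Log Format line: "METHOD target PROTOCOL"
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample access log lines (not taken from a real system).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] '
    '"GET /app/change-password?oldPassword=Summer1&newPassword=Winter2 HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Jan/2024:10:00:05 +0000] "GET /app/home?lang=en HTTP/1.1" 200 1024',
]


def neutralize(value):
    """Escape backslash, CR and LF so a logged value stays on one line."""
    return value.replace("\\", "\\\\").replace("\r", "\\r").replace("\n", "\\n")


def redact_target(target):
    """Return (target with secrets masked, names of the sensitive params found)."""
    parts = urlsplit(target)
    found, pairs = [], []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SENSITIVE:
            found.append(name)
            value = "[REDACTED]"
        pairs.append((name, value))
    # safe="[]" keeps the marker readable instead of percent-encoding it
    return urlunsplit(parts._replace(query=urlencode(pairs, safe="[]"))), found


def scrub_access_line(line):
    """Mask sensitive query parameters in one access log line."""
    match = REQUEST_RE.search(line)
    if not match:
        return line, []
    target, found = redact_target(match.group("target"))
    return line[:match.start("target")] + target + line[match.end("target"):], found


if __name__ == "__main__":
    print("Login failed for:", neutralize("guest\nLogin succeeded for: admin"))
    for entry in SAMPLE_LOG:
        scrubbed, names = scrub_access_line(entry)
        print(names, scrubbed)
```

Redaction only limits what is already in the log; sending the passwords in a POST body rather than the query string keeps them out of the access log in the first place.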