
Log Injection

An attack that inserts malicious data into application logs by manipulating user-controlled input that gets logged.

Log injection is an attack where an adversary inserts crafted input into application log files by exploiting the way applications write user-controlled data to logs. This can forge log entries, corrupt audit trails, trigger downstream vulnerabilities in log processing systems, or hide evidence of other attacks.

How It Works

Applications routinely log user actions, errors, and system events. When user-supplied data — such as usernames, search queries, or HTTP headers — is written directly to log files without sanitization, an attacker can inject control characters and structured content that the logging system interprets as legitimate log entries.

The most basic form involves injecting newline characters (\n or \r\n) into an input field that gets logged. This creates fake log entries that appear genuine. For example, if a login attempt logs the username, an attacker can submit a username like admin\n2026-03-26 INFO Login successful for admin to create a false record showing a successful login.

More advanced attacks target log processing pipelines. If logs are consumed by SIEM systems, monitoring dashboards, or automated alerting, injected content can trigger false alerts, suppress real alerts by flooding the system, or exploit parsing vulnerabilities in the log consumer. When logs are displayed in web-based administration panels without output encoding, log injection can escalate to cross-site scripting, executing code in the browser of anyone viewing the logs.

Log injection also serves as a cover mechanism. Attackers can inject misleading entries to throw off incident responders, forge timestamps to create false timelines, or insert enough garbage data to make forensic analysis impractical.

Prevention

Sanitize all user input before logging by stripping or encoding newline characters, carriage returns, and other control characters. Use structured logging formats like JSON, which naturally escape special characters within field values. Never render log contents in a web interface without proper output encoding.
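The forged-login username described under How It Works, run through three ways of writing the entry. This is an added example, not code from the original page. The function names, the field names and the fixed timestamp are assumptions chosen for illustration.

```python
import json

# Constructed sample input: the forged-entry username from the text above.
PAYLOAD = "admin\n2026-03-26 INFO Login successful for admin"

def log_naive(username: str) -> str:
    """Vulnerable: user input is interpolated into the line unchanged."""
    return f"2026-03-26 WARN Login failed for {username}"

def neutralize(value: str) -> str:
    """Escape backslashes and every non-printable character (CR, LF, ESC, U+2028, ...)."""
    out = []
    for ch in value:
        if ch == "\\":
            out.append("\\\\")  # escape the escape character so output stays unambiguous
        elif ch.isprintable():
            out.append(ch)
        else:
            out.append(ch.encode("unicode_escape").decode("ascii"))
    return "".join(out)

def log_sanitized(username: str) -> str:
    """Plain-text line with control characters encoded before logging."""
    return f"2026-03-26 WARN Login failed for {neutralize(username)}"

def log_json(username: str) -> str:
    """Structured entry: the value is one JSON string; json.dumps escapes control characters."""
    return json.dumps({"ts": "2026-03-26", "level": "WARN",
                       "msg": "Login failed", "username": username})

def entries_seen(log_text: str) -> int:
    """Number of entries a line-oriented log consumer would see."""
    return len(log_text.splitlines())

if __name__ == "__main__":
    for render in (log_naive, log_sanitized, log_json):
        out = render(PAYLOAD)
        print(f"{render.__name__}: {entries_seen(out)} entry(ies)\n{out}\n")
```

The naive line is read as two entries, while the sanitized and JSON forms stay on one line and keep the submitted value recoverable for investigators. Neither form makes the value safe to render as HTML, so output encoding in a log viewer is still required.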

Why It Matters

Logs are the foundation of incident detection and forensic investigation. When an attacker can manipulate logs, they can operate undetected, create false narratives, and undermine the entire security monitoring infrastructure. Trustworthy logs are essential for accountability and response.
