Monday, February 26, 2007
I've just read an interesting paper from SIFT about log injection. It reminded me of something that I think is very interesting, but not very new. I remember a very good presentation from the SensePost guys at Black Hat US 2004. They showed a number of ways to fool people running attack tools against their network. Among those things, they mentioned how easy it was to exploit tools that generate HTML reports. I wonder how deep it can go. There are lots of security tools that generate beautiful reports in HTML. Are they safe from this kind of attack? And what about current log analysis and SIM/SIEM systems, are they prepared to deal with log injection attacks? I wouldn't bet too much on it.