Log Injection.go should probably not log plaintext passwords

Hi, just noticed that the usability test explicitly logs passwords in plaintext, which probably isn’t secure:

Is this an issue? Or is this more of a “contrived” challenge that is focused on malicious chars in logfiles?

1 Like

You have hit the nail on the head with this being a contrived challenge focusing on malicious characters / statements being written to log files and the potential consequences of allowing malicious character sequences to be handled by a vulnerable application.

In a real-world scenario plaintext passwords ideally would not be exposed or logged at any point.

2 Likes

The challenge was inspired by a real app and the focus was on log input sanitisation of whatever goes to the logs. It looks for different sanitisation strategies and it is context-aware of the field being logged. However, this had the side effect. It is correct that passwords should not be logged regardless. This challenge has now been updated. There is no test to log passwords.

Thanks for the thoughts 🙂
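A field-aware log sanitiser along the lines the reply describes, written as an added Go example and not the challenge's own code; the field names, the policy map, the default-to-redact rule and the `[REDACTED]` marker are assumptions for illustration:

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
	"unicode"
)

// How a field's value is treated before it reaches the log.
type strategy int

const (
	redact    strategy = iota // value never written; also the default for unknown fields
	allowlist                 // structured field: keep only characters valid for it
	escape                    // free text: keep content, but neutralise control characters
)

// Per-field policy (constructed for this example). A field missing from the
// map gets the zero value, redact, so an unreviewed field cannot leak by accident.
var fieldPolicy = map[string]strategy{
	"password": redact,
	"username": allowlist,
	"comment":  escape,
}

// LogField returns the key=value fragment that is safe to write for this field.
func LogField(field, value string) string {
	switch fieldPolicy[field] {
	case allowlist:
		// Drop anything outside the ASCII set a login name may contain, so CR/LF,
		// spaces and escape bytes cannot survive to forge a second log line.
		var b strings.Builder
		for _, r := range value {
			if r < 128 && (unicode.IsLetter(r) || unicode.IsDigit(r) || strings.ContainsRune("._-@", r)) {
				b.WriteRune(r)
			}
		}
		return field + "=" + b.String()
	case escape:
		// strconv.Quote keeps the text but renders CR, LF, ESC etc. as \r \n \x1b.
		return field + "=" + strconv.Quote(value)
	default: // redact
		return field + "=[REDACTED]"
	}
}

func main() {
	fmt.Println(LogField("username", "alice\nINFO login ok admin"))
	fmt.Println(LogField("comment", "hi\r\nFAKE login ok \x1b[2J"))
	fmt.Println(LogField("password", "hunter2"))
}
```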