
Remove sensitive info from logs

New Here, Apr 24, 2023

Working on a new project that utilizes cfhttp to make a call to a remote site. The authentication to this site uses a unique account key that is passed in the URL. This key is decrypted and passed in at the time of the cfhttp call. I'm able to make calls without any issues (GET, PUT, POST, etc.), but upon reviewing the logs (http.log and coldfusion-out.log), I noticed the account key is saved in plain text. I tried placing the key into a cfhttpparam of type url, but the log still reveals the same plain-text key.

I would like to prevent the key from being "stored/logged" anywhere, for obvious reasons. Is there some way to modify the logging level? Any way to modify the logs if a certain string is found? Maybe some other method that I should use?

 

I appreciate any advice.

Topics: Advanced techniques, Monitoring, Security

Community Expert, May 01, 2023

Let's first get one thing out of the way. Placing a key into a cfhttpparam of type url is the same as appending Key=Value to the URL after the question-mark.

 

The behaviour you observe - logging of URL requests, including URL parameters - is so by design. Not only in ColdFusion. That is typical of every application server.

 

You will see that behaviour in browsers, too. They will save the entire URL request, including query-string, in their history. Cfhttp is essentially a browser. 

 

The moral is clear. You should:

  1. Pass the key in the body of the cfhttp request, instead of as a URL parameter, if you don't want the key to be logged.
  2. Use HTTPS, if you don't want unauthorized access to the URL data during the request.
  3. Use file or directory permissions to restrict access to the ColdFusion logs, if you have no choice but to use URL parameters.

 

These two resources offer you more information:

https://stackoverflow.com/questions/2629222/are-querystring-parameters-secure-in-https-http-ssl

https://blog.httpwatch.com/2009/02/20/how-secure-are-query-strings-over-https/

New Here, May 05, 2023

Thank you for the response, I appreciate the information you gave. That all makes sense. It sounds like there is no way to improve upon what I'm already doing, unless I'm given another way to authenticate from our vendor.

I'm still surprised that there isn't a way to create filters for these logs, or adjust the logging level.

Community Expert, May 09, 2023

I do believe that it is possible to create filters for the logs. But you probably will have to tinker with the underlying Java classes. For example, classes like java.util.logging.Filter, java.util.logging.Logger and java.util.logging.LogRecord.

 

Search the WWW. You might find code examples or even complete log-filtering tools.
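An added example, not from this thread or from ColdFusion itself, of the approach the reply above points at: a java.util.logging.Filter that masks the value of a key parameter before the record reaches its handler. The parameter names (accountKey, key, apikey) and the sample log line are assumptions; match them to whatever the vendor's key parameter is actually called.

```java
import java.util.logging.ConsoleHandler;
import java.util.logging.Filter;
import java.util.logging.Handler;
import java.util.logging.Level;
import java.util.logging.LogRecord;
import java.util.logging.Logger;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Masks sensitive query-string values in a LogRecord's message before any
 * Handler formats it. Assumed parameter names; adjust to the real key name.
 */
public class SecretRedactingFilter implements Filter {
    // "accountKey=<value>" etc.; the value runs until the next '&',
    // whitespace, or end of string. Case-insensitive, whole-word name.
    private static final Pattern SECRET_PARAM =
        Pattern.compile("(?i)\\b(accountKey|key|apikey)=([^&\\s]+)");

    /** Pure masking function, kept separate so it can be reused and tested. */
    public static String redact(String message) {
        if (message == null) return null;
        Matcher m = SECRET_PARAM.matcher(message);
        return m.replaceAll("$1=[REDACTED]");
    }

    @Override
    public boolean isLoggable(LogRecord record) {
        // Rewrite the message in place and keep the record (return true), so
        // the request is still logged, just without the secret.
        // Note: only the message string is scanned, not record.getParameters().
        record.setMessage(redact(record.getMessage()));
        return true;
    }

    public static void main(String[] args) {
        Logger log = Logger.getLogger("http");
        log.setUseParentHandlers(false); // keep the root handler from printing the raw line
        Handler console = new ConsoleHandler();
        console.setFilter(new SecretRedactingFilter()); // could also be set on the Logger
        log.addHandler(console);
        log.setLevel(Level.INFO);
        // Constructed sample line shaped like an http.log entry; the key is fake.
        log.info("GET https://api.example.test/v1/orders?accountKey=abc123def456&page=2 200");
    }
}
```

The filter must be attached to every handler (or to the logger) that writes the request line; a handler without it still receives the unmasked message.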
