← Back to context

Comment by netsharc

1 day ago

Reminds me of an anecdote about an e-commerce platform: someone coded a leaky webshop, so their workaround was to watch if the string "OutOfMemoryException" shows up in the logs, and then restart the app.

Another developer in the team decided they wanted to log what customers searched for, so if someone typed in "OutOfMemoryException" in the search bar...

20 comments

netsharc

Reply
PhilipRoman  1 day ago

Careless analysis of free-form text logs is an underrated way to exploit systems. It's scary how much software blindly logs data without out of band escaping or sanitizing.

  • ycombinatrix  1 day ago

    Why would someone "sanitize" OutOfMemoryException out of their logs? That is a silly point to make.

    • teraflop  1 day ago

      The point is not to sanitize known strings like "OutOfMemoryException". The point is to sanitize or (preferably) escape any untrusted data that gets logged, so that it won't be confused for something else.

      11 replies →

    • MortyWaves  8 hours ago

      Absolutely incredible how dense HN can be and that no one has explained. Obviously that isn’t what they are saying, they are saying it’s profoundly stupid to have the server be controlled by a simple string search at all.

    • owebmaster  1 day ago

      An OutOfMemoryException log should not be the same as a search log

        Error: OutOfMemoryException

      And

        Search: OutOfMemoryException

      Should not be related in any way

      3 replies →

skipants  1 day ago

I've actually gone through this a few times with our WAF. A user got IP-banned because the WAF thought a note with the string "system(..." was PHP injection.