Can’t Trust These Logs

OVERVIEW

Logs are usually the foundation of a blue teamer’s handbook, helping form the basis for audits and reconstructing events if an incident occurs.

But what if the information within your logs cannot be trusted, or their very existence is subverted, becoming an asset for an attacker instead of for your team? In this talk we will go over the approaches an attacker might take to bypass authentication, impersonate users, and use poorly secured logs to try and take over your application instead.

“Secure” GUIs with a poor API implementation, insecure cookie configurations, non-authenticated endpoints with juicy data: these case studies will be briefly touched on, and will show how logs that just cannot be trusted (without further analysis) come to be.

Presented By

JOSE A. MARTINEZ
Senior Delivery Analyst,
Consulting