HIGH log injectionexpressbearer tokens

Log Injection in Express with Bearer Tokens

Scan for log injection in express

Log Injection in Express with Bearer Tokens — how this specific combination creates or exposes the vulnerability

Log injection occurs when untrusted input is written directly into log files without proper sanitization or formatting, allowing an attacker to forge log entries, inject newlines, or hide malicious activity. In Express applications that use Bearer token authentication, the combination of token-based auth and insufficient log handling creates specific risks.

When an Express backend validates a Bearer token (typically via the Authorization header), the raw token value or its parsed claims might be logged for debugging or audit purposes. If the token or related request data is written into logs verbatim — for example, using console.log or a basic logger without escaping — an attacker can supply a crafted token containing newline characters (\n) or structured payloads. This enables log injection, where the attacker can insert fake entries, impersonate other users, or break log parsers that rely on line-based formats.

Consider an Express route that logs authentication events:

app.get('/profile', (req, res) => {
  const token = req.headers.authorization?.split(' ')[1];
  console.log('Auth success: token=' + token);
  res.json({ ok: true });
});

If an attacker sends Authorization: Bearer "attacker\n[CRITICAL] admin=true", the log file may show two separate lines, making it appear that a second, legitimate authentication event occurred. This can obscure real intrusions or trigger incorrect alerts in monitoring tools. Moreover, if logs are later analyzed by security tooling that expects well-formed entries, injected content can bypass detection rules or create false positives.

Log injection in this context also intersects with token leakage. Should logs inadvertently capture full tokens due to verbose error messages or misconfigured debug output, the confidentiality of those tokens is compromised. Tokens embedded in logs may persist in storage longer than necessary and could be exposed if log access controls are weak. Because Bearer tokens are high-value secrets, any log entry that reveals them increases the impact of a log injection or log exposure vulnerability.

Additionally, certain logging formats — such as JSON-structured logging — can be abused if user-controlled fields are not validated. An attacker might supply a token containing characters that break JSON syntax or field delimiters, leading to parsing failures or ambiguous records. The interplay between the Express request pipeline, where headers are mutable, and logging implementations that trust incoming data, makes this a practical and material threat.

Bearer Tokens-Specific Remediation in Express — concrete code fixes

Remediation focuses on preventing untrusted data from corrupting log entries and ensuring tokens are handled safely. The primary rule is to never directly concatenate or interpolate raw token values into logs. Instead, sanitize and abstract identifiers before logging.

1. Avoid logging raw tokens. Replace direct logging with a hashed or truncated representation:

const crypto = require('crypto');

function hashToken(token) {
  return crypto.createHash('sha256').update(token).digest('hex').substring(0, 16);
}

app.get('/profile', (req, res) => {
  const authHeader = req.headers.authorization || '';
  const token = authHeader.startsWith('Bearer ') ? authHeader.slice(7) : '';
  if (!token) return res.status(401).json({ error: 'missing_token' });

  // Safe logging: never log the raw token
  const tokenFingerprint = hashToken(token);
  console.log('Auth success: token_fingerprint=' + tokenFingerprint);

  res.json({ ok: true });
});

2. Use structured logging with explicit fields and avoid string concatenation that may be affected by newline characters in token values. With a JSON logger, ensure user-controlled values are not placed in fields that affect log structure:

const winston = require('winston');
const logger = winston.createLogger({
  level: 'info',
  format: winston.format.json(),
  transports: [new winston.transports.Console()],
});

app.get('/profile', (req, res) => {
  const authHeader = req.headers.authorization || '';
  const token = authHeader.startsWith('Bearer ') ? authHeader.slice(7) : '';
  if (!token) return res.status(401).json({ error: 'missing_token' });

  // Structured log with controlled fields; token not included
  logger.info('authentication_success', {
    endpoint: '/profile',
    token_fingerprint: hashToken(token),
    ip: req.ip,
    method: req.method,
  });

  res.json({ ok: true });
});

3. Validate token format before use to reduce the risk of injection via malformed input. Reject tokens that contain suspicious characters or lengths that do not match your expected pattern:

function isValidToken(token) {
  // Basic Bearer token sanity checks
  return typeof token === 'string' && /^[A-Za-z0-9\-._~+/]+={0,2}$/.test(token) && token.length <= 4096;
}

app.get('/profile', (req, res) => {
  const authHeader = req.headers.authorization || '';
  const parts = authHeader.split(' ');
  if (parts.length !== 2 || parts[0] !== 'Bearer') {
    return res.status(400).json({ error: 'bad_auth_header_format' });
  }
  const token = parts[1];
  if (!isValidToken(token)) {
    return res.status(400).json({ error: 'invalid_token' });
  }

  const tokenFingerprint = hashToken(token);
  console.log('Auth success: token_fingerprint=' + tokenFingerprint);
  res.json({ ok: true });
});

4. Ensure error handling and debug outputs do not leak tokens. Avoid sending full authorization headers in error responses or logs:

app.use((err, req, res, next) => {
  // Do not include raw token in error responses
  const authHeader = req.headers.authorization || '';
  const token = authHeader.startsWith('Bearer ') ? '[protected]' : '[none]';
  logger.error('server_error', {
    error: err.message,
    token_placeholder: token,
    endpoint: req.originalUrl,
  });
  res.status(500).json({ error: 'internal_server_error' });
});

These practices reduce the attack surface by ensuring tokens are never written raw into logs, log structure remains intact, and suspicious inputs are rejected early. Combined with transport-layer protections and proper access controls on log storage, they help mitigate both log injection and inadvertent token exposure in Express services using Bearer tokens.

Scan for log injection in express Free API security scan

Frequently Asked Questions

Why is logging raw Bearer tokens a security risk even if logs are stored internally?
Logging raw Bearer tokens can expose high-value secrets in log files, which may be accessed by unauthorized users or exposed through log aggregation tools. It also enables log injection attacks where newline characters in tokens can forge entries or break log parsing, undermining audit integrity.
Can I include a token fingerprint in logs, and is that safe?
Yes, using a deterministic fingerprint (e.g., a truncated hash) is safe because it does not reveal the actual token. Ensure the hashing method is consistent, avoid including raw token data, and treat fingerprints as non-sensitive identifiers rather than secrets.

Related Pages

Log Injection in ExpressLearn how log injection attacks exploit Express applications through request logging, error handling, and middleware. DiLog Injection with Bearer TokensLearn how log injection attacks exploit Bearer token authentication systems through newline injection and log forging, wLog Injection in Express on NetlifyUnderstand and remediate log injection in Express on Netlify with concrete code examples and Netlify-specific logging guLog Injection in Express on Fly IoLog injection in Express on Fly.io: causes, impacts on logging, and structured logging fixes with Fly-compatible code exLog Injection in Express on DigitaloceanLog injection in Express on Digitalocean: risks, examples, and structured logging fixes using Pino and sanitization.Pci Dss: Log Injection in ExpressUnderstand PCI DSS log injection risks in Express, see concrete remediation patterns, and learn how middleBrick detects Soc2: Log Injection in ExpressExplore Log Injection in Express apps under SOC 2 controls. Learn remediation patterns and how middleBrick detects log iIso 27001: Log Injection in ExpressExplore ISO 27001 controls for log injection in Express, with remediation examples and structured logging guidance.Cis: Log Injection in ExpressLearn how log injection manifests in Express APIs, CIS-aligned remediation patterns, and practical code fixes using struLog Injection in Express with FirestoreExplore log injection risks in Express with Firestore, understand how newlines corrupt logs, and apply sanitization and Log Injection in Express with DynamodbLog injection in Express with DynamoDB: risks, examples, and sanitization techniques for secure logging.Log Injection in Express with CockroachdbExplore log injection risks in Express with CockroachDB, including real code examples and remediation patterns for secur