Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
CWE-778 Base Draft
Insufficient Logging
This weakness occurs when an application fails to properly record important security events or captures them with insufficient detail, making it hard to spot and investigate suspicious activity.
Definition
What is CWE-778?
This weakness occurs when an application fails to properly record important security events or captures them with insufficient detail, making it hard to spot and investigate suspicious activity.
Insufficient logging creates blind spots for security teams. When critical events—like failed logins, privilege escalations, or data access—aren't logged with enough detail, detecting attacks in progress becomes nearly impossible. This also severely hampers post-incident forensic analysis, leaving you without the evidence needed to understand how a breach happened or what data was affected.
Modern cloud environments often introduce this risk through misconfiguration. Cloud services frequently have detailed logging disabled by default to manage costs and performance. If developers don't explicitly enable and configure audit logs for services like storage buckets, databases, or identity management, critical telemetry gaps appear. These gaps in your security logs can allow malicious activity to go completely unnoticed.
Auswirkungen in der Praxis
Real-world CVEs caused by CWE-778
-
server does not log failed authentication attempts, making it easier for attackers to perform brute force password guessing without being detected
-
admin interface does not log failed authentication attempts, making it easier for attackers to perform brute force password guessing without being detected
-
default configuration for POP server does not log source IP or username for login attempts
-
proxy does not log requests without "http://" in the URL, allowing web surfers to access restricted web content without detection
-
web server does not log requests for a non-standard request type
Wie Angreifer es ausnutzen
Angreiferpfad Schritt für Schritt
- 1
The example below shows a configuration for the service security audit feature in the Windows Communication Foundation (WCF).
- 2
The previous configuration file has effectively disabled the recording of security-critical events, which would force the administrator to look to other sources during debug or recovery efforts.
- 3
Logging failed authentication attempts can warn administrators of potential brute force attacks. Similarly, logging successful authentication events can provide a useful audit trail when a legitimate account is compromised. The following configuration shows appropriate settings, assuming that the site does not have excessive traffic, which could fill the logs if there are a large number of success or failure events (CWE-779).
- 4
In the following Java example the code attempts to authenticate the user. If the login fails a retry is made. Proper restrictions on the number of login attempts are of course part of the retry functionality. Unfortunately, the failed login is not recorded and there would be no record of an adversary attempting to brute force the program.
- 5
It is recommended to log the failed login action. Note that unneutralized usernames should not be part of the log message, and passwords should never be part of the log message.
Verwundbares Codebeispiel
Vulnerable XML
The example below shows a configuration for the service security audit feature in the Windows Communication Foundation (WCF).
<system.serviceModel>
<behaviors>
<serviceBehaviors>
<behavior name="NewBehavior">
<serviceSecurityAudit auditLogLocation="Default"
suppressAuditFailure="false"
serviceAuthorizationAuditLevel="None"
messageAuthenticationAuditLevel="None" />
...
</system.serviceModel> Sicheres Codebeispiel
Secure XML
Logging failed authentication attempts can warn administrators of potential brute force attacks. Similarly, logging successful authentication events can provide a useful audit trail when a legitimate account is compromised. The following configuration shows appropriate settings, assuming that the site does not have excessive traffic, which could fill the logs if there are a large number of success or failure events (CWE-779).
<system.serviceModel>
<behaviors>
<serviceBehaviors>
<behavior name="NewBehavior">
<serviceSecurityAudit auditLogLocation="Default"
suppressAuditFailure="false"
serviceAuthorizationAuditLevel="SuccessAndFailure"
messageAuthenticationAuditLevel="SuccessAndFailure" />
...
</system.serviceModel> What changed: the unsafe sink is replaced (or the input is validated/escaped) so the same payload no longer triggers the weakness.
Präventions-Checkliste
How to prevent CWE-778
- Architecture and Design Use a centralized logging mechanism that supports multiple levels of detail.
- Implementation Ensure that all security-related successes and failures can be logged. When storing data in the cloud (e.g., AWS S3 buckets, Azure blobs, Google Cloud Storage, etc.), use the provider's controls to enable and capture detailed logging information.
- Operation Be sure to set the level of logging appropriately in a production environment. Sufficient data should be logged to enable system administrators to detect attacks, diagnose errors, and recover from attacks. At the same time, logging too much data (CWE-779) can cause the same problems, including unexpected costs when using a cloud environment.
- Operation To enable storage logging using Azure's Portal, navigate to the name of the Storage Account, locate Monitoring (CLASSIC) section, and select Diagnostic settings (classic). For each of the various properties (blob, file, table, queue), ensure the status is properly set for the desired logging data. If using PowerShell, the Set-AzStorageServiceLoggingProperty command could be called using appropriate -ServiceType, -LoggingOperations, and -RetentionDays arguments.
Erkennungssignale
How to detect CWE-778
Plexicus erkennt CWE-778 automatisch und öffnet in unter 60 Sekunden einen Fix-PR.
Codex Remedium scannt jeden Commit, identifiziert genau diese Schwachstelle und liefert einen reviewer-ready Pull Request mit dem Patch. Keine Tickets. Keine Hand-offs.
Häufig gestellte Fragen Was ist CWE-778?
Wie gravierend ist CWE-778?
Welche Sprachen oder Plattformen sind von CWE-778 betroffen?
Wie kann ich CWE-778 verhindern?
Wie erkennt und behebt Plexicus CWE-778?
Wo erfahre ich mehr über CWE-778?
Frequently asked questions
Was ist CWE-778?
This weakness occurs when an application fails to properly record important security events or captures them with insufficient detail, making it hard to spot and investigate suspicious activity.
Wie gravierend ist CWE-778?
MITRE stuft die Exploit-Wahrscheinlichkeit als mittel ein — eine Ausnutzung ist realistisch, erfordert aber meist bestimmte Bedingungen.
Welche Sprachen oder Plattformen sind von CWE-778 betroffen?
MITRE lists the following affected platforms: Cloud Computing.
Wie kann ich CWE-778 verhindern?
Use a centralized logging mechanism that supports multiple levels of detail. Ensure that all security-related successes and failures can be logged. When storing data in the cloud (e.g., AWS S3 buckets, Azure blobs, Google Cloud Storage, etc.), use the provider's controls to enable and capture detailed logging information.
Wie erkennt und behebt Plexicus CWE-778?
Die SAST-Engine von Plexicus erkennt die Datenfluss-Signatur von CWE-778 bei jedem Commit. Bei einem Treffer öffnet unser Codex-Remedium-Agent einen Fix-PR mit korrigiertem Code, Tests und einer einzeiligen Zusammenfassung für den Reviewer.
Wo erfahre ich mehr über CWE-778?
MITRE veröffentlicht die kanonische Definition unter https://cwe.mitre.org/data/definitions/778.html. Für ergänzende Hinweise kannst du auch die OWASP- und NIST-Dokumentation heranziehen.
Verwandte Schwachstellen
Weaknesses related to CWE-778
CWE-223 Parent
Omission of Security-relevant Information
This vulnerability occurs when an application fails to capture or present crucial security-related details, such as the origin of a…
CWE-1429 Sibling
Missing Security-Relevant Feedback for Unexecuted Operations in Hardware Interface
This vulnerability occurs when a hardware interface discards operations without providing any security-relevant feedback, such as error…
Ressourcen
Further reading
- MITRE — offizielle CWE-778 https://cwe.mitre.org/data/definitions/778.html
- CIS Microsoft Azure Foundations Benchmark version 1.5.0 https://www.cisecurity.org/benchmark/azure
- Enable and manage Azure Storage Analytics logs (classic) https://learn.microsoft.com/en-us/azure/storage/common/manage-storage-analytics-logs
Bereit, wenn du es bist
Schluss mit dem Bezahlen pro Entwickler.
Schließ den Kreislauf.
Plexicus ist die KI-native ASPM, die scannt, filtert, fixt, pentestet und erklärt — autonom. Unbegrenzte Entwickler, unbegrenzte Repos, Fair-Use-KI-Aktionen. Echter kostenloser Tarif, €269/mo jährlich, wenn du bereit bist.