Chrome Logger Information Disclosure

medium Web App Scanning Plugin ID 113951

Synopsis

Chrome Logger Information Disclosure

Description

Chrome Logger is a Google Chrome extension used to debug server-side applications from the Chrome console. By installing the extension in their browser and a server-side library in their application, developers can view the configured debug output directly in Chrome.

Chrome Logger works by transmitting server-side log data to the client in the HTTP response headers `X-ChromeLogger-Data` or `X-ChromePhp-Data`, as a base64-encoded JSON document. Base64 is an encoding, not encryption, and the header is sent to every client that requests the page, not only to the developer's browser. Any attacker who can request the affected page (or observe its responses) can therefore decode whatever the application logged through Chrome Logger, which commonly includes SQL queries, credentials, file paths and stack traces, and use it to conduct further attacks.
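The following script, added here as an illustration and not part of the plugin or of the Chrome Logger project, decodes the header described above the way a scanner would, and doubles as a check for the Solution below: it returns an empty list when a response carries no Chrome Logger data. It assumes the documented ChromeLogger wire format (base64 of a JSON object with `columns` and `rows`); the sample header and its log contents are constructed for the example.

```python
import base64
import json

# Header names used by the ChromeLogger protocol: the current name and the
# older one emitted by the ChromePhp library.
CHROME_LOGGER_HEADERS = ("x-chromelogger-data", "x-chromephp-data")

# Column order the protocol uses when the JSON omits "columns".
DEFAULT_COLUMNS = ["log", "backtrace", "type"]


def decode_chromelogger_header(value):
    """Decode one header value (base64 of a JSON document) into a dict.

    Returns None when the value is not base64, not JSON, or not shaped like
    ChromeLogger output, so a scanner does not crash on unrelated headers.
    """
    value = value.strip()
    # Some servers strip trailing '=' padding; restore it before decoding.
    padded = value + "=" * (-len(value) % 4)
    try:
        data = json.loads(base64.b64decode(padded).decode("utf-8"))
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(data, dict) or not isinstance(data.get("rows"), list):
        return None
    return data


def extract_chromelogger_entries(headers):
    """Return every log entry found in a mapping of response headers.

    Each entry is a dict with the log level ("type"), the server-side
    backtrace string and the list of logged values.
    """
    entries = []
    for name, value in headers.items():
        if name.lower() not in CHROME_LOGGER_HEADERS:
            continue
        data = decode_chromelogger_header(value)
        if data is None:
            continue
        columns = data.get("columns", DEFAULT_COLUMNS)
        for row in data["rows"]:
            record = dict(zip(columns, row))
            entries.append({
                # An empty type means a plain console.log() in the protocol.
                "type": record.get("type") or "log",
                "backtrace": record.get("backtrace"),
                "log": record.get("log"),
            })
    return entries


def sample_response_headers():
    """Constructed example of what a misconfigured production server sends."""
    payload = {
        "version": "4.1.0",
        "columns": DEFAULT_COLUMNS,
        "rows": [
            [["SELECT * FROM users WHERE email = 'alice@example.com'"],
             "/var/www/app/models/User.php : 42", ""],
            [["db password: hunter2"], "/var/www/app/config.php : 7", "warn"],
        ],
    }
    encoded = base64.b64encode(json.dumps(payload).encode("utf-8")).decode("ascii")
    return {"Content-Type": "text/html", "X-ChromeLogger-Data": encoded}


if __name__ == "__main__":
    for entry in extract_chromelogger_entries(sample_response_headers()):
        print(f"[{entry['type']}] {entry['backtrace']}: {entry['log']}")
```

Pointing the same function at the headers of a real HTTP response (for example `response.headers` from `urllib.request` or `requests`) reproduces the plugin's check; an empty result from a production endpoint is the condition the Solution asks for.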

Solution

Ensure that the application does not ship Chrome Logger (or its server-side library) to production. If it must remain enabled, do not log sensitive information and restrict the output to authorized users, for example by emitting the header only for authenticated developer sessions.

See Also

https://craig.is/writing/chrome-logger

Plugin Details

Severity: Medium

ID: 113951

Type: remote

Published: 6/9/2023

Updated: 6/9/2023

Scan Template: basic, full, pci, scan

Risk Information

VPR

Risk Factor: Low

Score: 1.4

CVSS v2

Risk Factor: Medium

Base Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS Score Source: Tenable

CVSS v3

Risk Factor: Medium

Base Score: 5.3

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVSS Score Source: Tenable

CVSS v4

Risk Factor: Medium

Base Score: 6.9

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

CVSS Score Source: Tenable
