Audit Log

Audit Log Tamper

The audit log writer accepts client-supplied timestamps, user IDs, and action labels, so any caller can backdate events or impersonate other users in the log.

CWE-117, CWE-345
Audit probe

Expected Findings

  • Audit endpoint stores client-supplied `ts` field as truth.
  • `actor` is taken from the body rather than the session.
  • Newlines in `action` are not escaped, enabling log injection.

Signals

Code
db.audit.insert({ts: req.body.ts, actor: req.body.actor, ...})