.net – Is Output Neutralization required when logging C# exception messages to log files?

Many things in the security field are relative, meaning they depend on context.

In your case the exception may contain some sensitive data. Only you can decide if this is a weakness or not. A few examples:

  • If the exception text contains person names, addresses, account numbers, this may be a security issue in some cases. Normally we don’t want to have such data in the logs.
  • If the exception text contains a generic statement like “User A has no permission for operation B”, this is usually a safe text.
  • If the exception text is technical like “NullPointerException”, it is safe.

Also, the exception text can contain a stack trace. In some cases disclosing it may be a weakness. For instance, if it contains information about classes and line numbers, it may be possible to find out which version of which library is used. If there is a known security issue in this library version, this can be used for an attack. Again, even if there is such a bug, it can be that the exploit requires very specific preconditions and maybe you are safe in your case.

Consider such findings not as a problem, but as a hint that there may be a problem. Analyze it, estimate the risks and decide if the risks are acceptable.
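As an added example (not code from the question or the answer), a C# helper along the lines the answer describes: it neutralizes line breaks and control characters in the exception message so a single exception cannot break the log file's line structure, masks the kinds of values the answer calls sensitive, and leaves the stack trace out unless explicitly requested. The class name, the regular expressions and the sample exception are assumptions constructed for illustration.

```csharp
using System;
using System.Text;
using System.Text.RegularExpressions;

// Hypothetical helper, not from the original post.
public static class SafeExceptionLogger
{
    // Constructed patterns for data the answer calls sensitive (account numbers, e-mail addresses).
    private static readonly Regex AccountNumber = new Regex(@"\b\d{8,19}\b", RegexOptions.Compiled);
    private static readonly Regex Email = new Regex(@"[\w.+-]+@[\w-]+(\.[\w-]+)+", RegexOptions.Compiled);

    // Output neutralization: CR/LF and other control characters are replaced so the
    // message always stays on one log line and cannot corrupt the file's structure.
    public static string Neutralize(string text, int maxLength = 1000)
    {
        if (string.IsNullOrEmpty(text)) return string.Empty;
        var sb = new StringBuilder(text.Length);
        foreach (char c in text)
        {
            if (c == '\r' || c == '\n') sb.Append(' ');
            else if (char.IsControl(c)) sb.Append('?');
            else sb.Append(c);
        }
        return sb.Length > maxLength ? sb.ToString(0, maxLength) + "...[truncated]" : sb.ToString();
    }

    // Redaction: mask the kinds of values that should not reach the logs.
    public static string Redact(string text)
    {
        text = Email.Replace(text, "[email redacted]");
        return AccountNumber.Replace(text, "[number redacted]");
    }

    // Builds the line written to the log file. The exception type is always logged;
    // the stack trace only when explicitly requested (e.g. in a development environment).
    public static string FormatForLog(Exception ex, bool includeStackTrace = false)
    {
        var line = $"{ex.GetType().Name}: {Redact(Neutralize(ex.Message))}";
        if (includeStackTrace && ex.StackTrace != null)
            line += " | " + Neutralize(ex.StackTrace, 4000);
        return line;
    }

    public static void Main()
    {
        // Constructed exception whose message contains a line break and an account number.
        var ex = new InvalidOperationException("Transfer failed for account 12345678901\nsecond line");
        Console.WriteLine(FormatForLog(ex));
    }
}
```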