Secure Code Warrior - Os command injection
Download as PPTX, PDF0 likes599 views
OS command injection is a security vulnerability that allows attackers to execute arbitrary commands on an application's operating system due to improper validation of user input. This can result in the disclosure of sensitive data, deletion of files, and denial of service. To prevent this, developers should use framework-specific API calls, validate all user input against a whitelist, and apply the principle of least privilege.
Secure Code Warrior - Os command injection
- 1. OS Command Injection OWASP Web App Top 10 by Secure Code Warrior Limited is licensed under CC BY-ND 4.0
- 2. What is it? “OS Command injection” is a vulnerability that allows arbitrary commands to be executed on the operating system of the application. What causes it? This vulnerability happens because user controlled input (form parameters, cookies, HTTP headers, …) is being passed to the system shell without any prior validation. What could happen? Injected commands will run with the privileges of the vulnerable application. User passwords or other sensitive data could be displayed on the application output. Files or database records could be manipulated or deleted. Services could be started/stopped. How to prevent it? Use framework specific API calls instead of OS commands. If not possible, validate all user supplied data against a white-list before passing it to the OS.
- 3. OS Command Injection Understanding the security vulnerability An application vulnerable to command injection. A GET parameter ‘fileToDelete’ is passed to the system shell without prior validation. An attacker crafts a malicious URL: he appends a shell command to the parameter value of a request. All the web application files are deleted. The web application becomes unavailable. The application appends the GET parameter to the command string and the malicious command is executed. Application Server file = request.getParameter(‘fileToDelete’); execShellCommand(“rm ”+ file) http://site.com/action/delete? fileToDelete=oldFile.txt; rm -rf /var/www usr@server$ rm oldFile.txt; rm –rf / http://site.com/action/delete? fileToDelete=aFile.txt
- 4. OS Command Injection Realizing the impact Commands executed as the application owner could lead to repudiation issues. All the files of your application could be deleted, denying service and causing reputation loss and financial damages. Customer data could get exposed leading to privacy issues, reputational and financial data.
- 5. OS Command Injection Preventing the mistake Use framework API functions instead of OS Commands. Validate all user controlled input against a white-list before passing it to the shell. POST & GET parameter, cookies and other HTTP headers. Apply principle of least privilege to the application