OS command injection is a technique used via a web interface in order to execute OS commands on a web server. The user supplies operating system commands through a web interface in order to execute OS commands. Any web interface that is not properly sanitized is subject to this exploit. With the ability to execute OS commands, the user can upload malicious programs or even obtain passwords. OS command injection is preventable when security is emphasized during the design and development of applications.
This attack differs from Code Injection, where the code injection allows the attacker to add his own code that is then executed by the application. In Code Injection, the attacker extends the default functionality of the application without the necessity of executing system commands.
Common Parameter Or Injection Points example (file, location, path, display, load, retrieve, read)
- The manipulating variables that reference files with dot-dot-slash (../) sequences and its variations or by using absolute file paths.
- It may be possible to access arbitrary files and directories stored on file system including application source code or configuration and critical system files.
- Code execution on the web server.
- Are there request parameters which could be used for file-related operations.
- Are there interesting variable names.
- Application developers sometimes implement operating system interactions using calls to system utilities for creating and removing directories for example. unescaped input can lead to arbitrary OS commands being executed.
- If possible, do not permit appending file paths directly. Make them hard-coded or selectable from a limited hard-coded path list via an index variable.
- If you definitely need dynamic path concatenation, ensure you only accept required characters such as “a-Z0-9” and do not allow “..” or “/” or “” (null byte) or any other similar unexpected characters.
- It is important to limit the API to allow inclusion only from a directory and directories below it. This way you can ensure any potential attack cannot perform a directory traversal attack.
- OWASP WebScarab
- OWASP WebGoat
- Burp suite
- Enconding/Decoding tools.