Scribd
Upload
2K views3 pages

Project 3a Hacking Web Apps With Command Injections and Patching Them

The document discusses command injection vulnerabilities in web applications. It explains that web apps sometimes need to execute system commands, which can be exploited by attackers to run arbitrary commands if not validated properly. An example is shown where a ping command could be manipulated to also run an id command. The document recommends avoiding system calls if possible, input validation, and other techniques like whitelisting to prevent this vulnerability.

Uploaded by

maylinpatydakin
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
2K views3 pages

Project 3a Hacking Web Apps With Command Injections and Patching Them

The document discusses command injection vulnerabilities in web applications. It explains that web apps sometimes need to execute system commands, which can be exploited by attackers to run arbitrary commands if not validated properly. An example is shown where a ping command could be manipulated to also run an id command. The document recommends avoiding system calls if possible, input validation, and other techniques like whitelisting to prevent this vulnerability.

Uploaded by

maylinpatydakin
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 3

Project 3a Hacking Web Apps with Command Injections and

Patching them
command injection (also known as shell injection) is a web security
vulnerability that allows an attacker to execute arbitrary operating system
(OS) commands on the server that is running an application, and typically
fully compromise the application and all its data.
Why Do Web Applications Need to Execute System
Commands?

Web applications sometimes need to execute operating system commands (OS


commands) to communicate with the underlying host operating system and
the file system. This can be done to run system commands, launch
applications written in another programming language, or run shell, python,
perl, or PHP scripts. For any operating system, including Windows, Unix and
Linux, functions are available that can execute a command that is passed to
the other scripts as a shell command. While extremely useful, this
functionality can be dangerous when used incorrectly, and can lead to web
application security problems, as explained in this article.

Why You Should Be Careful When Using System Commands In


Web Applications

By exploiting a command injection vulnerability in a vulnerable application,


attackers can add additional commands or inject their own operating system
commands. This means that during a command injection attack, an attacker
can easily take complete control of the host operating system of the web
server. Therefore, developers should be very careful how to pass user input
into one of those functions when developing web applications.

Example of a Command Injection Vulnerability

In this example of the command injection vulnerability, we are using the ping
functionality, which is notoriously insecure on many routers. Imagine a
vulnerable application that has a common function that passes an IP address
from a user input to the system's ping command. Therefore, if the user input is
127.0.0.1, the following command is executed on the host operating system:

ping -c 5 127.0.0.1

Since we are dealing with a vulnerable web application, it is possible to break


out of the ping command or provoke an error that returns useful information
to the attacker. The attacker can then use this functionality to execute his own
arbitrary commands. An example of adding additional system commands
could look like this:

ping -c 5 127.0.0.1; id

In the above example, first the ping command is executed and directly after
that the id command execution takes place. Therefore the command output on
the page will look like this:

PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.


64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.023 ms
64 bytes from 127.0.0.1: icmp_seq=2 ttl=64 time=0.074 ms
64 bytes from 127.0.0.1: icmp_seq=3 ttl=64 time=0.074 ms
64 bytes from 127.0.0.1: icmp_seq=4 ttl=64 time=0.072 ms
64 bytes from 127.0.0.1: icmp_seq=5 ttl=64 time=0.037 ms

--- 127.0.0.1 ping statistics ---


5 packets transmitted, 5 received, 0% packet loss, time 3999ms
rtt min/avg/max/mdev = 0.023/0.056/0.074/0.021 ms
uid=0(root) gid=0(root) groups=0(root)

During an OS command injection attack, the attacker can also set up an error
based attack. For example, a code injection in this case will typically look like
the below:

ping -c 5 "$(id)"

The above code injection returns a response like this:

ping: unknown host uid=0(root) gid=0(root) groups=0(root)

How to Prevent System Command Injection Vulnerabilities

In order to prevent an attacker from exploiting a vulnerable web application


and inserting special characters into the operating system command, you
should try to generally avoid system calls where possible. In all cases, avoid
user input of any kind unless it is absolutely necessary. And if it is necessary,
make sure there is proper input validation in place – input validation is always
a must to ensure your web application code is not vulnerable to other high-
impact vulnerabilities, including XSS and SQL Injection.
Also, deactivate this functionality in your language's configuration file if you
don't need it, so attackers can never manage to gain access to the system shell
on the host operating system through vulnerable web applications. In some
languages, you can separate the execution of the process from the input
parameters. You can also build a white list of possible inputs and check the
formats, for example accepting only integer for a numeric id.

Vulnerability Classification and Severity Table

Classification ID / Severity

PCI v3.1 6.5.1

PCI v3.2 6.5.1

CAPEC 88

CWE 78

WASC 31

OWASP 2013 A1

HIPAA 164.306(a), 164.308(a)

CVSS:3.0 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Netsparker Critical

You might also like