Operating System (OS) Command Injection
This article defines OS command injection, explains how such flaws can be found and exploited, lists some useful commands and techniques for different operating systems, and closes with a summary of how to prevent OS command injection.
OS command injection: what is it?
An OS command injection vulnerability, also known as shell injection, is a web application weakness that lets an attacker execute arbitrary operating system commands on the server hosting the application, typically compromising the application and all of its data. Often an attacker can use OS command injection to compromise other parts of the hosting infrastructure as well, exploiting trust relationships to pivot the attack to other systems within the organisation.
Arbitrary command execution
Consider an e-commerce web application that lets users check whether a product is in stock at a particular store. Users request this information with a URL that carries the product ID and store ID as query parameters.
The application has to query several legacy systems to retrieve the stock information. The feature is implemented by running a shell command with the product and store IDs as arguments:
theReport.pl 11 9
The output of this command is returned to the user as the product's stock status.
Because the application has no defences against OS command injection, an attacker can submit input in the store ID field that causes the following command to run:
theReport.pl 11 & echo randomrandom
Here the attacker's input, & echo randomrandom, was submitted in the store ID field, and the line above is the command the application actually executed.
A useful way to test for many forms of OS command injection is the echo command, which simply causes the supplied string to be returned in the response. Because the & character is a command separator in the shell, the injected input splits the command line into two separate commands, both of which are executed (on Unix shells, & also runs the first command in the background, so the order of the two outputs is not guaranteed). As a result, the user sees the following output:
Error - store id was not provided
randomrandom
Defending against OS command injection attacks
The most effective way to prevent OS command injection is never to call out to OS commands from application-layer code. In virtually every case there are alternative ways to implement the required functionality using safer platform APIs.
If calling out to OS commands with user-supplied input is unavoidable, strong input validation must be performed. Effective validation restricts the input to what the feature actually needs, for example checking that the store ID is a positive integer, or checking the value against an allow-list of permitted values.
Do not try to sanitise input by escaping shell metacharacters. In practice this is too error-prone and is liable to be bypassed by a skilled attacker.
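The following Python program is an added example, not code from the article, that ties the stock-check scenario and the defences together: a vulnerable function that builds the command line by string concatenation and hands it to a shell, the echo probe a tester would use to detect it, and a hardened version that validates the IDs against an allow-list and runs the program without a shell. The legacy theReport.pl script from the article is not available, so a plain echo command stands in for it (constructed for this example), and the six-digit limit in ID_PATTERN is an assumed policy, not one the article states.

```python
"""Added example: OS command injection in a stock-check feature, the echo
probe that detects it, and the hardened form. Nothing here is the article's
own code; `echo` stands in for the article's theReport.pl script."""
import re
import subprocess

# Stand-in for theReport.pl (constructed for this example): it just echoes
# its arguments, so the "stock report" is whatever it was given.
REPORT_ARGV = ["echo", "stockreport"]
REPORT_CMD = " ".join(REPORT_ARGV)

# Allow-list for IDs: a short string of digits and nothing else
# (the six-digit cap is an assumed policy, not from the article).
ID_PATTERN = re.compile(r"[0-9]{1,6}")


def vulnerable_stock_check(product_id: str, store_id: str) -> str:
    """Concatenates the IDs into a command line and hands it to the shell,
    the mistake behind the article's example: any shell metacharacter in
    the IDs (& ; | $() and so on) is interpreted as syntax, not data."""
    cmd = f"{REPORT_CMD} {product_id} {store_id}"
    result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return result.stdout + result.stderr


def is_valid_id(value: str) -> bool:
    """Allow-list validation: accept only what the feature actually needs."""
    return ID_PATTERN.fullmatch(value) is not None


def run_report_argv(product_id: str, store_id: str) -> str:
    """Runs the report program without a shell. Each value is one argv
    entry, so a '&' in store_id reaches the program as a literal string.
    This alone is not sufficient (the called program might still misuse
    the value), which is why hardened_stock_check validates first."""
    result = subprocess.run(REPORT_ARGV + [product_id, store_id],
                            shell=False, capture_output=True, text=True)
    return result.stdout


def hardened_stock_check(product_id: str, store_id: str) -> str:
    """Reject anything outside the allow-list, then run without a shell."""
    if not (is_valid_id(product_id) and is_valid_id(store_id)):
        raise ValueError("product and store IDs must be numeric")
    return run_report_argv(product_id, store_id)


def probe_for_injection(stock_check, marker: str = "randomrandom") -> bool:
    """The article's echo test from the tester's side: submit
    '& echo <marker>' as the store ID and check whether the marker is
    reflected in the response. A rejected request counts as no injection."""
    try:
        response = stock_check("11", f"& echo {marker}")
    except ValueError:
        return False
    return marker in response


if __name__ == "__main__":
    payload = "& echo randomrandom"
    print("vulnerable:", vulnerable_stock_check("11", payload))
    print("argv only: ", run_report_argv("11", payload))
    print("probe vulnerable:", probe_for_injection(vulnerable_stock_check))
    print("probe hardened:  ", probe_for_injection(hardened_stock_check))
```

Run it as a script and the vulnerable path prints both the stock report line and the injected marker, while the argv-only path prints the payload verbatim as part of the report arguments; the probe returns True against the vulnerable function and False against the hardened one, which raises ValueError before anything is executed.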