OWASP Periodic Table of Vulnerabilities - OS Commanding

Revision as of 16:06, 22 July 2013 by James Landis (Talk | contribs)


OS Commanding

Root Cause Summary

OS-level calls are constructed using dynamic data, allowing an attacker to append additional function calls or manipulate parameters of the original call.

Browser / Standards Solution


Perimeter Solution


Generic Framework Solution


Custom Framework Solution

Build safe wrappers for system calls which prevent dynamic data from changing the intended meaning of the call.

Custom Code Solution


Discussion / Controversy

Many common system calls already have safe wrappers in generic application frameworks. Most remaining unsafe calls are therefore likely to be made when accessing application-specific batch processes or system features, and those calls need a custom framework wrapper that guarantees the intended command syntax is generated safely.
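As an added example of the custom framework wrapper described above (not code from the OWASP page), the following Python builds a fixed argv template for a hypothetical application-specific batch tool, validates each dynamic value against a strict allowlist pattern, and executes without a shell so the data can never change the meaning of the call. The tool path, job name and parameter names are assumptions for illustration.

```python
import re
import subprocess
from typing import Callable, Dict, List, Optional

# Hypothetical batch job for illustration; the real tool and its options would be
# whatever the application actually invokes.
# Each parameter has a strict validator. Rejecting anything outside a narrow
# character set also blocks values that start with "-", which a tool would
# otherwise parse as an option (something shell quoting alone does not prevent).
VALIDATORS: Dict[str, Callable[[str], Optional[re.Match]]] = {
    "report": re.compile(r"[a-z][a-z0-9_]{0,31}").fullmatch,
    "date": re.compile(r"\d{4}-\d{2}-\d{2}").fullmatch,
}

# Fixed argv templates: executable path and option syntax are constants, so a
# dynamic value can only ever occupy a single argument slot.
TEMPLATES: Dict[str, List[str]] = {
    "nightly_report": ["/opt/app/bin/gen-report", "--name", "{report}", "--date", "{date}"],
}


def unsafe_command_string(report: str, date: str) -> str:
    # The vulnerable pattern for contrast only (never executed here): dynamic data is
    # concatenated into a string that would be handed to a shell.
    return "/opt/app/bin/gen-report --name " + report + " --date " + date


def build_argv(job: str, params: Dict[str, str]) -> List[str]:
    """Return a validated argv list for an allowed job, or raise ValueError."""
    if job not in TEMPLATES:
        raise ValueError("unknown job: %r" % job)
    argv: List[str] = []
    for token in TEMPLATES[job]:
        if token.startswith("{") and token.endswith("}"):
            name = token[1:-1]
            value = params.get(name)
            if value is None or not VALIDATORS[name](value):
                raise ValueError("invalid value for parameter %r" % name)
            argv.append(value)
        else:
            argv.append(token)
    return argv


def run_job(job: str, params: Dict[str, str]) -> subprocess.CompletedProcess:
    """Execute the job with shell=False: argv goes straight to exec, no shell parsing."""
    argv = build_argv(job, params)
    return subprocess.run(argv, shell=False, capture_output=True, text=True, check=False)
```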


Command Injection
OS Commanding (WASC)
OS Command Injection (CWE)