Difference between revisions of "Testing for Command Injection (OWASP-DV-013)"

From OWASP
Jump to: navigation, search
 
Line 2: Line 2:
  
 
== Short Description of the Issue (Topic and Explanation) ==  
 
== Short Description of the Issue (Topic and Explanation) ==  
...<br>
+
OS Commanding is a technique used via a web interface in order to execute OS commands on the web server.<br>
 +
 
 +
The user supplies operating system commands through a web interface in order to execute OS commands. Any web interface that is not properly sanitized is subject to this exploit.  With the ability to execute OS commands, the user can upload malicious programs or even obtain passwords.  OS commanding is preventable when security is emphasized during the design and development of applications.<br>
  
 
== Black Box testing and example ==
 
== Black Box testing and example ==
'''Testing for Topic X vulnerabilities:''' <br>
+
When viewing a file in a web application the file name is often shown in the URL.  Perl allows piping data from a process into an open statement.  The user can simply append the Pipe symbol “|” onto the end of the filename.
...<br>
+
<br>
'''Result Expected:'''<br>
+
Example URL before alteration:<br>
...<br><br>
+
http://sensitive/cgi-bin/userData.pl?doc=user1.txt<br>
== Gray Box testing and example ==  
+
Example URL modified:<br>
'''Testing for Topic X vulnerabilities:'''<br>
+
http://sensitive/cgi-bin/userData.pl?doc=/bin/ls|<br>
...<br>
+
This will execute the command “/bin/ls”.<br>
'''Result Expected:'''<br>
+
Appending a semicolon to the end of a URL for a .PHP page followed by an operating system command, will execute the command.
...<br><br>
+
<br>
 +
Example:<br>
 +
http://sensitive/something.php? dir=%3Bcat%20/etc/passwd<br>
 +
<br>
 +
== Gray Box testing ==  
 +
<b>Sanitization</b><br>
 +
The URL and form data needs to be sanitized for invalid characters. A “blacklist” of characters is an option but it may be difficult to think of all of the characters to validate against. Also there may be some that were not discovered as of yet.  A “whitelist” containing only allowable characters should be created to validate the user input.  Characters that were missed as well as undiscovered threats should be eliminated by this list.<br>
 +
<b>Permissions</b><br>
 +
The web application and its components should be running under strict permissions that do not allow operating system command execution.<br>
 
== References ==
 
== References ==
'''Whitepapers'''<br>
+
<br>
...<br>
+
'''Tools'''<br>
+
...<br>
+
 
{{Category:OWASP Testing Project AoC}}
 
{{Category:OWASP Testing Project AoC}}
 
[[OWASP Testing Guide v2 Table of Contents]]
 
[[OWASP Testing Guide v2 Table of Contents]]
 
{{Template:Stub}}
 

Revision as of 16:58, 7 November 2006

OWASP Testing Guide v2 Table of Contents

Contents


Short Description of the Issue (Topic and Explanation)

OS Commanding is a technique used via a web interface in order to execute OS commands on the web server.

The user supplies operating system commands through a web interface in order to execute OS commands. Any web interface that is not properly sanitized is subject to this exploit. With the ability to execute OS commands, the user can upload malicious programs or even obtain passwords. OS commanding is preventable when security is emphasized during the design and development of applications.

Black Box testing and example

When viewing a file in a web application the file name is often shown in the URL. Perl allows piping data from a process into an open statement. The user can simply append the Pipe symbol “|” onto the end of the filename.
Example URL before alteration:
http://sensitive/cgi-bin/userData.pl?doc=user1.txt
Example URL modified:
http://sensitive/cgi-bin/userData.pl?doc=/bin/ls%7C
This will execute the command “/bin/ls”.
Appending a semicolon to the end of a URL for a .PHP page followed by an operating system command, will execute the command.
Example:
http://sensitive/something.php? dir=%3Bcat%20/etc/passwd

Gray Box testing

Sanitization
The URL and form data needs to be sanitized for invalid characters. A “blacklist” of characters is an option but it may be difficult to think of all of the characters to validate against. Also there may be some that were not discovered as of yet. A “whitelist” containing only allowable characters should be created to validate the user input. Characters that were missed as well as undiscovered threats should be eliminated by this list.
Permissions
The web application and its components should be running under strict permissions that do not allow operating system command execution.

References



OWASP Testing Guide v2

Here is the OWASP Testing Guide v2 Table of Contents OWASP Testing Guide v2 Table of Contents