
Difference between revisions of "Command Injection Defense Cheat Sheet"

From OWASP
= WORK IN PROGRESS =
+
#REDIRECT [[OS_Command_Injection_Defense_Cheat_Sheet]]
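Review bot: the added `#REDIRECT [[OS_Command_Injection_Defense_Cheat_Sheet]]` line replaces the `= WORK IN PROGRESS =` heading, and because a redirect page forwards readers immediately, the draft outline that follows it (sections 1 through 4, the Details section, and the Authors and Primary Editors list) is no longer shown to anyone; if the intent is to retire this draft in favour of the target page, the author credits for Jim Manico and Scott Davis should be carried over to OS_Command_Injection_Defense_Cheat_Sheet rather than dropped with the redirect.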
 
 
__NOTOC__
 
<div style="width:100%;height:160px;border:0;margin:0;overflow:hidden;">[[File:Cheatsheets-header.jpg|link=]]</div>
 
 
 
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;"
|-
 
| valign="top"  style="border-right: 1px dotted gray;padding-right:25px;" |
 
Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''
 
= Introduction =
 
__TOC__{{TOC hidden}}
 
 
 
This cheat sheet provides best practices for developers to follow to avoid the risk of [[Command Injection]].<br>
 
 
 
= Introduction =
 
 
 
1) What is Command Injection?

2) Defense against unintentional OS interaction

2a) Local File Inclusion (LFI)

2b) Remote File Inclusion (RFI)

2c) Code-level injection

* Environment variables

* Code creation

3) Safe design for features where OS interaction is intentional

3a) For example, safely calling ImageMagick to perform image manipulation

I CC'd a few other folks who are interested in this topic.

3b) TBD example

3c) TBD example

4) Summary

TBD: takeaway list of language-agnostic approaches

TBD: takeaway list of language-specific approaches
 
 
 
= Details =
 
 
 
TBD
 
 
 
= Authors and Primary Editors =
 
 
 
Jim Manico - jim[at]owasp.org
 
 
 
Scott Davis - scott_davis[at]rapid7.com
 
 
 
== Other Cheatsheets ==
 
 
 
{{Cheatsheet_Navigation_Body}}
 
 
 
|}
 
 
 
 
 
[[Category:Cheatsheets]]
 

Latest revision as of 18:22, 13 November 2017