Difference between revisions of "OWASP Periodic Table of Vulnerabilities - OS Commanding"
Latest revision as of 22:06, 22 July 2013
Root Cause Summary
OS-level calls are constructed using dynamic data, allowing an attacker to append additional function calls or manipulate parameters of the original call.
Browser / Standards Solution
Generic Framework Solution
Custom Framework Solution
Build safe wrappers for system calls that prevent dynamic data from changing the intended meaning of the call: the program and its syntax are fixed by the wrapper, and untrusted input is only ever passed as a validated argument.
Custom Code Solution
Discussion / Controversy
Many common system calls already have safe wrappers in generic application frameworks. Thus, most unsafe calls are likely to be made in attempts to access application-specific batch processes or system features, and so these must be given a custom framework wrapper to ensure that the intended command syntax is generated safely.
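The custom wrapper described above, as an added example that is not part of the original page: the job names, paths and argument policy are constructed assumptions for an application-specific batch process. The unsafe builder is shown only for contrast; the safe wrapper fixes the program via an allowlist, validates the dynamic argument, and hands an argv list to the OS without a shell.

```python
import re
import subprocess
from typing import List

# Constructed allowlist of application batch jobs (hypothetical paths, not
# from the original page). The wrapper, never the caller, chooses the program.
BATCH_JOBS = {
    "nightly-report": ["/opt/app/bin/report.sh"],
    "rebuild-index": ["/opt/app/bin/reindex"],
}

# Dynamic data may only be a short token of safe characters.
SAFE_ARG = re.compile(r"[A-Za-z0-9._-]{1,64}")


def build_unsafe_command(job: str, arg: str) -> str:
    """The pattern the page warns about: dynamic data spliced into one shell
    string, so the data can change the meaning of the call. Shown for contrast
    only; never executed here."""
    return f"/opt/app/bin/{job} {arg}"


def build_safe_argv(job: str, arg: str) -> List[str]:
    """Safe wrapper: program fixed by the allowlist, argument validated, and
    the result returned as an argv list rather than a shell string."""
    if job not in BATCH_JOBS:
        raise ValueError(f"unknown batch job: {job!r}")
    if not SAFE_ARG.fullmatch(arg):
        raise ValueError(f"rejected argument: {arg!r}")
    # "--" keeps the argument from being parsed as an option by the program.
    return [*BATCH_JOBS[job], "--", arg]


def is_accepted(job: str, arg: str) -> bool:
    """True if the wrapper would issue the call for this job/argument pair."""
    try:
        build_safe_argv(job, arg)
        return True
    except ValueError:
        return False


def run_batch_job(job: str, arg: str) -> subprocess.CompletedProcess:
    """Issue the call without a shell: argv elements reach the program as
    separate arguments, so shell metacharacters in `arg` are inert."""
    return subprocess.run(build_safe_argv(job, arg), shell=False,
                          check=True, capture_output=True)
```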