Blind OS Command Injection Using Timing Attacks

OWASP 2013-A1 OWASP 2017-A1 OWASP 2021-A3 OWASP 2019-API8 PCI v3.2-6.5.1 OWASP PC-C5 CAPEC-88 CWE-78 HIPAA-164.306(a) & HIPAA-64.308(a) ISO27001-A.14.2.5 WASC-31 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H WSTG-INPV-11

OS command injection is a vulnerability by which an attacker can execute OS commands through the web applications on a web server. The attacker inputs operating system commands through a web interface in order to execute OS commands. Web interfaces that are not properly sanitised are usually subjected to this exploitation. The attacker will get the ability to execute OS commands in the shell of the server. The attacker will be able to load malicious programs and can even access passwords of end users. This vulnerability can be fixed by emphasizing security during the initial design and development of web applications. An attacker can execute any malicious bash commands on the system. The attacker runs OS commands and has the output captured by the web application and return the result to the attacker. The commands can include everything from simple ping commands to map the internal network. By injecting OS commands and by measuring the amount of time to execute, our scanner can detect whether the injection is time-based OS command injection or any other injection. If the result proves that the site is vulnerable to blind OS command injection using timing attacks, it will be due to improper input sanitisation.



In the below-given PHP example, if the path passed to “include” statements are not properly sanitised, the code will look for scripts that will accept the filename as input.

        * Get the filename from a GET input
        * Example -
        $file = $_GET['file'];
        * Unsafely include the file
        * Example - filename.php


If the path is extracted from an HTTP request and if no input validation is done (for example, by checking the input against a whitelist), this snippet of code will result in remote file inclusion.

In this case, the remote file included in the URL will be executed by the server.


The impact include:-

  • execute a cross-site scripting attack.
  • perform code execution on the web server.
  • Code execution on the client-side such as JavaScript which can lead to other attacks such as cross-site scripting (XSS).
  • execute a denial of service (DoS) attack on the users.
  • expose sensitive Information about the application.

Mitigation / Precaution

This vulnerability can be fixed by:-

  • Avoid passing of user-submitted input to any file-system or framework API.
  • Maintain a whitelist of files that need to be included via the page. Then use an identifier to access the selected file.
  • Make sure to set the allow_url_include as off. Setting as off won’t allow any attackers to include any remote file.
  • The input fields should be checked against a whitelist (allowed character set) instead of a blacklist (disallowed malicious characters). Blacklist validation is considered a weak solution. This validation technique is used by attackers to choose the supply input in a different format. The format includes encoded or hexadecimal formats.

Latest Articles