Remote OS Command Injection

By
Nash N Sulthan
Published on
24 Jun 2018
Injection

Code injection attack is an injection attack through which an attacker can execute any malicious commands on the host operating system via the application. This attack is possible because the application passes unsafe user-supplied data to the system shell. The attacks can be done via forms, cookies, HTTP headers etc. In this attack, the operating system commands sent by the attacker is executed with the execution privileges of the vulnerable application. This type of attacks is largely due to insufficient input validation.

There are servers that pass unsafe user-supplied data to the system shell. The attacker can supply operating system commands and can execute with the privileges of the server application. The attacker uses code injection to extend the functionality of the application via his malicious code.

Impact

The impact include:-

  • Executing commands on the underlying operating system.
  • injection attack
  • Data loss

Mitigation / Precaution

Beagle recommends the following fixes:-

  • Using an existing API for the language.
  • Implement a positive security model.
Automated human-like penetration testing for your web apps & APIs
Teams using Beagle Security are set up in minutes, embrace release-based CI/CD security testing and save up to 65% with timely remediation of vulnerabilities. Sign up for a free account to see what it can do for you.

Written by
Nash N Sulthan
Nash N Sulthan
Cyber Security Lead Engineer
Find website security issues in a flash
Improve your website's security posture with proactive vulnerability detection.
Free website security assessment
Experience the power of automated penetration testing & contextual reporting.