Logo


1. Authentication
  1. Brute Force

  2. Insufficient Authentication

  3. Weak Password Recovery Validation

2. Authorization
  1. Credential/Session Prediction

  2. Insufficient Authorization

  3. Insufficient Session Expiration

  4. Session Fixation

3. Client-side Attacks
  1. Content Spoofing

  2. Cross-site Scripting

4. Command Execution
  1. Buffer Overflow
  2. Format String Attack
  3. LDAP Injection
  4. OS Commanding
  5. SQL Injection
  6. SSI Injection
  7. XPath Injection
5. Information Disclosure
  1. Directory Indexing

  2. Information Leakage

  3. Path Traversal

  4. Predictable Resource Location

6. Logical Attacks
  1. Abuse of Functionality

  2. Denial of Service

  3. Insufficient Anti-automation

  4. Insufficient Process Validation

OS Commanding

OS Commanding is an attack technique used to exploit web sites by executing Operating System commands through manipulation of application input.

When a web application does not properly sanitize user-supplied input before using it within application code, it may be possible to trick the application into executing Operating System commands. The executed commands will run with the same permissions of the component that executed the command (e.g. Database server, Web application server, Web server, etc.).


Example
Perl allows piping data from a process into an open statement, by appending a '|' (Pipe) character onto the end of a filename. Pipe character examples: # Execute "/bin/ls" and pipe the output to the open statement open(FILE, "/bin/ls|") Web applications often include parameters that specify a file that is displayed or used as a template. If the web application does not properly sanitize the input provided by a user, an attacker may change the parameter value to include a shell command followed by the pipe symbol (shown above).

If the original URL of the web application is:
http://example/cgi-bin/showInfo.pl?name=John&template=tmp1.txt

Changing the template parameter value, the attacker can trick the web application into executing the command /bin/ls:

http://example /cgi-bin/showInfo.pl?name=John&template=/bin/ls|

Most scripting languages enable programmers to execute Operating System commands during run-time, by using various exec functions. If the web application allows user-supplied input to be used inside such a function call without being sanitized first, it may be possible for an attacker to run Operating System commands remotely. For example, here is a part of a PHP script, which presents the contents of a system directory (on Unix systems): Execute a shell command: exec("ls -la $dir",$lines,$rc); By appending a semicolon (;) followed by an Operating System command, it is possible to force the web application into executing the second command:

http://example/directory.php?dir=%3Bcat%20/etc/passwd

The result will retrieve the contents of the /etc/passwd file.


References

"Perl CGI Problems", By RFP - Phrack Magazine, Issue 55
http://www.wiretrip.net/rfp/txt/phrack55.txt
(See "That pesky pipe" section)

"Marcus Xenakis directory.php Shell Command Execution Vulnerability"
http://www.securityfocus.com/bid/4278

"NCSA Secure Programming Guidelines"
http://archive.ncsa.uiuc.edu/General/Grid/ACES/security/programming/#cgi

To receive your Free Application Vulnerability Assessment for testing of one attack vulnerability of your choice, please submit your payment of $99.00 for a second OS Commanding attack vulnerability test.


Business Name:
Contact Information:
Email Address:
URL or IP address:
  

Other members of our business group:
Cloud-Security.us | US-scada.com

COPYRIGHT (C) 2000 - 2013 InfoSecPro.com ALL RIGHTS RESERVED