COMMAND INJECTION
Command Injection allows an attacker to execute system commands directly on the back-end server hosting the web application. Injection occurs when user-controlled input is misinterpreted as part of the query or code being executed, which can subvert the intended outcome of that query into a different one that is useful to the attacker. Whenever user input is placed inside a query without being properly sanitized, it may be possible to escape the boundaries of the user input string into the parent query and manipulate it to change its intended purpose.
INJECTION ATTACKS
OS Command Injection: occurs when user input is used directly as part of an OS command.
Code Injection: occurs when user input is used directly within a function that evaluates code.
SQL Injection: occurs when user input is used directly as part of an SQL query.
Cross-Site Scripting/HTML Injection: occurs when user input is displayed unmodified on a web page.
MITIGATION
avoid using functions that execute system commands, especially when user input is passed to them
use built-in functions that perform the needed functionality instead of system command execution functions
never use user input directly to execute a system command
always validate and sanitize user input on the back-end as well as the front-end (front-end checks alone can be bypassed)
input sanitization means removing any unnecessary special characters from the user input; input sanitization is always performed after input validation
always run the web server as a low-privileged user (e.g. www-data) instead of root; this reduces the impact in the event that the web server is compromised
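The validate-then-sanitize-then-execute pattern from the mitigation list above, shown as an added Python example (not code from the original notes). The weak builder concatenates raw input into a shell string and is returned rather than executed so the resulting command line can be inspected; the hardened builder validates against an allow-list (IP address or RFC 1123-style hostname), sanitizes afterwards, and passes an argv list with no shell, so the host can only ever be a single argument. The "ping" use case and function names are assumptions for illustration.

```python
import ipaddress
import re
import subprocess
from typing import List, Optional

# Allow-list for hostnames: 1..63 char labels of [A-Za-z0-9-], no leading or
# trailing hyphen, total length <= 253. A leading '-' is rejected, so the value
# can never be parsed as an option by the target program either.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
    r"(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def validate_host(value: str) -> bool:
    """Validation step: accept only a syntactically valid IP address or hostname."""
    try:
        ipaddress.ip_address(value)  # IPv4 or IPv6 literal
        return True
    except ValueError:
        return bool(_HOSTNAME_RE.match(value))


def sanitize_host(value: str) -> str:
    """Sanitization step, run only after validation: strip whitespace and drop any
    character outside the allow-list. For input that passed validation this is a
    no-op; it exists as defence in depth, not as a substitute for validation."""
    return re.sub(r"[^A-Za-z0-9.:\-]", "", value.strip())


def build_ping_vulnerable(host: str) -> str:
    """The weak pattern: raw user input concatenated into a string meant for
    shell=True. Any shell metacharacter in host leaves the ping command."""
    return f"ping -c 1 {host}"


def build_ping_hardened(host: str) -> Optional[List[str]]:
    """The hardened pattern: reject anything outside the allow-list, sanitize
    afterwards, and build an argv list so no shell ever parses the value."""
    candidate = host.strip()
    if not validate_host(candidate):
        return None  # reject outright instead of trying to repair hostile input
    return ["ping", "-c", "1", sanitize_host(candidate)]


def run_ping(host: str) -> Optional[int]:
    """Execute the hardened argv with shell=False; None means input was rejected."""
    argv = build_ping_hardened(host)
    if argv is None:
        return None
    return subprocess.run(argv, capture_output=True, timeout=10).returncode
```

Only run_ping touches the system; the two build functions can be exercised safely to compare what each pattern hands to the OS.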