Input Validation / OS Command Injection
OS command injection (CWE-78) is an injection attack technique used to execute arbitrary system commands on a vulnerable web or API application. It occurs when untrusted user input, taken from a request parameter, form field, or API payload, is placed into a command string that the application hands to the operating system shell, so that shell metacharacters in the input are interpreted as part of the command. It is one of the most dangerous web application vulnerabilities listed in the CWE Top 25 (2022) and is also included in the OWASP Testing Guide.
OS command injection can have devastating consequences for the affected system. It can enable attackers to gain access to sensitive data, modify or delete data, or leverage the system to launch further attacks. Because the injected command runs with the privileges of the application process, it can also be used to gain access to the underlying system, allowing attackers to bypass authentication, modify system configurations, and execute malicious code on the host.
The best way to protect against OS command injection is to sanitize user input by using strict input validation, preferably an allowlist that accepts only the characters and length the parameter legitimately needs and rejects everything else. This ensures that user input cannot carry shell metacharacters into the command before it is passed to the system. Additionally, any user input that must reach a shell should be escaped so that it is treated as a single literal argument rather than as command syntax. It is also recommended to use an authentication system to limit access to the application, so that only authorized users can reach the functionality that runs commands at all.
<?php
// Read the untrusted parameter, quote it as one shell argument, then run the command.
$name = $_GET['name'];
$name = escapeshellarg($name);
system("echo hello $name");
?>
In the above example, the user input is first escaped using escapeshellarg() to ensure that any shell metacharacters it contains are passed to echo as literal text rather than interpreted by the shell, so malicious input cannot be injected into the system command.
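The following is an added example, not code from the original page, that places the vulnerable pattern beside the escaped form shown above and a third form that applies allowlist validation before escaping. The functions, the sample inputs and the ?name= parameter are constructed for illustration.

```php
<?php
// Added example (not from the original page). Assumes a hypothetical endpoint
// that takes a ?name= parameter and greets the user by running echo via the shell.

// VULNERABLE (CWE-78): the raw value is concatenated into the command string.
// A value containing shell metacharacters (for example ";" or "|") would be
// parsed by /bin/sh as additional commands. Shown for contrast only; not called below.
function greet_vulnerable(string $name): string {
    return (string) shell_exec("echo hello $name");
}

// ESCAPED: escapeshellarg() wraps the value in single quotes and escapes any
// embedded single quotes, so the whole value reaches echo as one literal argument.
function greet_escaped(string $name): string {
    return (string) shell_exec("echo hello " . escapeshellarg($name));
}

// VALIDATED + ESCAPED: reject anything outside a strict allowlist of characters and
// length first, then escape. Rejecting is safer than trying to "clean" a bad value.
function greet_validated(string $name): ?string {
    if (!preg_match('/^[A-Za-z0-9_-]{1,32}$/', $name)) {
        return null; // caller should respond with a 400 and log the rejection
    }
    return (string) shell_exec("echo hello " . escapeshellarg($name));
}

// Constructed sample inputs: a benign name, a value with shell metacharacters,
// and a value with an embedded single quote.
$inputs = ['alice', 'bob; id', "o'neil"];

foreach ($inputs as $in) {
    $escaped   = trim(greet_escaped($in));          // metacharacters printed literally
    $validated = greet_validated($in);              // null when the allowlist rejects it
    printf(
        "input=%-12s escaped=%-18s validated=%s\n",
        var_export($in, true),
        var_export($escaped, true),
        $validated === null ? 'REJECTED' : var_export(trim($validated), true)
    );
}
```

Running this prints "hello bob; id" for the escaped form, showing that the whole value became a single argument, while the validated form rejects both the metacharacter input and the quoted name and only greets "alice". Two caveats worth keeping in mind: escapeshellarg() strips bytes that are invalid in the process's current locale, which is another reason to validate the shape of the input before escaping; and where the command does not need a shell at all, pass the program and its arguments as an array to proc_open() (supported since PHP 7.4), which runs the program directly and removes the shell-parsing step that makes this class of bug possible.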