OS Command Injection
Description
The application calls functions or methods that execute operating-system commands with unsanitized, user-controlled parameters. An attacker can inject arbitrary commands that run on the server with the privileges of the application process, which widens the attack surface: escalating privileges, or reading or modifying sensitive information stored on the machine.
Impact
Execute arbitrary injected commands on the server with the privileges of the application process.
Recommendation
- If possible, do not use functions that execute system commands with user-controlled input.
- Validate every input parameter against an allowlist (for example, a strict regular expression) before passing it to such functions, and pass validated values as separate arguments instead of concatenating them into a shell command string.
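The following Python snippet, written for this page as an illustration and not taken from the original text, contrasts the flaw described above with the recommended fix. It wraps `echo` so that it runs offline; the function names, the hostname regular expression and the sample payload are this example's own assumptions.

```python
"""Vulnerable vs hardened command execution (added example, not the page's own code).

Assumptions: the wrapped command is `echo` so the example runs anywhere; the
allowlist regex and the sample payload are constructed for this illustration.
"""
import re
import subprocess

# Allowlist: a hostname-like token (letters, digits, dots, hyphens). Anything
# else is rejected before it reaches the process-spawning call.
HOSTNAME_RE = re.compile(r"[A-Za-z0-9]([A-Za-z0-9.-]{0,253}[A-Za-z0-9])?")


def greet_vulnerable(name: str) -> str:
    """Concatenates user input into a shell string and runs it with shell=True.

    The shell parses metacharacters (; | & $ ` ...) inside `name`, so the
    payload '; echo INJECTED' makes a second command run.
    """
    command = "echo hello " + name  # user-controlled text inside the command line
    result = subprocess.run(command, shell=True, capture_output=True, text=True)
    return result.stdout


def is_valid_hostname(name: str) -> bool:
    """Allowlist check: True only if the whole string matches HOSTNAME_RE."""
    return HOSTNAME_RE.fullmatch(name) is not None


def validate_hostname(name: str) -> str:
    """Returns the input unchanged or raises ValueError when it is not allowed."""
    if not is_valid_hostname(name):
        raise ValueError(f"rejected input: {name!r}")
    return name


def greet_argv_only(name: str) -> str:
    """Argument list without a shell: the input becomes one literal argv element,
    so shell metacharacters are never interpreted. The callee still receives
    whatever the user sent, which for commands that accept options is enough
    for argument injection; that is why greet_hardened also validates."""
    result = subprocess.run(["echo", "hello", name], capture_output=True, text=True)
    return result.stdout


def greet_hardened(name: str) -> str:
    """Allowlist validation first, then argv-style invocation with no shell."""
    safe = validate_hostname(name)
    result = subprocess.run(["echo", "hello", safe], capture_output=True, text=True)
    return result.stdout


if __name__ == "__main__":
    payload = "; echo INJECTED"  # constructed sample payload
    print("vulnerable:", repr(greet_vulnerable(payload)))  # second command ran
    print("argv only :", repr(greet_argv_only(payload)))   # literal argument
    try:
        greet_hardened(payload)
    except ValueError as exc:
        print("hardened  :", exc)
    print("hardened  :", repr(greet_hardened("example.org")))
```

Running the script on a POSIX system shows the vulnerable variant printing `INJECTED` on its own line, the argv-only variant printing the payload literally, and the hardened variant refusing the payload while still accepting a well-formed hostname. Both layers matter: the argument list removes the shell from the path, and the allowlist keeps option-looking or otherwise unexpected values away from the command.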
Threat
Authenticated local attacker with access to the machine.
Expected Remediation Time
⏱️ 120 minutes.
Requirements
173 - Discard unsafe inputs
265 - Restrict access to critical processes
266 - Disable insecure functionalities
344 - Avoid dynamic code execution
Rules
Ruby Eval Code Injection
Dart Native Language Cmd Injection
Python Command Injection Concat String
C Sharp Process Start With Unvalidated Input
Python Subprocess Command Injection
Java Unsafe Reflection Invocation
Kotlin Code Injection User Input
C Sharp Compile From Untrusted Input
Go Os Exec Command Injection
Ruby Kernel Command Injection
Scala Input Command Injection
Ruby Command Injection Concat String
C Sharp Process Arguments Injection