1. Authentication
- Brute Force
- Insufficient Authentication
- Weak Password Recovery Validation
2. Authorization
- Credential/Session Prediction
- Insufficient Authorization
- Insufficient Session Expiration
- Session Fixation
3. Client-side Attacks
- Content Spoofing
- Cross-site Scripting
4. Command Execution
- Buffer Overflow
- Format String Attack
- LDAP Injection
- OS Commanding
- SQL Injection
- SSI Injection
- XPath Injection
5. Information Disclosure
- Directory Indexing
- Information Leakage
- Path Traversal
- Predictable Resource Location
6. Logical Attacks
- Abuse of Functionality
- Denial of Service
- Insufficient Anti-automation
- Insufficient Process Validation
|
|
OS Commanding
OS Commanding is an attack technique used to exploit web sites by
executing Operating System commands through manipulation of
application input.
When a web application does not properly sanitize user-supplied
input before using it within application code, it may be possible to trick
the application into executing Operating System commands. The
executed commands will run with the same permissions of the
component that executed the command (e.g. Database server, Web
application server, Web server, etc.).
Example
Perl allows piping data from a process into an open statement, by
appending a '|' (Pipe) character onto the end of a filename.
Pipe character examples:
# Execute "/bin/ls" and pipe the output to the open
statement
open(FILE, "/bin/ls|")
Web applications often include parameters that specify a file that is
displayed or used as a template. If the web application does not
properly sanitize the input provided by a user, an attacker may
change the parameter value to include a shell command followed by
the pipe symbol (shown above).
If the original URL of the web application is:
http://example/cgi-bin/showInfo.pl?name=John&template=tmp1.txt
Changing the template parameter value, the attacker can trick the
web application into executing the command /bin/ls:
http://example /cgi-bin/showInfo.pl?name=John&template=/bin/ls|
Most scripting languages enable programmers to execute Operating
System commands during run-time, by using various exec functions.
If the web application allows user-supplied input to be used inside
such a function call without being sanitized first, it may be possible for
an attacker to run Operating System commands remotely. For
example, here is a part of a PHP script, which presents the contents
of a system directory (on Unix systems):
Execute a shell command:
exec("ls -la $dir",$lines,$rc);
By appending a semicolon (;) followed by an Operating System
command, it is possible to force the web application into executing
the second command:
http://example/directory.php?dir=%3Bcat%20/etc/passwd
The result will retrieve the contents of the /etc/passwd file.
References
"Perl CGI Problems", By RFP - Phrack Magazine, Issue 55
http://www.wiretrip.net/rfp/txt/phrack55.txt
(See "That pesky pipe" section)
"Marcus Xenakis directory.php Shell Command Execution Vulnerability"
http://www.securityfocus.com/bid/4278
"NCSA Secure Programming Guidelines"
http://archive.ncsa.uiuc.edu/General/Grid/ACES/security/programming/#cgi
To receive your Free Application
Vulnerability Assessment for testing of one attack vulnerability of your choice, please submit your payment of $1999.00 for a second OS Commanding attack vulnerability test.
|