Operating System Command Injection (Timing Attack)

critical Web App Scanning Plugin ID 98124

Synopsis

Operating System Command Injection (Timing Attack)

Description

To perform specific actions from within a web application, it is occasionally required to run Operating System commands and have the output of these commands captured by the web application and returned to the client.

OS command injection occurs when user supplied input is inserted into one of these commands without proper sanitisation and is then executed by the server.

Cyber-criminals will abuse this weakness to perform their own arbitrary commands on the server. This can include everything from simple `ping` commands to map the internal network, to obtaining full control of the server.

By injecting OS commands that take a specific amount of time to execute, scanner was able to detect time based OS command injection. This indicates that proper input sanitisation is not occurring.

Solution

It is recommended that untrusted data is never used to form a command to be executed by the OS.
To validate data, the application should ensure that the supplied value contains only the characters that are required to perform the required action.
For example, where the form field expects an IP address, only numbers and periods should be accepted. Additionally, all control operators (`&`, `&&`, `|`, `||`, `$`, `\`, `#`) should be explicitly denied and never accepted as valid input by the server.

See Also

https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html

Plugin Details

Severity: Critical

ID: 98124

Type: remote

Published: 3/31/2017

Updated: 7/18/2022

Scan Template: api, pci, scan

Risk Information

VPR

Risk Factor: High

Score: 8.4

CVSS v2

Risk Factor: Critical

Base Score: 10

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: Tenable

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS Score Source: Tenable

CVSS v4

Risk Factor: Critical

Base Score: 9.3

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CVSS Score Source: Tenable

Reference Information