T0118 - Command injection
OS command injection is a web security vulnerability that allows an attacker to execute arbitrary operating system commands on the server that is running an application. Command injection attacks are possible when an application passes unsafe user-supplied data (forms, cookies, HTTP headers, etc.) to a system shell. In this attack, the attacker-supplied operating system commands are usually executed with the privileges of the vulnerable application. Command injection attacks are possible largely due to insufficient input validation.
Summary: Command injection
Avoid calling OS commands directly
Built-in library functions are a very good alternative to OS commands, as they cannot be manipulated to perform tasks other than those they are intended to do. For example, use mkdir() instead of system("mkdir /dir_name"). If libraries or APIs are available for the language you use, this is the preferred method.
Use parametrization with input validation
If calling a system command that incorporates user-supplied input cannot be avoided, the following two layers of defense should be used within the software to prevent attacks.
1. Parametrization: If available, use structured mechanisms that automatically enforce the separation between data and command. These mechanisms can help provide the relevant quoting and encoding.
2. Input validation: Both the command and its arguments should be validated. The degree of validation differs between the command and its arguments: the command itself must be validated against a list of allowed commands.
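The following Python example is added here to illustrate the two mitigations above (library calls instead of OS commands; parametrization plus allowlist validation). It is not code from this entry. The directory-name pattern, the allowed-command table, the base directory and the "reports; id" sample input are all constructed for the demonstration; os.makedirs and subprocess.run with an argument list are the standard-library mechanisms that stand in for mkdir() and for a parametrized command call.

```python
from __future__ import annotations

import logging
import os
import re
import shlex
import shutil
import subprocess
import tempfile
from pathlib import Path

# Added example (not from the T0118 entry). Contrasts building a shell string from
# user input with the defences the text lists: a library call, an argv list with
# no shell, an allowlist of commands, and validation of every argument.

log = logging.getLogger("cmdinjection")

# Constructed allowlist for a directory name: letters, digits, "_", "-", "."; no
# path separators, whitespace or shell metacharacters can pass.
DIRNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")

# Constructed allowlist of commands the application may run; anything else is refused.
ALLOWED_COMMANDS = ("ls", "wc")


def unsafe_shell_line(user_dir: str) -> str:
    """The string a naive system() call would hand to the shell. Never executed here;
    it only shows that user input becomes part of the command line."""
    return f"mkdir /srv/data/{user_dir}"


def safe_shell_line(user_dir: str) -> str:
    """Quoting as the 'relevant quoting and encoding' layer, for the rare case where a
    shell string cannot be avoided: shlex.quote makes the input one literal word."""
    return "mkdir " + shlex.quote(user_dir)


def validate_dirname(user_dir: str) -> str:
    """Input validation: accept only allowlisted characters; log and reject the rest
    so the rejection shows up in the application audit log."""
    if not DIRNAME_RE.fullmatch(user_dir) or user_dir in (".", ".."):
        log.warning("rejected directory name %r", user_dir)
        raise ValueError("invalid directory name")
    return user_dir


def make_directory(base: Path, user_dir: str) -> Path:
    """Library function instead of an OS command: os.makedirs can only create a
    directory, it cannot be turned into a second command."""
    target = base / validate_dirname(user_dir)
    os.makedirs(target, exist_ok=True)
    return target


def run_allowed_command(command: str, args: list[str], cwd: Path) -> subprocess.CompletedProcess:
    """Parametrization: command checked against the allowlist, arguments validated,
    and the process started from an argv list with shell=False (the default), so
    each element reaches the program as one argument and is never parsed as shell."""
    if command not in ALLOWED_COMMANDS:
        log.warning("rejected command %r", command)
        raise ValueError("command not allowed")
    exe = shutil.which(command)
    if exe is None:
        raise FileNotFoundError(command)
    argv = [exe, *(validate_dirname(a) for a in args)]
    return subprocess.run(argv, cwd=cwd, capture_output=True, text=True, check=False)


def demo() -> dict:
    """Exercise the functions on constructed input inside a temporary directory and
    return the observations so they can be checked rather than just printed."""
    results: dict = {}
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        results["created"] = make_directory(base, "reports_2024").is_dir()
        try:
            make_directory(base, "reports; id")  # constructed injection-style input
            results["injection_rejected"] = False
        except ValueError:
            results["injection_rejected"] = True
        results["ls_rc"] = run_allowed_command("ls", ["reports_2024"], base).returncode
        try:
            run_allowed_command("sh", ["reports_2024"], base)
            results["bad_command_rejected"] = False
        except ValueError:
            results["bad_command_rejected"] = True
    return results


if __name__ == "__main__":
    print(demo())
    print("unsafe:", unsafe_shell_line("reports; id"))
    print("quoted:", safe_shell_line("reports; id"))
```

The validation step is deliberately applied even on the parametrized path: the argv list stops the shell from interpreting the input, but the allowlist is what keeps values such as ".." or a path with separators out of the command's reach, and the warning line it logs is the signal an audit log needs for detecting injection attempts.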
Implement least privilege
Ensure that the application runs with the least privileges necessary to perform its tasks. Avoid running the application with excessive privileges or as the root/administrator user, as this can potentially allow an attacker to gain unauthorized access to the entire system.
Implement regular patches and updates
Regular patches and updates are necessary to improve the security, performance, and reliability of software and systems. They include bug fixes, security updates, and performance improvements. Regular patches and updates also ensure compatibility with new technologies and can help maintain compliance with regulatory standards. Failure to install patches and updates can leave systems vulnerable to security threats, cause system failures or crashes, and limit the functionality of software and systems.
Configure application audit logs to detect injection attacks
Implement Web Application Firewall
A web application firewall (WAF) is a security control designed to protect web applications from application-layer attacks such as Cross-Site Scripting (XSS), SQL Injection, Cross-Site Request Forgery (CSRF) and others. A WAF acts as a filter between a web application and the incoming requests from clients, such as web browsers or mobile apps. It examines the requests and responses to and from the web application and applies a set of predefined security rules to identify and block malicious requests or traffic.