T0118 - Command injection

OS command injection is a web security vulnerability that allows an attacker to execute arbitrary operating system commands on the server that is running an application. Command injection attacks are possible when an application passes unsafe user-supplied data (forms, cookies, HTTP headers, etc.) to a system shell. In this attack, the attacker-supplied operating system commands are usually executed with the privileges of the vulnerable application. Command injection attacks are possible largely due to insufficient input validation.

ID: T0118
Type: Technique
Tactic: Execution
Summary: Command injection
State: draft

Mitigations

ID: M1180
Type: Mitigation
Summary: Avoid calling OS commands directly
Description: Built-in library functions are a very good alternative to OS commands, as they cannot be manipulated into performing tasks other than those they are intended to do. For example, use mkdir() instead of system("mkdir /dir_name"). If the language you use offers a library or API for the task, that is the preferred method.

ID: M1181
Type: Mitigation
Summary: Use parametrization with input validation
Description: If calling a system command that incorporates user-supplied input cannot be avoided, the following two layers of defense should be used within the software to prevent attacks.
  1. Parametrization: If available, use structured mechanisms that automatically enforce the separation between data and command. These mechanisms can help provide the relevant quoting and encoding.
  2. Input validation: Both the command and its arguments should be validated. There are different degrees of validation for the command itself and for its arguments. The commands used must be validated against a list of allowed commands.

ID: M1182
Type: Mitigation
Summary: Implement least privilege
Description: Ensure that the application runs with the least privileges necessary to perform its tasks. Avoid running the application with excessive privileges or as the root/administrator user, as this can allow an attacker to gain unauthorized access to the entire system.

ID: M1720
Type: Mitigation
Summary: Implement regular patches and updates
Description: Regular patches and updates are necessary to improve the security, performance, and reliability of software and systems. They include bug fixes, security updates, and performance improvements. Regular patches and updates also ensure compatibility with new technologies and can help maintain compliance with regulatory standards. Failure to install patches and updates can leave systems vulnerable to security threats, cause system failures or crashes, and limit the functionality of software and systems.

Detections

ID: D1170
Type: Detection
Summary: Configure application audit logs to detect injection attacks
Description: Audit logs can help you monitor application traffic in order to detect injection attacks. Audit logs can be configured on multiple layers: for example, you can enable access logging for a web server or use your own custom application events. Monitor for SQL-like statements, JavaScript code and shell command constructions inside application requests, and also check for multiple error events in application logs. Create an allow-list of commands and monitor for attempts to use commands outside this list.

ID: D1171
Type: Mitigation
Summary: Implement Web Application Firewall
Description: A web application firewall (WAF) is a security control designed to protect web applications from web-based attacks, including Cross-Site Scripting (XSS), SQL Injection, Cross-Site Request Forgery (CSRF), and other application-layer attacks. A WAF acts as a filter between a web application and the incoming requests from clients, such as web browsers or mobile apps. It examines the requests and responses to and from the web application and applies a set of predefined security rules to identify and block malicious requests or traffic.

References

  1. https://owasp.org/www-community/attacks/Command_Injection
  2. https://portswigger.net/web-security/os-command-injection