Detections
Analytics
Operating System Command Injection (Timing Attack)
Description
To perform specific actions from within a web application, it is occasionally required to run Operating System commands and have the output of these commands captured by the web application and returned to the client.
OS command injection occurs when user supplied input is inserted into one of these commands without proper sanitisation and is then executed by the server.
Cyber-criminals will abuse this weakness to perform their own arbitrary commands on the server. This can include everything from simple `ping` commands to map the internal network, to obtaining full control of the server.
By injecting OS commands that take a specific amount of time to execute, scanner was able to detect time based OS command injection. This indicates that proper input sanitisation is not occurring.
Products, Sensors, and Dependencies
| Product | Dependencies | Data source | Access required | Protocol | Data Collected | Notes |
|---|---|---|---|---|---|---|
| Tenable Web App Scanning | Web Applications | Authenticated Scan | HTTP/HTTPS | Command Injection | Plugin IDs: 98124 |
References
Attack Path Technique Details
Framework: OWASP
Family: Injection
Technique: Code Injection
Sub-Technique: Operating System Command Injection (Timing Attack)
Platform: Web Application
Products Required: Tenable Web App Scanning
Tenable Release Date: 2022 Q2