OS Command Injection is a form of shell injection attack, mostly used to execute unauthorized operating system (OS) commands on the target system (usually a web server) and degrade its performance. In this attack, the attacker looks for a vulnerable application and exploits it to gain unauthorized access to the host operating system. With that access, the attacker can alter or corrupt a database, steal customer records, or in some cases launch a Distributed Denial of Service (DDoS) attack.
Procedure For The Attack
- First, the attacker looks for critical loopholes in the targeted web application.
- Using such a vulnerability, the attacker inserts malicious commands into the host server's OS and gains whatever functionality the primary application has there.
- The attacker then injects unwanted system-level commands via user-supplied data, such as form fields or cookies, through the vulnerable application to retrieve information about the web server or gain unauthorized access to it.
Mitigation For The Attack
Never call out to OS commands from application-layer code, and apply strong server-side validation to all user input. Implement a whitelist of accepted commands and values so that anything not on the list is rejected. Also, disable access to any application that has been compromised.
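As an added example (not code from the original article), the following Python shows the vulnerable pattern next to the whitelisted form described above: the unsafe builder splices user text into a shell command string, while the hardened builder validates against a constructed allowlist and hands the OS an argument list so no shell ever interprets the value. The tool name (`ping`) and the allowed host names are assumptions for illustration.

```python
import re
import subprocess
from typing import List

# Constructed allowlist: the only values this feature may ever hand to the OS.
ALLOWED_HOSTS = {"db01", "db02", "cache01"}
# Conservative character set for a hostname; anything else is rejected outright.
HOSTNAME_RE = re.compile(r"^[a-z0-9][a-z0-9.-]{0,62}$")


def build_ping_vulnerable(user_input: str) -> str:
    """The defect: untrusted text is concatenated into a shell command line.
    A shell would treat ';', '&&', '|' or '`' in user_input as operators.
    The string is only returned here, never executed, to show the problem."""
    return "ping -c 1 " + user_input


def is_allowed_host(user_input: str) -> bool:
    """Server-side validation: syntactic check, then allowlist membership."""
    if not HOSTNAME_RE.fullmatch(user_input):
        return False
    return user_input in ALLOWED_HOSTS


def build_ping_hardened(user_input: str) -> List[str]:
    """Validate, then build an argv list. Raises ValueError on bad input."""
    if not is_allowed_host(user_input):
        raise ValueError("hostname rejected by validation/allowlist")
    # A list with shell=False goes straight to exec(); metacharacters in an
    # argument are plain bytes, never shell operators.
    return ["ping", "-c", "1", user_input]


def run_ping(hostname: str) -> int:
    """Execute the hardened command and return its exit status."""
    argv = build_ping_hardened(hostname)
    return subprocess.run(argv, shell=False, check=False, capture_output=True).returncode
```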