Remote OS Command Injection

Reference

Plugin Id: 90020 | CWE: 78

Remediation

Never build an OS command by concatenating request data into a string that is handed to a shell. Invoke the target program through an API that takes the command and its arguments as a separate array (an execve-style call, or a process-spawning API with shell interpretation disabled), so the operating system never parses user input as shell syntax. Where a parameter must come from the request, validate it against a stringent allowlist that limits the character set to what the parameter can legitimately contain (for example hostname characters) and reject everything else; also reject values that begin with a hyphen, or place them after a "--" separator, so they cannot be read as options by the invoked program. Allowlisting only narrows the scope of an attack: it complements, rather than replaces, keeping user input out of the shell entirely, or escaping and quoting it correctly in the rare case where a shell cannot be avoided.

About

Most OS command injection flaws stem from user input that is not validated and is passed directly into a command executed by the operating system hosting the application, typically through a shell that interprets metacharacters such as ";", "|", "&&" and "$(...)". Interacting with the operating system is sometimes required, but user-controlled data should never be used as the command itself, should reach a parameter only after strict validation, and should never be handed to a shell for interpretation.
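The following is an added example, not code from the original page or from the scanner vendor. It shows the flaw described above beside the remediation: a request parameter interpolated into a shell command string (vulnerable), the same call made with an argv list and no shell (the payload survives only as literal text), and the argv call combined with an allowlist check on the parameter. The hostname regex, the function names, and the sample input are assumptions made for illustration; "echo" stands in for a real tool such as ping or nslookup so the demo is harmless, and the vulnerable variant assumes a POSIX /bin/sh.

```python
import re
import subprocess

# Constructed sample input (not from the original page): a hostname-like
# request parameter carrying a shell command separator and a second command.
HOSTILE_INPUT = "example.com; echo INJECTED"
CLEAN_INPUT = "example.com"

# Allowlist for a DNS hostname: labels of letters, digits and hyphens, not
# starting or ending with a hyphen, joined by dots. Anything else (spaces,
# ";", "$(", a leading "-") is rejected before it reaches the OS.
HOSTNAME_RE = re.compile(
    r"[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*"
)


def is_valid_hostname(host: str) -> bool:
    """Return True only if host matches the hostname allowlist."""
    return len(host) <= 253 and HOSTNAME_RE.fullmatch(host) is not None


def lookup_unsafe(host: str) -> str:
    """VULNERABLE: the parameter is interpolated into a string that /bin/sh
    parses, so ";" ends the intended command and starts the attacker's."""
    completed = subprocess.run(
        f"echo resolving {host}", shell=True, capture_output=True, text=True
    )
    return completed.stdout


def lookup_argv_only(host: str) -> str:
    """PARTIAL FIX: no shell is involved, so the payload is passed to the
    program as one literal argument and nothing extra executes. The value is
    still unvalidated, so a leading "-" could be read as an option."""
    completed = subprocess.run(
        ["echo", "resolving", host], capture_output=True, text=True
    )
    return completed.stdout


def lookup_safe(host: str) -> str:
    """HARDENED: allowlist validation, then argv list with no shell."""
    if not is_valid_hostname(host):
        raise ValueError(f"rejected request parameter: {host!r}")
    completed = subprocess.run(
        ["echo", "resolving", host], capture_output=True, text=True
    )
    return completed.stdout


if __name__ == "__main__":
    print("unsafe   :", repr(lookup_unsafe(HOSTILE_INPUT)))
    print("argv only:", repr(lookup_argv_only(HOSTILE_INPUT)))
    print("safe     :", repr(lookup_safe(CLEAN_INPUT)))
    try:
        lookup_safe(HOSTILE_INPUT)
    except ValueError as exc:
        print("safe     :", exc)
```

With the hostile input, the shell variant prints two lines because the second command ran; the argv variants print one line containing the payload verbatim, and the validated variant refuses the value before any process is spawned. The same pattern applies to any language: pass arguments as a list to an exec-style API, and validate each one against what it is supposed to be.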

Risks

An attacker can use OS command injection to execute arbitrary commands with the privileges of the application process, and so retrieve information and files from the system. That foothold can then be used to install additional software (for example backdoors or attack tooling) and to launch further attacks against the application or other infrastructure reachable from the host.