1
00:00:00,540 --> 00:00:08,280
The prerequisite for an OS command injection vulnerability to exist is that server-side, the application

2
00:00:08,280 --> 00:00:15,710
makes calls to the operating system through libraries, DLLs, components or functions.

3
00:00:16,290 --> 00:00:24,720
Such calls to the operating system become vulnerable if they involve passing invalid input

4
00:00:24,720 --> 00:00:25,590
arguments.

5
00:00:26,510 --> 00:00:35,240
The slide shows a possible example of server-side invocation of a script (which makes calls

6
00:00:35,240 --> 00:00:41,630
to the operating system) to which parameters, dependent on user input, are passed.

7
00:00:45,280 --> 00:00:55,360
Malicious inputs could, for example, be executed by server-side functions such as the C++ system()

8
00:00:55,360 --> 00:01:00,550
function or the PHP exec() function.

9
00:01:03,930 --> 00:01:14,400
Attackers may also make use of shell operators such as the pipe operator or the ampersand operator to

10
00:01:14,400 --> 00:01:19,590
exploit the OS command injection vulnerability more efficiently.

11
00:01:22,720 --> 00:01:30,820
To test for the presence of the vulnerability in black box mode, you can try to inject malicious inputs such as

12
00:01:30,820 --> 00:01:36,310
a ping command that creates a delay in the response of the web application.

13
00:01:36,910 --> 00:01:42,960
So if there is actually a delay, it means that the application is vulnerable.

14
00:01:45,970 --> 00:01:53,860
Remedies for OS command injection are to avoid calling OS commands directly.

15
00:01:56,360 --> 00:02:05,120
And if the use of OS commands is unavoidable, make sure to validate the inputs from the requests

16
00:02:05,120 --> 00:02:09,800
to only a white list of possible values by discarding the rest.

17
00:02:14,000 --> 00:02:21,740
Furthermore, calls to system functions should be made with the least possible privileges.

18
00:02:26,320 --> 00:02:28,660
Thank you for your kind attention.