
OS Command Injection (CWE-78)

 

CWE-78 describes OS Command Injection as follows:

“The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.”

According to OWASP, “Command injection is an attack in which the goal is execution of arbitrary commands on the host operating system via a vulnerable application. Command injection attacks are possible when an application passes unsafe user supplied data (forms, cookies, HTTP headers etc.) to a system shell. In this attack, the attacker-supplied operating system commands are usually executed with the privileges of the vulnerable application. Command injection attacks are possible largely due to insufficient input validation”.

The impact of a command injection attack ranges from loss of data confidentiality and integrity (for example, reading or modifying resources the user is not authorized to access) to full unauthorized remote access to the host running the vulnerable application (deleting files, creating new user accounts, and so on). In all cases the injected commands run with the privileges of the application process, so the damage is bounded only by what that account is allowed to do.

Unlike injection attacks tied to a specific query language (SQL injection, LDAP injection, XPath injection), command injection can occur on any operating system (Windows and Unix-based) and in any programming language that can invoke OS commands (C/C++, Java, PHP, etc.).

The first remediation is therefore to avoid invoking external commands at all where an equivalent library or API call exists. Where a command is unavoidable, run the application under an unprivileged account that holds only the rights the intended commands need, so that a successful injection is limited in what it can do. Pass the command and its arguments to the OS as a separate program name and argument vector rather than as a single string handed to a shell: if no shell parses the string, shell metacharacters in the input have no special meaning.

The root cause of most command injection vulnerabilities, however, is missing or incorrect validation of the input that ends up in the command, so input validation is required as well.

For a web application, URL parameters, form fields, cookies and headers that reach a command must be validated. A “blacklist” of shell metacharacters (;, &, |, `, $, newline, and so on) is one option, but it is hard to enumerate every character that is special to every shell on every platform, and a single omission defeats the check. A “white list” that accepts only the characters the parameter legitimately needs (for example, the hostname alphabet for a host parameter), or only a fixed set of permitted commands, is the safer approach.
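The following Python example, added here and not taken from the original page or from Kiuwan, shows the remediations above side by side: a command built by string concatenation and run through a shell (the CWE-78 pattern), a naive blacklist that a command substitution bypasses, the same command passed as an argument vector with no shell, and a white list check on the host parameter. The sample host values and the hostname regular expression are constructed for the example; `echo` stands in for the real command (ping, nslookup, etc.) so that the code runs anywhere, and it is assumed to run on a Unix-like system where `shell=True` means `/bin/sh`.

```python
import re
import subprocess

# Constructed sample inputs for this example (not taken from the original page).
SAFE_HOST = "example.com"
CHAINED_HOST = "example.com; echo INJECTED"        # ';' chains a second command
SUBSTITUTION_HOST = "example.com$(echo INJECTED)"  # passes a ';'-style blacklist

# White list: a hostname made only of letters, digits, dots and hyphens,
# starting and ending with an alphanumeric character. Anything else is rejected.
# (Illustrative; a production check would also enforce label length and DNS rules.)
HOSTNAME_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.-]{0,251}[A-Za-z0-9])?")


def run_vulnerable(host: str) -> str:
    """CWE-78: untrusted input concatenated into a string handed to the shell.

    'echo' stands in for the real command (ping, nslookup, ...) so the example
    runs anywhere; the shell parses metacharacters in `host` exactly the same way.
    """
    command = "echo Resolving " + host
    result = subprocess.run(command, shell=True, capture_output=True, text=True)
    return result.stdout


def naive_blacklist_allows(host: str) -> bool:
    """A blacklist of 'obvious' shell metacharacters; it misses $(...), among others."""
    return not any(ch in host for ch in ";&|`\n")


def run_argv(host: str) -> str:
    """Same command, but passed as an argument vector with no shell.

    `host` becomes a single argv element; no shell ever interprets it, so
    metacharacters are just bytes in the argument.
    """
    result = subprocess.run(["echo", "Resolving", host], capture_output=True, text=True)
    return result.stdout


def validate_host(host: str) -> str:
    """White list validation: return the host unchanged or raise ValueError."""
    if not HOSTNAME_RE.fullmatch(host):
        raise ValueError(f"rejected host: {host!r}")
    return host


def run_hardened(host: str) -> str:
    """Both mitigations together: white list validation, then no shell."""
    return run_argv(validate_host(host))


if __name__ == "__main__":
    print(run_vulnerable(CHAINED_HOST), end="")       # a second line "INJECTED" appears
    print(naive_blacklist_allows(SUBSTITUTION_HOST))  # True: the blacklist is bypassed
    print(run_vulnerable(SUBSTITUTION_HOST), end="")  # "Resolving example.comINJECTED"
    print(run_argv(CHAINED_HOST), end="")             # printed literally, nothing executed
    print(run_hardened(SAFE_HOST), end="")
    try:
        run_hardened(CHAINED_HOST)
    except ValueError as exc:
        print(exc)
```

Note that `run_argv` alone already prevents the injection, because the argument never reaches a shell; the white list in `run_hardened` is still worth keeping, since the invoked program may itself interpret its arguments (option-like values starting with `-`, for instance), and validation also gives the analyzer a clear sanitization point to recognize.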

 

OS Command Injection (CWE-78) coverage by Kiuwan

 

In Kiuwan, you can find the rules covering OS Command Injection (CWE-78) by filtering by Vulnerability Type (“Injection”) and/or by CWE tag (“CWE:78”).

Kiuwan provides the following rules for OS Command Injection (CWE-78), listed by language. Visit the documentation page of each rule for detailed information on functionality, coverage, parameterization, remediation, code examples, etc.

 

Language       Rule code
Abap           OPT.ABAP.SEC.CommandInjection
C              OPT.C.CERTC.ENV04
               OPT.C.CERTC.STR02
C#             OPT.CSHARP.CommandInjection
C++            OPT.CPP.CERTC.ENV04
               OPT.CPP.CERTC.STR02
Cobol          OPT.COBOL.SEC.OSCommandInjection
Java           OPT.JAVA.SEC_JAVA.CommandInjectionRule
Javascript     OPT.JAVASCRIPT.CommandInjection
Objective-C    OPT.OBJECTIVEC.DoNotUseSystem
PHP            OPT.PHP.CommandInjection
Python         OPT.PYTHON.SECURITY.CommandInjection
RPG IV         OPT.RPG4.SEC.OSCommandInjection
Swift          OPT.SWIFT.SECURITY.CommandInjection
