Name | Command Delimiters |
Summary | An attack of this type exploits a programs' vulnerabilities that allows an attacker's commands to be concatenated onto a legitimate command with the intent of targeting other resources such as the file system or database. The system that uses a filter or a blacklist input validation, as opposed to whitelist validation is vulnerable to an attacker who predicts delimiters (or combinations of delimiters) not present in the filter or blacklist. As with other injection attacks, the attacker uses the command delimiter payload as an entry point to tunnel through the application and activate additional attacks through SQL queries, shell commands, network scanning, and so on. |
Prerequisites | Software's input validation or filtering must not detect and block presence of additional malicious command. |
Solutions | Design: Perform whitelist validation against a positive specification for command length, type, and parameters. Design: Limit program privileges, so if commands circumvent program input validation or filter routines then commands do not running under a privileged account Implementation: Perform input validation for all remote content. Implementation: Use type conversions such as JDBC prepared statements. |
Related Weaknesses |
CWE ID | Description |
CWE-77 | Improper Neutralization of Special Elements used in a Command ('Command Injection') |
CWE-78 | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') |
CWE-93 | Improper Neutralization of CRLF Sequences ('CRLF Injection') |
CWE-138 | Improper Neutralization of Special Elements |
CWE-140 | Improper Neutralization of Delimiters |
CWE-146 | Improper Neutralization of Expression/Command Delimiters |
CWE-154 | Improper Neutralization of Variable Name Delimiters |
CWE-157 | Failure to Sanitize Paired Delimiters |
CWE-184 | Incomplete List of Disallowed Inputs |
CWE-185 | Incorrect Regular Expression |
CWE-697 | Incorrect Comparison |
CWE-713 | OWASP Top Ten 2007 Category A2 - Injection Flaws |
|