Mitigating Command Injection
Mitigation Recommendations for Command Injection Vulnerability
In this post, we will be covering the ways available to mitigate the command injection vulnerability.
Firstly, we will go through the standard practices that are generally used for mitigating the command injection vulnerabilities, followed by we will be covering how the vulnerability has been fixed in the DVWA application.
Avoid Calling OS Command Directly
One of the most effective ways is to avoid calling all the system commands directly by taking from the user input.
Using the built-in library functions is a good option, as it performs the tasks intended without tampering.
In our command injection examples, the application takes the domain name, and IP address then followed by we could append the additional system commands. The application doesn't filter and is directly passed on to the server for execution.
If you were able to view the source code, the "shell_exec()" function in PHP is being used for taking all our user inputs and passing them to the server.
shell_exec( 'ping -c 4 ' . USER_INPUT ); The escapeshellcmd() or escapeshellarg() can be used instead of "shell_exec()" to prevent command injection. What it does is, it passes everything within a single quote ensuring to run all of one text rather than breaking it into multiple commands.
If you think, in your current scenario you can not avoid it but that's the only way to go ahead. then there are other ways to mitigate it.
Whitelisting
As we covered whitelisting earlier. Whitelisting is an approach of letting only what you trust and rejecting all the unknown.
- Allowing only the valid characters, like small case letters, upper case letters, and numerics.
- Limiting only the special characters which are supposed to be used. (say, allow period "." and reject all)
- Only allowing the system command that the user is supposed to use.
In the command injection "high" example, we say the blacklisting is being used to filter a lot of characters, where the '| ' OR and SPACE operator are being filtered than of "|" only OR operator.
Blacklisting can be used but is more of an error-prone approach.
Strong Input Validation
Validating the inputs in conjunction with whitelisting provides a strong defense.
Treating every input from the client can be tampered with, verifying the inputs and ensuring it is clean from all types of malicious payloads.
A parameterization is an option where the command and the input data can be segregated using a structured mechanism. This helps in quoting the input data before processing.
Never escape the user input with metacharacters directly as it is more error-prone.
Additionally, the Regular Expressions can also be used for filtering the input before processing.
Least Privilege User Account
Use a user account with minimal privileges to execute the needed system operations on the server rather than one having admin privileges.
Command Injection - Fix (DVWA)
Let's see how the vulnerability was fixed in the DVWA application.
Log into the DVWA application and set the security level to "Impossible".
Navigate to the "Command Injection" and click on the "View Source" button at the bottom.
Note, only the partial code is displayed below.
// Split the IP into 4 octects
$octet = explode( ".", $target );
// Check IF each octet is an integer
if( ( is_numeric( $octet[0] ) ) && ( is_numeric( $octet[1] ) ) && ( is_numeric( $octet[2] ) ) && ( is_numeric( $octet[3] ) ) && ( sizeof( $octet ) == 4 ) ) {
// If all 4 octets are int's put the IP back together.
$target = $octet[0] . '.' . $octet[1] . '.' . $octet[2] . '.' . $octet[3];
// Determine OS and execute the ping command.In the above screenshot, the developer now has removed all types of blacklisting approaches and moved to a whitelist.
At the moment, only numeric IP addresses and a special character of a dot are allowed and reject all the other input.
This reduces the attack surface to a greater extent for exploitation.
More information about the mitigation techniques can be found on the OWASP website.
I Hope, Now you can secure your web applications from the command injection vulnerabilities. Thank you! :)