WHAT IS COMMAND INJECTION?
With a command injection attack, the goal is to hijack a vulnerable application in order to execute arbitrary commands on the host operating system. Command injection is made possible when an application passes unsafe user-supplied data (forms, cookies, HTTP headers, etc.) to a system shell. In this attack, the attacker-supplied operating system commands are usually executed with the privileges of the vulnerable application.
What are Command Injection Vulnerabilities?
Command injection vulnerabilities are most often found in older, legacy code, such as CGI scripts. By identifying a critical vulnerability, attackers can insert malicious code in an application, gaining functionality and ultimately executing specific commands that infect the targeted user and system networks. Under this attack, functionality on the application server can be modified and invoked. With unauthorized access to data, an account can add additional commands and potentially take complete control of the web server’s host operating system.
Command injection was one of the top 10 vulnerability attack for Summer 2019, according to Contrast Security’s AppSec Threat Intelligence Report.
During September–October 2020 .NET applications saw an increased rate of attacks. Command Injection attacks comprised the largest change, with 98% of applications targeted in September–October as compared to 57% in July–August.