Attacking the Server Using Injection-based Flaws
Components likely to be attacked
| Components | Injection flaws |
| --- | --- |
| Operating system shell | Command injection |
| Relational database (RDBMS) | SQL injection |
| Web browser | XSS attack |
| LDAP directory | LDAP injection |
| XML | XPath injection |

Command injection
Identifying parameters to inject data: When testing a web application for command injection flaws, once you have identified that the application is interacting with the command line of the underlying OS, the next step is to manipulate and probe the different parameters in the application for injection flaws, as the application may be using one of these parameters to build a command back at the web server:
- GET: input parameters are sent in URLs. Any user-controlled parameter sent using the GET method request should be tested.
- POST: input parameters are sent in the HTTP body.
- HTTP header: Applications often use header fields to identify end users and display customized information to the user depending on the value in the headers. Some of the important header fields to check for command injection:
  - Cookies
  - X-Forwarded-For
  - User-Agent
  - Referer
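
The following is an added example, not code from the original page. It shows why every location listed above matters on the server side: a value taken from a GET parameter, POST body or header and concatenated into a command string becomes shell syntax, while allowlist validation plus an argument list keeps it data. The `ping` command, the function names and the request values are assumptions constructed for illustration.

```python
import ipaddress

# Characters a POSIX shell treats specially; their presence in a value that is
# concatenated into a command string changes how the shell parses that command.
SHELL_META = set(";|&$`<>()\\\n'\"")

def build_command_unsafe(host):
    # Vulnerable pattern: request data is pasted into a string a shell will parse.
    return "ping -c 1 " + host

def build_command_safe(host):
    # Allowlist validation: the value must parse as an IP address, nothing else.
    addr = ipaddress.ip_address(host.strip())  # raises ValueError otherwise
    # Argument list, meant to be run without a shell (e.g. subprocess.run(argv)),
    # so the value is always one argument and never command syntax.
    return ["ping", "-c", "1", str(addr)]

def audit_request(request):
    """Check every user-controlled location and report values unsafe for a shell."""
    findings = []
    for location in ("query", "form", "headers"):
        for name, value in request.get(location, {}).items():
            bad = sorted(SHELL_META.intersection(value))
            if bad:
                findings.append((location, name, "".join(bad)))
    return findings

# Constructed sample request (hypothetical values, not from the original page).
SAMPLE_REQUEST = {
    "query": {"host": "192.0.2.10"},
    "form": {"target": "192.0.2.10 && echo INJECTED"},
    "headers": {
        "X-Forwarded-For": "192.0.2.10; echo INJECTED",
        "User-Agent": "demo-client/1.0",
        "Referer": "https://example.test/",
        "Cookie": "session=abc123",
    },
}

if __name__ == "__main__":
    for finding in audit_request(SAMPLE_REQUEST):
        print("shell metacharacters in", finding)
    # The unsafe builder yields a string in which ';' starts a second command.
    print(build_command_unsafe(SAMPLE_REQUEST["headers"]["X-Forwarded-For"]))
    # The safe builder only ever returns a fixed argv with a validated address.
    print(build_command_safe(SAMPLE_REQUEST["query"]["host"]))
```

The metacharacter scan is a review and logging aid; the actual mitigation is the validation and shell-free argument list in `build_command_safe`.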