Which vulnerability occurs when web input is passed to a system command without proper validation?

Study for the SANS560 GIAC Penetration Tester (GPEN) Test. Study with flashcards and multiple choice questions, each question has hints and explanations. Get ready for your exam!

Multiple Choice

Which vulnerability occurs when web input is passed to a system command without proper validation?

Explanation:

When untrusted user input is concatenated into an operating-system command and executed without validation or proper escaping, an attacker can change the command the server actually runs. Shell metacharacters such as `;`, `|`, `&&`, `$( )` and backticks let the attacker append commands of their own, which can expose sensitive data or hand them control of the host. This vulnerability is known as Command Injection (also called OS Command Injection).

The other options in the list are different. A buffer overflow is a memory-safety bug: more data is written into a fixed-size buffer than it can hold, corrupting adjacent memory and causing crashes or, in the worst case, arbitrary code execution; it does not work by inserting text into a command string. SQL injection targets how data flows into a database query, letting the attacker manipulate the database rather than the operating system. Cross-site scripting injects malicious script into web pages viewed by other users; it runs in the victim's browser, not as OS commands on the server.

A quick mental model: if a web app builds a shell command by appending user input and then executes it, the input can include shell operators or additional commands, and the system runs them. To prevent this, avoid passing raw input to a shell at all; use APIs that take the command and its arguments as separate parameters, so the input is never parsed as shell syntax; validate input against a strict allowlist of expected values; and run the command with the least privileges necessary, so that a successful injection gains as little as possible.
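The mental model above, as an added Python example (not part of the original flashcard): a "ping this host" feature written the vulnerable way (string concatenation plus `shell=True`), the same feature with an argument list and no shell, and an allowlist check in front of it. The attacker input and the use of `echo` in place of a real `ping` binary are constructed so the code runs offline; `/bin/sh` and `echo` are assumed to be present.

```python
import re
import subprocess

# Constructed attacker input: a valid-looking host followed by a shell
# metacharacter and a second command. "echo INJECTED" stands in for the
# "id", "cat /etc/passwd" or reverse-shell payload a real attacker would send.
ATTACKER_INPUT = "127.0.0.1; echo INJECTED"

# Allowlist: hostnames/IPs only. Anything with spaces, ';', '|', '$', '`' etc.
# is rejected before it gets anywhere near a command.
HOST_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")


def validate_host(host: str) -> str:
    """Reject any value that is not a plain hostname or IP address."""
    if not HOST_RE.fullmatch(host):
        raise ValueError(f"rejected host value: {host!r}")
    return host


def run_vulnerable(host: str) -> str:
    """VULNERABLE: the command is a single string handed to /bin/sh.

    The shell parses the whole string, so ';', '|', '&&', '$( )' and
    backticks inside `host` become shell syntax, not data.
    `echo` is used instead of `ping` so this is harmless and runs offline.
    """
    cmd = f"echo Pinging {host}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_argv_only(host: str) -> str:
    """Safer: command and parameters are separate list items, no shell.

    Without a shell nothing interprets metacharacters; the attacker's text
    reaches the program as one literal argument. Still no validation here.
    """
    return subprocess.run(["echo", "Pinging", host],
                          capture_output=True, text=True).stdout


def run_safe(host: str) -> str:
    """Hardened: allowlist validation first, then the argv form."""
    return run_argv_only(validate_host(host))


if __name__ == "__main__":
    print("vulnerable:", repr(run_vulnerable(ATTACKER_INPUT)))   # two lines: injection ran
    print("argv only :", repr(run_argv_only(ATTACKER_INPUT)))   # one line: payload is literal text
    try:
        run_safe(ATTACKER_INPUT)
    except ValueError as exc:
        print("safe      :", exc)                              # rejected before execution
```

The argv form alone already defeats this payload, but keep the allowlist too: a list argument still lets an attacker pass unexpected flags or paths to the target program (for instance a value starting with `-`), and validation is what keeps those out. Whatever executes the command should also run as a low-privilege service account, not as root or the web server's administrator.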
