How to reproduce remote os command injection finding from ZAP?


Christian

Mar 15, 2018, 10:17:17 AM3/15/18
to OWASP ZAP User Group
Hi everybody,

we are using ZAP for testing our hybris application.
It shows an OS command injection 6 times, but I am not able to reproduce this error.
ZAP reports the error for GET requests to a js file resource.

Alert 1 from ZAP:
URL: <path_to_js_file>
Parameter: Host
Attack: <servername>:sleep 15

Alert 2 from ZAP:
URL: <path_to_js_file>
Parameter: Referer
Attack: <referer>:sleep 15

I always get the same js file as response no matter if I resend the attack or the original request.
I even get no other response if I change sleep 15 to, for example, "ls".

Why does ZAP show this finding? Can someone explain to me how to reproduce the alert and why ZAP thinks that remote OS commands are possible?

Thanks and greetings,
Christian

guttula

Mar 15, 2018, 10:35:11 AM3/15/18
to OWASP ZAP User Group
In this case the payload is testing for timing-based command injection. The expected result is to have a response time that is more than 15 seconds due to the sleep command executing. If resending a similar query does not make the response time significantly longer (15 seconds), then it's possible that this is a false positive. If the response time is close to the number of seconds that you're trying to sleep, then it's possible there is a command execution in the parameter.

Timing-based OS command injections often have false positives if the service has been under too much traffic during scans. Since heavy traffic makes response times longer it might seem that 'sleep 15' has been executed in the backend when in reality it's just been due to the load.
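One way to do the check this reply describes is to replay the original GET and the GET carrying ZAP's payload header several times each, compare the timings with medians rather than single samples, and treat a baseline that swings wildly (a loaded server) as inconclusive instead of as a hit. The script below is an added example, not code from ZAP, hybris or anyone in the thread; the URL, the header values, the thresholds, the sample timings and the loopback demo server that returns the same js file for every request are all constructed placeholders.

```python
import statistics
import threading
import time
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Callable, Dict, List, Sequence

# Delay requested by the ZAP payload shown in the alert ("<servername>:sleep 15").
SLEEP_SECONDS = 15.0


def time_requests(send: Callable[[Dict[str, str]], None],
                  headers: Dict[str, str], samples: int = 5) -> List[float]:
    """Send the same request `samples` times; return each round trip in seconds."""
    timings = []
    for _ in range(samples):
        start = time.perf_counter()
        send(headers)
        timings.append(time.perf_counter() - start)
    return timings


def classify(baseline: Sequence[float], injected: Sequence[float],
             sleep_seconds: float = SLEEP_SECONDS) -> str:
    """Turn two sets of timings into a verdict (thresholds are assumptions).

    likely-injection : every payload request is ~sleep_seconds slower than every
                       baseline request, which load alone does not produce
    inconclusive     : baseline timings swing by more than half the sleep (the
                       server is busy), or the payload is only partly slower;
                       retest when the server is quiet
    false-positive   : payload requests are not noticeably slower than baseline
    """
    base_med = statistics.median(baseline)
    inj_med = statistics.median(injected)
    if min(injected) - max(baseline) >= 0.8 * sleep_seconds:
        return "likely-injection"
    noisy = max(baseline) - min(baseline) > sleep_seconds / 2
    if noisy or inj_med - base_med >= 0.3 * sleep_seconds:
        return "inconclusive"
    return "false-positive"


def triage(url: str, payload_header: str, payload_value: str,
           samples: int = 5, sleep_seconds: float = SLEEP_SECONDS) -> dict:
    """Replay the original GET and the GET carrying ZAP's payload header against url."""
    def send(headers: Dict[str, str]) -> None:
        req = urllib.request.Request(url, headers=headers)
        # Allow for the sleep plus network overhead before giving up on a response.
        with urllib.request.urlopen(req, timeout=2 * sleep_seconds + 5) as resp:
            resp.read()

    baseline = time_requests(send, {}, samples)
    injected = time_requests(send, {payload_header: payload_value}, samples)
    return {"baseline": baseline, "injected": injected,
            "verdict": classify(baseline, injected, sleep_seconds)}


class _StaticJs(BaseHTTPRequestHandler):
    """Constructed stand-in for the application server: returns the same js file
    for any request and ignores the Host and Referer headers entirely."""
    body = b"window.demo = 1;\n"

    def do_GET(self) -> None:
        self.send_response(200)
        self.send_header("Content-Type", "application/javascript")
        self.send_header("Content-Length", str(len(self.body)))
        self.end_headers()
        self.wfile.write(self.body)

    def log_message(self, *args) -> None:  # keep the demo output quiet
        pass


def run_demo() -> dict:
    """Start the demo server on a loopback port, triage against it, shut it down."""
    server = HTTPServer(("127.0.0.1", 0), _StaticJs)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        url = f"http://127.0.0.1:{server.server_address[1]}/static/app.js"
        return triage(url, "Host", f"127.0.0.1:sleep {int(SLEEP_SECONDS)}", samples=3)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    result = run_demo()
    print("baseline:", [round(t, 3) for t in result["baseline"]])
    print("injected:", [round(t, 3) for t in result["injected"]])
    print("verdict: ", result["verdict"])
```

Run it as-is to see the demo server classified as a false positive; point `triage` at the real URL from the alert, with the `Host` or `Referer` value ZAP reported, to replay the finding against your own application. The decision deliberately compares the slowest baseline sample with the fastest payload sample before calling anything an injection, so a single slow response caused by scan traffic cannot by itself look like `sleep 15` running.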