Remote OS Command Injection really happening?


Albert Z

Jun 24, 2015, 4:13:05 PM
to zaprox...@googlegroups.com
In a recent scan Remote OS Command Injection issues were identified. Upon analysis, the OS command "|Timout /T 5" was injected in values that are not in any way used on the server. The values are used on the browser and sent back because they are part of the model. After the request, the response is a 302 Found status code with a link that automatically redirects the browser. Using Fiddler I have injected several OS commands just to see if any reaction was given by the OS, but nothing. The values are not read from the post, they are not used on the server side.

If this were real I would say, yes, it is a high severity security issue. However, talking it through with the architect, there is no way that these values are used in OS instructions.

My questions are:
  • Why would a 302 response mean that there is an issue?
  • What response does this test expect? What kind of response makes the test identify an issue? Where can I find more details about the test? A bit more than the text in the report.
  • Without suppressing the test, can ZAP be configured to handle this test differently?
Regards,
Albert

thc...@gmail.com

Jun 25, 2015, 5:01:50 AM
to zaprox...@googlegroups.com
Hi.

Which ZAP version are you using?

The "Remote OS Command Injection" scanner had an issue that caused time
related false positives. [1]


[1] https://github.com/zaproxy/zaproxy/issues/1592

Best regards.

On 24/06/15 21:13, Albert Z wrote:
> In a recent scan Remote OS Command Injection issues were identified.
> Upon analysis, the OS command "|Timout /T 5" was injected in values that
> are not in any way used on the server. The values are used on the
> browser and sent back because they are part of the model. After the
> request, the response is a 302 Found status code with a link that
> automatically redirects the browser. Using Fiddler I have injected
> several OS commands just to see if any reaction was given by the OS, but
> nothing. The values are not read from the post, they are not used on the
> server side.
>
> If this were real I would say, yes, it is a high severity security
> issue. However, talking it through with the architect, there is no way
> that these values are used in OS instructions.
>
> My questions are:
>
> * Why would a 302 response mean that there is an issue?
> * What response does this test expect? What kind of response makes the
> test identify an issue? Where can I find more details about the
> test? A bit more than the text in the report.
> * Without suppressing the test, can ZAP be configured to handle this
> test differently?
>
> Regards,
> Albert

Albert Z

Jun 26, 2015, 12:59:18 PM
to zaprox...@googlegroups.com
I am using 2.4.0 and get this issue. In a previous version I did not have this issue.

So, from the issue description I learn that if the response is too fast then it used to be a false positive. Well, from my load and performance testing I know that ours is not the fastest website ever.

How is this test related to response times?
What is the test expecting for response times?
Is it something like: first send the original request then send the attack and if the attack response takes more than 5 seconds longer than the original then the attack was successful?

Regards,
Albert

On Thursday, June 25, 2015 at 4:01:50 AM UTC-5, thc202 wrote:
> Hi.

kingthorin+owaspzap

Jun 26, 2015, 2:01:12 PM
to zaprox...@googlegroups.com
> Is it something like: first send the original request then send the attack and if the attack response takes more than 5 seconds longer than the original then the attack was successful?

Exactly.
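The scheme confirmed above (one baseline request, one request carrying a sleep payload, and a finding if the second takes the requested number of seconds longer) as a simulation, added here as an illustration and not code from ZAP or from anyone in this thread. It shows why a single-sample comparison fires on a slow, jittery site like the one Albert describes even when the parameter never reaches the OS, and contrasts it with an assumed hardening (several baseline samples, two different requested delays, and a check that the measured extra time tracks the requested delay). The hardening is an assumption for illustration, not a description of the fix for issue #1592. The latencies, the `make_server` fake, the `id=1` parameter and all function names are constructed; nothing here sends network traffic.

```python
"""Simulation of a time-based OS command injection check and its false positives."""
import itertools
import re
import statistics
from typing import Callable, Sequence

# Constructed response times, in seconds, for a slow and jittery site: one
# request out of a handful takes several seconds longer than the others for
# reasons that have nothing to do with the value being tested.
SLOW_SITE_LATENCIES: Sequence[float] = (1.2, 6.9, 1.4, 1.1, 1.3, 1.5, 1.2)

# The sleep token in the form the report shows ("timeout /T <seconds>").
_SLEEP_TOKEN = re.compile(r"/T\s+(\d+)")


def make_server(latencies: Sequence[float], vulnerable: bool) -> Callable[[str], float]:
    """Return a fake 'send' function that takes the parameter value and returns
    the simulated response time in seconds (constructed, no network involved).

    A 'vulnerable' server pretends the value reaches a shell, so a sleep token
    adds the requested seconds. A non-vulnerable server, like Albert's, never
    looks at the value and simply returns its next latency.
    """
    clock = itertools.cycle(latencies)

    def send(value: str) -> float:
        latency = next(clock)
        if vulnerable:
            match = _SLEEP_TOKEN.search(value)
            if match:
                latency += int(match.group(1))
        return latency

    return send


def payload_for(original: str, seconds: int) -> str:
    """Append a sleep of `seconds` to the original value, in the report's form."""
    return f"{original}|timeout /T {seconds}"


def naive_is_injectable(send: Callable[[str], float], original: str, delay: int = 5) -> bool:
    """The scheme as Albert describes it: one baseline, one attack request,
    and a finding if the attack response took at least `delay` seconds longer."""
    baseline = send(original)
    attack = send(payload_for(original, delay))
    return attack - baseline >= delay


def robust_is_injectable(send: Callable[[str], float], original: str,
                         delays=(5, 10), samples: int = 3, tolerance: float = 0.8) -> bool:
    """Assumed hardening (not ZAP's actual fix):
    - take the median of several baseline requests, so one slow response does
      not become the baseline;
    - require the extra time to show up for two different requested delays;
    - require the gap between the two attack timings to track the gap between
      the requested delays, which a merely slow server will not do.
    """
    baseline = statistics.median(send(original) for _ in range(samples))
    deltas = []
    for d in delays:
        delta = send(payload_for(original, d)) - baseline
        if delta < tolerance * d:
            return False
        deltas.append(delta)
    return deltas[1] - deltas[0] >= tolerance * (delays[1] - delays[0])


def demo() -> dict:
    """Run both checks against a non-vulnerable and a vulnerable fake server."""
    results = {}
    for name, vulnerable in (("not_vulnerable", False), ("vulnerable", True)):
        results[name] = {
            "naive": naive_is_injectable(make_server(SLOW_SITE_LATENCIES, vulnerable), "id=1"),
            "robust": robust_is_injectable(make_server(SLOW_SITE_LATENCIES, vulnerable), "id=1"),
        }
    return results


if __name__ == "__main__":
    for name, verdicts in demo().items():
        print(name, verdicts)
```

With the constructed latencies the naive check reports the non-vulnerable server as injectable (baseline 1.2 s, attack response 6.9 s, a difference of 5.7 s that is pure jitter), which is exactly the situation Albert is looking at: a finding with no server-side use of the value. The multi-sample check does not fire for that server and still fires for the vulnerable one, because only a server that actually sleeps produces a second delay that grows with the requested number of seconds. When triaging such a report, measuring the page's normal response-time spread a few times before trusting a single time-based finding is the practical equivalent of the first bullet.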