Remote OS Command Injection


rshte...@gmail.com

Feb 21, 2021, 5:51:05 AM2/21/21
to OWASP ZAP User Group
Hi.
We have an ASP.Net application, and when we run ZAP against our web API we got a High (Medium) alert of Remote OS Command Injection. Our application does not pass user requests to outer operating system commands, and we do not use System.Diagnostics.Process.Start() anywhere within our application. Is this alert a False Positive?
Thanks

Simon Bennetts

Feb 22, 2021, 4:38:25 AM2/22/21
to OWASP ZAP User Group
That's impossible for us to say without more information.
Can you share more details from the alert, obfuscating any sensitive information of course :)

Cheers,

Simon

rshte...@gmail.com

Feb 22, 2021, 4:48:55 AM2/22/21
to OWASP ZAP User Group
Hi Simon,
Adding a screenshot with additional information.

zap-remote-os-injection.JPG

Simon Bennetts

Feb 22, 2021, 5:23:18 AM2/22/21
to OWASP ZAP User Group
Ah, ok, so this is a timing attack.
These work by trying to inject a command which will sleep for a period of time, by default 15 seconds - if the response takes longer than 15 seconds then it could well indicate a vulnerability.
The problem is that ZAP puts a significant load on target systems, so sometimes they take longer to respond.
Try increasing the sleep time via https://www.zaproxy.org/docs/desktop/ui/dialogs/options/ruleconfig/ and run just that scan rule.

Cheers,

Simon

rshte...@gmail.com

Feb 22, 2021, 6:46:40 AM2/22/21
to OWASP ZAP User Group
Thank you Simon for your answer.
I have already tried to run the command in Postman with a larger sleep parameter, and the response was not affected by that.
Does that mean that the alert is not valid?
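The two messages above describe the triage logic for a timing-based alert: a real injection makes the response delay track the requested sleep value, whereas load-induced slowness stays flat no matter how large the sleep parameter is (which is what the poster observed in Postman). The following helper, added here as an illustration and not part of the thread or of ZAP itself, applies that reasoning to latency measurements collected when re-running the rule with several sleep values. All latency numbers in it are constructed sample data, not real measurements, and the 0.8 slope cut-off is an assumed heuristic.

```python
"""Triage a ZAP "Remote OS Command Injection" timing alert from latency data.

A timing check flags a request when the response takes longer than the
configured sleep (15 s by default). To separate a true positive from a
slow-server false positive, re-run the rule with several sleep values and
look at whether the *extra* delay (over the baseline latency) grows about
1:1 with the requested sleep. Constructed sample data only; no requests are
sent by this module.
"""
from statistics import median
from typing import Dict, List

# Constructed baseline latencies (seconds) for the same endpoint without any payload.
BASELINE: List[float] = [0.9, 1.1, 1.0, 1.3, 0.8]

# Constructed run resembling the poster's observation: every response is ~15 s
# regardless of the sleep value asked for, i.e. a loaded server, not a sleep.
FALSE_POSITIVE_RUN: Dict[int, List[float]] = {
    15: [16.2, 14.8, 15.9],
    30: [15.1, 16.5, 14.9],
    60: [15.8, 15.0, 16.1],
}

# Constructed run where the delay tracks the requested sleep (what a real
# injection would look like).
TRUE_POSITIVE_RUN: Dict[int, List[float]] = {
    5: [6.0, 6.1, 5.9],
    10: [11.0, 11.2, 10.9],
    20: [21.1, 20.9, 21.0],
}


def least_squares_slope(xs: List[float], ys: List[float]) -> float:
    """Slope of the best-fit line y = k*x + c through the given points."""
    mean_x = sum(xs) / len(xs)
    mean_y = sum(ys) / len(ys)
    denom = sum((x - mean_x) ** 2 for x in xs)
    if denom == 0:
        return 0.0
    return sum((x - mean_x) * (y - mean_y) for x, y in zip(xs, ys)) / denom


def triage(baseline: List[float], by_sleep: Dict[int, List[float]],
           threshold: float = 15.0, tracking_slope: float = 0.8) -> dict:
    """Classify a timing alert.

    baseline  - latencies without payload
    by_sleep  - requested sleep seconds -> latencies observed with that sleep
    threshold - the rule's sleep/time-out setting (ZAP default is 15 s)
    Returns per-sleep medians, the fitted slope of extra delay vs. requested
    sleep, and a verdict string.
    """
    if len(by_sleep) < 2:
        # One sleep value cannot show whether the delay scales; ask for more runs.
        return {"medians": {}, "slope": None, "verdict": "insufficient data"}

    base_med = median(baseline)
    medians = {s: median(v) for s, v in by_sleep.items()}
    sleeps = sorted(medians)
    extra_delay = [medians[s] - base_med for s in sleeps]
    k = least_squares_slope(sleeps, extra_delay)

    exceeds = any(m > threshold for m in medians.values())
    if k >= tracking_slope:
        verdict = "likely true positive"          # delay follows the sleep value
    elif exceeds:
        verdict = "likely false positive (load)"  # slow, but not because of the sleep
    else:
        verdict = "no signal"                     # nothing exceeded the threshold
    return {"medians": medians, "slope": k, "verdict": verdict}


if __name__ == "__main__":
    for name, run in (("false-positive-like run", FALSE_POSITIVE_RUN),
                      ("true-positive-like run", TRUE_POSITIVE_RUN)):
        result = triage(BASELINE, run)
        print(f"{name}: slope={result['slope']:.3f} -> {result['verdict']}")
```

Feed it the medians you measure after increasing the sleep time in the rule configuration (as suggested above) and running only that scan rule; if the extra delay stays flat while the requested sleep doubles, the alert is load noise rather than command execution.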

Simon Bennetts

Feb 22, 2021, 7:02:44 AM2/22/21
to OWASP ZAP User Group
Well, it's difficult to be definitive without doing more testing, but it does sound like a false positive :)

rshte...@gmail.com

Feb 22, 2021, 7:07:04 AM2/22/21
to OWASP ZAP User Group
Thank you Simon.
I will make additional tests to check other OS injections.
Thank you for validating my thoughts.
