Remote OS Command Injection alert.


Mahesh Joshi

Oct 9, 2017, 8:45:04 AM10/9/17
to OWASP ZAP User Group
Hi All, we have recently used ZAP for security testing of our site, and the report is showing a "Remote OS Command Injection" alert with the description below:
    Description - "Attack technique used for unauthorized execution of operating system commands. This attack is possible when an application accepts untrusted input to build operating system commands in an insecure manner involving improper data sanitization, and/or improper calling of external programs."
    URL - ~/for-employees/travel?query=query%26sleep+15%26
    Method - GET
    Parameter - query
    Attack - query&sleep 15&
Our site is in .NET with Kentico CMS. Please let us know if anybody has resolved the above issue.
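The alert above is a time-based one: ZAP appended `&sleep 15&` to the parameter and reported injection because the response came back late. Before hunting through Kentico code, it is worth re-testing that single request with controlled timing, since a slow or briefly overloaded page produces the same delay. The script below is an added example, not part of the original post and not ZAP's own code; the host name is a placeholder for the site in the alert, and the `build_url` helper reproduces the exact encoding shown in the URL (`query%26sleep+15%26`).

```python
"""Re-test a ZAP 'Remote OS Command Injection' (time-based) alert.

The alert is treated as confirmed only when the extra delay scales with the
requested sleep length across several samples. A constantly slow page adds
the same delay to every request and fails that check.
"""
import statistics
import time
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, Iterable

# Assumed target, taken from the alert in the post; the host is a placeholder.
TARGET_URL = "https://example.com/for-employees/travel"
PARAM = "query"
BASELINE_VALUE = "query"  # the value the scanner started from


def build_url(value: str, base: str = TARGET_URL, param: str = PARAM) -> str:
    """URL-encode the parameter the way the alert shows it (& and space escaped)."""
    return f"{base}?{urllib.parse.urlencode({param: value})}"


def sleep_payload(seconds: int, value: str = BASELINE_VALUE) -> str:
    """Same shape as the ZAP payload in the alert: `query&sleep 15&`."""
    return f"{value}&sleep {seconds}&"


def http_get(value: str, timeout: float = 90.0) -> None:
    """Issue the GET; the status code is irrelevant here, only elapsed time."""
    req = urllib.request.Request(build_url(value), headers={"User-Agent": "zap-retest"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            resp.read()
    except urllib.error.HTTPError:
        pass  # 4xx/5xx responses still give a usable timing


def median_seconds(fn: Callable[[], None], samples: int, clock: Callable[[], float]) -> float:
    """Median wall-clock duration of `fn` over `samples` runs (median resists one slow outlier)."""
    durations = []
    for _ in range(samples):
        start = clock()
        fn()
        durations.append(clock() - start)
    return statistics.median(durations)


def confirm_time_based_injection(
    send: Callable[[str], None] = http_get,
    sleeps: Iterable[int] = (5, 10),
    samples: int = 3,
    tolerance: float = 0.7,
    clock: Callable[[], float] = time.monotonic,
) -> Dict[str, object]:
    """Return the baseline time, the extra delay per sleep length, and a verdict.

    `send(value)` performs one request with the given parameter value; `clock`
    is injectable so the logic can be exercised without a live target.
    Confirmed means every tried sleep of N seconds delayed the response by at
    least tolerance * N seconds over the baseline.
    """
    baseline = median_seconds(lambda: send(BASELINE_VALUE), samples, clock)
    deltas: Dict[int, float] = {}
    for n in sleeps:
        payload = sleep_payload(n)
        deltas[n] = median_seconds(lambda: send(payload), samples, clock) - baseline
    confirmed = all(delta >= tolerance * n for n, delta in deltas.items())
    return {"baseline": baseline, "deltas": deltas, "confirmed": confirmed}


if __name__ == "__main__":
    result = confirm_time_based_injection()
    verdict = ("CONFIRMED: find the server-side code that builds a shell command from 'query'"
               if result["confirmed"] else "not reproduced: likely a timing false positive")
    print("baseline %.2fs, extra delay per sleep %s -> %s" % (result["baseline"], result["deltas"], verdict))
```

Two sleep lengths are used on purpose: if the delay tracks 5 and then 10 seconds it is almost certainly the injected `sleep` executing, whereas a single slow response during the scan does not scale. Note also that `sleep` is not a built-in command on Windows, so if the .NET site is hosted on Windows this particular payload is less likely to be the one that actually executed; ZAP also has Windows-style timing payloads, and the same scaling check applies to them.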

Ailton Caetano

Oct 9, 2017, 9:26:39 AM10/9/17
to zaproxy-users
Hi Mahesh,

If the page where the vulnerability was reported was developed by your team, then you should take a look at the source code to get a better picture of how the bug works and a better chance of solving it.

If you need help, you should look inside Kentico's documentation or maybe ask for assistance in their GitHub (https://github.com/Kentico).


Regards,

Ailton Caetano

