- Listen to our monthly AppSec Stats Flash podcast
- LEARN MORE
OS Commanding is a way of attacking a web server by remotely gaining access to the operating system (OS) and then executing system commands through a browser. The OS Commanding attack technique is typically used for unauthorized execution of operating system commands, aka OS Command Injection. OS Commanding is the direct result of mixing trusted code and untrusted data. This attack is possible when an application accepts untrusted input to build operating system commands in an insecure manner involving improper data sanitization and/or improper calling of external programs.
Once access has been gained, a hacker can upload programs to the compromised server and run them. In OS Commanding, executed commands by an attacker will run with the same privileges as the component that executed the command, (e.g., database server, web application server, web server, wrapper, application, etc.). Since the commands are executed under the privileges of the executing component, an attacker can leverage this to gain access or damage parts that are otherwise unreachable (e.g., the operating system directories and files).