OS Commanding Attacks: Injecting System Commands Through Web Applications

OS Commanding attacks compromise web applications by injecting Operating System commands through unsanitised input. The injected commands execute with the web server’s privileges — potentially giving the attacker access to the entire underlying OS and filesystem.

PHP Attack Example

http://example/directory.php?dir=%3Bcat%20/etc/passwd
# %3B decodes to a semicolon. If directory.php builds a shell string such as
# "ls -la $dir", the shell runs:  ls -la ; cat /etc/passwd
# Result: the contents of /etc/passwd are returned in the HTTP response

Perl Pipe Injection Example

http://example/cgi-bin/showInfo.pl?name=John&template=/bin/ls|
# A trailing pipe character makes Perl's two-argument open() treat the value
# as a command to execute (/bin/ls) instead of a file to read

Prevention Techniques

  • Restrict OS Command Permissions: Apply least privilege so that the web server account has no more rights than it needs; a successful injection then runs with those minimal rights.
  • Whitelist Allowed Characters: Reject any input that does not match a strict allow-list such as ^[a-zA-Z0-9/_.-]+$ (the hyphen is placed last in the class so it is a literal and not a range).
  • Filter OS Command Paths: Additionally block values naming known OS directories, e.g. /^(etc|bin|sbin|tmp|var|opt|dev|kernel)$/; such a blocklist supplements the allow-list rather than replacing it.
  • Never pass unvalidated user input to shell execution functions (exec, system, popen).
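As an added illustration (not code from the original tip), the directory.php case above handled in Python: the character allow-list from the guidance, a containment check the allow-list alone does not give, and an argv-list call that never involves a shell. BASE_DIR is an assumed document root.

```python
import posixpath
import re
import subprocess
from typing import List, Optional

# Assumed document root for listings (placeholder, not taken from the page).
BASE_DIR = "/srv/www/data"

# Allow-list from the guidance; the hyphen is last in the class so it is a
# literal "-" rather than an (invalid) "_" to "." range.
ALLOWED = re.compile(r"^[a-zA-Z0-9/_.-]+$")


def resolve(user_dir: str) -> str:
    """Map the request value onto an absolute path below BASE_DIR."""
    return posixpath.normpath(posixpath.join(BASE_DIR, user_dir.lstrip("/")))


def validate_dir(user_dir: str) -> Optional[str]:
    """Return None if user_dir is acceptable, otherwise the rejection reason.

    Check 1 rejects every shell metacharacter (";", "|", "&", "$", "`",
    whitespace ...), so both payloads shown above fail here.
    Check 2 is still needed: the allow-list admits "..", so "../../etc" is
    syntactically clean yet escapes the intended directory.
    """
    if not ALLOWED.match(user_dir):
        return "disallowed character in directory parameter"
    candidate = resolve(user_dir)
    if candidate != BASE_DIR and not candidate.startswith(BASE_DIR + "/"):
        return "path escapes the document root"
    return None


def build_listing_argv(user_dir: str) -> List[str]:
    """Build argv for the listing. No shell string is ever assembled: each
    element reaches ls as one argument, so a metacharacter that somehow
    slipped through would be data to ls, never syntax to /bin/sh. The "--"
    ends option parsing, so a value beginning with "-" cannot become a flag."""
    reason = validate_dir(user_dir)
    if reason is not None:
        raise ValueError(f"{reason}: {user_dir!r}")
    return ["ls", "-la", "--", resolve(user_dir)]


def list_directory(user_dir: str) -> str:
    """Run the listing without shell=True and return its stdout."""
    completed = subprocess.run(build_listing_argv(user_dir),
                               capture_output=True, text=True, check=False)
    return completed.stdout


if __name__ == "__main__":
    # Decoded forms of the two request payloads above, plus a traversal attempt.
    for value in [";cat /etc/passwd", "/bin/ls|", "../../etc", "public/images"]:
        print(f"{value!r}: {validate_dir(value) or 'accepted'}")
```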

XPath Injection Attacks: SQL Injection’s XML Counterpart

XPath Injection mirrors SQL Injection but targets XML databases. Unlike SQL, XPath enforces no ACLs — a successful injection can return the entire XML document. When user input is embedded directly in XPath queries without sanitisation, attackers can bypass authentication or extract all data.

Attack Example

Normal authentication query:

//user[id/text()='Mr. X' and password/text()='XYZ123']

After injecting ' or 'a' = 'a in the password field:

//user[id/text()='Mr. X' and password/text()='' or 'a' = 'a']
# 'and' binds tighter than 'or', so the predicate reads (id matches and password matches) or 'a'='a',
# which is always TRUE → authentication bypassed

ASP.NET Vulnerable Pattern

// nav is an XPathNavigator over the XML user store; both text boxes are
// concatenated into the query without validation or quoting
XPathExpression expr = nav.Compile(
    "string(//user[name/text()='" + TextBox1.Text +
    "' and password/text()='" + TextBox2.Text + "']/account/text())"
);
// If TextBox1.Text = "' or 1=1 or ''='"
// the predicate is always true and the query returns ALL account numbers
// in the XML document

Prevention Guidance

  • Validate input on both client and server.
  • Strip all meta-characters: < > / ' = "
  • XPath queries must never contain user-controlled meta-characters (' = * ? //).
  • Deploy a Web Application Firewall (WAF) in front of the site.

Source: IBM SRM Tip #09.08.01 — Original date: 04 Aug 2009. Authored by Sasikanta Pradhan, CEH®, IBM Security Risk Management Operations Team — India/SA.