Title: Linux_Command_Injection Vulnerability on PUT:/api/v1/primary-account/deposit-amount/{id}
Project: Sanity 7th July
Description:
Assertion
Name: Linux Injection ( 1 )
Overview: Linux Injection is an attack in which the attacker is able to execute OS commands on the hosting server via a vulnerable application. In this attack, the attacker-supplied operating system commands are usually executed with the privileges of the vulnerable application.
Severity: Command Injection is classified under the category of “Injection Attacks” by OWASP. “Injection Attacks” is ranked at 8th position in 2019 OWASP API Top 10 ( 2 ) and consistently rated at Top 1 Category of Attack by OWASP in years 2010, 2013 and 2017 ( 3 ). Command Injection is rated at 11th position in the CWE / SANS Top 25 ( 4 ).
Vulnerability Impact: Command injection is treated under the "Attack" category, in which the attacker extends the default functionality of the application so that it executes system commands. Possible consequences include:
Upload of a malicious program, or even disclosure of passwords
Full compromise of the hosting application
Compromise of other parts of the hosting infrastructure by exploiting trust relationships
Exploitation: Command Injection vulnerabilities typically occur when all of the following hold:
Data enters the application from an untrusted source.
The data is part of a string that is executed as a command by the application.
By executing the command, the application gives an attacker a privilege or capability that the attacker would not otherwise have.
Remediation: Strong input validation must be performed on all user-supplied input ( 5 ). Also follow the input validation cheat sheet from OWASP:
Use an "accept known good" input validation strategy. Reject input not strictly conforming to specifications
When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules
Do not rely exclusively on looking for malicious or malformed inputs
Risk: Linux_Command_Injection
Severity: Critical
API Endpoint: http://95.217.118.53:8080/api/v1/primary-account/deposit-amount/12345
Environment: Master
Playbook: ApiV1PrimaryAccountDepositAmountIdPutBodyParamLinuxCommandInjection
Researcher: [apisec Bot]
QUICK TIPS
Suggestion:
Effort Estimate: null Hrs
Wire Logs:
00:43:47 [D] [AVPADAIPBPLCInjection] : Endpoint [http://95.217.118.53:8080/api/v1/primary-account/deposit-amount/12345]
00:43:47 [D] [AVPADAIPBPLCInjection] : Method [PUT]
00:43:47 [D] [AVPADAIPBPLCInjection] : Authorization [Default]
00:43:47 [D] [AVPADAIPBPLCInjection] : Request headers [[Accept:"application/json", Content-Type:"application/json", Authorization=[**]]]
00:43:47 [D] [AVPADAIPBPLCInjection] : Request [{ "accountBalance" : "1433871904", "accountNumber" : "1433871904", "accountType" : "CREDIT", "createdBy" : "", "createdDate" : "", "id" : "", "inactive" : false, "modifiedBy" : "", "modifiedDate" : "", "version" : "" }]
00:43:47 [D] [AVPADAIPBPLCInjection] : Status code [200]
00:43:47 [D] [AVPADAIPBPLCInjection] : Response headers [[X-Content-Type-Options:"nosniff", X-XSS-Protection:"1; mode=block", Cache-Control:"no-cache, no-store, max-age=0, must-revalidate", Pragma:"no-cache", Expires:"0", X-Frame-Options:"DENY", Set-Cookie:"SESSION=NTNlNDRiYmUtN2RmOS00YTUwLThhNWMtNTc5MGUyZWViZjZm; Path=/; HttpOnly", Content-Type:"application/json;charset=UTF-8", Transfer-Encoding:"chunked", Date:"Tue, 14 Sep 2021 00:43:46 GMT"]]
00:43:47 [D] [AVPADAIPBPLCInjection] : Response [{ "requestId" : "None", "requestTime" : "2021-09-14T00:43:46.848+0000", "errors" : true, "messages" : [ { "type" : "ERROR", "key" : null, "value" : "invalid account type" } ], "data" : null, "totalPages" : 0, "totalElements" : 0 }]
00:43:47 [D] [AVPADAIPBPLCInjection] : Response time [2039]
00:43:47 [D] [AVPADAIPBPLCInjection] : Response size [196]
00:43:47 [I] [AVPADAIPBPLCInjection] : Assertion [@ResponseTime < 7000 OR @StatusCode == 400] resolved-to [2039 < 7000 OR 200 == 400] result [Passed]
00:46:03 [D] [AVPADAIPBPLCInjection] : Endpoint [http://95.217.118.53:8080/api/v1/primary-account/deposit-amount/12345]
00:46:03 [D] [AVPADAIPBPLCInjection] : Method [PUT]
00:46:03 [D] [AVPADAIPBPLCInjection] : Authorization [Default]
00:46:03 [D] [AVPADAIPBPLCInjection] : Request headers [[Accept:"application/json", Content-Type:"application/json", Authorization=[**]]]
00:46:03 [D] [AVPADAIPBPLCInjection] : Request [{ "accountBalance" : "2088487068", "accountNumber" : "2088487068", "accountType" : "CREDIT", "createdBy" : "", "createdDate" : "", "id" : "", "inactive" : false, "modifiedBy" : "", "modifiedDate" : "", "version" : "" }]
00:46:03 [D] [AVPADAIPBPLCInjection] : Status code [200]
00:46:03 [D] [AVPADAIPBPLCInjection] : Response headers [[X-Content-Type-Options:"nosniff", X-XSS-Protection:"1; mode=block", Cache-Control:"no-cache, no-store, max-age=0, must-revalidate", Pragma:"no-cache", Expires:"0", X-Frame-Options:"DENY", Set-Cookie:"SESSION=NTczMDg2YzItZGY2MS00YjI2LTg3MDQtMTljZmQ1M2JkMzNl; Path=/; HttpOnly", Content-Type:"application/json;charset=UTF-8", Transfer-Encoding:"chunked", Date:"Tue, 14 Sep 2021 00:46:02 GMT"]]
00:46:03 [D] [AVPADAIPBPLCInjection] : Response [{ "requestId" : "None", "requestTime" : "2021-09-14T00:46:02.973+0000", "errors" : true, "messages" : [ { "type" : "ERROR", "key" : null, "value" : "invalid account type" } ], "data" : null, "totalPages" : 0, "totalElements" : 0 }]
00:46:03 [D] [AVPADAIPBPLCInjection] : Response time [134799]
00:46:03 [D] [AVPADAIPBPLCInjection] : Response size [196]
00:46:03 [E] [AVPADAIPBPLCInjection] : Assertion [@ResponseTime < 7000 OR @StatusCode == 400] resolved-to [134799 < 7000 OR 200 == 400] result [Failed]
IMPORTANT LINKS
Vulnerability Details: https://cloud.fxlabs.io/#/app/projects/8a8093567a8012b6017a803bf31114fd/dashboard/8a8094e27bce7d6d017be1c4a8d633c7/details
Project: https://cloud.fxlabs.io/#/app/projects/8a8093567a8012b6017a803bf31114fd/allScans
Environment: https://cloud.fxlabs.io/#/app/projects/8a8093567a8012b6017a803bf31114fd/environments/8a8093567a8012b6017a803bf3181500/edit
Scan Dashboard: https://cloud.fxlabs.io/#/app/projects/8a8093567a8012b6017a803bf31114fd/profiles/8a8093567a8012b6017a803c070d16cb/runs/8a8094e27bce7d6d017be1c0ae8030e8
Playbook: https://cloud.fxlabs.io/#/app/projects/8a8093567a8012b6017a803bf31114fd/playbooks/ApiV1PrimaryAccountDepositAmountIdPutBodyParamLinuxCommandInjection
Coverage: https://cloud.fxlabs.io/#/app/projects/8a8093567a8012b6017a803bf31114fd/categories
Code Sample: https://cloud.fxlabs.io/#/app/projects/8a8093567a8012b6017a803bf31114fd/dashboard/8a8094e27bce7d6d017be1c4a8d633c7/codesamples
PS: Please contact support@apisec.ai for apisec access and login issues.
--- apisec Bot ---