Title: Windows_Command_Injection Vulnerability on POST:/api/v1/products
Project: Sanity 7th July
Description:
Assertion
Name: Windows Injection ( 1 )
Overview: Windows Injection is an attack in which the attacker is able to execute OS commands on the hosting server via vulnerable application. In this attack, the attacker-supplied operating system commands are usually executed with the privileges of the vulnerable application.
Severity: Command Injection is classified under the category of “Injection Attacks” by OWASP. “Injection Attacks” is ranked at 8th position in 2019 OWASP API Top 10 ( 2 ) and consistently rated at Top 1 Category of Attack by OWASP in years 2010, 2013 and 2017 ( 3 ). Command Injection is rated at 11th position in the CWE / SANS Top 25 ( 4 ).
Vulnerability Impact: Command injection is treated under the “Attack” category, in which the attacker extends the default functionality of the application, which executes system commands.
Upload of malicious program or even obtain password
Fully compromise the hosting application
Can compromise other parts of hosting infrastructure exploiting trust relationship
Exploitation: Command Injection vulnerabilities typically occur when
Data enters the application from an untrusted source.
The data is part of a string that is executed as a command by the application.
By executing the command, the application gives an attacker a privilege or capability that the attacker would not otherwise have.
Remediation: Strong input validation must be performed for user supplied input ( 5 ). Also follow the input validation cheat sheet from OWASP
Use an "accept known good" input validation strategy. Reject input not strictly conforming to specifications
When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules
Do not rely exclusively on looking for malicious or malformed inputs
Title: Windows_Command_Injection Vulnerability on POST:/api/v1/products Project: Sanity 7th July Description:
Assertion Name: Windows Injection ( 1 )
Overview: Windows Injection is an attack in which the attacker is able to execute OS commands on the hosting server via vulnerable application. In this attack, the attacker-supplied operating system commands are usually executed with the privileges of the vulnerable application.
Severity: Command Injection is classified under the category of “Injection Attacks” by OWASP. “Injection Attacks” is ranked at 8th position in 2019 OWASP API Top 10 ( 2 ) and consistently rated at Top 1 Category of Attack by OWASP in years 2010, 2013 and 2017 ( 3 ). Command Injection is rated at 11th position in the CWE / SANS Top 25 ( 4 ).
Vulnerability Impact: Command injection is treated under the “Attack” category, in which the attacker extends the default functionality of the application, which executes system commands.
- Upload of malicious program or even obtain password
- Fully compromise the hosting application
- Can compromise other parts of hosting infrastructure exploiting trust relationship
Exploitation: Command Injection vulnerabilities typically occur when- Data enters the application from an untrusted source.
- The data is part of a string that is executed as a command by the application.
- By executing the command, the application gives an attacker a privilege or capability that the attacker would not otherwise have.
Remediation: Strong input validation must be performed for user supplied input ( 5 ). Also follow the input validation cheat sheet from OWASP- Use an "accept known good" input validation strategy. Reject input not strictly conforming to specifications
- When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules
- Do not rely exclusively on looking for malicious or malformed inputs
References:Risk: Windows_Command_Injection Severity: Critical API Endpoint: http://95.217.118.53:8080/api/v1/products Environment: Master Playbook: ApiV1ProductsPostBodyParamWindowsCommandInjection Researcher: [apisec Bot]
QUICK TIPS
Suggestion: Effort Estimate: null Hrs Wire Logs: 00:50:03 [D] [AVPPBPWCInjection] : Endpoint [http://95.217.118.53:8080/api/v1/products] 00:50:03 [D] [AVPPBPWCInjection] : Method [POST] 00:50:03 [D] [AVPPBPWCInjection] : Authorization [Default] 00:50:03 [D] [AVPPBPWCInjection] : Request headers [[Accept:"application/json", Content-Type:"application/json", Authorization=[**]]] 00:50:03 [D] [AVPPBPWCInjection] : Request [{ "createdBy" : "", "createdDate" : "", "description" : " && powershell Start-Sleep -s 7 && ", "id" : "", "inactive" : false, "modifiedBy" : "", "modifiedDate" : "", "name" : " && powershell Start-Sleep -s 7 && ", "org" : { "createdBy" : "", "createdDate" : "", "id" : "", "inactive" : false, "modifiedBy" : "", "modifiedDate" : "", "name" : " && powershell Start-Sleep -s 7 && ", "version" : "" }, "refId" : " && powershell Start-Sleep -s 7 && ", "version" : "" }] 00:50:03 [D] [AVPPBPWCInjection] : Status code [200] 00:50:03 [D] [AVPPBPWCInjection] : Response headers [[X-Content-Type-Options:"nosniff", X-XSS-Protection:"1; mode=block", Cache-Control:"no-cache, no-store, max-age=0, must-revalidate", Pragma:"no-cache", Expires:"0", X-Frame-Options:"DENY", Set-Cookie:"SESSION=Mjk5YmEyNGEtZjVkZC00ZWM5LWI3ZDgtMTEzNmQ0Mjk2NzUy; Path=/; HttpOnly", Content-Type:"application/json;charset=UTF-8", Transfer-Encoding:"chunked", Date:"Thu, 16 Sep 2021 00:50:02 GMT"]] 00:50:03 [D] [AVPPBPWCInjection] : Response [{ "requestId" : "None", "requestTime" : "2021-09-16T00:50:03.470+0000", "errors" : true, "messages" : [ { "type" : "ERROR", "key" : "", "value" : "could not extract ResultSet; SQL [n/a]; nested exception is org.hibernate.exception.SQLGrammarException: could not extract ResultSet" } ], "data" : null, "totalPages" : 0, "totalElements" : 0 }] 00:50:03 [D] [AVPPBPWCInjection] : Response time [2556] 00:50:03 [D] [AVPPBPWCInjection] : Response size [306] 00:50:03 [I] [AVPPBPWCInjection] : Assertion [@ResponseTime < 7000 OR @StatusCode == 400] resolved-to [2556 < 7000 OR 200 == 400] result [Passed] 00:50:27 [D] [AVPPBPWCInjection] : Endpoint [http://95.217.118.53:8080/api/v1/products] 00:50:27 [D] [AVPPBPWCInjection] : Method [POST] 00:50:27 [D] [AVPPBPWCInjection] : Authorization [Default] 00:50:27 [D] [AVPPBPWCInjection] : Request headers [[Accept:"application/json", Content-Type:"application/json", Authorization=[**]]] 00:50:27 [D] [AVPPBPWCInjection] : Request [{ "createdBy" : "", "createdDate" : "", "description" : " && timeout 7 && ", "id" : "", "inactive" : false, "modifiedBy" : "", "modifiedDate" : "", "name" : " && timeout 7 && ", "org" : { "createdBy" : "", "createdDate" : "", "id" : "", "inactive" : false, "modifiedBy" : "", "modifiedDate" : "", "name" : " && timeout 7 && ", "version" : "" }, "refId" : " && timeout 7 && ", "version" : "" }] 00:50:27 [D] [AVPPBPWCInjection] : Status code [200] 00:50:27 [D] [AVPPBPWCInjection] : Response headers [[X-Content-Type-Options:"nosniff", X-XSS-Protection:"1; mode=block", Cache-Control:"no-cache, no-store, max-age=0, must-revalidate", Pragma:"no-cache", Expires:"0", X-Frame-Options:"DENY", Set-Cookie:"SESSION=N2VjYWJmNDAtZWU3Zi00YzNmLWEzOGQtMmNkYWE0NmU1M2Fh; Path=/; HttpOnly", Content-Type:"application/json;charset=UTF-8", Transfer-Encoding:"chunked", Date:"Thu, 16 Sep 2021 00:50:05 GMT"]] 00:50:27 [D] [AVPPBPWCInjection] : Response [{ "requestId" : "None", "requestTime" : "2021-09-16T00:50:05.860+0000", "errors" : true, "messages" : [ { "type" : "ERROR", "key" : "", "value" : "could not extract ResultSet; SQL [n/a]; nested exception is org.hibernate.exception.SQLGrammarException: could not extract ResultSet" } ], "data" : null, "totalPages" : 0, "totalElements" : 0 }] 00:50:27 [D] [AVPPBPWCInjection] : Response time [23941] 00:50:27 [D] [AVPPBPWCInjection] : Response size [306] 00:50:27 [E] [AVPPBPWCInjection] : Assertion [@ResponseTime < 7000 OR @StatusCode == 400] resolved-to [23941 < 7000 OR 200 == 400] result [Failed] 00:50:30 [D] [AVPPBPWCInjection] : Endpoint [http://95.217.118.53:8080/api/v1/products] 00:50:30 [D] [AVPPBPWCInjection] : Method [POST] 00:50:30 [D] [AVPPBPWCInjection] : Authorization [Default] 00:50:30 [D] [AVPPBPWCInjection] : Request headers [[Accept:"application/json", Content-Type:"application/json", Authorization=[**]]] 00:50:30 [D] [AVPPBPWCInjection] : Request [{ "createdBy" : "", "createdDate" : "", "description" : " || timeout 7 || ", "id" : "", "inactive" : false, "modifiedBy" : "", "modifiedDate" : "", "name" : " || timeout 7 || ", "org" : { "createdBy" : "", "createdDate" : "", "id" : "", "inactive" : false, "modifiedBy" : "", "modifiedDate" : "", "name" : " || timeout 7 || ", "version" : "" }, "refId" : " || timeout 7 || ", "version" : "" }] 00:50:30 [D] [AVPPBPWCInjection] : Status code [200] 00:50:30 [D] [AVPPBPWCInjection] : Response headers [[X-Content-Type-Options:"nosniff", X-XSS-Protection:"1; mode=block", Cache-Control:"no-cache, no-store, max-age=0, must-revalidate", Pragma:"no-cache", Expires:"0", X-Frame-Options:"DENY", Set-Cookie:"SESSION=MDBjYTBlZjUtMTdiNy00OTU1LTliMDQtOGIxMjBhNjkxMTgy; Path=/; HttpOnly", Content-Type:"application/json;charset=UTF-8", Transfer-Encoding:"chunked", Date:"Thu, 16 Sep 2021 00:50:29 GMT"]] 00:50:30 [D] [AVPPBPWCInjection] : Response [{ "requestId" : "None", "requestTime" : "2021-09-16T00:50:30.784+0000", "errors" : true, "messages" : [ { "type" : "ERROR", "key" : "", "value" : "could not extract ResultSet; SQL [n/a]; nested exception is org.hibernate.exception.SQLGrammarException: could not extract ResultSet" } ], "data" : null, "totalPages" : 0, "totalElements" : 0 }] 00:50:30 [D] [AVPPBPWCInjection] : Response time [3314] 00:50:30 [D] [AVPPBPWCInjection] : Response size [306] 00:50:30 [I] [AVPPBPWCInjection] : Assertion [@ResponseTime < 7000 OR @StatusCode == 400] resolved-to [3314 < 7000 OR 200 == 400] result [Passed] 00:50:32 [D] [AVPPBPWCInjection] : Endpoint [http://95.217.118.53:8080/api/v1/products] 00:50:32 [D] [AVPPBPWCInjection] : Method [POST] 00:50:32 [D] [AVPPBPWCInjection] : Authorization [Default] 00:50:32 [D] [AVPPBPWCInjection] : Request headers [[Accept:"application/json", Content-Type:"application/json", Authorization=[**]]] 00:50:32 [D] [AVPPBPWCInjection] : Request [{ "createdBy" : "", "createdDate" : "", "description" : " || powershell Start-Sleep -s 7 || ", "id" : "", "inactive" : false, "modifiedBy" : "", "modifiedDate" : "", "name" : " || powershell Start-Sleep -s 7 || ", "org" : { "createdBy" : "", "createdDate" : "", "id" : "", "inactive" : false, "modifiedBy" : "", "modifiedDate" : "", "name" : " || powershell Start-Sleep -s 7 || ", "version" : "" }, "refId" : " || powershell Start-Sleep -s 7 || ", "version" : "" }] 00:50:32 [D] [AVPPBPWCInjection] : Status code [200] 00:50:32 [D] [AVPPBPWCInjection] : Response headers [[X-Content-Type-Options:"nosniff", X-XSS-Protection:"1; mode=block", Cache-Control:"no-cache, no-store, max-age=0, must-revalidate", Pragma:"no-cache", Expires:"0", X-Frame-Options:"DENY", Set-Cookie:"SESSION=MDVhYWJiYzAtZDFmNS00YTE3LWFiZjAtMTcyNjIxNzEyYzQ5; Path=/; HttpOnly", Content-Type:"application/json;charset=UTF-8", Transfer-Encoding:"chunked", Date:"Thu, 16 Sep 2021 00:50:32 GMT"]] 00:50:32 [D] [AVPPBPWCInjection] : Response [{ "requestId" : "None", "requestTime" : "2021-09-16T00:50:32.719+0000", "errors" : true, "messages" : [ { "type" : "ERROR", "key" : "", "value" : "could not extract ResultSet; SQL [n/a]; nested exception is org.hibernate.exception.SQLGrammarException: could not extract ResultSet" } ], "data" : null, "totalPages" : 0, "totalElements" : 0 }] 00:50:32 [D] [AVPPBPWCInjection] : Response time [1939] 00:50:32 [D] [AVPPBPWCInjection] : Response size [306] 00:50:32 [I] [AVPPBPWCInjection] : Assertion [@ResponseTime < 7000 OR @StatusCode == 400] resolved-to [1939 < 7000 OR 200 == 400] result [Passed]
IMPORTANT LINKS
Vulnerability Details: https://cloud.fxlabs.io/#/app/projects/8a8093567a8012b6017a803bf31114fd/dashboard/8a8094e27bce7d6d017bec1570a67dc5/details
Project: https://cloud.fxlabs.io/#/app/projects/8a8093567a8012b6017a803bf31114fd/allScans
Environment: https://cloud.fxlabs.io/#/app/projects/8a8093567a8012b6017a803bf31114fd/environments/8a8093567a8012b6017a803bf3181500/edit
Scan Dashboard: https://cloud.fxlabs.io/#/app/projects/8a8093567a8012b6017a803bf31114fd/profiles/8a8093567a8012b6017a803c070d16cb/runs/8a8094e27bce7d6d017bec0d6681748f
Playbook: https://cloud.fxlabs.io/#/app/projects/8a8093567a8012b6017a803bf31114fd/playbooks/ApiV1ProductsPostBodyParamWindowsCommandInjection
Coverage: https://cloud.fxlabs.io/#/app/projects/8a8093567a8012b6017a803bf31114fd/categories
Code Sample: https://cloud.fxlabs.io/#/app/projects/8a8093567a8012b6017a803bf31114fd/dashboard/8a8094e27bce7d6d017bec1570a67dc5/codesamples
PS: Please contact support@apisec.ai for apisec access and login issues.
--- apisec Bot ---