The designer will ensure the application does not allow command injection.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-16810 | APP3570 | SV-17810r1_rule | DCSQ-1 | High |
| Description |
|---|
| A command injection attack, is an attack on a vulnerable application where improperly validated input is passed to a command shell setup in the application. A command injection allows an attacker to execute their own commands with the same privileges as the application executing. Command injection allows immediate access to the system where the application is executing. |
| STIG | Date |
|---|---|
| Application Security and Development Checklist | 2014-12-22 |
Details
| Check Text ( C-17808r1_chk ) |
|---|
| Ask the application representative for code review or scan results from the entire application. This can be provided as results from an automated code review or a vulnerability scanning tool. See section 5.4 of the Application Security and Development STIG for additional details. If the results are provided from a manual code review, the application representative will need to demonstrate how command injection vulnerabilities are identified during code reviews. 1) If the results are not provided or the application representative cannot demonstrate how manual code reviews are performed to identify command injection vulnerabilities, it is a finding. Examples of Command Injection vulnerabilities can be obtained from the OWASP website. *Note: Web services are subject to the same coding practices of other web application code (e.g., command injection). |
| Fix Text (F-17103r1_fix) |
|---|
| Modify the application to protect against command injection attacks. |