OS commanding is a method of attacking a Web server by remotely gaining access to the operating system (OS) and then executing system commands through a browser. Once access has been gained in this way, a hacker can upload programs to the compromised server and run them. OS commanding is similar to command injection, a scheme in which an attacker alters dynamically generated content on a Web page by entering HTML code into an input mechanism, such as a form field that lacks effective validation constraints.

The vulnerability of a server or other network-connected computer to OS commanding attacks can be minimized by:

• Blacklisting of forbidden character sequences.
• Whitelisting of allowed character sequences.
• Restricting permissions on OS commands.
• Filtering out command directory names.

According to security experts, the main reason that OS commanding and similar exploits are on the rise is that security is not sufficiently emphasized in the development of operating systems and applications. To protect the integrity of network servers, experts recommend the implementation of simple precautions during development, such as controlling the types and numbers of characters that are accepted by servers from users.

Read more about it:
>>	The Web Application Security Consortium provides examples of OS commanding.
>>	Sverre H. Huseby outlines some common security problems in dynamic Web applications.

Last updated on: Jul 31, 2006