SIN 10COMMAND INJECTION
OVERVIEW OF THE SIN
In 1994 the author of this chapter was sitting in front of an SGI computer running IRIX that was simply showing the login screen. It gave the option to print some documentation, and specify the printer to use. The author imagined what the implementation might be, tried a nonobvious printer, and suddenly had an administrator window on a box the author not only wasn’t supposed to have access to, but also wasn’t even logged in to.
The problem was a command injection attack, where user input that was meant to be data actually can be partially interpreted as a command of some sort. Often, that command can give the person with control over the data far more access than was ever intended.
A variant on the ...
Get 24 Deadly Sins of Software Security: Programming Flaws and How to Fix Them now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.
