GCIH · Question #724
Inspecting developer code for functions like system, exec, and popen is recommended to reduce the likelihood of what type of public-facing attack?
The correct answer is C. Command Injection. Functions like system(), exec(), and popen() pass user-supplied input directly to the operating system shell, making them primary vectors for command injection vulnerabilities.
Question
Inspecting developer code for functions like system, exec, and popen is recommended to reduce the likelihood of what type of public-facing attack?
Options
- ASQL Injection
- BCross-Site Scripting
- CCommand Injection
- DServer-Side Request Forgery
How the community answered
(59 responses)- A2% (1)
- B2% (1)
- C93% (55)
- D3% (2)
Why each option
Functions like system(), exec(), and popen() pass user-supplied input directly to the operating system shell, making them primary vectors for command injection vulnerabilities.
SQL injection exploits unsanitized input passed to database query functions, not OS shell execution functions like exec() or popen().
Cross-site scripting involves injecting malicious scripts into web output rendered by a browser, not OS-level command execution functions.
Command injection occurs when an attacker supplies OS-level commands through application input that is passed unsanitized to shell execution functions such as system(), exec(), or popen(). Auditing developer code for these function calls identifies where user-controlled data may reach the OS shell. Eliminating or sanitizing these calls directly reduces the attack surface for command injection on public-facing applications.
Server-side request forgery exploits the server making HTTP requests to attacker-controlled endpoints, unrelated to shell execution functions.
Concept tested: Identifying command injection vulnerable code patterns
Source: https://owasp.org/www-community/attacks/Command_Injection
Topics
Community Discussion
No community discussion yet for this question.