nerdexam
GIAC

GCIH · Question #724

Inspecting developer code for functions like system, exec, and popen is recommended to reduce the likelihood of what type of public-facing attack?

The correct answer is C. Command Injection. Functions like system(), exec(), and popen() pass user-supplied input directly to the operating system shell, making them primary vectors for command injection vulnerabilities.

Web Application Attacks & Post-Exploitation

Question

Inspecting developer code for functions like system, exec, and popen is recommended to reduce the likelihood of what type of public-facing attack?

Options

  • ASQL Injection
  • BCross-Site Scripting
  • CCommand Injection
  • DServer-Side Request Forgery

How the community answered

(59 responses)
  • A
    2% (1)
  • B
    2% (1)
  • C
    93% (55)
  • D
    3% (2)

Why each option

Functions like system(), exec(), and popen() pass user-supplied input directly to the operating system shell, making them primary vectors for command injection vulnerabilities.

ASQL Injection

SQL injection exploits unsanitized input passed to database query functions, not OS shell execution functions like exec() or popen().

BCross-Site Scripting

Cross-site scripting involves injecting malicious scripts into web output rendered by a browser, not OS-level command execution functions.

CCommand InjectionCorrect

Command injection occurs when an attacker supplies OS-level commands through application input that is passed unsanitized to shell execution functions such as system(), exec(), or popen(). Auditing developer code for these function calls identifies where user-controlled data may reach the OS shell. Eliminating or sanitizing these calls directly reduces the attack surface for command injection on public-facing applications.

DServer-Side Request Forgery

Server-side request forgery exploits the server making HTTP requests to attacker-controlled endpoints, unrelated to shell execution functions.

Concept tested: Identifying command injection vulnerable code patterns

Source: https://owasp.org/www-community/attacks/Command_Injection

Topics

#command injection#secure code review#dangerous functions#OWASP

Community Discussion

No community discussion yet for this question.

Full GCIH Practice