Command Injection

What can I do here?

Use this window to configure the web server's level of protection against Command injection.

Understanding Command Injection

Attack Description

Command injection attacks allow a remote attacker to execute operating system commands disguised as a URL or form input to a Web server. A successful system command execution can provide a remote attacker with administrative access to a Web server. This could result in damage such as defacement of the Web site, data theft, or data loss.

Web Security Protection

Web Security looks for the presence of system commands in Web forms and URLs sent to a protected server. The protection looks for several categories of commands: distinct system commands, non-distinct system commands, and special system characters (e.g.,;[ ]<>&\t). Strings that are unique to system commands, not likely to appear in common language, and often used in command injection are considered distinct (e.g., "chown", "regsvr32", etc.), while strings that may appear in common language are considered non-distinct (e.g., "format", "convert", etc.).

Command Injection Options

Note - The security level can be set in this window only when the Protection Scope is set to Apply to all HTTP traffic.

• High - Rejects forms that contain special Shell characters, distinct Shell commands, or non-distinct Shell commands in the HTTP Request body and in the path and query sections of the URL, even within variable names. For example, the following will be blocked because of the presence of the string "arp", which is a command: http://www.server.com/search?execarp2=x+y+z. 
• Medium - Rejects forms that contain special Shell characters, distinct Shell commands, and non-distinct Shell commands in the HTTP Request body and in the path and query sections of the URL.
• Low - Rejects forms that contain special Shell characters and distinct Shell commands in the HTTP Request body and in the path and query sections of the URL.