Introduction


Welcome to the Whitebox Pentesting 101: Command Injection module!

When we begin a Whitebox Pentesting exercise, we start by reviewing the codebase and analyzing it for vulnerabilities, as learned in the Secure Coding 101 module. Once we identify a potential vulnerability, we start our attempts to exploit it, through planning, local debugging, and eventually exploitation, which is what we will cover in this module.

In this module, we will discuss four main topics, as follows:

  1. Code Review 'highlights'

  2. Command Injection

  3. Local Debugging

  4. Exploitation

For example, we can imagine that our client has invited us to their site and asked us to analyze the application's code and check for vulnerabilities. One of the most common vulnerabilities in newly written code is the Command Injection vulnerability. These vulnerabilities are mostly caused by inattention and the time pressure that developers have to endure during the development process.

This often results in complex processes being solved as simply as possible, which leads to functions not being written correctly, allowing certain types of privilege escalation or breakouts. Some functions are then written in such a way that they execute internal system commands. Our goal is to identify these vulnerabilities during the Whitebox penetration test.