Lecture 15 Flashcards
1
Q
What is command injection?
A
An attack where the goal is execution of arbitrary commands on the host operating system via a vulnerable application, e.g. through forms, cookies, or HTTP headers.
2
Q
What is blind command injection?
A
A command injection where the system does not return any visible output. It can be used the same way as a regular command injection. These can be detected by running time-delay commands, e.g. sleep, and observing the delay.
3
Q
What is code injection?
A
Injecting code into the program that is then interpreted/executed by the application. This differs from command injection in that an attacker is only limited by the functionality of the injected language itself.