Sins of Command Injection Flashcards

1
Q

When does command injection occur?

A

Command injection problems occur when untrusted data is placed into input that is passed to some sort of compiler or interpreter, where the data might, if it is formatted in a particular way, be treated as something other than data (that is, as commands or code).
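As an added example that is not part of the flashcards: the same untrusted value handed to a shell first as part of a command string, then as a separate argv element. The code assumes a POSIX /bin/sh and an echo command on PATH; the hostname value and the function names are constructed for the illustration.

```python
"""Command injection in one function and its fix in the next.

Added example, not from the flashcards. Assumes a POSIX /bin/sh and an `echo`
command on PATH; the hostname value is constructed for the illustration."""
import subprocess


def run_lookup_unsafe(hostname: str) -> str:
    """The sin: untrusted data is pasted into a command STRING that a shell parses.

    With shell=True, ';', '|', '&&', '$(...)' and backticks inside `hostname`
    are read as shell syntax, not as part of the hostname.
    """
    cmd = f"echo resolving {hostname}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_lookup_safe(hostname: str) -> str:
    """Redemption: no shell in the path. Each argv element reaches the program
    exactly as given, so shell metacharacters stay data.

    Validation is still required for the target program's own parsing (for
    example a value starting with '-' would be taken as an option), which is
    why the cards list input checking as the first step, not this alone.
    """
    argv = ["echo", "resolving", hostname]
    return subprocess.run(argv, capture_output=True, text=True).stdout


# Constructed attacker input: a hostname followed by a second shell command.
CONSTRUCTED_INPUT = "example.com; echo INJECTED"

if __name__ == "__main__":
    print("shell=True :", run_lookup_unsafe(CONSTRUCTED_INPUT).splitlines())
    print("argv list  :", run_lookup_safe(CONSTRUCTED_INPUT).splitlines())
```

Run it and the shell=True version prints two lines, the second produced by the injected `echo INJECTED`; the argv version prints one line containing the literal `;`, because no interpreter ever looked at it.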

2
Q

Example Windows Commands

A

dir, cd, ipconfig

3
Q

Example Linux Commands

A

ls, cd

4
Q

What is the most important step to redemption? (Command Injection)

A

To validate user input

5
Q

Describe the road to redemption (Command Injection)

A

1. Check the data to make sure it is okay.
2. Take an appropriate action when the data is invalid.
3. Run your application using least privilege. It usually isn’t very amusing to run arbitrary commands as “nobody” or guest.

6
Q

Name the three ways to determine Data Validity

A

The deny-list, The allow-list and The “quoting” approach

7
Q

Definition of the deny-list approach

A

The deny-list approach: look for matches demonstrating that the data is invalid, and accept everything else as valid.

8
Q

What is the first step to prevent command injection when handling input?

A

Perform input validation on all input before passing it to a command processor.

9
Q

Definition of the allow-list approach

A

The allow-list approach: look for the set of valid data, and reject anything else (even if there is some chance it wasn’t problematic).

10
Q

Definition of the “quoting” approach

A

The “quoting” approach: transform the data so that there cannot be anything unsafe in it when the command processor reads it.

11
Q

How should you handle a failure in input validation?

A

Handle the failure securely if an input validation check fails: reject the input and stop, rather than trying to clean it up and continue.

12
Q

What is a useful defense mechanism if your environment supports it? (Command Injection)

A

Use taint defenses if your environment supports it (for example, Perl’s taint mode, which refuses to pass data that came from outside the program to a command processor until it has been explicitly checked).

13
Q

What should you never do with unvalidated input?

A

Do not pass unvalidated input to any command processor, even if the intent is that the input will just be data.

14
Q

Why should you avoid using a deny-list approach for input validation?

A

Because you cannot be 100 percent sure you are accounting for all possibilities.

15
Q

What is the recommended approach for writing input validators?

A

Consider avoiding regular expressions for input validation; instead, write simple and clear validators by hand.
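The three ways of deciding data validity from the deny-list, allow-list and “quoting” cards, together with the hand-written validator this last card recommends and the “take an appropriate action when the data is invalid” step, in one added example that is not part of the flashcards. The hostname rules, function names and sample inputs are constructed for the illustration, and the quoting targets a POSIX shell.

```python
"""Deciding whether data is valid before it reaches a command processor:
deny-list, allow-list and quoting, side by side.

Added example, not from the flashcards. The hostname rules and helper names
are constructed for the illustration; quoting targets a POSIX shell."""
import re
import shlex
import string

# --- 1. Deny-list: look for known-bad characters, accept everything else ---
SHELL_METACHARS = set(";|&`$<>()")          # what this deny-list *thinks* is dangerous


def deny_list_is_valid(value: str) -> bool:
    """Returns True for anything that does not contain a listed character.

    The list is incomplete by construction: a newline also separates commands
    in sh, and '*', '~', '\\' and whatever the next interpreter adds are
    missing too. This is the card's point: you cannot be sure you covered
    every possibility.
    """
    return not any(ch in SHELL_METACHARS for ch in value)


# --- 2. Allow-list, written by hand: spell out what is acceptable ---
HOSTNAME_CHARS = set(string.ascii_lowercase + string.digits + ".-")


def allow_list_is_valid_hostname(value: str) -> bool:
    """Accepts only lowercase DNS-style hostnames; rejects everything else.

    Every character is inspected, so there is no unmatched tail and nothing
    is accepted just because it was not explicitly forbidden.
    """
    if not 1 <= len(value) <= 253:
        return False
    for label in value.split("."):
        if not 1 <= len(label) <= 63:
            return False
        if label[0] == "-" or label[-1] == "-":
            return False
        if any(ch not in HOSTNAME_CHARS for ch in label):
            return False
    return True


def require_hostname(value: str) -> str:
    """Take an appropriate action on invalid data: refuse it, don't fix it up."""
    if not allow_list_is_valid_hostname(value):
        # Log the event server-side; do not echo the rejected value to the caller.
        raise ValueError("invalid hostname")
    return value


# --- The same allow-list as a regular expression, to show the pitfall ---
REGEX_HOSTNAME = re.compile(r"^[a-z0-9.-]+$")


def regex_is_valid_hostname(value: str) -> bool:
    """Looks equivalent to the hand-written check, but in Python '$' also
    matches just before a trailing newline, so "example.com\\n" is accepted.
    (re.fullmatch or '\\Z' would fix this one; the hand-written validator has
    no such corner to forget.)
    """
    return REGEX_HOSTNAME.match(value) is not None


# --- 3. Quoting: transform the data so the shell cannot interpret it ---
def quote_for_posix_shell(value: str) -> str:
    """shlex.quote leaves safe values alone and single-quotes the rest,
    rewriting an embedded single quote as '"'"' so it cannot close the quote."""
    return shlex.quote(value)


def build_echo_command(value: str) -> str:
    """Builds `echo <value>` for a POSIX shell with the value quoted."""
    return "echo " + quote_for_posix_shell(value)


def shell_sees(command: str) -> list:
    """How a POSIX shell would tokenise the command line (no execution)."""
    return shlex.split(command)
```

The deny-list accepts `example.com\nid` because nobody listed the newline; the hand-written allow-list rejects it, and also rejects `example.com\n`, which the regex version lets through. Quoting is only as good as the quoting function's knowledge of the target interpreter, which is why the cards still put validation first.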
