Introduction to OS Command Injections (2020)

Welcome to this course on OS Command Injections! OS Command Injections are part of the OWASP Top 10 Web Application Security Risks, and as you will see in this course, this threat can result in serious damages if left unchecked.

We start out by creating a safe and legal environment for us to perform attacks in. Then, we cover the core concepts of command injections and learn about techniques that can be used to exploit vulnerable targets. After that, we go full-on offensive and perform manual injection attacks as well as automated attacks with a tool called Commix.

Once we find vulnerabilities, we generate and plant persistent backdoors that can be exploited to create shells, giving us access to the target server any time we want.

After successfully attacking and compromising our targets, we take a step back and discuss defensive controls at the application layer. We also look at actual vulnerable code and show ways of fixing that vulnerable code to prevent injections.

Please note: Performing these attacks on environments you do not have explicit permissions for is illegal and will get you in trouble. That is not the purpose of this course. The purpose is to teach you how to secure your own applications, and it will provide the steps needed to create your own personal, safe, and legal environments to exploit for learning purposes.

———————–

Topics we will cover together:

1. How to set up a Kali Linux Virtual Machine for free

2. How to configure and create safe & legal environments using Docker containers inside of Kali

3. A quick command line refresher

4. An explanation of what OS Command injections are and how they work

5. OS Command injection techniques

6. How to perform OS Command injections by hand

7. How to perform OS Command injections with automated tools (Commix)

8. How to defend against injections at the application layer

9. How to find vulnerabilities by looking at code

10. Proper coding techniques to prevent OS Command Injections

———————–

Requirements:

To understand how OS Command injections work and how to perform them as well as defend against them, you must have:

• Experience working with web applications

• Experience with OS commands (Linux or Windows)

Suggestion: You may also wish to take our free Introduction to Application Security (AppSec) course to familiarize yourself with the concepts of Application Security, and we have an SQL Injection course available for free as well on Udemy.

———————–

Instructor

My name is Christophe Limpalair, and I have helped thousands of individuals pass IT certifications and learn how to use the cloud for their applications. I got started in IT at the age of 11 and unintentionally fell into the world of cybersecurity.

As I developed a strong interest in programming and cloud computing, my focus for the past few years has been training thousands of individuals in small, medium, and large businesses (including Fortune 500) on how to use cloud providers (such as Amazon Web Services) efficiently.

I’ve taught certification courses such as the AWS Certified Developer, AWS Certified SysOps Administrator, and AWS Certified DevOps Professional, as well as non-certification courses such as Introduction to Application Security (AppSec), Lambda Deep Dive, Backup Strategies, and others.

Working with individual contributors as well as managers, I realized that most were also facing serious challenges when it came to cybersecurity.

Digging deeper, it became clear that there was a lack of training for AppSec specifically. It’s time to take security into our own hands and to learn how to build more secure software in order to help make the world a safer place! Join me in the course, and we’ll do just that!

I welcome you on your journey to learning more about OS Command injections, and I look forward to being your instructor!