Can someone explain to me the differences between OS injection an Operating system command injection?
My understanding is that both techniques take advantage of poor input validation.
My doubt is: does OS injection stand for Operating system injection?
Suppose a certain web site is vulnerable to user's supplied input.
So after some testing I'm able to get information about:
underlying operating system
type of server installed
Let's say we have Linux and Apache server.
Through an intercepting software which enables me to interact with the vulnerable site through GET requests (I mean I can modify GET parameters before they are sent) I then succeed in injecting ";ls"
Right, the site is vulnerable since I can see there are files.
So what I did is taking advantage of some bug in order to get access to the underlying operating system.
Is this an example of Os? Or I'd better call it Operating system command injection?
What would an example of Os be?
Sorry for my trivial question.
Thanks
They probably mean the same thing. Where did you come across these terms?
Related
Does anyone know of a scripting language that's included with most platforms (say Mac/Windows/Linux)? I haven't been able to find one. So far javascript in web browsers or compiled java are about it. Jython comes close.
My goal is to be able to download a file from the web or portable storage and just run it, without having to install something first, or have special user permissions, or edit it, or rename it, or give it executable privilages. It would give you access to generally accepted metaphors in computing: input, output, persistent storage, time, spawning tasks, sockets, fixed and floating point math, unicode, etc. Ideally it would abstract away minutia like line endings, endianness, and yielding for other processes.
I don't want to get into why having a universal language/virtual machine is important, or at the very least, useful. I feel that we are missing a middleware above the operating system level, something like POSIX but less esoteric, and without it, we all are forced to spend a disproportionate amount of time reinventing the wheel or writing special cases. For me, availability and a complete feature set are more important than speed (which could come later).
Thanks in advance for any insights you can provide,
Zack Morris
You will be able to run carefully written sh scripts on almost all unix systems.
If you want to add Microsoft systems, then it is more difficult, but still possible to provide a single script file, that will "autodetect" the interpreter it's running on and select between a sh part and a command.com or whatever they have on Microsoft systems.
Once you can run a script on a known system you can further download or unpack and install automatically whatever software you need.
Note: I'd appreciate some tag suggestions for this one..
I'd like to provide my users with a method of programmatically manipulating data on the server. This would be done by using an in-browser code editor to be executed at a later date, not dissimilar to the manner https://www.onx.ms employ.
I'd like to avoid writing a DSL (a barrier to adoption?), and would prefer the language that the user writes to be either JavaScript or Ruby based.
My obvious concern is security. I understand the perils of allowing user generated code to run server-side, but what steps can I take to eliminate the risk?
Do sites like http://railsforzombies.com actually use irb, or is it far simpler than that?
Would you consider Java (or other JVM languages such as JRuby, Scala, Clojure etc)? If so - there is a wealth of power in the JVM to restrict the privileges of a sandboxed app. See this other question for details: How do I create a Java sandbox?
Google Caja lets you safely embed user-specified Javascript in your website, but I think it might be aimed at running the code in the user's browser rather than on your server. I haven't used it myself.
I don't know if there are ready-made solutions for other languages, but I think a custom solution would involve recompiling the interpreter yourself after removing all API libraries that allow the user to write to disk, open network connections, fork processes/threads, and do any other dangerous or denial-of-service operation. Whitelisting "safe" libraries is the only approach that could work for that.
It would be safer if you had separate virtual servers for individual users.
I am trying to evaluate some technologies for implementing a communication process between some Ada modules with some C++/OpenGL modules. There is an (Windows XP) Ada application which communicates with a C++ application using COM, but I intend to switch the COM to a new technology. Some suggestions came up, such as direct Sockets, DSA, Polyorb, Corba and DSS/Opensplice.
DSA appears to be just Ada -implemented (not sure)
Polyorb has its last implementation on 2006, according to http://polyorb.ow2.org/
Corba someone argumented that it could be not simple enough to justify its complexity for implementing simple applications
DSS/Opensplice appears to be just C/C++ implemented, so an Ada binding should be done. It also looks to be not very simple to be implemented too.
Personally I like COM, but due to the migration, I'd rather take the sockets option due to its simplicity, and the interface architecture could be implemented very easily.
So, what you think? Could you please comment about these technologies or even suggest other more?
Thanks very much.
A big factor in your choice is the size and complexity of the system you're reengineering. Is it a broadly distributed system with lots of complex messages? Is it a relatively small system with a handful of mundane message exchanges?
For small systems I used to just roll-my-own socket-based comm modules. Now, though, I lean more towards ZeroMQ (brokerless) or STOMP (text-based). And there's some Ada support for these, zeromq-Ada and TOMI_4_Ada (supports both).
While these handle the distribution mechanics, you would still need to handle the serialization of the messages into transportable form.
CORBA/PolyORB and DDS solutions are rather heavyweight, but are complete solutions. If you don't fear IDL and managing brokers, they can do well for large-scale distributed systems. Yeah, there may need to be some Ada bindings built, but if you can get C headers or a C API to bind to, it's typically not too bad if you focus on just binding the functions and data structures you require. Rather than creating a comprehensive binding, liberally employ opaque and void pointers (void_ptr, opaque_structure_def_ptr) for structs and parameters whose internal contents you don't care about.
we intend to switch the COM to a new (suported) technology, since COM is not more supported by Microsoft
Whoever told you COM is no longer supported is totally clueless.
While COM has undergone many name changes (OLE, COM, OLE Automation, DCOM, COM+, ActiveX, WinRT) and extensions over the past decades, it is the single most important technology for MS platforms: past, present and future. The .NET runtime uses COM extensively. Much of the Win32 API is written in COM, and the portions that weren't, will be in Win8, since WinRT components are COM objects.
Also take a look at AMQP (RabbitMQ for server), there seems to be Ada library available for it http://www.gti-ia.upv.es/sma/tools/AdaBinding/index.php.
If you could find binding for Ada, Apache thrift might also be a lightweight option. Maybe you could even write your own binding, it should not be more difficult that rolling something of your own over the sockets.
If you do go sockets route, than I would suggest ZeroMQ as "supersockets".
One more option for your list should be to use Ada's distributed programming support, and write C/C++ wrappers to interface your C++ program into it.
I don't know that its the best option for your needs, but if your Ada compiler supports Annex E, it should be on the list.
Since this post, AdaCore published PolyORB on GitHub with regular updates :)
I'm not planning on doing this right now, as I don't have the experience in this area to even attempt it at the moment, but I'm curious about something.
If implementing an operating system from scratch, what would it take to build an application like VirtualBox? Not necessarily as user friendly with a nice GUI or anything, but something that is capable of launching other operating systems and allowing you to interact with them?
I've got an idea rolling around in my head about an operating system that uses virtualization for a few key things (probably ideas out there like this already), and I'm just curious what it would take to build it.
There is a version of VirtualBox that is open source. If you want to know what it would take, checking out their source would be a very good start. Also, check out Xen (open source as well).
I recently posted a question about Azure... is it really an OS? I understand the technical details, and I got a lot of fuzzy answers... I really want to know... what do you think is the difference between an OS and a Framework?
Just for reference, Azure will be built on top of Hyper-V servers and the virtual machines will be running vanilla Windows Server 2008. It will run services that creates a cloud on top of the many virtual machines which is called Azure. Windows is calling Azure an OS.
I am trying to understand how to define the difference between an OS and a framework.
Operating System: The infrastructure software component of a computer system
Framework: A re-usable design for a software system (or subsystem).
By these definitions it seems to me, that an operating system can be built using a framework, and a framework can be built to interact with an operating system.
Singularity is an example of an experimental OS that is built using managed code.
Framework is a very broad term, it can be used to describe many types of subsystems. It could even describe an operating system.
Operating System is more specific, it implies facilitation of interaction with a computers or group of computers hardware layer, through the use of human user interfaces. I think Azure fits this description.
It's up to marketing - I don't think the terms have a definite meaning any more.
Is a JVM a framework?
What if it's running on a raw uC or even an FPGA - is it an OS?
An OS is the thing that directly interfaces with the machine, be it virtual or real. It has to expose syscalls that handle input devices, output devices, sound, networking, and all the other things that we take for granted these days. It also often provides some kind of UI which uses these services to make it easy to use/useful for an end-user. It needs to have device drivers to work with video cards, sound cards, etc. (Once again, these can be virtualized).
A framework is... something built on top of the OS. It, too, exposes an API, but they are often not so low-level as the one the OS exposes.
frameworks provide api contracts that oses usually don't - meaning they sit atop the os, hide and manage the differences, and consequently give you that platform independence goodness that can broaden our target audience
A framework thought to be as a development environment,a helping platform for further developments and you can work additively to create some other application using components of framework, while OS is system software is an environment to operate a system.