Remote Command Execution

Attackers can use remote command execution to execute malicious code and take control of your system. Application Security protects your application by running algorithms that block potential remote command execution attacks on each request.

Configure the Remote Command Execution policy

  1. Go to Your Group > Policies > Remote Command Execution and ensure that it is enabled.
  2. Set the state to Report. This will trigger events without blocking the request, which allows you to run your application and see which expected behaviors trigger Remote Command Execution events.
  3. On the right of the page, select Configure Policy.
  4. Choose which of the following algorithms run on each request:
    • HTTP Params: Application Security detects HTTP GET or POST parameters that are passed verbatim into a remote command execution at a code location executed during the request.
    • Exec Control: an algorithm that runs on each command execution within the group and compares the command against the Exec Control rules you have created.
  5. Under Exec Controls is a list of rules written as regular expressions. You can choose to allow or block each rule by selecting the blue toggle on the left of the window. The button turns grey to indicate that the rule has been turned off. You can also edit, delete, or reorder the rules by selecting the grey buttons on the left of the window. If a command is determined to be safe and part of the application's normal usage, it can be trusted by selecting the plus button on the right of the window. For more information, see Add a new Remote Command Execution rule.
  6. Select Save Changes and close the window.

    By default, all exec control commands run by the web server are blocked.

  7. Navigate to your application and use it in the various scenarios that it was designed to handle.

  8. On the Application Security dashboard, check the Events page for Remote Command Execution events. If one has been triggered, follow the steps in Manage Remote Command Execution events.
  9. Once you're happy with your policy configuration and events are no longer being triggered by expected behavior, go to Your Group > Policies > Remote Command Execution.
  10. On the right of Remote Command Execution, set the state to Mitigate. When a rule is triggered, the attempt will be blocked and a Remote Command Execution event will appear on the Dashboard.

Add a new Remote Command Execution rule

  1. Select Add new rule button on the right of the Remote Command Execution Configuration window.
  2. Under Enter a pattern to match, enter a regex pattern that matches your search pattern.
  3. Under Enter text to preview match, enter the text you want the rule to cover. If the pattern you entered above is correct and encompasses that text, the match is highlighted in green under Results. If the preview text stays grey, correct your pattern.
  4. Select Submit to save the rule.
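The configuration steps above (Report versus Mitigate, the HTTP Params and Exec Control algorithms, ordered allow/block rules with a default block, and the pattern preview when adding a rule) can be illustrated with a small simulated policy evaluator. The following is an added example, not Application Security's own code: it assumes that Exec Control rules are evaluated in list order with the first match winning, that a command matching no rule is blocked (as the note in step 6 states), and it approximates HTTP Params detection with a plain substring check instead of the product's request-to-command tracking. The `preview_match` helper, the `Policy` and `ExecControlRule` names, and the event field keys are assumptions chosen to mirror the fields described under Remote Command Execution Details.

```python
"""Simulated Remote Command Execution policy (added illustration, not the
product's code).  Assumptions: rules are evaluated in order, first match wins,
unmatched commands are blocked by default, and HTTP Params detection is
approximated by a substring check of each parameter value in the command."""
import re
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class ExecControlRule:
    pattern: str           # regular expression tested against the executed command
    action: str            # "allow" or "block"
    enabled: bool = True   # the blue/grey toggle in the configuration window


@dataclass
class Policy:
    state: str = "Report"          # "Report" records events; "Mitigate" also blocks
    http_params: bool = True       # HTTP Params algorithm on/off
    exec_control: bool = True      # Exec Control algorithm on/off
    rules: list = field(default_factory=list)


def preview_match(pattern: str, text: str) -> Optional[tuple]:
    """Mimic the 'Enter text to preview match' box: return the (start, end)
    span that would be highlighted in green, or None when the pattern does
    not cover the text.  An invalid pattern raises re.error."""
    m = re.search(pattern, text)
    return m.span() if m else None


def evaluate(policy: Policy, request_params: dict, exec_method: str, command: str):
    """Evaluate one command execution observed during a request.

    Returns (blocked, events).  Each event carries the fields shown under
    Remote Command Execution Details: trigger, exec_method, command and
    matched_rule.  Exec Control events also carry a suggested suppression
    rule: an allow pattern that matches this exact command."""
    events = []

    # HTTP Params: a request parameter value that lands verbatim in the
    # executed command.  Real detection follows the data flow; this
    # simplification only checks for the value as a substring.
    if policy.http_params:
        for name, value in request_params.items():
            if value and value in command:
                events.append({
                    "trigger": "HTTP Params",
                    "exec_method": exec_method,
                    "command": command,
                    "matched_rule": None,
                    "param": name,
                })
                break

    # Exec Control: walk the ordered rule list; first enabled match decides.
    if policy.exec_control:
        matched = None
        for rule in policy.rules:
            if rule.enabled and re.search(rule.pattern, command):
                matched = rule
                break
        allowed = matched is not None and matched.action == "allow"
        if not allowed:  # explicit block rule, or the default block
            events.append({
                "trigger": "Exec Control",
                "exec_method": exec_method,
                "command": command,
                "matched_rule": matched.pattern if matched else None,
                "suppression_rule": "^" + re.escape(command) + "$",
            })

    blocked = policy.state == "Mitigate" and bool(events)
    return blocked, events


if __name__ == "__main__":
    # Constructed sample: an image-conversion feature that is expected
    # application behaviour, plus a command no rule allows.
    policy = Policy(state="Report", rules=[
        ExecControlRule(r"^/usr/bin/whoami$", "allow", enabled=False),
        ExecControlRule(r"^/usr/bin/convert\b", "allow"),
    ])
    print(evaluate(policy, {"file": "photo.png"}, "subprocess.Popen",
                   "/usr/bin/convert photo.png out.jpg"))
    policy.state = "Mitigate"
    print(evaluate(policy, {"name": "alice"}, "os.system", "/usr/bin/whoami"))
```

Running the block in Report state shows the first call raising an HTTP Params event (the parameter `photo.png` appears verbatim in the command) without blocking, which is exactly the kind of expected behaviour step 2 is meant to surface before switching to Mitigate; the second call is blocked once the state is Mitigate because the only rule that would allow it is disabled.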


Delete a Remote Command Execution rule

  1. In the row containing the rule to delete, select the X icon.
  2. Select Save Changes and close the window.

Remote Command Execution events

Remote Command Execution events are displayed on the Dashboard in Events or in your respective Group's dashboard.

Every event includes the Request Details panel for general information about the event. For more information, see Manage Events.

Under Remote Command Execution Details, the following information is displayed:

  • Trigger: The rule that triggered the event. Either HTTP Params or Exec Control.
  • Exec Method: The underlying API which was used to run the command.
  • Command: The program or command that was executed, or was about to be executed, by the API.
  • Matched Rule: The Exec Control rule that was matched and triggered the event.

Under Triggered Policy Details, the following information is displayed:

  • The rule that triggered the event. Either HTTP Params or Exec Control.
  • Matched_rule: The Exec Control rule that was matched and triggered the event.
  • Suppression_rule: The rule that would prevent this event from triggering again.


Manage Remote Command Execution events

If Application Security is reporting Remote Command Execution events:

  • In the top right corner of the event details panel, select View Stack to see where in your code the attack was leveraged. Modify your code so a Remote Command Execution attack can't be leveraged in the future.
  • If the event was triggered by an expected behavior of your application and you'd prefer not to modify your code and allow the behavior, select Click to Manage Policy. In the Alert section, you can see what policy rule was triggered. If you'd like to allow this behavior on your application, add the rule and select Allow.
