So I decided to also slap together a .NET version of the Java command injection testing thing I posted yesterday in response to Alex Smolen’s blog post on .NET and Java command injection. It is up online here:
.NET looks to be similarly resistant to command injection.
Also, “Jordan” posted a comment to the previous post:
I suppose you could do it that way. If you wanted the easy way to find out what was actually going on. But then you wouldn’t get to write any crudimentary Java code – and what fun would that be? That’s actually a great idea.
Does that mean that you don’t need to validate input that is being sent to command interpreters on Java and .NET? No. Failing to do this can still give attackers control over command line arguments and filenames. Plus there may be other ways to break out of this that my 60 lines of Java or C# test code and 15 test cases didn’t find. (What a surprise that would be!) Sleep a little better at night. But not too well.
dan _at_ denimgroup.com