Is this even a thing in PowerShell?
Do I need to make sure that the input is safe before I use it further?
Like input to native commands? Or as a parameter to SQL?
Do we have something in PowerShell or .NET to make sure we handle this?
I think it kind of depends how you are using that data. If you are passing it to SQL, you’ll definitely need to do some sanitization to avoid injection. If you are passing it to the command line, I could see a similar issue. You probably wouldn’t want to just allow bare strings to be passed to command line utils as users could end up injecting additional commands into that command line.
I’d also be careful using Invoke-Expression at all as users could then potentially run whatever PS command they want.
What is your form doing? I’d be curious as this is an issue that isn’t brought up much but is important. It might be good to put together some official guidance around this.
This particular one is sending commands to an RCON server (broadcast messages), but I use a native rcon command to send them off.
Mirroring Adam's sentiments, it's going to depend on the systems involved and how you're intending to do it. I don't really know anything about RCON servers (Minecraft?), so I'm not sure, security-wise, how easy or difficult it would be to break out from the context of those commands and elevate.
Definitely agree, don’t allow any native command to be passed through from web ui to execution as they can and will be a security hole.
For SQL, I use Invoke-Sqlcmd2 as it has -SqlParameters, which allows you to set up parameterized queries.
Yeah, but how?
Would it be enough to do a -replace "AllDangerChars",'' ?
And what would that be?
I don’t know if you’ll necessarily need to escape anything. Anything you pass to your RCON command line tool is just going to be treated like a string.
PS C:\Users\adamr> $test = ';Write-Host "hey"'
PS C:\Users\adamr> ping localhost $test
Bad parameter ;Write-Host hey.
So it depends on what the RCON command accepts. If it can be used maliciously, then you will want to check the input or restrict it to a set of options.
I think the most dangerous thing would be doing something like this.
Invoke-Expression "rcon $parameter"
The PowerShell Team did a talk at Defcon about this: https://devblogs.microsoft.com/powershell/powershell-injection-hunter-security-auditing-for-powershell-scripts/
Seems like they made a tool to help detect it as well: https://www.powershellgallery.com/packages/InjectionHunter/1.0.0
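Putting the two safe patterns from this thread together (an allowlist check plus a native call with an argument array instead of Invoke-Expression, and -SqlParameters for the SQL side), as an added example that is not code from any of the posters. The rcon executable path, its -H/-p flags, and the SQL instance, database and table are assumptions.

```powershell
# Added example: validating a web-form broadcast message before handing it
# to a native rcon tool and to SQL. Requires the Invoke-SqlCmd2 module.

function Test-BroadcastMessage {
    param([string]$Message)
    # Allowlist instead of a blocklist: letters, digits, spaces and a few
    # punctuation marks, 1-200 characters. Quotes, semicolons, backticks and
    # newlines never match, so there is no list of "dangerous" characters
    # to keep up to date.
    return $Message -match '^[A-Za-z0-9 .,!?:\-]{1,200}$'
}

function Send-Broadcast {
    param(
        [Parameter(Mandatory)][string]$Message,
        [string]$RconExe = 'C:\tools\rcon.exe',   # assumed path
        [string]$ServerHost = 'localhost',        # assumed host
        [int]$Port = 25575                        # assumed port
    )
    if (-not (Test-BroadcastMessage $Message)) {
        throw 'Rejected broadcast text: only plain printable characters are allowed.'
    }

    # Risky pattern from the thread: the message is re-parsed by PowerShell,
    # so any PowerShell syntax inside it becomes code.
    #   Invoke-Expression "rcon say $Message"

    # Safe pattern: the call operator with an argument array never re-parses
    # the string; each element reaches the native process as one argument.
    $argList = @('-H', $ServerHost, '-p', $Port, 'say', $Message)   # flags assumed
    & $RconExe @argList
    if ($LASTEXITCODE -ne 0) { throw "rcon exited with code $LASTEXITCODE" }
}

function Write-BroadcastLog {
    param([string]$Message, [string]$Sender)
    # Parameterized query: values travel as parameters and are never
    # concatenated into the SQL text, so quoting in $Message cannot change
    # the statement. Instance, database and table names are assumed.
    $query = 'INSERT INTO BroadcastLog (Sender, Message, SentAt) VALUES (@Sender, @Message, GETDATE())'
    Invoke-Sqlcmd2 -ServerInstance 'localhost\SQLEXPRESS' -Database 'GameOps' `
        -Query $query -SqlParameters @{ Sender = $Sender; Message = $Message }
}

# Exercising the validator with the thread's own test string and a normal message:
Test-BroadcastMessage ';Write-Host "hey"'
Test-BroadcastMessage 'Server restarts in 5 minutes!'
```

If the form only ever needs a handful of fixed announcements, a ValidateSet of canned messages in place of the regex is the "restrict it to a set of options" route mentioned above.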