Command injection (also called OS command injection) is a vulnerability that occurs when an application passes unsafe user input to a system shell for execution. If the application does not properly validate or sanitize the input, an attacker can inject additional commands that the server executes with the same privileges as the application, potentially leading to full system compromise.
How It Works
Applications sometimes need to execute operating system commands, such as converting a file format, pinging a host, or processing an uploaded document. When user-supplied data is incorporated into these commands without proper sanitization, an attacker can terminate the intended command and append their own.
For example, an application that lets users ping a host might construct the command ping -c 1 [user_input]. An attacker providing 8.8.8.8; cat /etc/passwd as input causes the server to execute both the ping command and the unauthorized file read. Command separators like ;, &&, ||, |, and newline characters can be used to chain additional commands. Backticks and $() syntax enable command substitution, where the output of an injected command is used within the original command.
Blind command injection occurs when the output of the injected command is not returned to the attacker in the application's response. In these cases, attackers confirm exploitation through out-of-band techniques such as triggering DNS lookups to attacker-controlled domains, writing files to publicly accessible directories, or introducing time delays using the sleep command.
The most effective defense is avoiding OS command execution entirely and using language-native libraries instead. When system commands are unavoidable, parameterized command execution (passing the program and its arguments as an array rather than a single concatenated string) prevents injection because the input never reaches a shell: separators and substitution syntax arrive as literal text in one argument. Input validation with strict allowlists provides an additional defense layer.
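The contrast between string concatenation and an argument vector, as an added example in Python that is not code from the original page; the ping feature, the allowlist rules and the function names are assumptions modelled on the text's ping scenario:

```python
import ipaddress
import re
import subprocess

# Strict allowlist (assumed policy): an IP literal or an RFC 1123-style hostname.
# A leading '-' is rejected, so the value can never be read by ping as an option.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def is_allowed_host(value: str) -> bool:
    """Return True only if value is an IP literal or a well-formed hostname."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        pass
    return bool(_HOSTNAME_RE.match(value))


def vulnerable_command(user_input: str) -> str:
    """The pattern the text describes: user input concatenated into one shell
    string. Kept here for contrast only; it is built but never executed."""
    return "ping -c 1 " + user_input


def build_ping_argv(user_input: str) -> list[str]:
    """Hardened form: validate against the allowlist, then build an argv list.
    Raises ValueError for anything outside the allowlist. Because the command
    is a list and no shell is involved, ';', '&&', '|', backticks and '$()'
    would have no special meaning even if they reached this point."""
    if not is_allowed_host(user_input):
        raise ValueError(f"rejected host: {user_input!r}")
    return ["ping", "-c", "1", user_input]


def ping_host(user_input: str) -> int:
    """Run ping with shell=False and a timeout; returns the exit status."""
    argv = build_ping_argv(user_input)
    completed = subprocess.run(argv, shell=False, capture_output=True, timeout=10)
    return completed.returncode
```

Feeding the text's payload to vulnerable_command() shows the second command riding along in the string, while build_ping_argv() rejects it before anything is executed.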
Why It Matters
Command injection is among the most severe vulnerabilities because it grants the attacker direct access to the underlying server. A successful command injection can lead to data theft, backdoor installation, lateral movement, or complete infrastructure compromise. Security assessments specifically probe any functionality that might interact with the operating system.