OS Command Injection
detect, understand, remediate
Command injection allows attackers to execute arbitrary operating system commands on the host server by injecting malicious input into application functions that pass data to system shells.
No credit card required. Free plan available forever.
What is command injection?
Command injection is a vulnerability that allows attackers to inject and execute arbitrary operating system commands through an application that passes user-supplied input to a system shell. When an application constructs shell commands using unsanitised user input, attackers can append or modify commands to achieve remote code execution (RCE) on the underlying server.
This vulnerability is particularly dangerous because it grants attackers the same privileges as the application process on the host operating system. A successful command injection attack can lead to full server compromise: reading sensitive files, installing backdoors, pivoting to internal networks, exfiltrating data, and establishing persistent access to the environment.
Command injection commonly occurs in applications that use system calls to interact with the operating system, for example when performing DNS lookups, file operations, image processing, or network diagnostics based on user input. Shell metacharacters such as semicolons, pipes, backticks, and ampersands allow attackers to chain additional commands onto the intended operation.
How it works
Input reaches system command
The application passes user-supplied input to a system shell function such as system(), exec(), popen(), or child_process without sanitisation.
Inject shell metacharacters
Attacker injects shell metacharacters such as semicolons (;), pipes (|), logical operators (&&), or backticks (`) to append additional commands.
OS executes injected command
The operating system interprets the injected metacharacters and executes the attacker's command alongside or instead of the intended operation.
Full server compromise
Attacker achieves remote code execution, reads sensitive files, establishes reverse shells, installs persistence mechanisms, or pivots to internal systems.
Common causes
Using system/exec with user input
Calling system(), exec(), popen(), or equivalent shell functions with input that originates from user requests without any filtering or validation.
Shell command concatenation
Building command strings by concatenating user input directly into the command rather than using parameterised or array-based command execution.
Insufficient input validation
Failing to validate or sanitise user input against shell metacharacters, or relying on incomplete deny-lists that can be bypassed with encoding tricks.
Unnecessary shell invocation
Using shell commands for operations that could be performed with language-native libraries, such as calling ping or nslookup instead of using DNS resolution APIs.
How to detect it
Automated detection
- SecPortal's authenticated scanner tests for error-based command injection by injecting shell metacharacters and analysing response differences
- Time-based blind detection using sleep and timeout commands to identify injection points where output is not directly reflected
- Output-based detection that injects commands with predictable output (e.g. echo, id, whoami) and checks for their presence in the response
Manual testing
- Inject sleep commands (e.g. ; sleep 5) into input fields and observe whether the response is delayed by the expected duration
- Test with backticks, semicolons, pipe operators, and logical operators to identify which metacharacters are processed by the shell
- Use out-of-band techniques (DNS callbacks, HTTP requests to a controlled server) to confirm blind command injection
How to fix it
Avoid system commands entirely
Replace shell commands with language-native APIs and libraries. Use built-in DNS resolution, file operations, and image processing instead of calling OS utilities.
Never pass user input to a shell
If system commands are unavoidable, use parameterised execution (e.g. execFile with argument arrays) that bypasses shell interpretation entirely.
Use allow-list input validation
Validate all user input against a strict allow-list of permitted characters. For example, if expecting an IP address, only allow digits and dots.
Run with minimal OS privileges
Execute application processes with the least privileges required. Use dedicated service accounts that cannot access sensitive files or escalate privileges.
Use sandboxing and containerisation
Isolate application processes using containers, chroot jails, or AppArmor/SELinux profiles to limit the impact of successful command injection.
Compliance impact
Related vulnerabilities
Detect command injection automatically
SecPortal tests for error-based, time-based blind, and output-based OS command injection. Start scanning for free.
No credit card required. Free plan available forever.