Command Injection
What is Command Injection?
Command Injection: An attack where user input is passed unsanitized to an operating-system shell, causing the application to execute attacker-supplied commands.
Command injection (OS command injection) occurs when an application builds a system command by concatenating untrusted input and hands the result to a shell. Shell metacharacters such as ;, &, |, $(), or backticks let the attacker chain additional commands, which run with the privileges of the application process. Outcomes include arbitrary file reads and writes, lateral movement, reverse shells, and complete server takeover. Defences include avoiding the shell entirely by using language APIs that accept argument arrays, allow-listing expected values, validation and escaping libraries, sandboxing, running services as least-privileged users, and egress filtering to limit the damage if the flaw is exploited.
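The concatenated-shell-string pattern from the ping example, shown beside an argv-based, allow-listed replacement. This is an added example and not code from the original page; it uses Python's subprocess module and substitutes echo for the real ping binary (an assumption made so the demonstration runs anywhere a POSIX /bin/sh exists). The names validate_host, is_valid_host, safe_argv and the constructed payload string are the example's own.

```python
"""Command injection: a shell string built by concatenation beside an argv-based,
allow-listed replacement. Added example; 'echo' stands in for the real ping/convert
binary so it runs anywhere with a POSIX /bin/sh."""
from __future__ import annotations

import ipaddress
import re
import subprocess

# RFC 1123-style hostname: dot-separated labels of letters, digits and hyphens,
# no label starting or ending with a hyphen. Anything else is rejected, which
# also excludes shell metacharacters (; & | $ ` ...) and a leading '-' that the
# child program might otherwise read as an option.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def validate_host(host: str) -> str:
    """Allow-list check: return host unchanged if it is an IP literal or a hostname."""
    try:
        ipaddress.ip_address(host)  # accepts IPv4 and IPv6 literals
        return host
    except ValueError:
        pass
    if _HOSTNAME_RE.match(host):
        return host
    raise ValueError(f"rejected host parameter: {host!r}")


def is_valid_host(host: str) -> bool:
    """Boolean wrapper around validate_host for callers that only need a verdict."""
    try:
        validate_host(host)
        return True
    except ValueError:
        return False


def vulnerable_command(host: str, tool: str = "echo") -> str:
    """The 'before': untrusted input concatenated into a single string for the shell."""
    return f"{tool} {host}"


def run_vulnerable(host: str, tool: str = "echo") -> str:
    """shell=True hands the string to /bin/sh, which honours ';', '|', '$(...)' etc."""
    result = subprocess.run(vulnerable_command(host, tool), shell=True,
                            capture_output=True, text=True)
    return result.stdout


def safe_argv(host: str, tool: str = "echo") -> list[str]:
    """The 'after': validated input becomes exactly one argv element, no shell."""
    return [tool, validate_host(host)]


def run_safe(host: str, tool: str = "echo") -> str:
    """Without a shell, metacharacters are never parsed; they are just bytes in argv[1]."""
    result = subprocess.run(safe_argv(host, tool), capture_output=True, text=True)
    return result.stdout


if __name__ == "__main__":
    # Constructed payload: a harmless stand-in for the page's '127.0.0.1; cat /etc/shadow'.
    PAYLOAD = "127.0.0.1; echo INJECTED"
    print("shell string:", repr(run_vulnerable(PAYLOAD)))  # two lines: the chained command ran
    try:
        run_safe(PAYLOAD)
    except ValueError as exc:
        print("allow-list  :", exc)  # rejected before any process is started
    print("safe argv   :", safe_argv("example.org"))
```

Passing an argument array removes the shell from the picture, but it does not by itself stop the child program from misreading an argument that begins with a hyphen as an option, which is why the allow-list above rejects such values rather than relying on the argv split alone. The same two-layer approach (no shell, plus validation of the one parameter the caller is allowed to choose) applies to the image-processing case, where the untrusted value is a filename rather than a hostname.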
● Examples
- 01: A ping utility that concatenates a hostname parameter, allowing 127.0.0.1; cat /etc/shadow to disclose password hashes.
- 02: An image-processing endpoint that shells out to ImageMagick and runs an attacker-supplied command via a crafted filename.
● Frequently asked questions
What is Command Injection?
An attack where user input is passed unsanitized to an operating-system shell, causing the application to execute attacker-supplied commands. It belongs to the Attacks & Threats category of cybersecurity.
What does Command Injection mean?
An attack where user input is passed unsanitized to an operating-system shell, causing the application to execute attacker-supplied commands.
How do you defend against Command Injection?
Defences for Command Injection combine technical controls and operational practices, as detailed in the full definition above: avoiding the shell by passing argument arrays to language APIs, allow-listing expected values, using validation and escaping libraries, sandboxing, running services as least-privileged users, and egress filtering to limit the damage if the flaw is exploited.
What are other names for Command Injection?
Common alternative names include: OS command injection, Shell injection.