2. What is it?
"OS Command injection" is a vulnerability that allows arbitrary commands to be executed on the operating system of the application.
What causes it?
This vulnerability happens because user controlled input (form parameters, cookies, HTTP headers, ...) is passed to the system shell without any prior validation.
What could happen?
Injected commands run with the privileges of the vulnerable application. User passwords or other sensitive data could be displayed in the application output. Files or database records could be manipulated or deleted. Services could be started or stopped.
How to prevent it?
Use framework-specific API calls instead of OS commands. If that is not possible, validate all user-supplied data against a white-list before passing it to the OS.
3. OS Command Injection
Understanding the security vulnerability
An application is vulnerable to command injection: a GET parameter 'fileToDelete' is passed to the system shell without prior validation.
An attacker crafts a malicious URL: he appends a shell command to the parameter value of a request.
The application appends the GET parameter to the command string and the malicious command is executed.
All the web application files are deleted. The web application becomes unavailable.
Application Server:
  file = request.getParameter("fileToDelete");
  execShellCommand("rm " + file);
Legitimate request:
  http://site.com/action/delete?fileToDelete=aFile.txt
Malicious request:
  http://site.com/action/delete?fileToDelete=oldFile.txt; rm -rf /var/www
Resulting shell command:
  usr@server$ rm oldFile.txt; rm -rf /
4. OS Command Injection
Realizing the impact
Commands executed as the application owner could lead to repudiation issues.
All the files of your application could be deleted, denying service and causing reputation loss and financial damages.
Customer data could get exposed, leading to privacy issues and reputational and financial damage.
5. OS Command Injection
Preventing the mistake
Use framework API functions instead of OS commands.
Validate all user controlled input (POST and GET parameters, cookies and other HTTP headers) against a white-list before passing it to the shell.
Apply the principle of least privilege to the application.
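The vulnerable pattern from the slides beside a hardened delete action, as an added example that is not part of the original deck. It assumes a constructed upload directory and an illustrative white-list regex; the function and variable names are the example's own.

```python
import os
import re
import tempfile
from pathlib import Path

# Constructed example: the only directory the delete action may touch.
UPLOAD_DIR = Path(tempfile.mkdtemp()).resolve()

# White-list for the 'fileToDelete' parameter: a plain file name made of
# letters, digits, '.', '_' and '-', not starting with '.', max 64 chars.
# Shell metacharacters (';', '|', '&', spaces, quotes) and path separators
# can never match, so nothing that reaches the OS can carry a second command.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-][A-Za-z0-9._-]{0,63}$")


def build_shell_command(file_to_delete: str) -> str:
    """The vulnerable pattern from the slide: the raw parameter is glued
    onto a command string destined for the system shell. Returned as a
    string so the injected payload is visible; it is never executed here."""
    return "rm " + file_to_delete


def is_allowed_file_name(file_to_delete: str) -> bool:
    """White-list validation: True only for a plain, well-formed file name."""
    return SAFE_NAME.fullmatch(file_to_delete) is not None


def delete_upload(file_to_delete: str, base_dir: Path = UPLOAD_DIR) -> str:
    """Hardened delete action: white-list the name, then use the platform
    API (os.remove) instead of an OS command, and confirm the resolved path
    is still directly inside base_dir (defence in depth on top of the
    white-list). Returns 'rejected', 'missing' or 'deleted'."""
    if not is_allowed_file_name(file_to_delete):
        return "rejected"
    target = (base_dir / file_to_delete).resolve()
    if target.parent != base_dir.resolve():
        return "rejected"
    if not target.is_file():
        return "missing"
    os.remove(target)
    return "deleted"


if __name__ == "__main__":
    (UPLOAD_DIR / "aFile.txt").write_text("constructed sample upload")
    print(build_shell_command("oldFile.txt; rm -rf /var/www"))
    print(delete_upload("aFile.txt"))                     # deleted
    print(delete_upload("oldFile.txt; rm -rf /var/www"))  # rejected
```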