
Command Injection

Command injection

Command injection (or OS Command Injection) is a type of injection in which an application constructs a system command from user-supplied input without correctly sanitizing that input.

Example

Imagine you have the following code running in your back-end PHP server:

<?php
// get the value of the 'filename' query string parameter
$file = $_GET['filename'];
// remove the file (vulnerable: user input goes straight into a shell command)
system("rm $file");
?>

A client accessing this application via the URL https://www.example.org/delete.php?filename=test.txt will effectively delete the file test.txt. This may be a legitimate use case. However, the script performs the delete through a system command and passes it unsanitized user input. An attacker accessing the URL https://www.example.org/delete.php?filename=test.txt;reboot will be able to reboot the server, since the resulting OS command will be rm test.txt;reboot.

Prevent command injection

Defense measures depend heavily on the framework (such as PHP) and the operating system used. In general, the following precautions should be taken:

  • Never call OS commands directly (in the example: avoid using system("<cmd>")). Instead, use the built-in functions provided by the framework in use (in the example: use PHP's unlink function).

  • Sanitize input (in the example: remove ;)
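
A hardened version of the delete.php handler, as an added example that is not part of the original page: it applies both precautions above by replacing system("rm ...") with unlink() and validating the name against an allowlist. The function name delete_user_file, the confinement to a base directory and the throwaway demo directory are assumptions of this example.

```php
<?php
// Added example, not from the original page.
// delete_user_file() and the base-directory layout are hypothetical.

/**
 * Delete $name inside $baseDir without ever invoking a shell.
 * Returns true only if a regular file inside $baseDir was removed.
 */
function delete_user_file(string $baseDir, string $name): bool
{
    // Allowlist: letters, digits, dot, dash, underscore. This excludes path
    // separators and shell metacharacters such as ';'. The example rejects
    // bad names outright instead of stripping characters from them.
    if (preg_match('/\A[A-Za-z0-9._-]{1,255}\z/', $name) !== 1) {
        return false;
    }

    $base   = realpath($baseDir);
    $target = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
    // realpath() returns false for missing paths and resolves symlinks,
    // so a link pointing outside $baseDir fails the prefix check below.
    if ($base === false || $target === false) {
        return false;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0 || !is_file($target)) {
        return false;
    }

    // unlink() is a filesystem call: the name is data, never parsed as a command.
    return unlink($target);
}

// Constructed demo input: a throwaway directory containing one file.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'cmdinj_demo_' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'test.txt', 'demo');

// The second 'test.txt' shows that an already deleted file is reported as rejected.
foreach (['test.txt;reboot', '../test.txt', 'test.txt', 'test.txt'] as $input) {
    $result = delete_user_file($dir, $input) ? 'deleted' : 'rejected';
    printf("%-16s => %s\n", $input, $result);
}
rmdir($dir);
```

In a real handler the first argument would be a fixed server-side directory and the second would come from $_GET['filename'].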

Source attribution

Some parts of this page are based on the OS Command Injection Defense Cheat Sheet, which is licensed under FLOSS.

Last updated 3 years ago