🚀 Join our AI Wargame at Black Hat Asia and our Workshop + Wargame at NDC Sydney .

Command Injection

Command injection happens when untrusted input is used to construct system command without necessary escaping that is later evaluate and executed by the operating system. An adversary exploits this vulnerability to execute arbitrary commands.

Remediation

  • Where possible avoid using untrusted input in building system commands.
  • Use a safe library that perform contextual escaping of the data and separates code from the data.

Metadata

  • Severity: critical
  • Slug: command-injection

CWEs

  • 78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
  • 88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')

OWASP

  • A03:2021: Injection
Try it yourself

Find, Hack and Fix Your First Vulnerability

Reading about security bugs is one thing — fixing one is how the skill sticks. Play a free challenge from the wargame, no setup required.