What is OS Command Injection

An overview of what OS Command Injection is, how to detect, exploit and help prevent the web vulnerability.

What is OS Command Injection?

OS Command Injection occurs when input is passed from an application to the backend operating system (OS), the supplied input is then executed by the operating system as a OS command. The vulnerability is caused by the application lacking the correct controls, such as input validation or sanitisation to prevent dangerous input being accepted and rendered by the web application as an operating system command.

The Impact of OS Command Injection

If successfully exploited OS Command Injection could allow an attacker or malicious user command execution on the target with the same permissions as the exploited web server. Depending on the configuration of the target, and level of security hardening that has been conducted (or lack there of) successful exploitation of this vulnerability could, potentially result in the attacker gaining complete control of the vulnerable system, exfiltrating sensitive data or performing privilege escalation / lateral movement.

How to Identify OS Command Injection

A vulnerable input parameter is the typical entry point for command injection, however other entry points such as HTTP headers, have also been found to be vulnerable.

A typical command injection example:


If vulnerable, and the application permitted the error to be returned in the response, a “command not found error” would be reflected.

The Different Types of OS Command Injection

Similar to SQL Injection there are different types or command injection vulnerabilties:

What is Error Based Command Injection

The injected command induces an error message which is returned in the response by the web application (reflected).

What is Blind Command Injection

The target application is vulnerable to command injection, however no error is rendered by the application in this case the attacker would perform a proof of concept using either time based, out-of-band or by redirecting output to a file location they could read such a web root. A typical example of this would be

echo test123 > /var/www/html/test.txt

the attacker would then browse to the web root to verify the command output within the test.txt time.

What is Time Based Command Injection

The injected command uses a timed based payload, such as

ping -c 10

the response from the web server is then timed to see if it roughly matches the injected payload delay time.

What is Out-of-Band (OOB) Command Injection

The injected OS command uses an Out-of-Band method of communication to perform a proof of concept, verifying that the injected OS command has been executed by the target operation system, as a command. For example a DNS lookup or a HTTP request to an attacker controlled server using nslookup



How to Prevent OS Command Injection

  • Avoid directly calling operating system commands directly from the web application
  • Use an API with the correct controls in place to prevent command injection

OS Command Injection FAQ

Are Code Injection and OS Command Injection the same Vulnerability?

No, code injection is the insertion of application code which is then executed by the web server as if it were application code, resulting in remote code execution. OS command injection is the insertion of user supplied input, which is then rendered by the target web servers operation system an OS command.

Does the OWASP Top 10 Include Command Injection?

Yes, the OWASP Top 10 includes command injection under injection attacks.

Does Command Injection Have Other Names?

Yes the vulnerability is also know as:

  • CMD Injection
  • OS CMD Injection
  • Shell injection

Learn about more web application security vulnerabilities in our Cyber Security Academy.

[Total: 0   Average: 0/5]