Command Injection

Command injection happens when untrusted input is used to construct system command without necessary escaping that is later evaluate and executed by the operating system. An adversary exploits this vulnerability to execute arbitrary commands.

Remediation

Where possible avoid using untrusted input in building system commands.
Use a safe library that perform contextual escaping of the data and separates code from the data.

Metadata

Severity: critical
Slug: command-injection

CWEs

78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')

OWASP

A03:2021: Injection

Available Labs

Select a language to explore available labs for this vulnerability.

1 Lab

C Labs

C 1 lab

Explore 1 lab in C.

2 Labs

Cpp Labs

Cpp 2 labs

Explore 2 labs in Cpp.

2 Labs

Csharp Labs

Csharp 2 labs

Explore 2 labs in Csharp.

1 Lab

Github Labs

Github 1 lab

Explore 1 lab in Github.

2 Labs

Go Labs

Go 2 labs

Explore 2 labs in Go.

2 Labs

Java Labs

Java 2 labs

Explore 2 labs in Java.

2 Labs

Javascript Labs

Javascript 2 labs

Explore 2 labs in Javascript.

2 Labs

Python Labs

Python 2 labs

Explore 2 labs in Python.

2 Labs

Ruby Labs

Ruby 2 labs

Explore 2 labs in Ruby.

2 Labs

Typescript Labs

Typescript 2 labs

Explore 2 labs in Typescript.

No matching labs found

Try adjusting your language filter.

Play AppSec WarGames

Want to skill-up in secure coding and AppSec? Try SecDim Wargames to learn how to find, hack and fix security vulnerabilities inspired by real-world incidents.

For Companies Play Now

Got a comment?

Join our secure coding and AppSec community. A discussion board to share and discuss all aspects of secure programming, AppSec, DevSecOps, fuzzing, cloudsec, AIsec code review, and more.