OS Command Injection Cheat Sheet, Attack Examples & Protection

An Operating System (OS) command injection attack occurs when an attacker attempts to execute system level commands through a vulnerable web application. Applications are considered vulnerable to the OS command injections if they can be manipulated into executing unauthorized system commands via the web interface.

What is OS Command injection?
These high-impact attacks basically involve the injecting of malicious commands into valid commands. Meta-characters (&, |, //;) are usually used to merge commands and create malicious OS Command Injections.

Just like SQL injections, OS Command injections can be either blind or error-based, with error-based ones being more severe due to their transparent and obvious nature.

OS Command injection examples
This example is a web application that intends to perform a DNS lookup of a user-supplied domain name. It is subject to the first variant of OS command injection.

use CGI qw(:standard);
$name = param('name');
$nslookup = "/path/to/nslookup";
print header;

if (open($fh, "$nslookup $name|")) {
  while (<$fh>) {
    print escapeHTML($_);
    print "<br>\n";

Suppose an attacker provides a domain name like this: cwe.mitre.org%20%3B%20/bin/ls%20-l

The %3B sequence decodes to the “;” character, and the %20 decodes to a space. The open() statement would then process a string like this: /path/to/nslookup cwe.mitre.org ; /bin/ls -l

As a result, the attacker executes the “/bin/ls -l” command and gets a list of all the files in the program’s working directory. To make matters worse, a more dangerous payload can be crafted to perform more severe malicious actions.
This code didn’t validate or sanitize the user input before using it in the execute command. Hence the attacker was able to run the desired command on the server.

How to prevent OS Command Injection attacks?
Ideally, a developer should use existing APIs for their relevant programming languages.

For example, while programming with Java, the developer should use the available Java API located at javax.mail.*. If no such available API exists, the developer should validate the input using Regex or a whitelist of accepted values. This is much better than using Runtime.exec() (see code below) to issue a ‘mail’ command.

Class Win32 extends OS {
    public void email (String subject, String body) throws Exception {
        String cmd = "cmd.exe /c start \"\"\"" + formatMailto(subject, body) + "\"";

When it’s not technically possible to remove the command execution, the best way to stay protected is to execute only static strings that do not include user input.