Remote OS Command Injection

OS Command Injection is an attack technique that allows unauthorized execution of arbitrary operating system commands on the host server through a vulnerable application. It occurs when an application incorporates user-supplied data, such as form fields, cookies, or HTTP headers, into system shell commands without proper validation or sanitization. When exploited, the injected commands are typically executed with the same privileges as the vulnerable application, giving attackers direct access to the underlying operating system.

A successful OS Command Injection attack can have severe consequences, including unauthorized access to sensitive data, modification or deletion of files, installation of malware, and full compromise of the underlying server. Attackers can chain injected commands using shell metacharacters such as semicolons, pipes, or backticks to escalate privileges, pivot to other systems on the network, or establish persistent remote access. Because the commands run at the application privilege level, a high-privilege service can grant an attacker complete control over the host.

Whenever possible, avoid invoking operating system commands directly from application code. Use language-native libraries or APIs to achieve the desired functionality instead of shelling out to external processes. For example, in Java use javax.mail rather than calling the system mail command via Runtime.exec().

If executing OS commands is unavoidable, never construct command strings by concatenating user input. Use parameterized APIs that accept arguments as separate array elements, such as ProcessBuilder in Java or execve() in C, which enforce a clear separation between the command and its arguments and prevent shell interpretation of special characters.

Apply strict input validation using an allow-list approach that only accepts values conforming to expected formats, such as alphanumeric characters or a defined set of safe tokens. Reject or sanitize any input containing shell metacharacters like ;, |, &, $, backticks, or newlines.

Run the application with the least privileges necessary and use OS-level sandboxing mechanisms such as chroot jails, containers, AppArmor, or SELinux to limit the scope of damage if command injection does occur.