Remote OS Command Injection (Time Based)

ID

remote_os_command_injection_time_based

Severity

critical

Kind

OS Command Injection

CWE

78

Description

An attack technique used for unauthorized execution of operating system commands. The attack is possible when an application accepts untrusted input and uses it to build operating system commands in an insecure manner, through improper data sanitization and/or improper invocation of external programs.

Rationale

OS command injection allows attackers to execute arbitrary operating system commands by inserting malicious input into parameters that are passed to system shell functions. Attackers exploit insufficient input validation by injecting shell metacharacters and command separators to append their own commands. Time-based detection identifies this vulnerability by injecting delay commands like sleep or ping and measuring response times, confirming command execution even when output is not directly visible. Successful exploitation grants attackers the same privileges as the web application, enabling data theft, system modification, or pivot points for further network compromise.

Remediation

Use library calls and APIs rather than invoking external shell commands. If shell execution is unavoidable, use parameterized command execution functions that separate commands from arguments, such as execve() in C or ProcessBuilder in Java, instead of functions like system() that invoke a shell. Implement strict input validation using allow lists that only permit expected characters and values. Apply proper output encoding and escaping for any user input passed to commands, though parameterized APIs are strongly preferred. Run applications in sandboxed environments like chroot jails, AppArmor, or SELinux to limit damage from successful exploitation. Never pass user input directly to shell interpreters or command concatenation functions.
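The remediation pattern above, as an added example in Python that is not part of this check's description: a concatenated shell command line (the vulnerable form, shown but not executed) beside an argv-list execution with an allow-list check. The program and flags (`ping -c 1`) and the hostname allow list are illustrative assumptions; `echo_argument` substitutes the Python interpreter for `ping` so the demonstration runs offline.

```python
import re
import subprocess
import sys

# Allow list for a hostname or IPv4 literal (assumed policy): letters, digits,
# dots and hyphens. Separators and metacharacters (; | & ` $ ( ) spaces,
# newlines, ...) fall outside the pattern and are rejected before any call.
_HOST_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$")


def is_allowed(value: str) -> bool:
    """True if value matches the hostname allow list."""
    return _HOST_RE.fullmatch(value) is not None


def validate_host(value: str) -> str:
    """Return value unchanged if allowed, otherwise raise ValueError."""
    if not is_allowed(value):
        raise ValueError(f"rejected host argument: {value!r}")
    return value


def vulnerable_command_line(host: str) -> str:
    """Before: untrusted input concatenated into one string. Passing this to
    subprocess.run(..., shell=True) hands it to /bin/sh, which interprets any
    separators inside `host` as additional commands. Shown only, never run."""
    return "ping -c 1 " + host


def hardened_argv(host: str) -> list:
    """After: validated input becomes exactly one argv element. With a list
    and shell=False (the default) no shell parses the arguments."""
    return ["ping", "-c", "1", validate_host(host)]


def run_argv(argv: list) -> str:
    """Execute an argv list without a shell and return its stdout."""
    done = subprocess.run(argv, capture_output=True, text=True, check=True)
    return done.stdout.strip()


def echo_argument(value: str) -> str:
    """Stand-in for ping: run the interpreter via an argv list and print the
    argument it received. Even without validation the value arrives as one
    literal string, which is the property parameterized execution provides."""
    return run_argv([sys.executable, "-c", "import sys; print(sys.argv[1])", value])
```

Validation and argv-list execution are complementary layers: the list form stops the shell from interpreting the input, and the allow list stops unexpected values (for example option-like strings) from reaching the program at all.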