- Listen to our monthly AppSec Stats Flash podcast
- LEARN MORE
With a command injection attack, the goal is to execute arbitrary commands on the host operating system via a vulnerable application. Command injection attacks are possible when an application passes unsafe user-supplied data (forms, cookies, HTTP headers, etc.) to a system shell. In this attack, the attacker-supplied OS commands are usually executed with the privileges of the vulnerable application. Command injection attacks are possible largely due to insufficient input validation.
This attack differs from code injection, in that code injection allows attackers to add their own code that is then executed by the application. In code injection, the attacker extends the default functionality of the application without the necessity of executing system commands.
One high-profile Command Injection vulnerability has been ImageTragick, which exploited several weaknesses in ImagicMagick, a package commonly used by web services to process images.