OS Command Injection

OS Command Injection is an attack technique used for unauthorized execution of operating system commands. The goal of an OS Command Injection is the execution of arbitrary commands on the host operating system via a vulnerable application. OS Command Injection attacks are possible when an application passes unsafe user-supplied data (forms, cookies, HTTP headers, and so on) to a system shell. In this attack, the attacker-supplied OS commands are usually executed with the privileges of the vulnerable application. OS Command Injection attacks are possible largely due to insufficient input validation. 

This attack differs from Code Injection, in that code injection allows attackers to add their own code that is then executed by the application. In code injection, the attacker extends the default functionality of the application without the necessity of executing system commands. 

Command injection attacks execute arbitrary commands on a host operating system using the privileges of vulnerable applications. The hacker introduces operating system commands via user- supplied data such as cookies or forms. These attacks are only possible because of inadequate input validation. Watch this webinar by Threat Research Center experts to learn best practices with real world examples how command injection works and how you can prevent them.