Command Injection



Description

Command injection is a vulnerability that allows an attacker to manipulate an application to execute arbitrary system commands on the server. This occurs when an application passes unsafe data, often user input, to a system shell.


Examples/Methods/Results

Simple Example

A vulnerable web application might take a path from a query parameter and use it to read a file. If an attacker uses a payload such as ; ls -la in the file parameter, they can make the application execute an additional command that lists all files in the current directory.The server then executes the cat command and the ls command and the attacker receives a list of all files in the current directory.

No image found

Checklist

Things to consider:

No image found

Further Readings

PortSwigger
OWASP