Command Injection - Vulnerability Database

Command Injection

Description

Command injection vulnerabilities allow attackers to execute arbitrary operating system commands on the server by manipulating user-supplied input. This occurs when an application passes unsanitized user input directly to system shell commands or scripting language interpreters. Attackers can inject malicious commands using shell metacharacters (such as semicolons, pipes, or backticks) to break out of the intended command context and execute their own code with the privileges of the web server process.

Remediation

Implement the following security measures to prevent command injection attacks:

1. Avoid System Commands: Whenever possible, use native language functions instead of executing system commands. For example, use built-in file operations rather than calling shell commands.

2. Input Validation: Implement strict allowlist validation that only permits expected characters and patterns. Reject any input containing shell metacharacters such as: ; | & $ ` \ ! > < ( ) [ ] { } * ? ~

3. Use Parameterized APIs: When system commands are necessary, use parameterized APIs that separate commands from arguments:

// Vulnerable code:
system("ping -c 4 " . $_GET['host']);

// Secure alternative using escapeshellarg():
$host = escapeshellarg($_GET['host']);
system("ping -c 4 " . $host);

// Better: use native functions or libraries
// that don't invoke a shell

4. Principle of Least Privilege: Run the web application with minimal necessary permissions to limit the impact of successful exploitation.

5. Security Controls: Implement additional layers such as Web Application Firewalls (WAF) and runtime application self-protection (RASP) to detect and block command injection attempts.
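The first three measures above (prefer native functions, allowlist the input, keep command and arguments separate) combined in one place, as an added example that is not part of this database entry. It is written in Python rather than the PHP of the snippet above; the names validate_host, build_ping_argv and run_ping are this example's own, and the sample inputs at the bottom are constructed.

```python
import ipaddress
import re
import subprocess

# Allowlist for a DNS hostname: labels of letters, digits and hyphens joined by
# dots. Shell metacharacters (; | & $ ` and the rest) can never match it, and a
# label may not start with "-", so a value cannot be parsed by ping as an option.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def is_valid_host(host: str) -> bool:
    """True if host is an IP address or an allowlisted hostname."""
    try:
        ipaddress.ip_address(host)  # native parser instead of a regex for IPs
        return True
    except ValueError:
        return _HOSTNAME_RE.fullmatch(host) is not None


def validate_host(host: str) -> str:
    """Return host unchanged when it passes the allowlist, otherwise raise."""
    if not is_valid_host(host):
        raise ValueError(f"rejected host value: {host!r}")
    return host


def build_ping_argv(host: str) -> list[str]:
    """Build the command as an argument vector: every element reaches ping as
    exactly one argument, so there is no string for a shell to re-tokenize."""
    return ["ping", "-c", "4", validate_host(host)]


def run_ping(host: str) -> subprocess.CompletedProcess:
    """Execute without a shell (a list argv with the default shell=False)."""
    return subprocess.run(build_ping_argv(host), capture_output=True,
                          text=True, timeout=30, check=False)


if __name__ == "__main__":
    # Constructed inputs: two legitimate hosts and two that carry metacharacters.
    for candidate in ["example.com", "192.0.2.1", "example.com; ls", "`ls`.example"]:
        try:
            print(candidate, "->", build_ping_argv(candidate))
        except ValueError as err:
            print(err)
```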

Related Vulnerabilities