Command Injection is a critical vulnerability that occurs when an application passes unsafe user-supplied data to a system shell or operating system command interpreter. This flaw allows an attacker to execute arbitrary system commands on the host operating system through the vulnerable application. The commands are executed with the same privileges as the running application, often resulting in full compromise of the affected system.

Command Injection attacks differ from Code Injection in that the attacker’s payload targets the operating system command line, not the application’s internal language interpreter. In this case, the injected input is treated as part of a shell command (e.g., /bin/sh, cmd.exe, powershell) and can chain multiple commands or alter command parameters.

Common vulnerable scenarios include:

• Applications invoking system utilities via APIs such as system(), exec(), Runtime.getRuntime().exec(), popen(), or Process.Start().
• Unsanitized input passed into shell commands for file handling, network utilities, or diagnostic functions.
• Use of input values to build command strings dynamically (e.g., ping, cat, grep, tar, or curl operations).
• Web frameworks, plugins, or scripts that rely on OS-level processes to perform tasks like compression, conversion, or network scanning.

Example of unsafe code:

// C# Example
var result = Process.Start("ping " + userInput);

If the user provides input like 127.0.0.1 && del C:\Windows\System32, it can lead to destructive command execution.

Typical impacts:

• Complete compromise of the underlying server operating system
• Unauthorized access to sensitive files or credentials
• Service disruption or data destruction
• Lateral movement across internal systems
• Persistent malware or shell installation

Root causes include:

• Direct concatenation of unvalidated input into command-line strings
• Lack of input validation and context-aware escaping
• Overuse of OS utilities instead of safe library functions
• Poor privilege management or sandboxing

To eliminate Command Injection vulnerabilities, applications should never trust user-supplied data for system command execution.

1. Avoid Shell Invocation
   The most effective mitigation is to avoid calling the system shell entirely. Use built-in library functions or APIs instead of invoking external processes.

2. Parameterization and Safe APIs
   When shell execution is unavoidable, pass arguments as separate parameters rather than string concatenation.

   // C# safe example (arguments passed separately)
   var proc = new Process();
   proc.StartInfo.FileName = "ping";
   proc.StartInfo.Arguments = userInput; // validate separately
   proc.Start();
   

3. Input Validation (Whitelisting)
   Validate inputs against a strict whitelist of acceptable patterns such as IP addresses, filenames, or numeric values. Disallow shell metacharacters like &, |, ;, $, <, >, and backticks.

4. Output Encoding and Escaping
   If user input must appear in a command, escape special characters according to OS-specific rules. Use this only as a secondary measure.

5. Principle of Least Privilege
   Run applications with the minimum required privileges to limit the impact of potential exploitation.

6. Disable Unnecessary Functionality
   Disable access to dangerous system utilities and interpreters. Use OS-level controls (AppArmor, SELinux) to restrict process execution.

7. Error Handling and Logging
   Avoid exposing command execution errors to users. Log command invocations securely for monitoring and auditing.

8. Input Normalization
   Normalize inputs before validation to eliminate hidden encodings (e.g., Unicode or escaped sequences).

9. Defense in Depth
   Use WAFs, IDS, and system monitoring tools to detect abnormal command execution behavior.

10. Testing and Review
    Conduct code reviews, static analysis, and penetration testing to identify injection flaws in development and production environments.

• OS Commanding
• Command Injection
• OS Command Injection
• OS Command Injection Defense Cheat Sheet
• CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H