Remote OS Command Injection

OWASP 2013-A1 OWASP 2017-A1 OWASP 2021-A3 OWASP 2019-API8 PCI v3.2-6.5.1 OWASP PC-C5 CAPEC-88 CWE-78 HIPAA-164.308(a) ISO27001-A.14.2.5 WASC-31 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H WSTG-INPV-11

Code injection attack is an injection attack through which an attacker can execute any malicious commands on the host operating system via the application. This attack is possible because the application passes unsafe user-supplied data to the system shell. The attacks can be done via forms, cookies, HTTP headers etc. In this attack, the operating system commands sent by the attacker is executed with the execution privileges of the vulnerable application. This type of attacks is largely due to insufficient input validation.

There are servers that pass unsafe user-supplied data to the system shell. The attacker can supply operating system commands and can execute with the privileges of the server application. The attacker uses code injection to extend the functionality of the application via his malicious code.


The impact include:-

  • Executing commands on the underlying operating system.
  • injection attack
  • Data loss

Mitigation / Precaution

Beagle recommends the following fixes:-

  • Using an existing API for the language.
  • Implement a positive security model.

Related Articles