What is command injection?
Answer
Command injection occurs when an application passes unsafe user-supplied data into a system shell (OS command) and the shell interprets part of that data as a command of its own.

Example: exec("ping " + userInput). An attacker enters 8.8.8.8; cat /etc/passwd, and because the shell treats ; as a command separator, ping runs and then cat reads the passwd file. Other shell metacharacters that chain or substitute commands behave the same way: &&, ||, | (pipe), backticks, and $(...).

Prevention:
(1) Avoid OS command calls altogether; use language-native library functions instead (e.g., a DNS library instead of calling nslookup).
(2) If a command is unavoidable, use an API that passes the command and its arguments separately so no shell ever parses them: subprocess.run(['ping', user_input]) in Python (list form, not a single string). Shell metacharacters in user_input are then passed to ping as a literal argument rather than interpreted. Note that this does not stop the called program itself from interpreting the value (for example as an option if it begins with -), so input validation is still needed.
(3) Input validation: whitelist the allowed characters (for a hostname or IP, letters, digits, dots and hyphens only).
(4) Apply least privilege to the process that executes commands.
(5) Run it in a sandboxed environment.

Impact: command injection can lead to full server compromise, since the injected commands run with the privileges of the application process.