Command Injection


Applications often execute external commands as a part of their functionality. If the attacker is able to manipulate the choice of external commands or their parameters, the attacker will be able to abuse this functionality to execute arbitrary commands. If an attacker is able to execute arbitrary commands, they are typically able to take over the application and possibly take over the entire system. All applications that use external applications are affected by command injection vulnerabilities. Web applications are particularly at risk, because they are exposed to the Internet.


Command injection allows an attacker to execute arbitrary commands. In a small minority of cases, there will be limits on the scope of the available commands due to unintended peculiarities of the application's inner workings, but most of the time an attacker can take full control of the application using this vulnerability. If the attacker is able to leverage additional vulnerabilities or the server is not configured properly, the attacker will be able to take full control of the system. A command injection vulnerability acts as a virtual backdoor for an attacker to use the application and the server for their purposes. Any data that is stored by or accessed by the application can also be compromised as a result of command injection.


To prevent command injection vulnerabilities, validate all input, use parameterized APIs to execute external commands if such APIs are available, and avoid using external commands if possible.

Application Check

To check for adequate protection against this vulnerability, ensure that all input is validated, parameterized APIs are used, and external commands are avoided.

Computer Based Training Links

Use the following Computer Based Training course(s) for more background information about this type of vulnerabilities.

OWASP Top Threats & Mitigations

This course examines in depth the vulnerabilities, threats, and mitigations described in the OWASP Top 10 2013. Upon completion of this class, participants will be able to identify and mitigate the greatest threats that web application developers face, including: Injection, Broken Authentication and Session Management, Cross-Site Scripting (XSS), Insecure Direct Object References, Security Misconfiguration, Sensitive Data Exposure, Missing Function Level Access Control, Cross-Site Request Forgery (CSRF), Using Components with Known Vulnerabilities, and Unvalidated Redirects and Forwards.

DES 221 OWASP Top Threats & Mitigations

Valid login credentials and enrollment in the course itself are required to access Team Professor content. If you need login credentials, please contact for help.

!Have a comment about this article? Send our team an email.