Command Injection

Description

Command injection is a vulnerability that lets an attacker execute arbitrary operating-system commands on the server. It occurs when an application passes unvalidated user input (from forms, cookies, HTTP headers, etc.) directly to the system shell. The injected commands run with the same permissions as the vulnerable application. Command injection is possible largely because of insufficient input validation.

Examples

Java

String userInput = request.getParameter("input"); // untrusted request parameter
Runtime.getRuntime().exec("ls " + userInput);    // concatenated straight into the command

JavaScript

const userInput = req.body.input; // untrusted request body field
const exec = require('child_process').exec;
// exec() hands the whole string to /bin/sh, so shell metacharacters in
// userInput are interpreted by the shell
exec('ls ' + userInput, (error, stdout, stderr) => {
  console.log(stdout);
});

PHP

$userInput = $_GET['input'];   // untrusted query parameter
system('ls ' . $userInput);    // passed to the shell unescaped

Recommendation

To mitigate the command injection vulnerability, here are some recommendations:

  • Input Validation and Sanitization: Always validate and sanitize user inputs. Ensure that any user-supplied data passed to the system shell or command execution functions is sanitized and restricted to expected characters or patterns.

  • Least Privilege Principle: Run your application or services with the least possible privileges required to perform necessary actions. Avoid running services with superuser or administrator privileges.

  • Avoid Executing User-Supplied Input: Refrain from executing user-supplied data directly within commands or system shells. Validate and use whitelists or predefined options wherever possible.

  • Use Security Libraries: Employ security-focused libraries or frameworks that handle user inputs and command execution securely. These libraries often provide functions or methods that mitigate common vulnerabilities.

Examples

Java

import java.io.IOException;
import java.util.Scanner;

public class SafeList {
    public static void main(String[] args) throws IOException, InterruptedException {
        Scanner scanner = new Scanner(System.in);

        System.out.print("Enter the file name: ");
        String userInput = scanner.nextLine(); // Takes user input

        // Sanitize user input to prevent command injection
        String sanitizedInput = userInput.replaceAll("[^A-Za-z0-9]", ""); // Example sanitization

        // Command execution: the program and each argument are passed separately,
        // so no shell ever parses the user-controlled value
        ProcessBuilder processBuilder = new ProcessBuilder("ls", "-l", sanitizedInput);

        // Redirect error stream to output
        processBuilder.redirectErrorStream(true);

        Process process = processBuilder.start();
        process.getInputStream().transferTo(System.out); // Print the command output
        process.waitFor();
    }
}

PHP

<?php
// User-supplied filename
$userInput = $_POST['filename'] ?? ''; // Example: 'file.txt'

// Validate and sanitize user input
if (preg_match('/^[a-zA-Z0-9_\.]+$/', $userInput)) { // Allow only letters, digits, underscore and dot
    // Safely escape the user input to prevent command injection
    $escapedInput = escapeshellarg($userInput);

    // Command execution using the sanitized input
    $command = "ls -l " . $escapedInput;
    $output = shell_exec($command);

    // Encode the output so file names cannot inject HTML into the page
    echo "<pre>" . htmlspecialchars((string) $output, ENT_QUOTES, 'UTF-8') . "</pre>";
} else {
    echo "Invalid filename input!";
}
?>

Standards

  • CWE_TOP_25:
    • CWE_20
    • CWE_78
  • GDPR:
    • ART_5
    • ART_32
  • PCI_STANDARDS:
    • REQ_6_2
    • REQ_6_3
    • REQ_11_3