This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.

OWASP Periodic Table of Vulnerabilities - OS Commanding

OS Commanding

Root Cause Summary

OS-level commands are built by splicing dynamic (attacker-influenced) data into the command text that is handed to a shell or interpreter. Because the data is parsed as part of the command grammar rather than as a literal argument, an attacker can append additional commands (through shell metacharacters such as `;`, `|`, `&&` or backticks) or manipulate the arguments and options of the original command.

Browser / Standards Solution


Perimeter Solution


Generic Framework Solution


Custom Framework Solution

Build safe wrappers for system calls which prevent dynamic data from changing the intended meaning of the call: pass arguments as a vector directly to the program instead of through a shell, validate each dynamic argument against an allow-list of what the target program actually accepts, and reject or neutralize values that would be parsed as options (a leading `-`), since those are argument injection even when no shell is involved.

Custom Code Solution


Discussion / Controversy

Many common system calls already have safe wrappers in generic application frameworks (file, mail and network APIs that never touch a shell). Thus, most unsafe calls are likely to be made when accessing application-specific batch processes or system features for which no such wrapper exists, and so these must be given a custom framework wrapper to ensure that the intended syntax is generated safely. Shell-level escaping or quoting of the dynamic data is a weaker fallback for the cases where a shell genuinely cannot be avoided, not a substitute for keeping the data out of the command grammar.
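As an added example, not part of the original OWASP page, the following Python places the root cause beside the custom-framework wrapper described above. `echo` stands in for an application-specific batch job; the two filenames are constructed inputs; the allow-list pattern, the `UnsafeArgumentError` type and the function names are assumptions for this illustration. `run_unsafe` shows a second command smuggled through `;`, `run_safe` shows the argv-vector wrapper with validation, and `run_quoted` shows the shell-quoting fallback.

```python
import re
import shlex
import subprocess

# Constructed sample inputs for this illustration (not from the original page).
SAFE_NAME = "report-2024.txt"
HOSTILE_NAME = "report.txt; echo INJECTED"   # ';' smuggles a second command


class UnsafeArgumentError(ValueError):
    """Raised by the safe wrapper when dynamic data fails the allow-list check."""


def run_unsafe(filename):
    """Vulnerable pattern: dynamic data is spliced into a command string that is
    handed to /bin/sh. The ';' in HOSTILE_NAME ends the intended command and
    starts an attacker-chosen one. ('echo' stands in for a batch job.)"""
    cmd = f"echo Processing {filename}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


# Allow-list for what a filename argument may look like in this hypothetical
# application; tighten it to whatever the real batch job actually accepts.
_ALLOWED_NAME = re.compile(r"[A-Za-z0-9._-]{1,64}")


def validate_filename(name):
    """Reject anything outside the allow-list, and also a leading '-', which is
    not a shell metacharacter but would be parsed as an option by the target
    program (argument injection)."""
    if not _ALLOWED_NAME.fullmatch(name) or name.startswith("-"):
        raise UnsafeArgumentError(f"rejected argument: {name!r}")
    return name


def run_safe(filename):
    """Safe wrapper: no shell at all. The argument vector goes straight to
    exec(), so the string reaches the program as one argv entry whatever
    characters it contains; validation limits what that entry may be."""
    argv = ["echo", "Processing", validate_filename(filename)]
    return subprocess.run(argv, shell=False, capture_output=True,
                          text=True, check=True).stdout


def run_quoted(filename):
    """Fallback when a shell is unavoidable (pipelines, redirections): quote the
    dynamic data so the shell treats it as a single literal word. Still prefer
    run_safe(); quoting does not stop option injection (leading '-')."""
    cmd = "echo Processing " + shlex.quote(filename)
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    print(repr(run_unsafe(HOSTILE_NAME)))   # 'Processing report.txt\nINJECTED\n'
    print(repr(run_quoted(HOSTILE_NAME)))   # 'Processing report.txt; echo INJECTED\n'
    print(repr(run_safe(SAFE_NAME)))        # 'Processing report-2024.txt\n'
    try:
        run_safe(HOSTILE_NAME)
    except UnsafeArgumentError as exc:
        print("blocked:", exc)
```

The difference to notice is where the parsing happens: in `run_unsafe` the shell parses the attacker's data as command syntax, in `run_quoted` the shell still parses it but quoting forces it into one word, and in `run_safe` no shell ever sees it. The leading-dash check matters even for the argv version, because the target program parses its own options.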


Command Injection
OS Commanding (WASC)
OS Command Injection (CWE)