This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit

Talk:Command Injection

Jump to: navigation, search

The examples 1 through 3 and 5 are kind of old and redundant.

I would advise rather

  • adding one more web application specific vulnerability and put them on the top
  • adding shellshock
  • for C-oldfart stuff I would at least replace ls -l by rm -rf /
  • I would restrict on ONE example in C. It's not very often nowadays that somebody has written a SUID/SGID wrapper. This is more a school example than of practical use.