
Command Injection Defense Cheat Sheet

Revision as of 18:13, 13 November 2017 by Jmanico (removed work in progress)


Last revision: 11/13/2017


This cheat sheet provides best practices for developers to follow to avoid the risk of Command Injection.


1) What is Command Injection?

2) Defense against unintentional OS interaction

2a) Local File Inclusion (LFI)

2b) Remote File Inclusion (RFI)

2c) Code-level injection

  • Environment variables
  • Dynamic code generation
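As an added example for sections 2a and 2b (not part of the original cheat sheet), the following Python shows one defensive pattern for a feature that includes a file by a client-supplied name: reject remote schemes outright, reject NUL bytes, allowlist the extension, and require the resolved path to stay inside a fixed base directory. The TEMPLATE_ROOT location and the allowed suffixes are assumptions chosen for the example.

```python
from pathlib import Path

# Assumed for this example: the only files the application may include
# live under this directory and carry one of these extensions.
TEMPLATE_ROOT = Path("/var/www/app/templates")
ALLOWED_SUFFIXES = {".html", ".txt"}


class UnsafeIncludeError(ValueError):
    """Raised when an include name fails one of the checks below."""


def resolve_include(name: str, root: Path = TEMPLATE_ROOT) -> Path:
    """Map an untrusted include name to a file strictly inside `root`.

    Checks, in order:
      1. no URL scheme or protocol-relative prefix (blocks RFI)
      2. no NUL byte (NUL truncates paths in C-level file APIs)
      3. extension on the allowlist (blocks including config/code files)
      4. the fully resolved path, with '..' and symlinks collapsed, must
         still be under `root` (blocks LFI / path traversal)
    """
    if "://" in name or name.startswith("//"):
        raise UnsafeIncludeError("remote includes are not permitted")
    if "\x00" in name:
        raise UnsafeIncludeError("NUL byte in include name")

    root = root.resolve()
    # Path.resolve() normalises '..' and follows symlinks; an absolute
    # `name` replaces `root` entirely, which the containment check catches.
    candidate = (root / name).resolve()

    if candidate.suffix not in ALLOWED_SUFFIXES:
        raise UnsafeIncludeError(f"extension {candidate.suffix!r} not allowed")
    try:
        candidate.relative_to(root)
    except ValueError:
        raise UnsafeIncludeError("path escapes the template root") from None
    return candidate


def is_safe_include(name: str, root: Path = TEMPLATE_ROOT) -> bool:
    """Boolean convenience wrapper around resolve_include()."""
    try:
        resolve_include(name, root)
        return True
    except UnsafeIncludeError:
        return False


if __name__ == "__main__":
    # Constructed sample inputs: the first two are legitimate, the rest are
    # classic LFI/RFI payloads that the checks reject.
    for sample in [
        "header.html",
        "partials/footer.html",
        "../../../../etc/passwd.txt",
        "/etc/passwd.txt",
        "http://evil.example/shell.txt",
        "header.html\x00.php",
        "config.php",
    ]:
        print(f"{sample!r:40} -> {'ok' if is_safe_include(sample) else 'REJECTED'}")
```

The containment check is done on the resolved path rather than on the raw string, so encodings of ".." that a string filter would miss are still caught; the allowlisted extension is checked after resolution for the same reason.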

3) Safe design for features where OS interaction is intentional

3a) e.g. safely calling ImageMagick to do image manipulation, etc.

3b) TBD codegen example?

3c) TBD example

4) Summary

TBD: takeaway list of language-agnostic approaches

TBD: takeaway list of language-specific approaches



Authors and Primary Editors

Jim Manico - jim[at]

Scott Davis - scott_davis[at]
