This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit

OS Command Injection

Revision as of 15:29, 30 June 2006 by Esheridan (talk | contribs)

Jump to: navigation, search
This is an Attack. To view all attacks, please see the Attack Category page.


An OS command injection attack occurs when an attacker attempts to execute system level commands through a vulnerable application. Applications are considered vulnerable to the OS command injection attack if they utilize user input in a system level command.


The following trivial code snippets are vulnerable to OS command injection on the Unix/Linux platform:

  • C:
#include <stdlib.h>
#include <stdio.h>
#include <string.h>

int main(int argc, char **argv)
     char command[256];

     if(argc != 2) {
          printf("Error: Please enter a program to time!\n");
          return -1;

     memset(&command, 0, sizeof(command));

     strcat(command, "time ./");
     strcat(command, argv[1]);

     return 0;
  • If this were a suid binary, consider the case when an attacker enters the following: 'ls; cat /etc/shadow'. In the Unix environment, shell commands are separated by a semi-colon. We now can execute system commands at will!
  • Java:
import java.util.*;

public class Exec
     public static void main(String args[])
               Runtime rt = Runtime.getRuntime();
               Process proc = rt.exec("time ./" + args[0]);
          catch(Exception e)
  • The same situation applies to the Java program as it did to the C program. An attacker has the ability to execute arbitrary system level commands through your application.

Related Threats

Related Attacks

Related Vulnerabilities

Related Countermeasures

Ideally, a developer should use existing API for their language. For example (Java): Rather than use Runtime.exec() to issue a 'mail' command, use the available Java API located at javax.mail.*

If no such available API exists, the developer should scrub all input for malicious characters. Implementing a positive security model would be most efficient. Typically, it is much easier to define the legal characters than the illegal characters.


This article is a stub. You can help OWASP by expanding it or discussing it on its Talk page.