Command Injection
What is Command Injection?
Command injection is a vulnerability in which untrusted input is passed to a system shell or command interpreter in an unsafe way, allowing an attacker to execute unintended operating system commands.
Examples
- A web application passes user input into a server-side system command, and an attacker manipulates that input so extra commands run on the host.
- An administrative tool meant to test network connectivity accepts a hostname parameter unsafely, allowing the attacker to alter the underlying shell command.
Discover 🔎
Applications often interact with the operating system behind the scenes. They may call utilities to process files, run diagnostics, convert formats, test connectivity, or automate administrative tasks. That is not automatically dangerous. The danger appears when user input is mixed into those commands carelessly.
Command injection matters because it can turn a simple application input into direct operating system control. At that point, the attacker is no longer just influencing the application’s own logic. They may be influencing the host itself.
Summary 📝
Command injection is a vulnerability caused by unsafe use of untrusted input in operating system command execution. It allows an attacker to influence or extend the command that the host system receives, potentially leading to file access, data manipulation, network abuse, or broader server compromise. The strongest defenses are to avoid shell execution where possible, separate command arguments safely, restrict privileges, and design applications so user input never becomes shell control logic.
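The connectivity-check tool from the examples above, written out as an added illustration that is not part of the original page: the vulnerable string-concatenation pattern beside the hardened form that validates the hostname against an allow-list and passes it as a single argv element with no shell. The function names, the hostname pattern and the sample inputs are assumptions constructed for this example.

```python
import re
import subprocess

# Hypothetical connectivity-check tool: a user-supplied hostname is used to run ping.
# Constructed pattern for a plain DNS hostname (letters, digits, hyphens, dots).
# A leading hyphen is rejected too, so the input can never be read as a ping option.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def unsafe_command(host: str) -> str:
    """The vulnerable pattern: untrusted input concatenated into a shell command line.

    Whatever the user submits, shell metacharacters included, lands verbatim in the
    string a shell would parse, so the user controls the command, not just its argument.
    """
    return "ping -c 1 " + host


def is_valid_hostname(host: str) -> bool:
    """Allow-list check: True only for a plain DNS hostname."""
    return HOSTNAME_RE.fullmatch(host) is not None


def safe_argv(host: str) -> list[str]:
    """Hardened form: validated input becomes exactly one argv element.

    No shell is involved, so metacharacters in `host` are never interpreted;
    the argument list is handed to the ping binary as-is.
    """
    if not is_valid_hostname(host):
        raise ValueError("invalid hostname")
    return ["ping", "-c", "1", host]


def ping_host(host: str) -> int:
    """Run the connectivity check without a shell (shell=False is the default)."""
    result = subprocess.run(safe_argv(host), capture_output=True, timeout=10)
    return result.returncode


if __name__ == "__main__":
    # Constructed inputs: one legitimate hostname, one carrying a shell separator.
    for candidate in ["example.com", "example.com; echo injected"]:
        print("shell string:", unsafe_command(candidate))
        try:
            print("argv:", safe_argv(candidate))
        except ValueError as exc:
            print("rejected:", exc)
```

The validator is the first line of defense and the argv list the second; even if a future change loosens the pattern, the absence of a shell means a separator in the input is just part of an unresolvable hostname rather than a second command.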