Quiz Entry - updated: 2026.07.05
What is OS command injection and how does it occur?
User input is dropped into a shell command, so shell metacharacters (;, |, &) let the attacker tack on extra commands the app never meant to run.
OS command injection happens when applications build and execute system commands that include user input.
Vulnerable PHP code:
$file = $_GET['filename'];
system("rm $file");
Attack: Set filename to goodParam; bad.exe;
Executed command:
rm goodParam; bad.exe;
This deletes the file AND executes bad.exe.
Prevention:
- Avoid system calls with user input entirely
- Use allowlists for permitted commands/parameters
- Escape shell metacharacters (
;,|,&,$,`) - Use language APIs instead of shell commands (e.g.,
unlink()instead ofsystem("rm ..."))
Go deeper:
PortSwigger — OS command injection — metacharacters, blind detection, prevention, with labs.