What is Command Injection?
Command injection is an attack in which the goal is execution of arbitrary commands on the host operating system via a vulnerable application.
Attacker pass the bad data to the system shell through forms, cookies, and HTTP headers. This allows the attackers to gain control over a web site and carry out any action or process that the underlying application accommodates.
They typically use an input mechanism like HTML code, cookies or form fields to inject this command into the application.
Vulnerabilities That Can Lead to Command Injection
Arbitrary Command Injection
Arbitrary command injection happens when a user can submit a malicious command into an application that has the ability to run any command on the underlying host. This kind of attack might enable the attacker to obtain private information.Arbitrary File Uploads
Whenever users are given the option to upload files with any file extension, command injection can happen if the files are kept in the site root.
Server-Side Template Injection(SSTI)
An attacker can inject a malicious payload into a template using native template syntax and then the template is run server-side. This is known as server-side template injection.Insecure Serialization
Improper deserialization can be leveraged to execute arbitrary commands. This is because the user-supplied serialised data is deserialized by the server-side code without being verified.XML external entity injection (XXE)
If an application uses an XML parser that hasn’t been configured properly to parse user XML input, this can lead to Denial of Service (DoS) attacks, Server-Side Request Forgery (SSRF), and breaches to vulnerable data
How you can detect command injection attacks
