IDORSSRFAUTH BYPASSJWT FORGERYRACE CONDITIONXXEBROKEN OBJECT-LEVEL AUTHPRIVILEGE ESCALATIONMASS ASSIGNMENTGRAPHQL INTROSPECTION ABUSEIDORSSRFAUTH BYPASSJWT FORGERYRACE CONDITIONXXEBROKEN OBJECT-LEVEL AUTHPRIVILEGE ESCALATIONMASS ASSIGNMENTGRAPHQL INTROSPECTION ABUSE
Impactr Logoimpactr
FeaturesHow it worksEvidencePricingLearnCompare
  1. Home
  2. Learn
  3. OS Command Injection
InjectionCritical

OS Command Injection

Also known as: Command Injection · Shell Injection · RCE

OS Command Injection occurs when an application builds a system command using untrusted input and executes it via a shell. The attacker injects shell metacharacters to run additional commands with the privileges of the application, frequently achieving full remote code execution on the host.

CWE
CWE-78
OWASP
A03:2021
CAPEC
CAPEC-88
MITRE ATT&CK
T1190

How it works

  1. 1The application invokes a shell command incorporating user input.
  2. 2Shell metacharacters (; | & $() ``) in the input are not neutralized.
  3. 3The shell interprets the injected operators as additional commands.
  4. 4The attacker executes arbitrary commands, often pivoting to a reverse shell.

Example

Vulnerable:  exec("ping -c1 " + host)

Attacker host:  8.8.8.8; id
Executed:       ping -c1 8.8.8.8; id
Metacharacters injecting a second command.

Impact

Command injection typically yields remote code execution, giving the attacker control of the host and a foothold for lateral movement.

Remediation

  • Avoid shells entirely; call programs directly with argument arrays, never a command string.
  • If a shell is unavoidable, strictly allowlist inputs and escape per the platform.
  • Run services with least privilege and network egress controls.

Detection & testing

Inject benign command separators with time-based or out-of-band payloads to detect execution. Confirm safely without destructive commands.

Impactr tests for OS Command Injection the way an attacker would - investigating, chaining it with related flaws, and proving impact with a reproducible exploit before it reaches your report.

Test my app for Command Injection

Tools

ImpactrBurp Suitecommixinteractsh

Frequently asked questions

What is the difference between command injection and code injection?

Command injection runs OS/shell commands via a system call. Code injection (e.g. SSTI, eval) executes code inside the application's runtime. Both can lead to RCE but through different sinks.

Related concepts

Server-Side Template Injection (SSTI)SQL Injection (SQLi)Insecure Deserialization
← All vulnerabilities
Impactr Logoimpactr

Built by hackers, for the code you ship. Autonomous AI penetration testing for modern web apps and APIs.

© 2026 Impactr

Product

FeaturesCoverageUse casesEvidencePricingWaitlist

Resources

VulnerabilitiesGuidesComparisonsGlossaryCWE databaseBy industryBy languageHTTP status codesSecurity headers

Company

ContactTwitterLinkedInGitHub