Command injection definition
Command injection is a cyber attack involving the execution of malicious commands in apps or computer systems. In a command injection attack, the hacker is able to make an application send user-supplied data (such as forms, cookies, or HTTP headers) to the system shell, where it is executed with the application’s privileges.
Command injection vulnerabilities occur when applications do not properly validate or sanitize user input. This allows attackers to execute commands that let them access sensitive information, manipulate data, or even take over the whole computer system.
Stopping command injection attacks
- Implement input validation. By employing proper input validation and filtering (for example, by limiting the types of characters that can be entered or checking user input for specific patterns), you can remove potentially malicious characters or commands before they’re sent for execution.
- Use parameterized queries. Parameterized queries separate the query logic from the data — in effect, this means that the database treats user input as data rather than as a command. Parameterized queries help prevent SQL injection attacks when executing database queries.
- Avoid shell commands. Command injection attacks often abuse shell commands, so use application programming interfaces (APIs) or libraries to interact with the underlying system.
- Adopt the “least privilege” approach. Restrict application access and permissions to only what is needed for their function. The “least privilege” approach limits the damage that an attacker can do by executing malicious code.
- Update regularly. Keep all software up to date with the latest security patches to mitigate against recently discovered vulnerabilities and exploits.