
Command Injection

A vulnerability that allows attackers to run arbitrary operating system commands on the server through a vulnerable application.

Tags: vulnerability, injection, server security

Command injection (also called OS command injection) occurs when an application passes unsafe user input to a system shell. An attacker can append additional commands using shell metacharacters such as semicolons, ampersands, pipes, or backticks, causing the server to run arbitrary system commands with the application's privileges.

This vulnerability commonly appears in applications that call system utilities for tasks like DNS lookups, file operations, image processing, or network diagnostics. Even seemingly benign features like a ping tool or file converter can become critical attack vectors if user input isn't properly sanitized.
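The following added example (not code from the APVISO page) shows the ping-tool pattern described above in Python: one function concatenates user input into a shell string, one passes it as a separate argv element so no shell parses it, and one adds an allow-list hostname check on top. `echo` stands in for `ping` so the demo runs offline and harmlessly; the hostname regex and the metacharacter set are assumptions chosen for illustration, not a standard.

```python
import re
import subprocess

# Assumed allow-list policy: hostname labels of letters, digits and hyphens,
# joined by dots, up to 253 characters in total.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)"
    r"[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)

# Shell metacharacters worth flagging in request logs (assumed, illustrative set).
SHELL_METACHARACTERS = frozenset(";&|`$()<>\n")


def is_valid_hostname(value: str) -> bool:
    """Allow-list check: true only if the value looks like a hostname."""
    return bool(_HOSTNAME_RE.match(value))


def contains_shell_metacharacters(value: str) -> bool:
    """Deny-list check, useful for detection/logging but not as the only defence."""
    return any(ch in SHELL_METACHARACTERS for ch in value)


def run_vulnerable(user_input: str) -> str:
    """Vulnerable pattern: input is concatenated into a string handed to /bin/sh.
    The shell interprets any metacharacters in the input as command syntax."""
    completed = subprocess.run(
        "echo " + user_input, shell=True, capture_output=True, text=True
    )
    return completed.stdout


def run_argv(user_input: str) -> str:
    """Safer pattern: the input is one argv element and no shell is involved,
    so a semicolon or pipe is passed to the program as literal text."""
    completed = subprocess.run(
        ["echo", user_input], shell=False, capture_output=True, text=True
    )
    return completed.stdout


def run_hardened(user_input: str) -> str:
    """Defence in depth: allow-list validation first, then argv invocation."""
    if not is_valid_hostname(user_input):
        raise ValueError(f"rejected input: {user_input!r}")
    return run_argv(user_input)


if __name__ == "__main__":
    payload = "example.com; echo injected"   # constructed sample input
    print(repr(run_vulnerable(payload)))     # second command executed
    print(repr(run_argv(payload)))           # whole string echoed literally
    print(is_valid_hostname(payload))        # False: rejected before any call
```

The argv form is the primary fix because it removes the shell from the path entirely; the allow-list makes the accepted values small enough to reason about, and the metacharacter check is only a detection aid, since many payloads avoid the obvious characters.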

Command injection typically leads to full server compromise, as attackers can read sensitive files, install backdoors, pivot to internal networks, or exfiltrate data. Unlike SQL injection, which targets the database, command injection targets the operating system directly.

How APVISO tests for this: APVISO's scanner agent injects OS command payloads into all input parameters, testing for both in-band and blind command injection using time-based and out-of-band techniques. It adapts payloads based on the detected operating system (Linux vs Windows).

Test your applications for command injection vulnerabilities

APVISO's AI agents automatically test for this and many more vulnerability categories.
