
Command Injection (OS)

OS Command Injection is a vulnerability that allows an attacker to execute arbitrary operating system commands on the server running an application, typically by appending shell commands to user input.

Attack Simulation


Interactive: The ping tool takes an IP address. Try appending `; cat /etc/passwd` to execute a second command after the ping finishes.

How it Happens

  • Unsafe Exec: Developers sometimes use functions like `system()` or `exec()` to run OS commands (like `ping`) with user input concatenated directly into the command string.
  • Separators: In Linux/Unix shells, characters like `;`, `|`, and `&&` chain commands, so `ping 8.8.8.8; ls` runs ping, THEN runs ls.
  • Total Control: If successful, this typically gives the attacker the same privileges as the web server user, leading to data theft or full system takeover (RCE).

Prevention & Defense

  • Avoid OS Calls: Use built-in language libraries instead of shell commands (e.g., use a native Ping library instead of calling `ping`).
  • Input Validation: Allow only specific characters (e.g., `^[0-9.]+$` for IPs) and reject all shell metacharacters like `;`, `|`, `&`, `$`.
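The two defenses above combined in a hardened version of the page's ping example (added illustration, not the page's own patch or answer key): the input is parsed with the standard `ipaddress` module, which is stricter than the `^[0-9.]+$` regex because it also rejects malformed addresses, and the command is passed to `subprocess` as an argument list with no shell, so separator characters in the input can never start a second command. The function names `is_valid_ip`, `build_ping_argv` and `ping` are assumed here.

```python
import ipaddress
import subprocess


def is_valid_ip(raw: str) -> bool:
    """True only if raw is a well-formed IPv4/IPv6 address literal.

    ipaddress.ip_address() raises ValueError on anything else, including
    shell metacharacters (';', '|', '&&', '$') and out-of-range octets
    such as 999.1.1.1 that the regex ^[0-9.]+$ would let through.
    """
    try:
        ipaddress.ip_address(raw.strip())
        return True
    except ValueError:
        return False


def build_ping_argv(raw: str, count: int = 1) -> list:
    """Return the argv list for ping, or raise ValueError on bad input.

    Each list element is one argument to the ping binary. Because no shell
    parses the line, '8.8.8.8; ls' is a single (invalid) address, not a
    chained command, and is rejected before anything runs.
    """
    if not is_valid_ip(raw):
        raise ValueError("rejected input: not an IP address")
    ip = str(ipaddress.ip_address(raw.strip()))  # canonical form
    return ["ping", "-c", str(int(count)), ip]


def ping(raw: str, timeout_s: float = 5.0) -> int:
    """Run ping without a shell and return its exit status (0 = reachable)."""
    argv = build_ping_argv(raw)
    # shell=False is the default; argv goes straight to execve, untouched.
    completed = subprocess.run(argv, capture_output=True, text=True,
                               timeout=timeout_s)
    return completed.returncode


if __name__ == "__main__":
    # Constructed sample inputs: one legitimate, one carrying a separator.
    for sample in ["8.8.8.8", "8.8.8.8; cat /etc/passwd"]:
        try:
            print(sample, "->", build_ping_argv(sample))
        except ValueError as exc:
            print(sample, "->", exc)
```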

Secure Code Challenge

Vulnerable Code
# Vulnerable Python Code (a Flask request object is assumed for `request`)
import os
from flask import request

ip = request.form['ip']  # untrusted user-supplied value
# Concatenating input directly into a shell command: "8.8.8.8; ls" makes
# the shell run ping, THEN ls, because ';' is interpreted as a separator.
os.system("ping -c 1 " + ip)

Identify the security flaw above and select the correct patch to fix it.

Select the Secure Implementation