OS Commanding attacks compromise web applications by injecting Operating System commands through unsanitised input. The injected commands execute with the web server’s privileges — potentially giving the attacker access to the entire underlying OS and filesystem.
PHP Attack Example

http://example/directory.php?dir=%3Bcat%20/etc/passwd

%3B is the URL-encoded semicolon, so the command string the script hands to the shell reads: ls -la ; cat /etc/passwd
Result: the contents of /etc/passwd are returned to the attacker.
Perl Pipe Injection Example

http://example/cgi-bin/showInfo.pl?name=John&template=/bin/ls|

The trailing pipe character causes Perl's two-argument open() to execute /bin/ls instead of opening a file.
Prevention Techniques

- Restrict OS Command Permissions: Apply least privilege so the web server user cannot execute system commands maliciously.
- Whitelist Allowed Characters: Reject any input that does not match an allow-list of safe characters (letters, digits, slash, underscore, dot, hyphen):
  ^[a-zA-Z0-9/_.-]+$
  (The hyphen is placed last in the character class so it is a literal rather than a malformed range. This allow-list excludes every shell metacharacter, including ; | & $ ` and whitespace.)
- Filter OS Command Paths: Block known OS directory names, checked against each segment of the supplied path:
  /^(etc|bin|sbin|tmp|var|opt|dev|kernel)$/
- Never pass unvalidated user input to shell execution functions (exec, system, popen); prefer APIs that take an argument list and do not invoke a shell at all.
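The following is an added example (not code from the original page) showing a hardened version of the directory.php handler above in Python: it applies the character allow-list, checks each path segment against the directory block-list, and invokes ls with an argument list rather than a shell command string. The parent-directory ('..') check and the stripping of leading slashes are additional hardening assumed here, not rules stated on the page; the base directory, the demo() helper and its sample files are constructed for illustration.

```python
import os
import re
import subprocess
import tempfile

# Allow-list from the page, hyphen placed last so it is a literal, not a range:
# letters, digits, slash, underscore, dot, hyphen. No shell metacharacters.
ALLOWED_CHARS = re.compile(r"^[a-zA-Z0-9/_.-]+$")

# Block-list of OS directory names from the page, applied to each path segment.
BLOCKED_SEGMENT = re.compile(r"^(etc|bin|sbin|tmp|var|opt|dev|kernel)$")


def validate_dir_param(value: str) -> bool:
    """Return True only if `value` passes the allow-list, the segment block-list,
    and (added assumption) contains no '..' parent-directory segment."""
    if not ALLOWED_CHARS.match(value):
        return False  # ';', '|', '&', '$', '`', whitespace, ... all fail here
    for segment in value.split("/"):
        if BLOCKED_SEGMENT.match(segment):
            return False
        if segment == "..":  # assumption: also refuse directory traversal
            return False
    return True


def list_directory(base_dir: str, user_dir: str) -> str:
    """Hardened counterpart of directory.php?dir=...

    The user value is validated, confined under a fixed base directory, and
    passed to the OS as a single argv element. Because no shell parses it,
    a ';' or '|' could not be interpreted even if validation were bypassed.
    """
    if not validate_dir_param(user_dir):
        raise ValueError("rejected directory parameter: %r" % user_dir)
    # Assumption: leading slashes are stripped so the value stays under base_dir.
    target = os.path.join(base_dir, user_dir.lstrip("/"))
    result = subprocess.run(
        ["ls", "-la", target],  # argv list; shell=False means no command string
        shell=False,
        capture_output=True,
        text=True,
        check=True,
    )
    return result.stdout


def demo() -> bool:
    """Build a constructed sample tree, list it safely, and confirm the page's
    injection payload is rejected before any process is started."""
    base = tempfile.mkdtemp()
    os.mkdir(os.path.join(base, "docs"))
    open(os.path.join(base, "docs", "readme.txt"), "w").close()
    listed = "readme.txt" in list_directory(base, "docs")
    try:
        list_directory(base, "docs;cat /etc/passwd")  # payload from the page
        rejected = False
    except ValueError:
        rejected = True
    return listed and rejected


if __name__ == "__main__":
    print("safe listing works and injection is rejected:", demo())
```

The allow-list does the real work: once the regex has run, the only characters left are ones no POSIX shell treats specially, and the argv-list call means the shell is never consulted anyway. The block-list is a second layer for the case where a validated but unexpected path still points at a sensitive directory.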