OS Commanding Attacks: Injecting System Commands Through Web Applications

OS Commanding attacks compromise web applications by injecting operating-system commands through unsanitised input. Because the injected commands run with the privileges of the web server process, a successful attack can expose the entire underlying OS and filesystem to the attacker.

PHP Attack Example

http://example/directory.php?dir=%3Bcat%20/etc/passwd
# The script appends the dir parameter to "ls -la" and hands the string to a shell.
# %3B decodes to ';', so the shell runs: ls -la ; cat /etc/passwd
# Result: the contents of /etc/passwd are returned to the attacker in the response

Perl Pipe Injection Example

http://example/cgi-bin/showInfo.pl?name=John&template=/bin/ls|
# Perl's two-argument open() treats a value ending in '|' as "run this command and
# read its output", so the template value /bin/ls| executes /bin/ls instead of opening a file

Prevention Techniques

  • Restrict OS Command Permissions: Run the web server under a least-privilege account so that, if a command is injected, it executes with as little access to the system as possible.
  • Whitelist Allowed Characters: Validate input against a whitelist and reject anything that does not match, e.g. ^[a-zA-Z0-9/_.-]+$ (the hyphen is written last so it is a literal character rather than a broken range).
  • Filter OS Command Paths: Reject values that reference known system directories using /^(etc|bin|sbin|tmp|var|opt|dev|kernel)$/. The pattern is anchored, so it matches a single path component; apply it to each segment of the value after splitting on "/".
  • Never pass unvalidated user input to shell execution functions (exec, system, popen and their equivalents).
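The following is an added example, not code from the original page, that applies the prevention list above to the directory-listing scenario from the PHP example. It is written in Python rather than PHP or Perl so it can be run stand-alone; the file root /srv/app/files, the function names and the explicit ".." check are assumptions of this example (the page's whitelist admits "." and "/", so traversal has to be rejected separately). The unsafe_command_string function only builds the string a naive implementation would hand to a shell, to show why validation plus an argument list is needed; it never executes anything.

```python
"""Hardened handler for the page's directory-listing example (added example)."""
import re
import subprocess
from pathlib import Path

# Whitelist from the page's prevention list. The hyphen sits at the end of the
# class so it is a literal '-' rather than the invalid "_-\." range.
ALLOWED_INPUT = re.compile(r"[a-zA-Z0-9/_.-]+")

# The page's path filter /^(etc|bin|sbin|tmp|var|opt|dev|kernel)$/ matches one
# path component exactly, so it is applied per segment after splitting on "/".
BLOCKED_SEGMENTS = re.compile(r"etc|bin|sbin|tmp|var|opt|dev|kernel")

# Assumed directory the application is allowed to list (not from the page).
FILE_ROOT = Path("/srv/app/files")


def unsafe_command_string(dir_param: str) -> str:
    """The bug behind the page's PHP example: the parameter is pasted into a
    command string destined for a shell. Returned for inspection only; this
    string is never passed to a shell anywhere in this example."""
    return "ls -la " + dir_param


def validate_dir_param(dir_param: str) -> str:
    """Reject anything outside the whitelist or naming a blocked directory.

    The whitelist admits '.' and '/', so a '..' segment would pass it; that
    case is rejected separately so the listing cannot escape FILE_ROOT.
    """
    if not ALLOWED_INPUT.fullmatch(dir_param):
        raise ValueError("dir contains characters outside the whitelist")
    for segment in dir_param.split("/"):
        if BLOCKED_SEGMENTS.fullmatch(segment):
            raise ValueError(f"dir names a blocked system directory: {segment!r}")
        if segment == "..":
            raise ValueError("dir must not traverse upward")
    return dir_param


def is_safe_dir_param(dir_param: str) -> bool:
    """True if validate_dir_param accepts the value, False if it rejects it."""
    try:
        validate_dir_param(dir_param)
    except ValueError:
        return False
    return True


def safe_argv(dir_param: str, root: Path = FILE_ROOT) -> list[str]:
    """Build an argument vector. No shell parses it, so ';' or '|' in the
    value could only ever be part of a file name, never a second command."""
    relative = validate_dir_param(dir_param).lstrip("/")
    return ["ls", "-la", str(root / relative)]


def list_directory(dir_param: str, root: Path = FILE_ROOT) -> str:
    """Run the listing with an argv list (subprocess defaults to shell=False)."""
    result = subprocess.run(
        safe_argv(dir_param, root), capture_output=True, text=True, check=True
    )
    return result.stdout


if __name__ == "__main__":
    # The page's payload, URL-decoded: ';cat /etc/passwd'.
    print("a shell would see:", unsafe_command_string(";cat /etc/passwd"))
    for candidate in ("docs/2024", ";cat /etc/passwd", "/bin/ls|", "../docs"):
        verdict = "accepted" if is_safe_dir_param(candidate) else "rejected"
        print(f"{candidate!r}: {verdict}")
    # List the current directory through the hardened path.
    print(list_directory("/", root=Path(".")))
```

Both attack strings from the page fail at the whitelist stage (';', ' ' and '|' are not allowed characters), and a value such as /bin/ls without the pipe is still rejected by the per-segment directory filter. Even if validation were bypassed, the argument-list call gives the shell no chance to interpret metacharacters.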