Question 1

What is command injection?

Accepted Answer

Command injection (also called OS command injection or shell injection) is an attack where an attacker executes arbitrary operating system commands on the server through a vulnerable application. It occurs when user input is passed unsanitized into a system shell — for example via exec(), system(), or os.popen(). OWASP ranks it as one of the most dangerous web vulnerabilities.

Question 2

How do I prevent command injection?

Accepted Answer

Never pass user input directly into a shell. Use execFile or spawn (with shell: false) instead of exec — these pass arguments as arrays and bypass shell interpretation entirely. Validate input against an allowlist of permitted characters (e.g. alphanumeric, dots, and hyphens for hostnames). As defense-in-depth, run the application with least-privilege OS permissions and use a WAF to block common injection patterns.

Question 3

What is the difference between exec and execFile?

Accepted Answer

exec() runs the command string through a shell (/bin/sh), so shell metacharacters like ;, &&, |, and backticks are interpreted — making it vulnerable to injection. execFile() takes the command and its arguments as separate values and does not invoke a shell, so metacharacters in arguments are treated as literal text and cannot alter the command being run.

Question 4

Can command injection lead to full server compromise?

Accepted Answer

Yes. A successful command injection can give an attacker the ability to read and write arbitrary files, install malware, pivot to other systems on the network, and establish persistent access through reverse shells. If the application runs as root or with elevated privileges, the attacker effectively owns the entire server.

Command Injection

Challenges

Frequently Asked Questions