Prerequisites
The target application must accept input from the user and then use this input in the construction of commands to be executed. In virtually all cases, this is some form of string input that is concatenated to a constant string defined by the application to form the full command to be executed.
Mitigations
All user-controllable input should be validated and filtered for potentially unwanted characters. Using an allowlist for input is desired, but if use of a denylist approach is necessary, then focusing on command related terms and delimiters is necessary.
Input should be encoded prior to use in commands to make sure command related characters are not treated as part of the command. For example, quotation characters may need to be encoded so that the application does not treat the quotation as a delimiter.
Input should be parameterized, or restricted to data sections of a command, thus removing the chance that the input will be treated as part of the command itself.
Related Weaknesses
CWE-ID |
Weakness Name |
CWE-77 |
Improper Neutralization of Special Elements used in a Command ('Command Injection') The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
References
REF-615
OWASP Web Security Testing Guide
https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/12-Testing_for_Command_Injection.html
Submission
Name |
Organization |
Date |
Date Release |
CAPEC Content Team |
The MITRE Corporation |
2014-06-23 +00:00 |
Modifications
Name |
Organization |
Date |
Comment |
CAPEC Content Team |
The MITRE Corporation |
2017-01-09 +00:00 |
Updated Attack_Motivation-Consequences, Attack_Prerequisites, Description, Description Summary, Solutions_and_Mitigations |
CAPEC Content Team |
The MITRE Corporation |
2017-05-01 +00:00 |
Updated Related_Weaknesses, Solutions_and_Mitigations, Typical_Likelihood_of_Exploit, Typical_Severity |
CAPEC Content Team |
The MITRE Corporation |
2020-07-30 +00:00 |
Updated Mitigations |
CAPEC Content Team |
The MITRE Corporation |
2020-12-17 +00:00 |
Updated References, Taxonomy_Mappings |