HawkScan Test Info for Remote OS Command Injection

Remote OS Command Injection


Plugin Id: 90020 | CWE: 78


When constructing OS command strings, use stringent whitelists that limit the character set based on the expected value of the parameter in the request. This will indirectly limit the scope of an attack, but this technique is less important than proper output encoding and escaping.


Most OS Command Injection problems stem from user input not being sanitized and/or being passed directly to the operating system running the application. Interacting with the operating system is sometimes required, but unvalidated user input should never be passed through as a command name, an argument, a parameter, output, etc.
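The two paragraphs above describe the weakness (user input concatenated into a command line) and the mitigation (a strict character allowlist derived from what the parameter is expected to contain, used alongside escaping). The following is an added example, not HawkScan's or the scanned application's code: it places the vulnerable string-building pattern next to a hardened version that validates a hypothetical `filename` request parameter against an allowlist and then invokes the program with an argument vector instead of a shell string. The `wc -l` command, the regular expression, and the helper names are assumptions chosen for illustration.

```python
import re
import shlex
import subprocess

# Allowlist for the hypothetical "filename" request parameter: a short
# name made only of the characters the application expects. The first
# character is restricted separately so names cannot start with "." or "-".
FILENAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")

# Characters that change how a POSIX shell parses a command line. Used only
# to report what an attempted input contained, e.g. for logging and alerting.
SHELL_METACHARACTERS = set(";|&$`<>()\"'\\\n")


def is_allowed_filename(value: str) -> bool:
    """Return True only if the value fits the expected parameter shape."""
    if not FILENAME_RE.fullmatch(value):
        return False
    # Explicit path-traversal guard, even though the regex already blocks
    # a leading dot; keeping it separate documents the intent.
    return ".." not in value


def shell_metacharacters_in(value: str) -> list:
    """Sorted list of shell metacharacters present in the input (for detection logs)."""
    return sorted({c for c in value if c in SHELL_METACHARACTERS})


def build_command_vulnerable(filename: str) -> str:
    # VULNERABLE (the pattern the scan flags): the parameter is concatenated
    # into a shell string, so any metacharacter in it is interpreted by the shell.
    return "wc -l " + filename


def build_command_hardened(filename: str) -> list:
    # HARDENED: validate against the allowlist first, then build an argv list.
    # With shell=False the filename can only ever be a single argument to wc.
    if not is_allowed_filename(filename):
        raise ValueError("filename rejected by allowlist: %r" % filename)
    return ["wc", "-l", filename]


def build_command_quoted(filename: str) -> str:
    # Fallback when a shell string is unavoidable: allowlist first, then
    # escape with shlex.quote so the value stays a single shell word.
    if not is_allowed_filename(filename):
        raise ValueError("filename rejected by allowlist: %r" % filename)
    return "wc -l " + shlex.quote(filename)


def run_hardened(filename: str) -> subprocess.CompletedProcess:
    """Execute the hardened command without a shell."""
    argv = build_command_hardened(filename)
    return subprocess.run(argv, shell=False, capture_output=True, text=True)


if __name__ == "__main__":
    # Constructed sample inputs: one well-formed name and two that an
    # allowlist should reject before any command is built.
    for sample in ["report.txt", "../passwd", "a;b|c"]:
        found = shell_metacharacters_in(sample)
        print("%-12r allowed=%-5s metacharacters=%s"
              % (sample, is_allowed_filename(sample), found))
```

Validation happens before the command line exists, so a rejected request never reaches the operating system; the metacharacter report is what a defender would log to spot probing of this parameter, and `build_command_vulnerable` is kept only to make the contrast visible.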


An attacker can use OS command injection to retrieve information and files from the system. This information can be used to install additional software, and launch additional attacks against the application or other infrastructure.