2.7.1 Command Injection Attacks

Code injection exploits a bug or poorly written code: the attacker supplies malicious code as input to a program so that the program executes it, causing harm or stealing information.

Commands injected into an application through its input data can be used to compromise a system: as the application processes the input, the embedded commands are executed and produce undesirable results. Command injection attacks are possible when input data is not validated. Operating systems are particularly vulnerable to these attacks because they often allow user input to be passed into a system-level command.

Input Validation

Input validation uses lists (allowlists) that define the only data to be accepted when a client supplies input; anything not on the list is rejected. This is essential to prevent code injection attacks. For example, if digits are expected as input, the input validation list should contain only the following: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9.
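The following added example (not part of the original text) shows the vulnerable pattern from the section above, user input concatenated into a shell command, next to the allowlist validation just described. It assumes `echo` as a stand-in for a real system command such as `ping`, so that it runs offline; the sample input is constructed.

```python
import re
import subprocess

# Allowlist (the section's "input validation list" idea) for a hostname:
# only letters, digits, dots and hyphens are permitted. Shell metacharacters
# such as ';', '|', '&', '$', '`' and whitespace are simply not on the list.
HOST_ALLOWLIST = re.compile(r"[A-Za-z0-9.-]{1,253}")

# The section's own example: the only valid input characters when digits are expected.
DIGITS = frozenset("0123456789")


def lookup_unsafe(user_input: str) -> str:
    """Vulnerable pattern: untrusted input concatenated into a shell command line.
    Whatever the shell treats specially in user_input is honoured."""
    # 'echo' stands in for a system command like ping (assumption for offline use).
    completed = subprocess.run("echo " + user_input, shell=True,
                               capture_output=True, text=True)
    return completed.stdout


def validate_host(user_input: str) -> str:
    """Reject any input not fully matching the allowlist; return it unchanged if valid."""
    if HOST_ALLOWLIST.fullmatch(user_input) is None:
        raise ValueError("input rejected by allowlist: %r" % user_input)
    return user_input


def validate_digits(user_input: str) -> str:
    """Set-membership form of the same check: every character must be on the list."""
    if not user_input or any(ch not in DIGITS for ch in user_input):
        raise ValueError("input rejected by allowlist: %r" % user_input)
    return user_input


def lookup_safe(user_input: str) -> str:
    """Hardened: validate against the allowlist, then pass the value as a single
    argv element with shell=False, so no shell ever parses it."""
    host = validate_host(user_input)
    completed = subprocess.run(["echo", host], capture_output=True, text=True)
    return completed.stdout


if __name__ == "__main__":
    crafted = "localhost; echo INJECTED"   # constructed sample input
    print(lookup_unsafe(crafted))          # two lines: the shell ran a second command
    try:
        lookup_safe(crafted)
    except ValueError as err:
        print(err)                         # rejected before any command runs
    print(lookup_safe("localhost"))        # only the validated value reaches the command
```

Validation happens before the command is built, and the hardened version additionally avoids the shell entirely, so even an input that slipped past the list would be passed as data rather than parsed as commands.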