WSTG - Latest OWASP Foundation

The document outlines the process of testing web applications for OS command injection vulnerabilities, detailing how attackers can exploit improperly sanitized web interfaces to execute OS commands. It provides examples of how to manipulate HTTP requests to inject commands and emphasizes the importance of security during application design and development to prevent such exploits. Additionally, it lists various special characters and APIs that can introduce command injection risks.

Uploaded by

3cwe280tj
This content represents the latest contributions to the Web Security Testing Guide, and may frequently change.

https://owasp.org/www-project-web-security-testing-guide/l 7-Input_Validation_Testing/12-Testing_for_Command_Injection (03.02.25, 21:23)

Testing for Command Injection

ID

WSTG-INPV-12

Summary

This article describes how to test an application for OS command injection. The tester will try to inject an OS command through an HTTP request to the application.

OS command injection is a technique used via a web interface in order to execute OS commands on a web server. The user supplies operating system commands through a web interface in order to execute OS commands. Any web interface that is not properly sanitized is subject to this exploit. With the ability to execute OS commands, the user can upload malicious programs or even obtain passwords. OS command injection is preventable when security is emphasized during the design and development of applications.

Test Objectives

Identify and assess the command injection points.

How to Test

When viewing a file in a web application, the filename is often shown in the URL. Perl allows piping data from a process into an open statement. The user can simply append the pipe symbol | onto the end of the filename.

Example URL before alteration:

https://sensitive/cgi-bin/userData.pl?doc=user1.txt

Example URL modified:

https://sensitive/cgi-bin/userData.pl?doc=/bin/ls|

This will execute the command /bin/ls.

Appending a semicolon to the end of a URL for a .PHP page, followed by an operating system command, will execute the command. %3B is URL encoded and decodes to a semicolon.

Example:

https://sensitive/something.php?dir=%3Bcat%20/etc/passwd
Example

Consider the case of an application that contains a set of documents that you can browse from the Internet. If you fire up a personal proxy (such as ZAP or Burp Suite), you can obtain a POST HTTP request like the following (https://www.example.com/public/doc):

POST /public/doc HTTP/1.1
Host: www.example.com
[...]
Referer: https://127.0.0.1/WebGoat/attack?Screen=20
Cookie: JSESSIONID=295500AD2AAEEBEDC9DB86E34F24A0A5
Authorization: Basic T2Vbc1Q9Z3V2Tc3e=
Content-Type: application/x-www-form-urlencoded
Content-length: 33

Doc=Doc1.pdf

In this POST request, we notice how the application retrieves the public documentation. Now we can test whether it is possible to add an operating system command to inject in the POST HTTP request. Try the following (https://www.example.com/public/doc):

POST /public/doc HTTP/1.1
Host: www.example.com
[...]
Referer: https://127.0.0.1/WebGoat/attack?Screen=20
Cookie: JSESSIONID=295500AD2AAEEBEDC9DB86E34F24A0A5
Authorization: Basic T2Vbc1Q9Z3V2Tc3e=
Content-Type: application/x-www-form-urlencoded
Content-length: 33

Doc=Doc1.pdf+|+Dir c:\

If the application doesn't validate the request, we can obtain the following result:

Exec Results for 'cmd.exe /c type "C:\httpd\public\doc\"Doc=Doc1.pdf+|+Dir c:\'
Output...
Il volume nell'unità C non ha etichetta.
Numero di serie Del volume: 8E3F-4B61
Directory of c:\
18/10/2006  00:27         2,675  Dir_Prog.txt
18/10/2006  00:28         3,887  Dir_ProgFile.txt
16/11/2006  10:43                Doc
11/11/2006  17:25                Documents and Settings
25/10/2006  03:11                I386
14/11/2006  18:51                h4ck3r
30/09/2005  21:40        25,934  OWASP1.JPG
03/11/2006  18:29                Prog
18/11/2006  11:20                Program Files
16/11/2006  21:12                Software
24/10/2006  18:25                Setup
24/10/2006  23:37                Technologies
18/11/2006  11:14
3 File 32,496 byte
13 Directory 6,921,269,248 byte disponibili
Return code: 0

In this case, we have successfully performed an OS injection attack.
Special Characters for Command Injection

The following special characters can be used for command injection: | ; & $ > < ' !

cmd1|cmd2 : Use of | will make command 2 execute whether command 1 execution is successful or not.
cmd1;cmd2 : Use of ; will make command 2 execute whether command 1 execution is successful or not.
cmd1||cmd2 : Command 2 will only be executed if command 1 execution fails.
cmd1&&cmd2 : Command 2 will only be executed if command 1 execution succeeds.
$(cmd) : For example, echo $(whoami) or $(touch test.sh; echo 'ls' > test.sh)
`cmd` : Backticks are used to execute a specific command. For example, `whoami`
>(cmd) : >(ls)
<(cmd) : <(ls)
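The How to Test examples above all rely on the server decoding a parameter (%3B to a semicolon, + to a space) before the value reaches a command line, and the list of constructs just given is what a reviewer looks for in that decoded value. The following detector is an added example written for this page; it is not OWASP's or the WSTG's own code. It decodes query strings and form bodies the way the application will and reports which construct from the list appears in each parameter. The four sample requests are constructed from the page's own URLs and POST body, the function names are my own, and a legitimate value can contain these characters too, so the output is a triage signal for log review or a proxy rule, not a block decision by itself.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Shell constructs from the page's special-character list, as (label, pattern).
# Multi-character forms come first and are blanked out once matched, so "||"
# is reported once and not again as "|".
SHELL_CONSTRUCTS = [
    ("||", re.compile(r"\|\|")),
    ("&&", re.compile(r"&&")),
    ("$(cmd)", re.compile(r"\$\([^)]*\)")),
    ("`cmd`", re.compile(r"`[^`]*`")),
    (">(cmd) / <(cmd)", re.compile(r"[<>]\([^)]*\)")),
    ("|", re.compile(r"\|")),
    (";", re.compile(r";")),
    ("&", re.compile(r"&")),
    ("> / <", re.compile(r"[<>]")),
]


def find_shell_constructs(value: str) -> list[str]:
    """Return the labels of every shell construct present in one decoded value."""
    found = []
    remaining = value
    for label, pattern in SHELL_CONSTRUCTS:
        if pattern.search(remaining):
            found.append(label)
            remaining = pattern.sub(" ", remaining)   # consume so sub-parts are not double counted
    return found


def decode_params(encoded: str) -> dict[str, str]:
    """Decode a query string or x-www-form-urlencoded body the way the server
    will before it builds a command: %3B becomes ';' and '+' becomes a space."""
    return dict(parse_qsl(encoded, keep_blank_values=True))


def scan_request(target: str, body: str = "") -> list[tuple[str, str, list[str]]]:
    """Inspect every parameter of one request (URL query plus form body) and
    return (name, decoded value, constructs) for each value that carries one."""
    params = decode_params(urlsplit(target).query)
    if body:
        params.update(decode_params(body))
    findings = []
    for name, value in params.items():
        constructs = find_shell_constructs(value)
        if constructs:
            findings.append((name, value, constructs))
    return findings


# Constructed sample traffic: the page's three injected requests plus one benign request.
SAMPLE_REQUESTS = [
    ("GET", "https://sensitive/cgi-bin/userData.pl?doc=user1.txt", ""),
    ("GET", "https://sensitive/cgi-bin/userData.pl?doc=/bin/ls|", ""),
    ("GET", "https://sensitive/something.php?dir=%3Bcat%20/etc/passwd", ""),
    ("POST", "https://www.example.com/public/doc", "Doc=Doc1.pdf+|+Dir c:\\"),
]


def scan_all(requests=SAMPLE_REQUESTS):
    """Return (index, method, findings) for every request that has a flagged parameter."""
    report = []
    for i, (method, target, body) in enumerate(requests):
        findings = scan_request(target, body)
        if findings:
            report.append((i, method, findings))
    return report


if __name__ == "__main__":
    for i, method, findings in scan_all():
        for name, value, constructs in findings:
            print(f"request {i} {method}: parameter {name}={value!r} contains {constructs}")
```

Decoding before matching is the part that matters: a rule that inspects the raw URL would see %3B rather than a semicolon and miss the PHP example entirely, while the form body hides the spaces around the pipe behind plus signs.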
Code Review Dangerous API

Be aware of the uses of the following APIs, as they may introduce command injection risks.

Java
Runtime.exec()

C/C++
system
exec
ShellExecute

Python
exec
eval
os.system
os.popen
subprocess.popen
subprocess.call

PHP
system
shell_exec
exec
proc_open
eval
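A code reviewer rarely greps for these names by hand; the usual approach is to walk the syntax tree and rank each call by how the command line reaches it. The scanner below is an added example for this page (not OWASP code) and covers the Python entries of the list above only. The page writes subprocess.popen; the real name is subprocess.Popen, and subprocess.run and subprocess.check_output are added here because they take the same shell= argument. The sample source it scans is constructed for the example, and the severity labels (high, review, info) are my own convention.

```python
import ast

# Python APIs from the page's list, with the casing Python actually uses, plus two
# subprocess entry points (run, check_output) that share the shell= argument.
DANGEROUS_CALLS = {
    "exec", "eval", "os.system", "os.popen",
    "subprocess.call", "subprocess.Popen", "subprocess.run", "subprocess.check_output",
}


def _dotted_name(node: ast.AST):
    """'os.system' for an attribute chain, 'eval' for a bare name, None otherwise."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _dotted_name(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


def _shell_true(call: ast.Call) -> bool:
    """True when the call passes shell=True, i.e. a shell will parse the command string."""
    return any(
        kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True
        for kw in call.keywords
    )


def _is_constant_string(node) -> bool:
    return isinstance(node, ast.Constant) and isinstance(node.value, str)


def scan_source(source: str) -> list[dict]:
    """Return one finding per dangerous call: line, API name and a severity.
    high   - a shell or evaluator will interpret data that is not a fixed literal
    review - fixed literal command line; confirm it really is constant
    info   - argv list without a shell; metacharacters are not interpreted"""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        api = _dotted_name(node.func)
        if api not in DANGEROUS_CALLS:
            continue
        first = node.args[0] if node.args else None
        if api.startswith("subprocess."):
            if _shell_true(node):
                level = "high"
            elif isinstance(first, (ast.List, ast.Tuple)):
                level = "info"
            else:
                level = "review"
        else:
            level = "review" if _is_constant_string(first) else "high"
        findings.append({"line": node.lineno, "api": api, "level": level})
    return sorted(findings, key=lambda f: f["line"])


# Constructed sample source for the scanner; each call shows one pattern from the list.
SAMPLE_SOURCE = '''\
import os
import subprocess

def show_document(doc):
    os.system("cat /var/www/public/doc/" + doc)      # command line built from input
    subprocess.call(f"type {doc}", shell=True)       # shell=True: the shell parses the string
    subprocess.call(["cat", "--", doc])              # argv list, no shell involved
    result = eval(doc)                               # evaluates attacker-controlled text
    os.popen("uptime")                               # fixed command line
    return result
'''

if __name__ == "__main__":
    for finding in scan_source(SAMPLE_SOURCE):
        print(f"line {finding['line']:>3}  {finding['level']:<6}  {finding['api']}")
```

The argv-list call on line 7 is reported only as info: without a shell, the file name is a single argument and a pipe or semicolon inside it is passed to the program literally, which is the distinction the Remediation section below turns into a rule.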
Remediation

Sanitization

The URL and form data need to be sanitized for invalid characters. A deny list of characters is an option, but it may be difficult to think of all of the characters to validate against. Also, there may be some that have not been discovered yet. An allow list containing only allowable characters or a command list should be created to validate the user input. Characters that were missed, as well as undiscovered threats, should be eliminated by this list.

A general deny list to be included for command injection can be: | ; & $ > < ' \ ! >> #

Escape or filter special characters for Windows: ( ) < > & * ‘ | = ? ; [ ] ^ ~ ! . " % @ / \ : + , `

Escape or filter special characters for Linux: { } ( ) > < & * ‘ | = ? ; [ ] $ – # ~ ! . " % / \ : + , `
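The document-viewer example earlier on this page and the Sanitization advice above fit together as one before-and-after: the vulnerable handler pastes the Doc parameter into a command line, the hardened one validates the name against an allow list and then passes it as a single argument with no shell. The code below is an added example written for this page, not OWASP's or the WSTG's; the document root path, the file-name pattern and all function names are my own assumptions, and the vulnerable form is only rendered as a string, never executed. It also shows shlex.quote for the case where a POSIX shell cannot be avoided, which is the escaping alternative to filtering the Linux character list by hand.

```python
import re
import shlex
import subprocess
from pathlib import Path

# Hypothetical document root, standing in for the page's C:\httpd\public\doc.
DEFAULT_DOC_ROOT = Path("/var/www/public/doc")

# Allow list: a short plain file name with an expected extension. None of the
# characters in the page's deny or escape lists (| ; & $ > < ' \ ! >> # ...)
# can match, so nothing shell-meaningful gets through.
DOC_NAME_RE = re.compile(r"[A-Za-z0-9_-]{1,64}\.(?:pdf|txt)")


def vulnerable_command(doc: str) -> str:
    """'Before' form (Unix analogue of the page's cmd.exe /c type example): the
    parameter is pasted into a line meant for a shell. Returned as a string and
    never executed here, so the effect of Doc=Doc1.pdf | ... can be inspected."""
    return f"cat /var/www/public/doc/{doc}"


def validate_doc_name(doc: str, root: Path = DEFAULT_DOC_ROOT) -> Path:
    """Allow-list validation, then a path check: the resolved target (symlinks
    followed) must sit directly under the document root."""
    if not DOC_NAME_RE.fullmatch(doc):
        raise ValueError(f"rejected document name {doc!r}")
    target = (root / doc).resolve()
    if target.parent != root.resolve():
        raise ValueError(f"{doc!r} resolves outside the document root")
    return target


def is_valid_doc_name(doc: str, root: Path = DEFAULT_DOC_ROOT) -> bool:
    """Boolean wrapper around validate_doc_name for callers that only need accept/reject."""
    try:
        validate_doc_name(doc, root)
        return True
    except ValueError:
        return False


def safe_argv(doc: str, root: Path = DEFAULT_DOC_ROOT) -> list[str]:
    """'After' form: an argv list with no shell. The file name is one argument,
    so even a metacharacter that slipped past validation is never interpreted."""
    return ["cat", "--", str(validate_doc_name(doc, root))]


def fetch_document(doc: str, root: Path = DEFAULT_DOC_ROOT) -> bytes:
    """Run the hardened form. shell=False is the default; it is spelled out here."""
    completed = subprocess.run(safe_argv(doc, root), shell=False, capture_output=True, check=True)
    return completed.stdout


def escape_for_posix_shell(value: str) -> str:
    """If a POSIX shell cannot be avoided, quote the whole value instead of
    filtering the page's Linux character list item by item."""
    return shlex.quote(value)


if __name__ == "__main__":
    for candidate in ["Doc1.pdf", "Doc1.pdf | Dir c:\\", "../etc/passwd", "$(whoami).pdf"]:
        print(f"{candidate!r:24} shell line: {vulnerable_command(candidate)!r:46} "
              f"accepted: {is_valid_doc_name(candidate)}")
```

The path check after the regex is deliberate: the allow list already excludes slashes and dots in the stem, but resolving the path and comparing its parent to the root also catches a symlink inside the document directory that points elsewhere, which character filtering alone would not.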
Permissions

The web application and its components should be running under strict permissions that do not allow operating system command execution. Try to verify all this information to test from a gray-box testing point of view.

Tools

OWASP WebGoat
Commix

References

Penetration Testing for Web Applications (Part Two)
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
ENV33-C. Do not call system()

OWASP, the OWASP logo, and Global AppSec are registered trademarks and AppSec Days,
AppSec California, AppSec Cali, SnowFROC, OWASP Boston Application Security Conference,
and LASCON are trademarks of the OWASP Foundation, Inc. Unless otherwise specified, all
content on the site is Creative Commons Attribution-ShareAlike v4.0 and provided without
warranty of service or accuracy. For more information, please refer to our General Disclaimer.
OWASP does not endorse or recommend commercial products or services, allowing our
community to remain vendor neutral with the collective wisdom of the best minds in software
security worldwide. Copyright 2025, OWASP Foundation, Inc.
