Don't Mean To Inject But Here Comes Shell Injection Attacks

Identifying Shell Injection Vulnerabilities - Backend

If you have access to the back-end code, you can look for shell injection vulnerabilities by looking for places where shell commands are executed. If you find one that takes unsanitized or poorly sanitized user input, you’ve probably found a shell injection vulnerability!

Identifying Shell Injection Vulnerabilities - Frontend

If you don’t have access to the back-end code, you can still look for shell injection vulnerabilities! If you think there’s an input field that is used by the server to execute shell commands, you can try providing malformed inputs that contain special characters used by the shell and/or attempt harmless demonstrations of shell injection.

Preventing Shell Injection

The best way to prevent shell injection is to not execute shell commands based on user input. If there is no way to avoid doing so, the input should be carefully sanitized and validated to ensure it cannot cause unexpected behavior.
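The difference between the two approaches above, as an added Python example that is not part of the original page: the function names are hypothetical, `echo` stands in for whatever tool a backend would really invoke, and the input string is a constructed, harmless sample.

```python
import re
import subprocess

# Simple allowlist for a hostname-like value: must start with a letter or
# digit (so it can never look like a command-line option) and may contain
# only letters, digits, dots and hyphens afterwards.
HOSTNAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]{0,252}")


def lookup_vulnerable(host):
    """Builds a command string from user input and hands it to the shell."""
    cmd = "echo resolving " + host          # input becomes shell syntax
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def lookup_no_shell(host):
    """Passes the input as one argv element; no shell ever parses it."""
    argv = ["echo", "resolving", host]      # input stays data
    return subprocess.run(argv, capture_output=True, text=True).stdout


def lookup_hardened(host):
    """Validates against the allowlist first, then runs without a shell."""
    if not HOSTNAME_RE.fullmatch(host):
        raise ValueError("rejected input: %r" % host)
    return lookup_no_shell(host)


if __name__ == "__main__":
    sample = "example.com; echo INJECTED"   # constructed sample input
    print("shell=True :", repr(lookup_vulnerable(sample)))
    print("argv list  :", repr(lookup_no_shell(sample)))
    try:
        lookup_hardened(sample)
    except ValueError as exc:
        print("hardened   :", exc)
    print("hardened   :", repr(lookup_hardened("example.com")))
```

Running without a shell stops metacharacters from being interpreted, but the invoked program still parses its own arguments, which is why the hardened version also rejects values that begin with `-`.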

Shell Injection Vulnerabilities

Shell Injection is a very dangerous type of injection vulnerability that can occur when a server executes shell commands based on user input from a website.

Normal use of shells

It’s not abnormal for programs, including website backends, to use shell commands. Shells provide a powerful and convenient method of allowing programs to invoke and “talk” to one another.

The dangers of shell injection

Shell injection is very dangerous because of how much power it can give an attacker over a server. Even in a best-case scenario, it still gives the attacker the same permissions and access as the web server software itself.