If you have access to the back-end code, you can search for shell injection vulnerabilities by finding the places where shell commands are executed. If you find one that takes unsanitized or poorly sanitized user input, you’ve probably found a shell injection vulnerability!
If you don’t have access to the back-end code, you can still look for shell injection vulnerabilities! If you think there’s an input field that is used by the server to execute shell commands, you can try providing malformed inputs that contain special characters used by the shell and/or attempt harmless demonstrations of shell injection.
The best way to prevent shell injection is to not execute shell commands based on user input. If there is no way to avoid doing so, the input should be carefully sanitized and validated to ensure it cannot cause unexpected behavior.
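The difference between the two approaches, as an added example that is not from the original page: `lookup_vulnerable` pastes user input into a string that a shell parses, while `lookup_hardened` validates the input and runs the program from an argument list with no shell. The lookup feature, the function names and the use of `echo` as an offline stand-in for the real tool are assumptions.

```python
import re
import subprocess

# Hypothetical feature: the back end hands a user-supplied hostname to an
# external tool. `echo` stands in for that tool so the example runs offline.
TOOL = "echo"

# Constructed sample input: a hostname followed by shell syntax (harmless).
SAMPLE_BAD = "example.com; echo INJECTED"

# Allow-list: letters, digits, dots and hyphens only. The first character
# must be alphanumeric so the value can never be read as an option.
HOSTNAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]{0,252}")


def lookup_vulnerable(host: str) -> str:
    """Before: the shell parses the whole string, user input included."""
    cmd = f"{TOOL} lookup {host}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def lookup_no_shell(host: str) -> str:
    """No shell: `host` is a single argv entry, never parsed as syntax."""
    argv = [TOOL, "lookup", host]
    return subprocess.run(argv, capture_output=True, text=True, check=True).stdout


def lookup_hardened(host: str) -> str:
    """After: reject anything outside the allow-list, then run without a shell."""
    if not HOSTNAME_RE.fullmatch(host):
        raise ValueError("invalid hostname")
    return lookup_no_shell(host)


if __name__ == "__main__":
    print(repr(lookup_vulnerable(SAMPLE_BAD)))  # second command runs
    print(repr(lookup_no_shell(SAMPLE_BAD)))    # input stays one argument
    try:
        lookup_hardened(SAMPLE_BAD)
    except ValueError as exc:
        print("rejected:", exc)
```

Validation is kept even without a shell because the tool itself may still interpret its arguments, for example a value that begins with `-`.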
Shell injection is a very dangerous type of injection vulnerability that can occur when a server executes shell commands based on user input from a website.
It’s not unusual for programs, including website back ends, to use shell commands. Shells provide a powerful and convenient method of allowing programs to invoke and “talk” to one another.
Shell injection is very dangerous because of how much power it can give an attacker over a server. Even in a best-case scenario, it still gives the attacker the same permissions and access as the web server software itself.