FixVibe

// probes / spotlight

OS Command Injection

When user input becomes part of a shell command, the shell runs whatever the attacker writes.

Il gancio

Command injection takes you straight from web parameter to shell prompt. There is no chaining required, no second-stage payload, no privilege escalation gymnastics — the moment the attacker controls part of a command line that gets handed to a shell, the shell does what shells do. They cluster around image processing, PDF generation, format conversion, ping/whois utilities, and anywhere a developer thought 'I'll just shell out for this one quick thing.' The fix is structural and well-understood, but the bugs persist because shelling out *feels* easier than reaching for a proper library. The attacker, who is fluent in shell metacharacters, disagrees.

Come funziona

OS command injection appears when request input reaches an operating-system command boundary without strict separation between command and data. Severe cases let attackers influence server-side process execution.

Il raggio d'azione

Remote code execution as the application user. From there: read every file the user can read (env vars, secrets files, database credentials), exfiltrate over a reverse shell, plant a persistent backdoor, pivot to adjacent services, or — if the host runs unpatched — local privilege escalation to root. On serverless platforms the blast radius is smaller (ephemeral function invocation) but still includes every secret in the function's environment. Ransomware operators love this class of bug because it's a one-shot pivot from public web to internal lateral movement.

// cosa controlla fixvibe

Cosa controlla FixVibe

FixVibe checks this class with verified-domain active testing that is bounded, non-destructive, and evidence-driven. Public reports describe the affected surface and remediation. For check-specific questions about exact detection heuristics, active payload details, or source-code rule patterns, contact support@fixvibe.app.

Difese a prova di bomba

Don't shell out at all when a library can do the job. ImageMagick has bindings for every language; same for ffmpeg, pdf-lib, and the rest. Calling out to the shell for `convert` or `gs` is rarely the right shape. When you must execute a binary, pass arguments as an array — `child_process.execFile(cmd, [arg1, arg2])` in Node, `subprocess.run([cmd, arg1, arg2], shell=False)` in Python — never construct a command string. The arguments-as-array form bypasses the shell entirely; the binary's argv parser is far less expressive than `/bin/sh`. As a second layer, validate inputs against a strict allowlist before they reach any subprocess code path. As a third layer, run the subprocess in a least-privileged sandbox — separate Linux user, no shell access, no network egress, read-only filesystem mounts where possible. SELinux / AppArmor profiles cost nothing once you have them. The principle: assume command injection will eventually happen and limit the damage from the inside.

In sintesi

Command injection is one of the few bug classes where 'do it the right way' is shorter to write than 'do it the wrong way safely.' Pass argv arrays. Skip the shell. Treat user input that touches a subprocess as radioactive.

// run it on your own app

Continua a spedire mentre FixVibe vigila per te.

FixVibe mette sotto pressione la superficie pubblica della tua app come farebbe un attaccante — senza agent, senza installazione, senza carta. Continuiamo a studiare nuovi pattern di vulnerabilità e li trasformiamo in controlli pratici e fix pronti da incollare in Cursor, Claude e Copilot.

Sonde attive
127
test eseguiti in questa categoria
modules
48
controlli dedicati a sonde attive
ogni scansione
487+
test su tutte le categorie
  • Gratis — senza carta di credito, senza installazione, senza ping su Slack
  • Incolla un URL — pensiamo noi a crawl, sonde e report
  • Risultati classificati in base alla gravità, deduplicati solo per segnalare
  • AI-ready prompts where code applies, plus operator steps for DNS/provider fixes
Esegui una scansione gratuita

// latest checks · practical fixes · ship with confidence

OS Command Injection — Vulnerabilità in primo piano | FixVibe · FixVibe