https://www.secdev.uk/blog/tags/command-injection/ Recent content in Command Injection on guy@secdev.uk Hugo en-gb Guy Dixon | guy@secdev.uk Sat, 18 Jan 2025 00:00:00 +0000 https://www.secdev.uk/blog/technology/2025-01-18-command-injection-beyond-os-system/ Sat, 18 Jan 2025 00:00:00 +0000 https://www.secdev.uk/blog/technology/2025-01-18-command-injection-beyond-os-system/ <p>When most developers hear &ldquo;command injection,&rdquo; they think of <code>os.system()</code> in Python or <code>Runtime.exec()</code> in Java. Those are the textbook examples, and most teams know to avoid them. But the more I researched this topic, the more I realised that command injection surfaces through dozens of less obvious APIs across every language, subprocess pipes, shell expansions, backtick operators, and even seemingly safe exec functions that become dangerous with the wrong arguments. This is one of my favourite vulnerability classes to dig into because the attack surface is so much wider than people realise. Let me walk you through command injection patterns across seven languages, from the obvious to the genuinely subtle.</p>