ZCE # Week # 1


Which functions can we use to mitigate command injection attack?

A. exec()
B. escapeshellarg()
C. system()
D. escapeshellcmd()


In a command injection attack, the attacker injects and executes commands in the vulnerable application. The application then passes unwanted commands to the system shell (C shell, Bash etc. on Unix/Linux, the command shell on Windows etc.), and the attacker effectively gains the privileges of the account the application runs under.

Command injection attacks are possible in most cases because of a lack of correct input data validation; the input can be manipulated by the attacker through forms, cookies, HTTP headers etc.

We can use escapeshellcmd() and escapeshellarg() to mitigate command injection attacks.

escapeshellcmd() -- Escape shell metacharacters in a whole command string.
escapeshellarg() -- Escape (and single-quote) a string to be used as a single shell argument.
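The following PHP snippet is an added example, not part of the original question: it places the vulnerable string-concatenation pattern beside the escapeshellarg() form and shows what each function does to an untrusted value. The `ls -l` use case, the function names and the untrusted input string are assumptions made for the illustration.

```php
<?php
// Added example (not part of the original question). Assumes the application
// needs to hand a user-supplied file name to the `ls` utility; the helper names
// and the untrusted input below are constructed for this illustration.

// Vulnerable: the untrusted value is concatenated straight into the command line,
// so any shell metacharacter in it (';', '|', '&', '`', '$(...)') changes what runs.
function listFileUnsafe(string $userInput): string
{
    $out = shell_exec('ls -l ' . $userInput);
    return is_string($out) ? $out : '';
}

// Mitigated: escapeshellarg() wraps the value in single quotes and escapes any
// embedded single quote, so the shell treats the whole value as one literal argument
// and a ';' inside it is just part of the file name.
function listFileSafe(string $userInput): string
{
    $out = shell_exec('ls -l ' . escapeshellarg($userInput));
    return is_string($out) ? $out : '';
}

// escapeshellcmd() escapes metacharacters throughout a complete command string.
// It does not add quotes, so it is the tool for the command as a whole, not a
// substitute for escapeshellarg() on an individual argument.
function escapeWholeCommand(string $fullCommand): string
{
    return escapeshellcmd($fullCommand);
}

// Constructed untrusted input containing a command separator.
$untrusted = 'notes.txt; echo injected';

// Show how each function transforms the value before anything is executed.
echo 'escapeshellarg: ' . escapeshellarg($untrusted) . PHP_EOL;
echo 'escapeshellcmd: ' . escapeWholeCommand('ls -l ' . $untrusted) . PHP_EOL;

// The unsafe form would run `echo injected` as a second command; the safe form
// asks ls about a file literally named "notes.txt; echo injected".
echo listFileSafe($untrusted);
```

Escaping is the last line of defence, not the first: validate the input against an allow-list of expected characters (for a file name, letters, digits, dot, dash and underscore) before it reaches the command, and prefer APIs that take an argument array (such as proc_open() with an array command) so no shell parses the string at all.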

Answer: B & D