command injection

Command injection is the insertion of HTML code into dynamically generated output by a malevolent hacker (also known as a cracker) seeking unauthorized access to data or network resources...

Command injection is an attack method in which a hacker alters dynamically generated content on a Web page by entering HTML code into an input mechanism, such as a form field that lacks effective validation constraints. A malevolent hacker (also known as a cracker) can exploit that vulnerability to gain unauthorized access to data or network resources. When users visit an affected Web page, their browsers interpret the code, which may cause malicious commands to execute in the users' computers and across their networks.

Originally known as shell command injection, the process was accidentally discovered in 1997 by a programmer in Norway. The first command injection resulted in the unintended deletion of Web pages from a site, removed as easily as files from a disk or hard drive.

The most common form of command injection is known as SQL command injection or simply SQL injection, a security exploit in which a cracker adds SQL (Structured Query Language) code to a Web form input box to gain access to resources or make changes to data.

This was first published in January 2006

Continue Reading About command injection

Dig Deeper



Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:


File Extensions and File Formats

Powered by: