Hello everyone. Today, we're going to talk about command injection issues. First off, we're going to talk about what command injection is and why it's a vulnerability, and then we're going to go over an example and some Java API uses to watch out for, and then we're going to talk about strategies for mitigation. After this lesson, you'll be able to describe and discuss command injection issues, as well as be able to formulate a plan to prevent them from occurring. So, let's go. Command injection happens when a Web application takes some user controlled data and uses that user controlled data as input into a command. So, it becomes part of a command that is then passed on to a shell or an OS command call. A malicious attacker can manipulate the user controlled data to then run their own OS command. Since the OS command calls through the web application is done under the same privileges as a web application process, then the malicious attacker has effectively gain those same privileges. So, for example, if a Web application is vulnerable to a command injection, then through that vulnerability, a malicious attacker can then create a backdoor to eventually perform data exfiltration. Now, here is a list of API usages in Java that you need to watch out for, and this is where you pay extra attention in your Web applications. This is because the use of these Java APIs has a possibility of introducing command injection vulnerabilities, and it depends on how they are used. So, I would highly encourage you to become familiar with a set of API commands, and how they are used normally, and then think about how you could eventually inject malicious user data into them. Here's an example of a vulnerability that could arise using the runtime.getRuntime.exec Java API call. Here, I'll note that the variable called args is a user controlled parameter, and using a shell redirection character like the pipe. So, here's the character pipe. The attacker can redirect the initial command, and then call Netcat, and to listen in on port 8080. So in general, what you want to avoid is allowing shell control flow characters like pipe or ampersand or greater than or less than character. These are all called shell controlled flow characters. You want to basically validate your user controlled data before any further processing, and again you want to use whitelisting to basically give a set of commands that are allowed to be run on a constrain-to-string data to be only alphanumeric, and also use API calls that don't support command training. For example, using process builder, where as input the command name is separate from its command arguments, and you would do these if you have to use user-controlled data as input into an OS command. However, in general, you should avoid placing user-controlled data into these command calls that will eventually be processed by a shell. In summary, we chatted about what command injection is, and we talked about a particular example, and then we talked about some strategies for mitigating command injection issues. Thanks for listening.