Introduction to OS Command Injections (2021)

Learn hands-on how to perform and defend against OS Command Injections
Rating: 4.7 out of 5 (38 ratings)
5,857 students
English [Auto]
Concepts of OS Command Injections
OS Command Injection techniques
Manual web-based attacks
Automated attacks with Commix
Generating and exploiting backdoor shells
Security controls recommended by experts to protect your own applications


  • Experience working with web applications
  • Experience with the command line (either Linux or Windows)


Welcome to this course on OS Command Injections! OS Command Injections are part of the OWASP Top 10 Web Application Security Risks, and as you will see in this course, this threat can result in serious damages if left unchecked.

We start out by creating a safe and legal environment for us to perform attacks in. Then, we cover the core concepts of command injections and learn about techniques that can be used to exploit vulnerable targets. After that, we go full-on offensive and perform manual injection attacks as well as automated attacks with a tool called Commix.

Once we find vulnerabilities, we generate and plant persistent backdoors that can be exploited to create shells, giving us access to the target server any time we want.

After successfully attacking and compromising our targets, we take a step back and discuss defensive controls at the application layer. We also look at actual vulnerable code and show ways of fixing that vulnerable code to prevent injections.

Please note: Performing these attacks on environments you do not have explicit permissions for is illegal and will get you in trouble. That is not the purpose of this course. The purpose is to teach you how to secure your own applications, and it will provide the steps needed to create your own personal, safe, and legal environments to exploit for learning purposes.


Topics we will cover together:

  1. How to set up a Kali Linux Virtual Machine for free

  2. How to configure and create safe & legal environments using Docker containers inside of Kali

  3. A quick command line refresher

  4. An explanation of what OS Command injections are and how they work

  5. OS Command injection techniques

  6. How to perform OS Command injections by hand

  7. How to perform OS Command injections with automated tools (Commix)

  8. How to defend against injections at the application layer

  9. How to find vulnerabilities by looking at code

  10. Proper coding techniques to prevent OS Command Injections



To understand how OS Command injections work and how to perform them as well as defend against them, you must have:

  • Experience working with web applications

  • Experience with OS commands (Linux or Windows)

Suggestion: You may also wish to take our free Introduction to Application Security (AppSec) course to familiarize yourself with the concepts of Application Security, and we have an SQL Injection course available for free as well on Udemy.



My name is Christophe Limpalair, and I have helped thousands of individuals pass IT certifications and learn how to use the cloud for their applications. I got started in IT at the age of 11 and unintentionally fell into the world of cybersecurity.

As I developed a strong interest in programming and cloud computing, my focus for the past few years has been training thousands of individuals in small, medium, and large businesses (including Fortune 500) on how to use cloud providers (such as Amazon Web Services) efficiently.

I've taught certification courses such as the AWS Certified Developer, AWS Certified SysOps Administrator, and AWS Certified DevOps Professional, as well as non-certification courses such as Introduction to Application Security (AppSec), Lambda Deep Dive, Backup Strategies, and others.

Working with individual contributors as well as managers, I realized that most were also facing serious challenges when it came to cybersecurity.

Digging deeper, it became clear that there was a lack of training for AppSec specifically. It's time to take security into our own hands and to learn how to build more secure software in order to help make the world a safer place! Join me in the course, and we'll do just that!

I welcome you on your journey to learning more about OS Command injections, and I look forward to being your instructor!

Who this course is for:

  • Web Developers
  • Pentesters
  • Server administrators
  • Application Security Engineers
  • Risk Analysts
  • Security Analysts

Course content

4 sections10 lectures1h 20m total length
  • Whoami and about the course
  • Setting up our lab environment


Co-Founder of Cybr, entrepreneur, and developer at heart
Christophe Limpalair
  • 4.6 Instructor Rating
  • 419 Reviews
  • 24,553 Students
  • 5 Courses

After writing his first lines of code at the age of 11, Christophe developed a passion for technology. Frustrated with the state & cost of education, he spent the last few years training individuals and organizations (SMB & F500) on how to use the cloud by pioneering hands-on training technologies. After his journey of building two successful IT businesses to acquisition in the last six years, he realized that most struggle with building secure software, so he co-founded Cybr to help make the world a more secure place through community and training.

We're here to help you build your cybersecurity career
Cybr Training
  • 4.6 Instructor Rating
  • 419 Reviews
  • 24,567 Students
  • 5 Courses

We are an online community and training platform, and we're here to help you build your cybersecurity career.

Cybr was founded in 2020 by veterans of the IT and training industries who have helped individuals learn new skills and get certified, and businesses deploy training initiatives across their organization.

We believe that the world can be a safer place through training and community, and we intend to carry out that mission one person at a time! Join us on this mission and build your cybersecurity career regardless of your current skill level.