CAPEC Details
Name Command Delimiters
Likelyhood of attack Typical severity
High High
Summary An attack of this type exploits a programs' vulnerabilities that allows an attacker's commands to be concatenated onto a legitimate command with the intent of targeting other resources such as the file system or database. The system that uses a filter or denylist input validation, as opposed to allowlist validation is vulnerable to an attacker who predicts delimiters (or combinations of delimiters) not present in the filter or denylist. As with other injection attacks, the attacker uses the command delimiter payload as an entry point to tunnel through the application and activate additional attacks through SQL queries, shell commands, network scanning, and so on.
Prerequisites Software's input validation or filtering must not detect and block presence of additional malicious command.
Execution Flow
Step Phase Description Techniques
1 Explore [Assess Target Runtime Environment] In situations where the runtime environment is not implicitly known, the attacker makes connections to the target system and tries to determine the system's runtime environment. Knowing the environment is vital to choosing the correct delimiters.
  • Port mapping using network connection-based software (e.g., nmap, nessus, etc.)
  • Port mapping by exploring the operating system (netstat, sockstat, etc.)
  • TCP/IP Fingerprinting
  • Induce errors to find informative error messages
2 Explore [Survey the Application] The attacker surveys the target application, possibly as a valid and authenticated user
  • Spidering web sites for all available links
  • Inventory all application inputs
3 Experiment [Attempt delimiters in inputs] The attacker systematically attempts variations of delimiters on known inputs, observing the application's response each time.
  • Inject command delimiters using network packet injection tools (netcat, nemesis, etc.)
  • Inject command delimiters using web test frameworks (proxies, TamperData, custom programs, etc.)
  • Enter command delimiters directly in input fields.
4 Exploit [Use malicious command delimiters] The attacker uses combinations of payload and carefully placed command delimiters to attack the software.
Solutions Design: Perform allowlist validation against a positive specification for command length, type, and parameters. Design: Limit program privileges, so if commands circumvent program input validation or filter routines then commands do not running under a privileged account Implementation: Perform input validation for all remote content. Implementation: Use type conversions such as JDBC prepared statements.
Related Weaknesses
CWE ID Description
CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')
CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CWE-93 Improper Neutralization of CRLF Sequences ('CRLF Injection')
CWE-138 Improper Neutralization of Special Elements
CWE-140 Improper Neutralization of Delimiters
CWE-146 Improper Neutralization of Expression/Command Delimiters
CWE-154 Improper Neutralization of Variable Name Delimiters
CWE-157 Failure to Sanitize Paired Delimiters
CWE-184 Incomplete List of Disallowed Inputs
CWE-185 Incorrect Regular Expression
CWE-697 Incorrect Comparison
CWE-713 OWASP Top Ten 2007 Category A2 - Injection Flaws
Related CAPECS
CAPEC ID Description
CAPEC-137 An adversary manipulates the content of request parameters for the purpose of undermining the security of the target. Some parameter encodings use text characters as separators. For example, parameters in a HTTP GET message are encoded as name-value pairs separated by an ampersand (&). If an attacker can supply text strings that are used to fill in these parameters, then they can inject special characters used in the encoding scheme to add or modify parameters. For example, if user input is fed directly into an HTTP GET request and the user provides the value "myInput&new_param=myValue", then the input parameter is set to myInput, but a new parameter (new_param) is also added with a value of myValue. This can significantly change the meaning of the query that is processed by the server. Any encoding scheme where parameters are identified and separated by text characters is potentially vulnerable to this attack - the HTTP GET encoding used above is just one example.