A remote code execution (RCE) vulnerability occurs when an application uses user-controlled input without sanitizing it. RCE is typically exploited in one of two ways. The first is by executing shell commands. The second is by executing functions in the programming language that the vulnerable application uses or relies on.

Executing Shell Commands

You can perform RCE by executing shell commands that the application doesn’t sanitize. A shell gives command line access to an operating system’s services. As an example, let’s pretend the site www.<example>.com is designed to ping a remote server to confirm whether the server ...
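The ping scenario above, as an added Python sketch that is not code from the book: it contrasts concatenating input into a shell string with validating the target and passing an argument list. The function names, the `ping -c 1` command line and the sample inputs are assumptions constructed for illustration, and `shlex` only approximates how a POSIX shell splits the string.

```python
import ipaddress
import re
import shlex

# One DNS label: letters, digits, hyphens; no leading or trailing hyphen.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def build_shell_string(target):
    """Unsafe pattern: input is concatenated into a string handed to a shell."""
    return "ping -c 1 " + target


def shell_operators(command):
    """Return the shell control operators found in a command string."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    return [tok for tok in lexer if tok[0] in lexer.punctuation_chars]


def is_valid_target(value):
    """Accept only an IP literal or a syntactically valid hostname."""
    if not value or len(value) > 253 or "%" in value:
        return False
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return all(_LABEL.fullmatch(label) for label in value.split("."))


def build_ping_argv(target):
    """Hardened pattern: validate first, then build an argument list.

    The list is meant for subprocess.run(argv), which does not invoke a
    shell by default, so the target is always a single argument to ping.
    """
    if not is_valid_target(target):
        raise ValueError("rejected ping target: %r" % (target,))
    return ["ping", "-c", "1", target]


if __name__ == "__main__":
    # Constructed sample inputs; nothing is executed here.
    for sample in ("example.com", "127.0.0.1; id", "-c"):
        print(repr(sample))
        print("  shell operators:", shell_operators(build_shell_string(sample)))
        try:
            print("  argv:", build_ping_argv(sample))
        except ValueError as exc:
            print("  rejected:", exc)
```

The hostname check also rejects values that begin with a hyphen, so input cannot be read by `ping` as an option even though no shell is involved.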
