Standard attack pattern

Draft

CAPEC-15: Command Delimiters

An attack of this type exploits a programs' vulnerabilities that allows an attacker's commands to be concatenated onto a legitimate command with the intent of targeting other resources such as the file system or database. The system that uses a filter or denylist input validation, as opposed to allowlist validation is vulnerable to an attacker who predicts delimiters (or combinations of delimiters) not present in the filter or denylist. As with other injection attacks, the attacker uses the command delimiter payload as an entry point to tunnel through the application and activate additional attacks through SQL queries, shell commands, network scanning, and so on.

Last updated June 1, 2026

High

Typical severity

Per MITRE

High

Likelihood of attack

Per MITRE

11

Related weaknesses

CWEs this targets

Standard

Abstraction

MITRE classification

Overview

CAPEC-15 (Command Delimiters) is a standard-level attack pattern catalogued by MITRE in the Common Attack Pattern Enumeration and Classification (CAPEC). It describes a recurring method attackers use to exploit software weaknesses.

How the attack works

The phases an attacker typically follows to carry out this attack.

Step 1
Explore
[Assess Target Runtime Environment] In situations where the runtime environment is not implicitly known, the attacker makes connections to the target system and tries to determine the system's runtime environment. Knowing the environment is vital to choosing the correct delimiters.
- Port mapping using network connection-based software (e.g., nmap, nessus, etc.)
- Port mapping by exploring the operating system (netstat, sockstat, etc.)
- TCP/IP Fingerprinting
- Induce errors to find informative error messages
Step 2
Explore
[Survey the Application] The attacker surveys the target application, possibly as a valid and authenticated user
- Spidering web sites for all available links
- Inventory all application inputs
Step 3
Experiment
[Attempt delimiters in inputs] The attacker systematically attempts variations of delimiters on known inputs, observing the application's response each time.
- Inject command delimiters using network packet injection tools (netcat, nemesis, etc.)
- Inject command delimiters using web test frameworks (proxies, TamperData, custom programs, etc.)
- Enter command delimiters directly in input fields.
Step 4
Exploit
[Use malicious command delimiters] The attacker uses combinations of payload and carefully placed command delimiters to attack the software.

What the attacker needs

Prerequisites

Software's input validation or filtering must not detect and block presence of additional malicious command.

Skills required

Medium skill: The attacker has to identify injection vector, identify the specific commands, and optionally collect the output, i.e. from an interactive session.

Resources required

Ability to communicate synchronously or asynchronously with server. Optionally, ability to capture output directly through synchronous communication or other method such as FTP.

Consequences

What a successful CAPEC-15 attack can achieve.

Execute Unauthorized Commands

Affects: Confidentiality, Integrity, Availability

Run Arbitrary Code

Read Data

Affects: Confidentiality

How to mitigate it

Defenses that reduce the risk of CAPEC-15.

Design: Perform allowlist validation against a positive specification for command length, type, and parameters.
Design: Limit program privileges, so if commands circumvent program input validation or filter routines then commands do not running under a privileged account
Implementation: Perform input validation for all remote content.
Implementation: Use type conversions such as JDBC prepared statements.

Examples

By appending special characters, such as a semicolon or other commands that are executed by the target process, the attacker is able to execute a wide variety of malicious commands in the target process space, utilizing the target's inherited permissions, against any resource the host has access to. The possibilities are vast including injection attacks against RDBMS (SQL Injection), directory servers (LDAP Injection), XML documents (XPath and XQuery Injection), and command line shells. In many injection attacks, the results are converted back to strings and displayed to the client process such as a web browser without tripping any security alarms, so the network firewall does not log any out of the ordinary behavior. LDAP servers house critical identity assets such as user, profile, password, and group information that is used to authenticate and authorize users. An attacker that can query the directory at will and execute custom commands against the directory server is literally working with the keys to the kingdom in many enterprises. When user, organizational units, and other directory objects are queried by building the query string directly from user input with no validation, or other conversion, then the attacker has the ability to use any LDAP commands to query, filter, list, and crawl against the LDAP server directly in the same manner as SQL injection gives the ability to the attacker to run SQL commands on the database.

Frequently asked questions

Common questions about CAPEC-15.

What is CAPEC-15?

An attack of this type exploits a programs' vulnerabilities that allows an attacker's commands to be concatenated onto a legitimate command with the intent of targeting other resources such as the file system or database. The system that uses a filter or denylist input validation, as opposed to allowlist validation is vulnerable to an attacker who predicts delimiters (or combinations of delimiters) not present in the filter or denylist. As with other injection attacks, the attacker uses the command delimiter payload as an entry point to tunnel through the application and activate additional attacks through SQL queries, shell commands, network scanning, and so on.

How does a Command Delimiters attack work?

It typically unfolds over 4 phases. It begins with: [Assess Target Runtime Environment] In situations where the runtime environment is not implicitly known, the attacker makes connections to the target system and tries to determine the system's runtime environment. Knowing the environment is vital to choosing the correct delimiters.

How do you prevent CAPEC-15?

Design: Perform allowlist validation against a positive specification for command length, type, and parameters.

What weaknesses does CAPEC-15 target?

CAPEC-15 exploits 11 CWE weaknesses, including CWE-77 (Improper Neutralization of Special Elements used in a Command ('Command Injection')), CWE-78 (Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')), CWE-93 (Improper Neutralization of CRLF Sequences ('CRLF Injection')), CWE-138 (Improper Neutralization of Special Elements).

How severe is CAPEC-15?

MITRE rates CAPEC-15 as High severity with high likelihood of attack.

References

Attack-pattern data is sourced from the MITRE CAPEC catalog (v3.9). Weakness associations link to the corresponding CWE entries on RadicalNotion.AI.

Defend against CAPEC-15

Track the CVEs and weaknesses attackers exploit with this technique, with AI-written analysis and remediation guidance.

Start free See pricing

Overview

Overview

How the attack works

What the attacker needs

Prerequisites

Skills required

Resources required

Consequences

How to mitigate it

Examples

Related weaknesses

Related attack patterns

Parent

Child

Frequently asked questions

What is CAPEC-15?

How does a Command Delimiters attack work?

How do you prevent CAPEC-15?

What weaknesses does CAPEC-15 target?

How severe is CAPEC-15?

References

Defend against CAPEC-15