OS command injection (also called OS command execution or shell injection) is a serious vulnerability in which an attacker injects shell commands through input a web app passes to the server’s operating system, so the commands run with the privileges of the web server process. This can lead to full server compromise, data theft, or remote code execution. Finding it manually in Burp Suite is exciting for bug bounty hunters because it often pays big rewards (e.g., $1,000–$10,000 on HackerOne). But you need to be smart about it: don’t just fuzz randomly; start with indicators that suggest the site may be vulnerable.
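To make the mechanism concrete before we get to Burp, here is a small added example (my own code, not from the original post or from PortSwigger). It assumes a hypothetical "ping this host" feature: one version concatenates the user-supplied host into a shell command line, the other validates the host against an allowlist and passes it as a separate argv entry with no shell involved. The sample inputs are constructed; the vulnerable command line is only built and tokenised, never executed, so the script is safe to run.

```python
import re
import shlex
import subprocess

# Constructed sample inputs (not taken from any real target).
SAFE_HOST = "example.com"
HOSTILE_HOST = "example.com; echo injected"  # ';' ends ping and starts a second command

# Allowlist for a hostname/IPv4 parameter: must start alphanumeric (blocks
# option injection such as a value beginning with '-'), then letters, digits,
# dots and hyphens only. No shell metacharacters can pass.
_HOST_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$")


def vulnerable_command_line(host: str) -> str:
    """The pattern behind OS command injection: untrusted input is glued into
    a string that the app would later hand to a shell (e.g. shell=True).
    This function only returns the string; it never runs it."""
    return f"ping -c 1 {host}"


def shell_commands(cmdline: str) -> list[list[str]]:
    """Approximate how a POSIX shell would tokenise the line, splitting it into
    separate commands on ';', '|', '&', '&&', '||'. Demonstrates why the
    vulnerable pattern turns one intended command into several."""
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    commands: list[list[str]] = []
    current: list[str] = []
    for tok in lexer:
        if tok and all(ch in lexer.punctuation_chars for ch in tok):
            # A separator token: close the current command.
            if current:
                commands.append(current)
                current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands


def safe_ping_argv(host: str) -> list[str]:
    """Hardened version: validate against the allowlist, then build an argv
    list. Passed to subprocess without a shell, the host is a single argument
    and metacharacters are never interpreted."""
    if not _HOST_RE.fullmatch(host):
        raise ValueError(f"rejected host value: {host!r}")
    return ["ping", "-c", "1", host]


def run_ping(host: str) -> subprocess.CompletedProcess:
    """Execute the hardened form (shell=False is the default for a list argv).
    Not called by the checks below because it touches the network."""
    return subprocess.run(safe_ping_argv(host), capture_output=True, text=True, timeout=10)


if __name__ == "__main__":
    for host in (SAFE_HOST, HOSTILE_HOST):
        line = vulnerable_command_line(host)
        print(f"vulnerable line : {line!r}")
        print(f"shell sees      : {shell_commands(line)}")
        try:
            print(f"hardened argv   : {safe_ping_argv(host)}")
        except ValueError as exc:
            print(f"hardened argv   : {exc}")
        print()
```

Running it shows the hostile value splitting the vulnerable line into two commands while the hardened path rejects the same value outright. The key design point for defenders is the second layer: even without the regex, a list argv with no shell would keep the whole string as one harmless argument, but the allowlist additionally stops option injection and gives you a clean place to log and alert on rejected input.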
In this guide, I’ll explain what I’d look for first on a target website to spot potential OS command injection risks, then walk you through manual steps in Burp Suite to test and exploit it. This is based on real-world bug bounty practices, like those from PortSwigger’s Web Security Academy and HackerOne reports. Remember, always test ethically and in scope: use legal targets like labs or bug bounty programs. Let’s break it down step by step.