How to prevent OS command injection?
Application Type
Traditional Web, Reactive

I'm new in Outsystems, I think these are silly questions but can someone help me:

Case 1: Is it possible to deploy without using an OS command call?

Case 2: If I have to use a function that calls an OS command, can the following 3 things be done?

1. Can Design to use libraries etc. without calling the function with a shell call

2. The parameters passed to the web application may not be output directly to the operating system command parameters.

3. All variables that make up the function's arguments can be checked to perform pre-authorization only.

Thanks for any suggestions


what do you mean with OS Command?
Can you clarify this a bit more?

I don't know if there is a function in the outsystem that can be used to execute a shell command?

if executing shell command, how can Outsystems protect against command execution attacks?


There is no such command as far as I know off.

Thank you for your response.

May I ask further: how to the web apps interacts with the underlying operating system?


Not sure to what interactions you refer, but this is a simplified list of the technology stack used by OutSystems:

  • For database server Oracle or MS SQL Server can be used.
  • On the front end, html5, CSS3 and JavaScript are used.
  • For reactive web and mobile ReactJS is used.
  • For mobile, the Cordova framework is used.
  • Extensions to the platform at the server side can be written in C#
  • Extensions to the front end can be written in JavaScript
  • In the cloud OutSystems is hosted on AWS
    • AWS EC2 instances for servers
    • AWS RDS to host MS SQL Server
    • IIS is used as web server to run the applications

More information about the OutSystems architecture of generated applications can be found in the following official OutSystems document:




In addition to the above comment. Web apps are hosted in IIS and they doesn't interact with OS directly.

They have there own Application pool and worker process. and if the app pool need to interact with OS (for example it needs any folder access) than we need to give permission. Only way you can call your shell command from outsystems web app is through .net extension 

Best Regards


hello Devendra

thanks for your support. So is there any .net extension available that I can refer to?

Hi Daniel.
Thanks for your support.

I just want to know that do the web application built with outsystems can interact with OS directly.

Sorry that my wording seems incorrect.

Hi Devendra,
Thanks for your support. I will refer to the above articles.

Best regards

Community GuidelinesBe kind and respectful, give credit to the original source of content, and search for duplicates before posting.