To perform command-injection testing against a target using HTTP request confirmation, you will need to have a remote system that is running one or more web applications that are vulnerable to command injection. In the examples provided, an instance of Metasploitable2 is used to perform this task. Metasploitable2 has several preinstalled vulnerable web applications running on the TCP port 80. For more information on setting up Metasploitable2, refer to the Installing Metasploitable2 recipe in Chapter 1, Getting Started. Additionally, this section will require a script to be written to the filesystem using a text editor such as Vim or GNU nano. For more information on writing scripts, refer to the Using text editors (Vim and GNU nano) recipe in Chapter 1, Getting Started.