
Security Test: Command Injection

Description

Default Severity:

Command injection happens when a program lets user input influence system commands without proper validation, so an attacker can inject and run arbitrary commands. This is dangerous because it gives an attacker full control over parts of your system: imagine someone deleting files or stealing data by exploiting one weak point in your app. It usually occurs because developers assume user input is safe and do not properly filter or validate what comes in. The impact can be severe, affecting data confidentiality and system integrity, and potentially turning your server into a launching pad for further attacks.
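As an added illustration that is not part of this page, the Python below contrasts the weak pattern (user input spliced into a shell string) with the hardened form (allow-listed value passed as a single argv element, no shell). The `host` command and the hostname allow-list are assumptions chosen for the example.

```python
import re
import subprocess

# Allow-list for the one thing this endpoint accepts: a DNS hostname.
# Letters, digits, dots and hyphens only, so no shell metacharacter can pass.
# The first character may not be '-', so the value cannot be parsed as a
# command-line option by the child process (argument injection).
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$")


def vulnerable_lookup(host: str) -> str:
    """VULNERABLE: user input is spliced into a shell command string.

    shell=True hands the string to /bin/sh, so any shell metacharacter in
    `host` (;, |, &, $(), backticks, ...) changes what gets executed.
    Kept only for contrast; never call it with untrusted input.
    """
    return subprocess.run("host " + host, shell=True,
                          capture_output=True, text=True).stdout


def is_valid_host(host: str) -> bool:
    """True only when the value matches the hostname allow-list."""
    return HOSTNAME_RE.fullmatch(host) is not None


def validate_host(host: str) -> str:
    """Reject anything that is not a plain hostname."""
    if not is_valid_host(host):
        raise ValueError(f"rejected host value: {host!r}")
    return host


def safe_lookup_argv(host: str) -> list[str]:
    """HARDENED: the validated value is one argv element; no shell is involved."""
    return ["host", validate_host(host)]


def safe_lookup(host: str) -> str:
    # shell=False (the default) passes argv straight to execve, so the
    # operating system never reinterprets the user-supplied string.
    return subprocess.run(safe_lookup_argv(host), shell=False,
                          capture_output=True, text=True).stdout


if __name__ == "__main__":
    # Constructed inputs: a benign hostname and one carrying a ';' separator.
    print(safe_lookup_argv("example.com"))
    print(is_valid_host("example.com; echo injected"))  # False: rejected
```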

Reference:

Configuration

Identifier: injection/command

Examples

All configuration available:

checks:
  injection/command:
    skip: false # default
    options:
      skip_objects: # cf. Options below

Options

Options can be set in the options key of the Security Test Configuration.

| Property | Type | Default | Description |
|---|---|---|---|
| skip_objects | List[string] | | List of objects that are to be skipped by the security test. |

Compliance and Standards

| Standard | Value |
|---|---|
| OWASP API Top 10 | API10:2023 |
| OWASP LLM Top 10 | LLM01:2023 |
| PCI DSS | 6.5.1 |
| GDPR | Article-32 |
| SOC2 | CC1 |
| PSD2 | Article-95 |
| ISO 27001 | A.14.2 |
| NIST | SP800-53 |
| FedRAMP | AC-6 |
| CWE | 78 |
| CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:F/RC:R |
| CVSS Score | 8.5 |