Injection: Command Injection
Identifier: command
Scanner(s) Support
| GraphQL Scanner | REST Scanner | WebApp Scanner | ASM Scanner |
|---|---|---|---|
Description
Command injection vulnerabilities occur when an application builds an operating-system command from user input without proper validation. Because the shell interprets metacharacters such as ; | & and $( ), an attacker who controls part of the command line can append or substitute commands of their own, which then run with the privileges of the application process.
How we test: We inject command injection payloads into request parameters and analyze the responses to detect whether a system command was executed. The payloads cover several injection techniques and different operating systems (a payload that works in a POSIX shell is not the same as one for cmd.exe), and the test checks whether user input is properly sanitized before it reaches command execution.
Execution conditions (BLST):
- Runs when this test is enabled, arguments are present, and coverage is OK, EMPTY_RESPONSE, VALIDATION_ERROR, or SERVER_ERROR.
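The probe below is an added example, not the scanner's own code. It contrasts a deliberately vulnerable handler (user input interpolated into a shell command line) with a hardened one (allowlist validation, then an argv list with no shell), and probes both with payloads that ask the shell to compute 40000+2. A response containing 40002 proves that a command was executed; a server that only reflects the payload returns the literal text $((40000+2)), which does not match. The handlers, the payload list and the echo command they run are all constructed for this example, and the POSIX payloads assume a /bin/sh on the machine running it.

```python
"""Marker-based probe for OS command injection (added example)."""
import re
import subprocess
from typing import Callable, List

# --- two server-side handlers, constructed for this example ---------------

def vulnerable_handler(host: str) -> str:
    """Vulnerable: user input is interpolated into a shell command line."""
    completed = subprocess.run(
        f"echo {host}", shell=True, capture_output=True, text=True
    )
    return completed.stdout + completed.stderr


def hardened_handler(host: str) -> str:
    """Hardened: allowlist the value, then pass it as one argv element (no shell).

    The leading-hyphen check also blocks argument injection (for example "-n"),
    which an argv list alone does not prevent.
    """
    if not re.fullmatch(r"(?!-)[A-Za-z0-9.-]{1,253}", host):
        return "invalid host"
    completed = subprocess.run(["echo", host], capture_output=True, text=True)
    return completed.stdout


# --- probe -----------------------------------------------------------------

A, B = 40000, 2
EXPECTED = str(A + B)  # "40002": appears only if a shell evaluated A+B

# Each payload breaks out of the intended command in a different way. A server
# that merely reflects its input returns the literal "$((40000+2))", which does
# not contain "40002", so reflection is not mistaken for execution.
PAYLOADS = [
    f"127.0.0.1; echo $(({A}+{B}))",      # POSIX sh: command separator
    f"127.0.0.1 | echo $(({A}+{B}))",     # POSIX sh: pipe
    f"127.0.0.1 `echo $(({A}+{B}))`",     # POSIX sh: backtick substitution
    f"127.0.0.1 $(echo $(({A}+{B})))",    # POSIX sh: $() substitution
    f"127.0.0.1 & set /a {A}+{B}",        # cmd.exe: separator + arithmetic
    f"127.0.0.1 | set /a {A}+{B}",        # cmd.exe: pipe
]


def executed(response: str) -> bool:
    """True if the response contains the computed value as a standalone number."""
    return re.search(rf"(?<![0-9]){EXPECTED}(?![0-9])", response) is not None


def probe(handler: Callable[[str], str]) -> List[str]:
    """Return the payloads whose response proves that a command was executed."""
    hits = []
    for payload in PAYLOADS:
        try:
            response = handler(payload)
        except Exception:  # a crash is worth recording, but it is not a hit
            continue
        if executed(response):
            hits.append(payload)
    return hits


if __name__ == "__main__":
    print("vulnerable:", probe(vulnerable_handler))
    print("hardened:  ", probe(hardened_handler))
```

On a Linux host the four POSIX payloads fire against vulnerable_handler and none fire against hardened_handler, whose allowlist rejects every payload before any command runs. The cmd.exe payloads are harmless under /bin/sh, which is why a scanner carries payloads for more than one operating system rather than guessing the target.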
References:
Configuration
Example
Example configuration:
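The following is an added example, not the page's original snippet. It assumes that per-check options are nested under a top-level checks key and indexed by the check identifier (command); the only parameter it sets is skip, which is documented in the Reference section below.

```yaml
# Assumed layout: per-check options under "checks", keyed by identifier.
checks:
  command:
    skip: false   # set to true to disable the command injection test
```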
Reference
skip
Type: boolean
Skip the test if true.