Injection: LLM Command Injection¶
Identifier:
llm_command_injection
Scanner(s) Support¶
| GraphQL Scanner | REST Scanner | WebApp Scanner | ASM Scanner |
|---|---|---|---|
Description¶
LLM command injection occurs when an attacker can coerce a model that has plugin / tool / function-calling capabilities into executing system commands or code on the backend. Successful exploitation typically yields remote code execution.
How we test: We ask the LLM to execute a command (or invoke a tool) that triggers an outbound HTTP request to Escape's out-of-band collector at ssrf.tools.escape.tech, with a unique per-probe identifier baked into the URL. Variants include direct shell (curl OOB_URL), Python subprocess, encoded shell payloads, function-call abuse, and combined prompt-injection plus command. Confirmation uses two independent OOB signals - either is sufficient on its own: (a) the response body contains Escape's capture specifier H@k3d! (the model fetched the OOB URL and echoed the collector's response back), or (b) the OOB collector API confirms a callback was received tagged with our per-probe identifier. The two signals are independent so the check stays robust whether the model echoes the response or executes silently in the background.
Every probe emits a context.info event with the full prompt, the redacted response excerpt, and the raw HTTP request/response as attachments, so customers can independently audit what was sent.
References:
- https://genai.owasp.org/llmrisk/llm07-insecure-plugin-design/
- https://cwe.mitre.org/data/definitions/78.html
Configuration¶
Example¶
Example configuration:
Reference¶
skip¶
Type : boolean
Skip the test if true.