A system command was successfully executed on the host running your application. Command injection happens when a user manages to execute arbitrary commands on the host's operating system by abusing a vulnerable endpoint, typically one that builds a shell command from user-submitted input.
To prevent command injection attacks:
- Never use user-submitted input in shell commands.
- If supported by your language, add semgrep to your development process to ensure detection of potentially vulnerable system shell calls.
- Use proper input validation techniques to detect and prevent command injection. Keep in mind the input validation should be implemented in the backend as it will be easily bypassed if done in the frontend.
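The remediation above in working form, as an added example that is not part of this check's documentation or of Escape's own code: the vulnerable pattern (user input interpolated into a shell string) is shown beside the hardened form, which validates the single expected input against a strict backend allowlist and then passes it as one `argv` element so no shell ever parses it. The endpoint (a "ping this host" API), the `ping` command, and the hostname allowlist are assumptions chosen for illustration.

```python
import re
import subprocess

# Backend allowlist for the one input this hypothetical endpoint accepts:
# a hostname made of RFC 1123 labels. Shell metacharacters (';', '|', '&',
# '$(', backticks, newlines) are simply not in the allowed character set,
# and a leading '-' is rejected so the value can never be parsed as an
# option by the command it is handed to.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
    r"(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def is_valid_hostname(value: str) -> bool:
    """Return True only for values that match the hostname allowlist."""
    return bool(_HOSTNAME_RE.match(value))


def vulnerable_command(host: str) -> str:
    """The pattern this check flags: user input spliced into a shell string
    that would then be run with shell=True. Returned, not executed, here so
    the difference from the hardened form is visible without running it."""
    return f"ping -c 1 {host}"


def build_ping_argv(host: str) -> list[str]:
    """Hardened form: validate first, then keep the value as a single argv
    element. With a list and the default shell=False, the OS executes
    'ping' directly and the host string is never interpreted by a shell."""
    if not is_valid_hostname(host):
        raise ValueError("invalid hostname")
    return ["ping", "-c", "1", host]


def safe_ping(host: str) -> int:
    """Run the hardened command and return its exit status."""
    completed = subprocess.run(
        build_ping_argv(host), capture_output=True, text=True, timeout=10
    )
    return completed.returncode


if __name__ == "__main__":
    # Constructed inputs: a benign hostname and two values carrying shell
    # metacharacters, as a request handler might receive them.
    for candidate in ("example.com", "example.com; id", "$(id)"):
        print(candidate, "->", "accepted" if is_valid_hostname(candidate) else "rejected")
```

The validation lives in the backend handler, not in the browser, so it applies to every caller of the endpoint. The `vulnerable_command` style (string formatting into a command run with `shell=True`) is exactly what semgrep's Python rules for `subprocess` with `shell=True` are meant to surface during development.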
- skip_objects : List of objects that are to be skipped by the security test.
Ignore this check
- Escape Severity: HIGH
- OWASP: API10:2023
- PCI DSS: 6.5.1
- WASC: WASC-31
- CVSS_VECTOR: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:F/RC:R
- CVSS_SCORE: 8.5