Command Injection Analyzer

Configuration Name: CmdInjection

Description

The Command Injection analyzer detects command injection vulnerabilities in an API by issuing requests that contain command-line attack vectors. An application is vulnerable to injection attacks if it does not properly validate, filter, or sanitize the input strings in a request; an attacker exploits this by sending such attack vectors in a request. OWASP classifies Injection as #8 in its API Security Top 10 (API8:2019).

Configuration Parameters

The Command Injection analyzer has one optional configuration parameter that may be specified when the analyzer is used in a configuration.

  • allFields (boolean): When true, attack URLs are sent in all input fields.

Example Configuration

testProfile:
  analyzers:
    - kind: CmdInjection
      allFields: false

Faults Reported

Fault Identifier: CWE-20
Title: Improper Input Validation
Summary: The application either does not validate input data or incorrectly validates that the input may be processed safely and correctly.
Solution: Application should sanitize inputs and respond with a client error for invalid input data.
Severity: medium
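The following is an added example, not code from the analyzer or its vendor, showing the weakness the analyzer probes for (the Description above) beside the fix the Solution row asks for. It assumes a hypothetical endpoint GET /ping?host=<name> that wraps the ping command; the function names, the allowlist pattern and the dry_run stand-in are illustrative choices, not part of the analyzer.

```python
"""Vulnerable pattern vs. hardened handler for an API that shells out.

The unsafe handler interpolates the request parameter into a shell command
string. The hardened one validates the parameter against an allowlist,
answers invalid input with a client error (HTTP 400), and runs the tool as
an argv list with no shell, so request data can never become shell syntax.
"""
import re
import subprocess
from typing import Callable

# Allowlist for the hypothetical `host` parameter: letters, digits, dots and
# hyphens. It must also not START with '-', because an argv list stops shell
# injection but not option injection (a value like "--help" would otherwise be
# parsed by the tool as a flag).
HOST_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$")


def build_unsafe_command(host: str) -> str:
    """The weakness (CWE-20 / command injection): the raw request parameter is
    pasted into a shell command line, so shell metacharacters in it change what
    runs. The string is only returned here, never executed, so it can be
    inspected safely."""
    return f"ping -c 1 {host}"


def dry_run(argv, **_kwargs) -> subprocess.CompletedProcess:
    """Stand-in for subprocess.run used by the demo and tests: records the
    argv it would have executed instead of running anything."""
    return subprocess.CompletedProcess(argv, 0, stdout=f"(would run {argv})\n", stderr="")


def handle_ping(host: str, run: Callable = subprocess.run) -> tuple[int, str]:
    """Hardened handler: validate, reject with a client error, run without a shell.

    Returns (http_status, body). `run` is injectable so the handler can be
    exercised offline with dry_run.
    """
    if not HOST_RE.fullmatch(host):
        # Invalid input gets a client error, as the Solution row prescribes.
        return 400, "invalid host parameter"
    try:
        # argv list with shell=False (the default): the host is exactly one
        # argument, so ';', '|', '$(...)' and quotes reach ping literally.
        result = run(["ping", "-c", "1", host], capture_output=True, text=True, timeout=5)
    except (OSError, subprocess.TimeoutExpired):
        return 500, "ping failed"
    return 200, result.stdout


if __name__ == "__main__":
    # Constructed sample inputs: one valid host, one containing shell syntax,
    # one that would be parsed as an option by the tool.
    for candidate in ("example.com", "example.com; echo injected", "--help"):
        print(f"{candidate!r:32} unsafe command: {build_unsafe_command(candidate)!r}")
        print(f"{'':32} hardened handler: {handle_ping(candidate, run=dry_run)}")
```

Passing a fake `run` keeps the demonstration offline; in the real handler the default `subprocess.run` is used. The allowlist is deliberately narrow: rejecting anything outside the expected character set is both the sanitization and the client-error response the fault's Solution calls for, and the leading-character rule covers the option-injection case that an argv list alone does not.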