Command Injection in String Fields Fuzzer
| Item | Description |
|---|---|
| Full Fuzzer Name | CommandInjectionInStringFieldsFuzzer |
| Log Key | CIISF |
| Description | This fuzzer sends OS command injection payloads into string fields to detect command injection vulnerabilities. It attempts to trigger unintended command execution on the server and analyzes responses for evidence such as system command output, file contents, or environment information leakage. |
| Enabled by default? | Yes |
| Target field types | OpenAPI type string |
| Expected result when fuzzed field is required | 4XX |
| Expected result when fuzzed value is not matching field pattern | 4XX |
| Fuzzing logic | Iteratively replaces each string field with OS command injection payloads and sends the request to the API: 1. By default, a curated top list of command injection payloads is used to reduce execution time. 2. If the --includeAllInjectionPayloads flag is enabled, a comprehensive payload set covering Unix/Linux, macOS, and Windows command variants is used. 3. Payloads include command chaining (;, &&), subshell execution ($(...), `...`), newline injection, and language-level escape attempts. 4. Each payload is injected into one field at a time while keeping the rest of the request unchanged. |
| Conditions when this fuzzer will be skipped | When the request payload is empty OR no string fields are present in the request payload. |
| HTTP methods that will be skipped | HEAD, TRACE |
| Injection evidence detection | Analyzes the response body for indicators of command execution, including: • /etc/passwd content (root:, /bin/) • Output of id (uid=, gid=, groups=) • Output of ls -la (total, drwx, -rw-) • Output of uname -a (Linux, Darwin, kernel info) • Windows dir output (Directory of, Volume Serial Number) Multiple indicators strongly suggest successful command execution. |
| Reporting | Reports error if: 1. Multiple indicators of command execution are found (high confidence vulnerability). 2. Server responds with 5XX while processing injection payloads. 3. An unexpected response code is returned. Reports warn if: 1. Single indicator of command execution is detected (possible vulnerability, manual verification recommended). Reports info if: 1. Injection payload is properly rejected with 4XX. 2. Injection payload is accepted with 2XX but no execution evidence is found (validation gap). |
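As an added illustration of the evidence-detection and reporting rules in the two rows above (example code written for this page, not part of CATS), the following Python applies the listed indicators to a few constructed response bodies and maps each response to the error/warn/info level the table describes. The `expected` set of documented response codes and all sample bodies are assumptions.

```python
import re

# Indicator groups taken from the detection row above; each group is the
# tell-tale output of one command an injected payload might have run.
EVIDENCE_GROUPS = {
    "/etc/passwd": [r"root:", r"/bin/"],
    "id": [r"uid=", r"gid=", r"groups="],
    "ls -la": [r"\btotal\b", r"drwx", r"-rw-"],
    "uname -a": [r"\bLinux\b", r"\bDarwin\b"],
    "dir (Windows)": [r"Directory of", r"Volume Serial Number"],
}


def find_evidence(body: str) -> list[str]:
    """Return the command-output groups whose markers appear in the body."""
    return [cmd for cmd, markers in EVIDENCE_GROUPS.items()
            if any(re.search(m, body) for m in markers)]


def classify(status: int, body: str, expected: set[int]) -> tuple[str, str]:
    """Map one fuzzed response to (level, reason) per the reporting row.

    `expected` is assumed to hold the response codes the contract documents.
    """
    evidence = find_evidence(body)
    if len(evidence) >= 2:
        return "error", f"multiple indicators of command execution: {evidence}"
    if 500 <= status <= 599:
        return "error", "5XX while processing injection payload"
    if status not in expected:
        return "error", f"unexpected response code {status}"
    if len(evidence) == 1:
        # A lone marker such as 'total' also appears in ordinary JSON paging
        # fields, so this stays a warning that needs manual verification.
        return "warn", f"single indicator of command execution: {evidence[0]}"
    if 400 <= status <= 499:
        return "info", "injection payload rejected with 4XX"
    return "info", "payload accepted with 2XX but no execution evidence (validation gap)"


# Constructed sample responses (not captured from any real service).
PASSWD_LEAK = '{"name":"root:x:0:0:root:/root:/bin/bash\\nuid=0(root) gid=0(root)"}'
JSON_TOTAL = '{"items":[],"total":0}'          # benign field that trips one marker
REJECTED = '{"error":"invalid characters in name"}'
SERVER_ERROR = '{"message":"Internal Server Error"}'

if __name__ == "__main__":
    for status, body in [(200, PASSWD_LEAK), (200, JSON_TOTAL),
                         (400, REJECTED), (500, SERVER_ERROR), (302, "")]:
        print(status, classify(status, body, {200, 400}))
```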