Details
Alert ID 200001
Alert Type Tool
Status alpha
Risk High
CWE 78
WASC
Technologies Targeted All
Tags CWE-78
OWASP_2021_A03
OWASP_2025_A05
TOOL_PTK

Summary

OS command injection (also known as shell injection) is a web security vulnerability that allows an attacker to execute arbitrary operating system (OS) commands on the server that is running an application, and typically fully compromise the application and all its data.

Generated by OWASP PTK DAST Module

Solution

Never concatenate untrusted input into shell commands.
• Use fixed command allow-lists and parameterized process execution APIs (e.g. execve with argument arrays, never sh -c with user input).
• Reject or strictly allow-list dangerous metacharacters and separators including |, ;, &, $, `, \n, (, ), {, }.
• Run command-executing services with least privilege and strong sandboxing.
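As an added illustration of the solution above (example code, not part of OWASP PTK), the following contrasts the string-concatenation anti-pattern with a fixed command allow-list, rejection of the listed metacharacters, and argument-array execution without a shell; the command table and hostname pattern are hypothetical.

```python
import re
import subprocess

# Dangerous separators and metacharacters named in the solution text.
DANGEROUS = set("|;&$`\n(){}")

# Hypothetical fixed allow-list: the only commands the service may run,
# each with its fixed leading arguments.
ALLOWED_COMMANDS = {
    "ping": ["ping", "-c", "1"],
    "nslookup": ["nslookup"],
}

# Positive allow-list for the one user-controlled argument (a hostname).
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")


def vulnerable_command_line(user_host: str) -> str:
    """Anti-pattern: untrusted input concatenated into a shell string.
    Passed to `sh -c`, any metacharacter in user_host changes the command."""
    return f"ping -c 1 {user_host}"


def contains_metacharacters(value: str) -> bool:
    """Negative check: does the value contain any listed separator?"""
    return any(ch in DANGEROUS for ch in value)


def build_argv(command: str, user_host: str) -> list:
    """Validate against both allow-lists and return an argument array.
    Raises ValueError instead of running anything on bad input."""
    if command not in ALLOWED_COMMANDS:
        raise ValueError(f"command not allowed: {command!r}")
    if contains_metacharacters(user_host) or not HOSTNAME_RE.match(user_host):
        raise ValueError("host argument rejected")
    # The user value is a single argv element; no shell ever parses it.
    return ALLOWED_COMMANDS[command] + [user_host]


def run_safely(command: str, user_host: str) -> subprocess.CompletedProcess:
    """Execute via an argument array (execve-style), never through sh -c."""
    argv = build_argv(command, user_host)
    return subprocess.run(argv, shell=False, capture_output=True,
                          text=True, timeout=10)
```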

Other Info

References

Code

src/ptk/background/dast/modules/modules.json