Java Command Injection From Header
Description
Detects command injection vulnerabilities in Java applications where HTTP header values can be used to execute arbitrary system commands. This occurs when user-controlled header parameters flow into ProcessBuilder execution methods without proper validation, allowing attackers to inject malicious OS commands.
Detection Strategy
• Identifies calls to ProcessBuilder.start() method in Java code
• Checks if the ProcessBuilder object is constructed using parameters derived from HTTP headers or user connections
• Reports a vulnerability when header/connection parameters flow directly into command execution without sanitization
• Focuses specifically on ProcessBuilder objects initialized with user-controlled data from request parameters
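The script below is an added illustration of the strategy above, not Fluid Attacks' engine or the rule's source: it models the check as a line-oriented taint analysis over Java source, with request.getHeader(...) as the source, a ProcessBuilder constructed from tainted data and then started as the sink, and an allow-list .contains(var) test treated as the sanitizer. The two Java snippets it scans are constructed here for the demonstration; the regex matching, the per-line assignment tracking and the control-flow-insensitive sanitizer handling are simplifications that a production analyzer working on an AST and a control-flow graph would not make.

```python
"""Toy intraprocedural taint check for header -> ProcessBuilder.start() flows.

Regex, line-oriented, no real Java parser: enough to show the source/sink/
sanitizer idea behind the rule, not a substitute for a real analyzer.
"""
import re
from typing import List, Set, Tuple

SOURCE_RE = re.compile(r"\.getHeader\s*\(")                      # taint source
BUILDER_RE = re.compile(r"new\s+ProcessBuilder\s*\(([^;]*?)\)")  # builder ctor
INLINE_START_RE = re.compile(r"new\s+ProcessBuilder\s*\(([^;]*?)\)\s*\.start\s*\(")
START_ON_VAR_RE = re.compile(r"\b(\w+)\s*\.start\s*\(")           # pb.start()
SANITIZER_RE = re.compile(r"\.contains\s*\(\s*(\w+)\s*\)")        # allow-list check
ASSIGN_RE = re.compile(
    r"^\s*(?:(?:public|private|protected|static|final)\s+)*"
    r"(?:[\w<>\[\],.]+\s+)?(\w+)\s*=\s*(.+?);\s*$"
)
IDENT_RE = re.compile(r"\b[A-Za-z_]\w*\b")
STRING_RE = re.compile(r'"(?:\\.|[^"\\])*"')


def _idents(expr: str) -> Set[str]:
    """Identifiers used in an expression, ignoring string literals."""
    return set(IDENT_RE.findall(STRING_RE.sub('""', expr)))


def find_header_to_processbuilder(java_source: str) -> List[Tuple[int, str]]:
    """Return (line, variable) pairs where a header-derived value reaches
    ProcessBuilder.start() without passing an allow-list check."""
    tainted_vars: Set[str] = set()      # strings derived from a header
    tainted_builders: Set[str] = set()  # ProcessBuilder objects built from them
    findings: List[Tuple[int, str]] = []
    for lineno, line in enumerate(java_source.splitlines(), start=1):
        code = line.split("//", 1)[0]
        san = SANITIZER_RE.search(code)
        if san:  # simplification: treat any .contains(var) as sanitizing var
            tainted_vars.discard(san.group(1))
        m = ASSIGN_RE.match(code)
        if m:
            var, rhs = m.group(1), m.group(2)
            b = BUILDER_RE.search(rhs)
            if b and _idents(b.group(1)) & tainted_vars:
                tainted_builders.add(var)
            elif SOURCE_RE.search(rhs) or (_idents(rhs) & tainted_vars):
                tainted_vars.add(var)
            else:  # clean reassignment kills taint
                tainted_vars.discard(var)
                tainted_builders.discard(var)
            continue
        inline = INLINE_START_RE.search(code)
        if inline:
            hit = _idents(inline.group(1)) & tainted_vars
            if hit:
                findings.append((lineno, sorted(hit)[0]))
        for builder in START_ON_VAR_RE.findall(code):
            if builder in tainted_builders:
                findings.append((lineno, builder))
    return findings


# Constructed samples mirroring the rule's vulnerable and secure shapes.
VULNERABLE_SAMPLE = "\n".join([
    "public class CommandInjection {",
    "    public void processCommand(HttpServletRequest request) throws Exception {",
    '        String command = request.getHeader("command");',
    "        ProcessBuilder pb = new ProcessBuilder(command);",
    "        pb.start();",
    "    }",
    "}",
])

SECURE_SAMPLE = "\n".join([
    "public class CommandInjection {",
    '    private static final List<String> ALLOWED_COMMANDS = Arrays.asList("status", "version", "help");',
    "    public void processCommand(HttpServletRequest request) throws Exception {",
    '        String command = request.getHeader("command");',
    "        if (!ALLOWED_COMMANDS.contains(command)) {",
    '            throw new IllegalArgumentException("command not allowed");',
    "        }",
    "        new ProcessBuilder(command).start();",
    "    }",
    "}",
])

if __name__ == "__main__":
    print("vulnerable:", find_header_to_processbuilder(VULNERABLE_SAMPLE))
    print("secure:", find_header_to_processbuilder(SECURE_SAMPLE))
```

The vulnerable sample is reported at the pb.start() line because pb was built from the tainted command variable; the secure sample produces no finding because the .contains() check clears the taint before the builder is constructed. Note what the toy misses: it does not confirm that the check actually guards the sink (a real engine follows control flow), and it does not track taint across method calls.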
Vulnerable code example
import javax.servlet.http.HttpServletRequest;

public class CommandInjection {
    public void processCommand(HttpServletRequest request) throws Exception {
        // Dangerous: Unsanitized header directly used in command execution
        String command = request.getHeader("command");
        // Vulnerable: User input passed directly to system command
        new ProcessBuilder(command).start();
    }
}

✅ Secure code example
import javax.servlet.http.HttpServletRequest;
import java.util.Arrays;
import java.util.List;

public class CommandInjection {
    // Whitelist of allowed commands
    private static final List<String> ALLOWED_COMMANDS = Arrays.asList(
        "status", "version", "help");

    public void processCommand(HttpServletRequest request) throws Exception {
        String command = request.getHeader("command");
        // Only a whitelisted value may reach ProcessBuilder
        if (command == null || !ALLOWED_COMMANDS.contains(command)) {
            throw new IllegalArgumentException("Command not allowed");
        }
        new ProcessBuilder(command).start();
    }
}