C Sharp Command Injection Process Start
Description
Detects command injection vulnerabilities in C# code where untrusted user input can reach dangerous process execution methods like Start() or Execute(). This could allow attackers to execute arbitrary system commands through the application.
Detection Strategy
• Check for method calls named 'Start' or 'Execute'
• Verify the method call is made through process execution classes like Process or ProcessStartInfo
• Determine if user-controlled data can flow into these execution methods
• Report a vulnerability when user input reaches dangerous process execution functions without proper sanitization
Vulnerable code example
using System.Diagnostics;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
public class Executor {
    public void Execute(HttpRequest req) {
        // VULNERABLE: Direct use of unvalidated user input in Process.Start
        // (HttpRequest.Query is the indexable query-string collection in ASP.NET Core)
        string command = req.Query["command"];
        Process.Start(command); // Command injection vulnerability...
    }
}
Secure code example
using System.Collections.Generic;
using System.Diagnostics;
using Microsoft.AspNetCore.Mvc;
public class Executor {
    // Defines allowed commands to prevent arbitrary execution
    private static readonly Dictionary<string, string> AllowedCommands = new()
    {
        ["status"] = "systeminfo",...
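The allowlist pattern that the secure example above begins, written out as an added example (not Fluid Attacks' code). The names SafeCommandRunner, TryBuild and Run, and the "hostname" entry, are assumptions made for illustration; only the "status" to "systeminfo" mapping comes from the page.

```csharp
using System;
using System.Collections.Generic;
using System.Diagnostics;

public static class SafeCommandRunner
{
    // Constructed allowlist: request keys map to a fixed executable and fixed arguments.
    private static readonly Dictionary<string, (string File, string[] Args)> Allowed =
        new(StringComparer.Ordinal)
        {
            ["status"] = ("systeminfo", Array.Empty<string>()),
            ["hostname"] = ("hostname", Array.Empty<string>()), // hypothetical entry
        };

    // Resolves a user-supplied key to a ProcessStartInfo; returns false for unknown keys.
    public static bool TryBuild(string key, out ProcessStartInfo psi)
    {
        psi = null;
        if (key is null || !Allowed.TryGetValue(key, out var entry))
            return false; // no part of the request reaches Process.Start

        psi = new ProcessStartInfo
        {
            FileName = entry.File,
            UseShellExecute = false,        // no shell, so metacharacters are never interpreted
            RedirectStandardOutput = true,
            CreateNoWindow = true,
        };
        foreach (var arg in entry.Args)
            psi.ArgumentList.Add(arg);      // each argument is its own argv entry
        return true;
    }

    // Runs an allowlisted command and returns its standard output.
    public static string Run(string key)
    {
        if (!TryBuild(key, out var psi))
            throw new ArgumentException("Command not allowed.", nameof(key));

        using var process = Process.Start(psi)
            ?? throw new InvalidOperationException("Process did not start.");
        string output = process.StandardOutput.ReadToEnd();
        process.WaitForExit();
        return output;
    }
}
```

Because the request value is used only as a dictionary key, a taint-tracking rule like the one described here sees no data flow from user input into `Process.Start`.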