
Command Injection Protection

Protection Module: CommandInjection

Prevents OS command injection attacks through input validation and process execution monitoring.

Available for:

  • ASP.NET Core
  • ASP.NET Framework
  • Azure Functions
  • Desktop Applications

How It Works

Command Injection Protection monitors process execution and validates input used in shell commands.

Detection Methods:

  • Command Separator Detection - Identifies ;, |, &, &&, ||
  • Shell Metacharacter Analysis - Detects $(), `, >, <
  • Process Execution Monitoring - Tracks Process.Start() calls
  • PowerShell Detection - Identifies PowerShell execution attempts
  • Encoded Command Detection - Detects Base64 and hex-encoded commands

Common Attack Patterns:

  • Command chaining (; whoami)
  • Pipe attacks (| cat /etc/passwd)
  • Subshell execution (`whoami`)
  • PowerShell encoded commands
  • Newline injection (%0a attacks)

Configuration

JSON
{
  "protections": {
    "CommandInjection": {
      "enabled": true,
      "action": "block"
    }
  }
}

ASP.NET Core

C#
builder.Services.AddBytehideMonitor(monitor => monitor
    .WithProtection(ProtectionModuleType.CommandInjection, ActionType.Block)
);

Attack Examples

Command Chaining

Bash
# Input: "file.txt; rm -rf /"
# Status: BLOCKED

Pipe Injection

Bash
# Input: "file.txt | cat /etc/passwd"
# Status: BLOCKED

Subshell Execution

Bash
# Input: "file.txt; $(whoami)"
# Status: BLOCKED

PowerShell Injection

POWERSHELL
# Input: "file.txt; powershell -enc base64payload"
# Status: BLOCKED
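The four inputs above, run through a simple token check and then passed to a shell-free launch. This is an added example, not ByteHide's implementation or API. The names CommandInputCheck, FindShellTokens and BuildStartInfo, the /usr/bin/wc path and the benign sample value are assumptions made for illustration, and the code assumes .NET 6 or later.

```csharp
using System;
using System.Diagnostics;
using System.Linq;

static class CommandInputCheck
{
    // Separators and metacharacters named under "Detection Methods" ("&&" and
    // "||" are covered by "&" and "|"), plus raw CR/LF for the newline case
    // (%0a after URL decoding).
    static readonly string[] ShellTokens =
        { ";", "|", "&", "$(", "`", ">", "<", "\n", "\r" };

    // Returns the tokens found, so a caller can log why the input was rejected.
    public static string[] FindShellTokens(string input) =>
        ShellTokens.Where(t => input.Contains(t, StringComparison.Ordinal)).ToArray();

    // Hardened launch: no shell is involved and the value is passed as exactly
    // one argv entry, so separators inside it are never interpreted as syntax.
    public static ProcessStartInfo BuildStartInfo(string executable, string fileName)
    {
        var psi = new ProcessStartInfo(executable)
        {
            UseShellExecute = false,
            RedirectStandardOutput = true
        };
        psi.ArgumentList.Add(fileName);
        return psi;
    }

    static void Main()
    {
        // The four inputs from "Attack Examples" plus one benign value (constructed).
        string[] samples =
        {
            "file.txt; rm -rf /",
            "file.txt | cat /etc/passwd",
            "file.txt; $(whoami)",
            "file.txt; powershell -enc base64payload",
            "report-2024.txt"
        };
        foreach (var s in samples)
        {
            var hits = FindShellTokens(s);
            Console.WriteLine(hits.Length == 0
                ? $"ALLOW  {s}"
                : $"REJECT {s}  (found: {string.Join(" ", hits)})");
        }
        // Nothing is started here; the start info only shows the argv-based form.
        var psi = BuildStartInfo("/usr/bin/wc", "report-2024.txt");
        Console.WriteLine($"{psi.FileName} {string.Join(" ", psi.ArgumentList)}");
    }
}
```

A token check like this also rejects legitimate values that contain characters such as `&`, so the argv-based launch is the primary control and the check is a second layer.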

Platform Compatibility

Platform | Support
ASP.NET Core
ASP.NET Framework
Azure Functions
Desktop Apps
