Security Hub

Bring your software development workflows to security


Command injection

Signals & Triggers

On command execution
If user inputs are matched in the command


  • prevent command execution prevent command execution
  • block incoming http request block incoming http request
  • Send a slack notification Send a Slack notification
  • Send an email notification Send an email notification
  • POST to webhook
  • Log request stack trace


When an application relies on shell commands to perform transactions, it can lead to critical vulnerabilities, giving an attacker a way to access the underlying OS.

Let’s take a simple example: ls -l $directory_name. Assuming directory_name comes from the user input. Sending .; cat /etc/passwd will result in: ls .; cat /etc/passwd. The attacker just managed to extract highly sensitive server data through a simple injection.

Sqreen can detect and block HTTP requests vulnerable to command injections, without false positive by acting in-app.

Advanced details

On every command execution triggered by an HTTP request, Sqreen parses locally the shellcode about to be executed. It will look for non-sanitized commands - ls, touch, cat, rm, … - coming from user inputs that inject executable commands. They would allow attackers to perform arbitrary operations on the server.

No traffic redirection is performed. The analysis of the script happens inside the application thanks to Sqreen’s dynamic instrumentation of the system libraries.

By being in-app and running just before the Shell script is sent to the OS - the very last step in your app - we can guarantee zero false positives in the detection and protection of command injections.

Language support

  • Ruby
  • Node.js
  • PHP
  • Python
  • Java

Data collected by Sqreen


No data collected

On attack
  • Request payload
  • Attacker IP
  • Attacker account (Sqreen SDK)
  • Stack trace

Built for developers and modern apps

Get up and running in minutes just by installing our lightweight library. Enable plugins in just a couple of clicks.

  • Node.js
  • Ruby
  • PHP
  • Python
  • Java
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9

$ npm install --save sqreen

$ echo '{ "token": "your token" }' > sqreen.json


// This should be the first line of your app


$ echo "gem 'sqreen'" >> Gemfile

$ bundle install

$ echo "token: your token" >> config/sqreen.yml

$ curl -s | bash

$ apt-get install --no-install-recommends sqreen-agent sqreen-php-extension

$ /usr/lib/sqreen/sqreen-installer config {your token}

$ pip install sqreen

$ echo -e '[sqreen]\ntoken: your token' >> sqreen.ini


# Insert at the top of your app file (typically or

import sqreen


$ curl -o sqreen-latest-all.jar


// Next, edit the JVM startup file:

-javaagent:/path/to/sqreen-agent.jar -Dsqreen.token={{your token}}

Build amazing products. Keep them safe.

3 min installation · Try all features for 7 days · No credit card required Get started Request demo