What is Command Injection?
Command injection occurs when an application builds an operating-system command from untrusted input and hands it to a shell (for example via sh -c). Shell metacharacters in the input terminate or extend the intended command, so the attacker runs arbitrary commands with the privileges of the application process, which usually means full server compromise.
Common Exploits:
- Command chaining with semicolons (;)
- Command substitution with backticks (`)
- Pipe output to other commands (|)
- Conditional execution (&&, ||)
- Read files with cat, less, or similar
Before WAF: Vulnerable
Without Cloudflare WAF, shell commands execute on the server
Try command injection with cURL (the vulnerable endpoint takes a host parameter):
# Semicolon command chaining (-G puts the URL-encoded parameter in the query string, as the form does)
curl -G "<your-worker-url>/api/ping" --data-urlencode 'host=;whoami'
# Backtick command substitution (single quotes stop your own shell from running id locally)
curl -G "<your-worker-url>/api/ping" --data-urlencode 'host=`id`'
# Pipe to other commands (curl encodes the space in the payload)
curl -G "<your-worker-url>/api/ping" --data-urlencode 'host=|cat /etc/passwd'
# Command substitution with $()
curl -G "<your-worker-url>/api/ping" --data-urlencode 'host=$(ls -la)'
Vulnerability: the host parameter is concatenated directly into a shell command string with no validation, so the server-side shell interprets these characters as part of the command.
After WAF: Protected
With Cloudflare WAF in front of the origin, requests carrying shell metacharacters are blocked at the edge before they reach the server
Enable Cloudflare Protection:
- Go to Cloudflare Dashboard → Security → WAF
- Enable "Cloudflare Managed Ruleset"
- Enable "Cloudflare OWASP Core Ruleset"
- The command-injection rules in both rulesets match shell metacharacters and common command names in request parameters
Result: Requests with shell metacharacters (;, |, `, $) are blocked at the edge. Treat this as a compensating control rather than the fix: a signature can be bypassed by an encoding the rule does not decode or a pattern it does not cover, so the handler must still stop building shell commands from user input (validate the host against an allowlist and pass it to the ping binary as a separate argument).
Cloudflare WAF Protection
- ✓Shell Character Blocking: Block ; | & && || ` $()
- ✓Command Detection: Block common shell command names (whoami, id, cat, ls, ...) in request parameters
- ✓OWASP Rules: Comprehensive injection protection
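To make the three bullets concrete, here is an added example that is not Cloudflare's rule logic: a minimal model of the edge check, run over the query parameters of the page's own payloads plus a benign request. The URLs, host names and command list are constructed sample input. It also shows two things the bullets do not: the check has to run on the URL-decoded value, and a plain "block command names" rule produces false positives on legitimate hostnames.

```javascript
// Added example, not Cloudflare's rule logic: a minimal model of the edge check
// the page describes, applied to each query parameter of a request URL.
// The URLs, host names and the command list are constructed sample input.
const SHELL_META = /[;|&`]|\$\(/;
const SHELL_CMD = /(^|[^A-Za-z0-9_])(whoami|id|cat|less|ls|sh|bash|nc|curl|wget)(?![A-Za-z0-9_])/;

// Inspect every query parameter. Returns the first verdict:
// { action: 'block', param, reason } or { action: 'allow' }.
// URLSearchParams percent-decodes each value once, the same way a typical
// origin framework does, so host=%3Bwhoami is seen as ";whoami" and blocked.
function inspectRequest(urlString) {
  const url = new URL(urlString);
  for (const [param, value] of url.searchParams) {
    if (SHELL_META.test(value)) {
      return { action: 'block', param, reason: 'shell metacharacter' };
    }
    if (SHELL_CMD.test(value)) {
      return { action: 'block', param, reason: 'shell command name' };
    }
  }
  return { action: 'allow' };
}

// The page's four payloads, an encoded variant, and one benign request.
// demo.example stands in for <your-worker-url>; %60 is a backtick.
const SAMPLE_URLS = [
  'https://demo.example/api/ping?host=example.com',
  'https://demo.example/api/ping?host=;whoami',
  'https://demo.example/api/ping?host=%60id%60',
  'https://demo.example/api/ping?host=|cat%20/etc/passwd',
  'https://demo.example/api/ping?host=$(ls%20-la)',
  'https://demo.example/api/ping?host=%3Bwhoami',
];

// Returns one verdict object per URL, e.g. { url, action, param, reason }.
function runSamples(urls = SAMPLE_URLS) {
  return urls.map((u) => ({ url: u, ...inspectRequest(u) }));
}
```

Two cases worth trying by hand: host=id.example.com is blocked by the command-name rule even though it is a valid hostname (a false positive that real rulesets tune with scoring and exceptions), and host=%253Bwhoami is allowed because the value is decoded only once here; an origin that decodes it a second time would see ";whoami". Both are reasons the WAF sits in front of the fix in the handler rather than replacing it.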