Reporting OS Command Injection
Hi Arachni,
I have been trying to reach somebody about a series of OS Command Injections I found with your scanner. HackerOne is assuming it is a false positive, but I am looking at the report, and feel like you are right about labelling it a critical threat. It looks like it affects the source, user email and login information pages. What would you use, other than Burp Suite, to recreate a command injection like the one in the attached file?
I told them the injection, signature and gave them the proof from the report that I can generate from Arachni, so I'd like to know what you recommend I do next.
Sincerely,
Patrick Kijek
- index.html 17.2 MB