Reporting OS Command Injection

03 Sep, 2019 07:18 PM

Hi Arachni,

I have been trying to reach somebody about a series of OS Command Injections I found with your scanner. HackerOne is assuming it is a false positive, but I am looking at the report, and feel like you are right about labelling it a critical threat. It looks like it affects the source, user email and login information pages. What would you use, other than Burp Suite, to recreate a command injection like the one in the attached file?

I told them the injection and signature, and gave them the proof from the report that I can generate from Arachni, so I'd like to know what you would recommend I do next.


Patrick Kijek

Already uploaded files

  • index.html 17.2 MB
