Question:
My scan results include Remote OS Command Injection (ZAP plugin 90020) -- how should I investigate this finding?
Answer:
Alert Behavior:
Remote OS Command Injection is a timing-based ZAP plugin (90020) that HawkScan uses to test command injection variations that return content as well as blind command injection (CWE-78).
In the case of blind command injection, the scanner injects an innocuous sleep command into a request, then interprets the response based on its timing, comparing requests with and without the attack parameter. Depending on the technology flags in use, the request could contain various elements along these lines, such as:
sleep
timeout /T
start-sleep -s
If the scanner can induce delayed responses relative to requests without the sleep component, the alert will be triggered and included in the scan results. It is not triggered based on any particular type of HTTP code in the response (e.g., 200 or 302).
Reproducing the Condition:
If the scanner returns this alert, it can be reproduced by copying the curl command output from the Validate button in the alert's Details page and issuing these variations of that request to the application in question:
with the sleep portion of the command removed
with the included sleep command
If responses to requests containing the sleep command are consistently longer than without, that's an indication of the issue and a reason to investigate further.
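The comparison described above can be scripted so that the "consistently longer" judgement rests on several samples rather than a single pair of requests. The following is an added example and not part of the original article or of HawkScan: it times a baseline request and the sleep variant, and reports whether every sleep-variant response exceeds the slowest baseline response by at least half the injected delay. The two URLs are placeholders you paste from the Validate button's curl output; nothing here constructs a payload.

```python
"""Added example (not from the article or HawkScan): measure whether the
sleep variant of a validated request is consistently slower than the same
request without the sleep portion.

Assumptions: BASELINE_URL and SLEEP_URL are hypothetical placeholders that you
replace with the two request variants taken from the alert's Validate button;
EXPECTED_DELAY is the number of seconds the sleep payload in that request asks for.
"""
import statistics
import time
import urllib.request

BASELINE_URL = "http://localhost:8020/?q=REQUEST_WITHOUT_SLEEP"   # placeholder
SLEEP_URL = "http://localhost:8020/?q=REQUEST_WITH_SLEEP"         # placeholder
EXPECTED_DELAY = 5.0                                               # placeholder


def timed_request(url: str, timeout: float = 60.0) -> float:
    """Issue one GET and return wall-clock seconds until the body is fully read."""
    start = time.perf_counter()
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        resp.read()
    return time.perf_counter() - start


def collect_timings(url: str, samples: int = 5) -> list:
    """Repeat the request so that one slow response cannot decide the result."""
    return [timed_request(url) for _ in range(samples)]


def consistently_slower(baseline: list, candidate: list, expected_delay: float) -> bool:
    """True only when EVERY candidate timing exceeds the slowest baseline timing
    by at least half the injected delay. Checking each sample (not the mean)
    keeps a single jittery request from producing a false positive."""
    if not baseline or not candidate:
        raise ValueError("need at least one sample of each")
    floor = max(baseline) + expected_delay / 2
    return all(t >= floor for t in candidate)


def summarize(baseline: list, candidate: list, expected_delay: float) -> dict:
    """Medians, their difference, and the consistency verdict for the report."""
    base_med = statistics.median(baseline)
    cand_med = statistics.median(candidate)
    return {
        "baseline_median": base_med,
        "candidate_median": cand_med,
        "delta": cand_med - base_med,
        "consistent": consistently_slower(baseline, candidate, expected_delay),
    }


if __name__ == "__main__":
    base = collect_timings(BASELINE_URL)
    slow = collect_timings(SLEEP_URL)
    print(summarize(base, slow, EXPECTED_DELAY))
```

Run it from the same network position the scanner used; a delta close to the requested sleep with `consistent` true is the signal to investigate, while a large delta on one sample only usually means load or network jitter and should be re-run.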
Resolving the Issue
See the Solution section of Remote OS Command Injection (90020) on the ZAP page and follow the guidance there.
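To make the remediation concrete, here is an added example (not from the article, ZAP or HawkScan) showing the code pattern behind CWE-78 next to a hardened form: a hypothetical endpoint that pings a user-supplied host. The vulnerable version hands the value to a shell, which is what lets an appended sleep command run; the hardened version validates the value against a hostname allowlist and executes an argv list with no shell at all.

```python
"""Added example (not from the article or ZAP): a vulnerable OS-command call
beside a hardened one. The ping endpoint and helper names are hypothetical."""
import re
import subprocess


# --- Vulnerable pattern (for contrast only): user input is concatenated into a
# shell command line, so shell metacharacters in `host` are interpreted.
def ping_vulnerable(host: str) -> str:
    completed = subprocess.run(f"ping -c 1 {host}", shell=True,
                               capture_output=True, text=True)
    return completed.stdout


# --- Hardened pattern: allowlist validation plus argv execution without a shell.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(rf"^(?=.{{1,253}}$)(?:{_LABEL}\.)*{_LABEL}$")


def is_valid_hostname(host: str) -> bool:
    """Accept only DNS-style names: letters, digits, hyphens and dots.
    Spaces, ';', '|', '&', '$', '(' and a leading '-' are all rejected."""
    return bool(HOSTNAME_RE.match(host))


def build_ping_argv(host: str) -> list:
    """Return the exact argument vector that will be executed. Because the list
    goes straight to execve (shell=False), no element is ever parsed by a shell."""
    if not is_valid_hostname(host):
        raise ValueError("invalid hostname")
    return ["ping", "-c", "1", host]


def rejects(host: str) -> bool:
    """Helper for tests: True when the hardened builder refuses the input."""
    try:
        build_ping_argv(host)
    except ValueError:
        return True
    return False


def ping_hardened(host: str) -> str:
    completed = subprocess.run(build_ping_argv(host), shell=False,
                               capture_output=True, text=True, timeout=10)
    return completed.stdout


if __name__ == "__main__":
    print(build_ping_argv("localhost"))
    print("rejected:", rejects("localhost; sleep 5"))
```

The validation is the primary control and the argv call is the safety net: even if a future change loosens the regex, nothing in the list form is re-parsed by a shell, so appended commands, pipes or subshells arrive at `ping` as a literal (and invalid) hostname rather than as a second command.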
Additional Information:
See:
Similar timing-based Injection tests that HawkScan runs:
Using the Linux time command to generate request/response timing information:
You can use the Linux 'time' command to generate timings for your curl commands.
For example, this curl took .01s from start to finish:
time curl -v -X GET \
  "http://localhost:8020" \
  -H "Host: localhost:8020" \
  -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0" \
  -H "Pragma: no-cache" \
  -H "Cache-Control: no-cache" \
  -d ''

curl -v -X GET "http://localhost:8020" -H "Host: localhost:8020" -H -H -H 0.00s user 0.01s system 56% cpu 0.026 total