How does the Remote OS Command Injection test (90020) work in HawkScan?

Interpreting Remote OS Command Injection findings in HawkScan

Written by Anthony Stinn

Question:

My scan results include Remote OS Command Injection (ZAP plugin 90020) -- how should I investigate this finding?

Answer:

Alert Behavior:

Remote OS Command Injection is a timing-based ZAP plugin (90020) that HawkScan uses. It tests both command injection variants that return content in the response and blind command injection (CWE-78).

In the case of blind command injection, the scanner injects an innocuous sleep command into a request and then interprets the result by comparing response timing with and without the attack parameter. Depending on the technology flags in use, the request could contain elements along these lines:

  • sleep

  • timeout /T

  • start-sleep -s

If the scanner can induce delayed responses relative to requests without the sleep component, the alert will be triggered and included in the scan results. It is not triggered based on any particular type of HTTP code in the response (e.g., 200 or 302).

Reproducing the Condition:

If the scanner returns this alert, it can be reproduced by copying the curl command output from the Validate button on the alert's Details page and issuing these two variations of that request to the application in question:

  • with the sleep portion of the command removed

  • with the included sleep command

If responses to requests containing the sleep command are consistently longer than without, that's an indication of the issue and a reason to investigate further.
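A small timing harness for the reproduction steps above, added here as an example (it is not StackHawk or ZAP code): it repeats both request variants and only reports a consistent delay when the fastest sleep-variant response is still slower than the slowest baseline response by most of the requested sleep. The URL, headers, the 5-second sleep length and the two placeholder request dicts are assumptions to be replaced with the Validate-button curl.

```python
import statistics
import time
import urllib.error
import urllib.request

SLEEP_SECONDS = 5   # assumed delay requested by the sleep payload in the Validate curl
REPEATS = 5         # repeat each variant so a single slow response cannot mislead

# Placeholder requests (constructed): copy URL, headers and body from the alert's
# Validate button. The only difference between the two is the sleep portion.
REQUEST_BASELINE = {
    "url": "http://localhost:8020/",
    "method": "GET",
    "headers": {"Pragma": "no-cache", "Cache-Control": "no-cache"},
    "data": b"",
}
REQUEST_WITH_SLEEP = {**REQUEST_BASELINE, "data": b""}  # body with the sleep command goes here


def time_request(req, repeats=REPEATS):
    """Send the request `repeats` times; return wall-clock seconds for each attempt."""
    timings = []
    for _ in range(repeats):
        r = urllib.request.Request(req["url"], data=req["data"],
                                   headers=req["headers"], method=req["method"])
        start = time.perf_counter()
        try:
            urllib.request.urlopen(r, timeout=SLEEP_SECONDS * 4).read()
        except urllib.error.HTTPError:
            pass  # the status code is irrelevant to this alert; only the timing matters
        timings.append(time.perf_counter() - start)
    return timings


def delay_induced(baseline, with_sleep, sleep_s=SLEEP_SECONDS, tolerance=0.8):
    """True when the fastest sleep-variant response is slower than the slowest
    baseline response by at least `tolerance` of the requested sleep. Comparing
    min against max (not averages) keeps one jittery sample from causing a false positive."""
    if len(baseline) < 3 or len(with_sleep) < 3:
        raise ValueError("collect at least 3 samples per variant before deciding")
    return (min(with_sleep) - max(baseline)) >= sleep_s * tolerance


if __name__ == "__main__":
    base, slow = time_request(REQUEST_BASELINE), time_request(REQUEST_WITH_SLEEP)
    print(f"baseline median {statistics.median(base):.3f}s, "
          f"with sleep median {statistics.median(slow):.3f}s")
    print("consistent delay -> investigate" if delay_induced(base, slow) else "no consistent delay")
```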

Resolving the Issue

See the Solution section of Remote OS Command Injection (90020) on the ZAP page and follow the guidance there.

Additional Information:

See:

Similar timing-based Injection tests that HawkScan runs:

Using the Linux time command to generate request/response timing information:

You can use the Linux 'time' command to generate timings for your curl commands.

For example, this curl took .01s from start to finish:

time curl -v -X GET \
  "http://localhost:8020" \
  -H "Host: localhost:8020" \
  -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0" \
  -H "Pragma: no-cache" \
  -H "Cache-Control: no-cache" \
  -d ''

curl -v -X GET "http://localhost:8020" -H "Host: localhost:8020" -H -H -H 0.00s user 0.01s system 56% cpu 0.026 total
