jthack / ffufai

AI-powered ffuf wrapper
268 stars, 40 forks

Prompt Injection in Headers Can Lead to Command Injection Vulnerabilities #4

Open bayegaspard opened 1 month ago

bayegaspard commented 1 month ago

Just like what I described in https://github.com/jthack/ffufai/issues/3, we can see that both the URL and header parameters are susceptible to RCE. For instance, a custom header could include any system command, like whoami in backticks, leading to potential exploitation on the pentester's server.

[screenshot]
bayegaspard commented 1 month ago

The same thing can be seen for Max-per-class.

sh0z3n commented 1 month ago

Exactly, this part should be handled differently:

```python
ffuf_command = [args.ffuf_path] + unknown + ['-e', extensions]
subprocess.run(ffuf_command)
```
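The distinction the thread turns on is whether the attacker-influenced header value is ever parsed by a shell. The following is an added example written for this page, not code from ffufai: it builds an ffuf-style command line (ffuf's real `-u`, `-H` and `-e` flags) around a header carrying a backtick command substitution, runs it three ways, and adds a header validator of my own as defence in depth. The binary is a stand-in, `echo` instead of ffuf, so the effect is visible in the output without ffuf installed, and the hostile header is constructed input; `echo INJECTED` plays the role of `whoami`.

```python
"""Command injection through a header value: shell string vs argv list.

Added example for the ffufai issue thread; not the project's code.
"""
import re
import shlex
import subprocess

# Constructed sample input. The value carries a backtick command substitution;
# `echo INJECTED` is a harmless stand-in for `whoami` or a reverse shell.
HOSTILE_HEADER = "X-Probe: `echo INJECTED`"
BENIGN_HEADER = "X-Probe: 1"

# Shell metacharacters, plus CR/LF (which also breaks HTTP header framing).
# This check is an assumption of mine about what a wrapper should refuse;
# it is a second line of defence, not a substitute for build_argv below.
_FORBIDDEN = re.compile(r"[`$;&|<>()\r\n\\\"']")


def header_is_safe(header: str) -> bool:
    """Return True only for a 'Name: value' header whose value contains no
    shell metacharacters and no line breaks."""
    name, sep, value = header.partition(":")
    if not sep or not re.fullmatch(r"[A-Za-z0-9-]+", name):
        return False
    return _FORBIDDEN.search(value) is None


def build_argv(tool: str, url: str, headers: list[str], extensions: str) -> list[str]:
    """Build the command as an argv list. Each element reaches the child
    process as exactly one argument; no shell parses it, so backticks in a
    header value are just bytes in that argument."""
    argv = [tool, "-u", url]
    for header in headers:
        argv += ["-H", header]
    argv += ["-e", extensions]
    return argv


def run_as_argv(argv: list[str]) -> str:
    """Safe: subprocess executes argv directly (no shell involved)."""
    return subprocess.run(argv, capture_output=True, text=True, check=True).stdout


def run_as_shell_string(argv: list[str]) -> str:
    """The anti-pattern: flatten the command to one string and hand it to
    /bin/sh. The shell now performs command substitution on the header."""
    command = " ".join(argv)
    return subprocess.run(command, shell=True, capture_output=True, text=True).stdout


def run_quoted_shell(argv: list[str]) -> str:
    """If a shell string is unavoidable (logging, a remote runner), quote
    every argument with shlex.join so the shell sees the backticks as text."""
    command = shlex.join(argv)
    return subprocess.run(command, shell=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    argv = build_argv("echo", "http://target.example/FUZZ", [HOSTILE_HEADER], "php")
    print("validator accepts hostile header?", header_is_safe(HOSTILE_HEADER))
    print("argv list      :", run_as_argv(argv).rstrip())
    print("shell string   :", run_as_shell_string(argv).rstrip())
    print("shlex.join     :", run_quoted_shell(argv).rstrip())
```

Run it and compare the three lines: only the flattened shell string replaces the header with `X-Probe: INJECTED`, meaning the command inside the backticks executed on the operator's machine; the argv list and the `shlex.join` form both print the backticks literally. The validator rejects the hostile header before anything runs, which is the check a wrapper should perform on every user-supplied header, URL and option before they are passed to the tool.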