
How AppTrana Prevents Command Injection WAF Bypass

Posted: November 11, 2021 | 3 min read

Rated #1 on Gartner Peer Insights with a 100% customer recommendation, Indusface WAF (Web Application Firewall) provides comprehensive, always-on, tailored security to applications and APIs. Being a next-gen WAF with advanced features, it keeps the application always available to legitimate users, enabling organizations and their teams to focus on what matters the most – the core business.

While organizations deploy WAFs to protect their applications, the number of bypasses orchestrated by attackers is growing globally. With the unearthing of vulnerabilities in security solutions that allow web application firewalls to be bypassed through command injection, you may be wondering whether Indusface WAF is fully secure. Is it possible for attackers to gain access to mission-critical resources by bypassing this advanced web application firewall using such injections? Read on to find out.

Command Injections: An Overview

Typically, an application executes predefined commands and returns their output to the user. But when user-supplied input reaches the system shell without validation, the application can be made to run arbitrary commands chosen by the attacker on the host operating system and return their output. Injected commands run with the same privileges as the vulnerable application, so a successful command injection can lead to server compromise and give the attacker broad control of the target system.

Command injection is also referred to as OS Command Injection, Shell Command Injection, Shell Injection, and OS Injection. Unlike code injection, the attacker does not need to inject code written in the application's own language: the vulnerable application already passes strings to the system shell as part of its default functionality, and the attacker merely extends what is passed. This is what distinguishes command injection from code injection.

The Causes

When an application accepts unsanitized and unvalidated user input from sources such as form fields, cookies, and HTTP headers, the likelihood of command injection rises. Unpatched vulnerabilities in the application and/or in the firewall itself allow attackers to bypass the WAF and reach the protected website.

How are Command Injections Used to Bypass Web App Firewalls?

WAF bypass is leveraged by pen-testers and attackers alike to gain access to, and control of, target systems. Pen-testing helps organizations test the strength of the application firewall; when attackers find the same bypasses, the application behind the firewall is exposed.

Through reconnaissance, attackers and pen-testers detect and fingerprint the WAF in front of the target website or web application. Using readily available tools and manual probes, they identify key information about the WAF: does it reveal itself? Does it use a blacklisting, whitelisting, or hybrid model? They also look for vulnerabilities and flaws in the application or in the web application firewall itself.

Using this information, attackers craft commands that slip past the web firewall. In one recent bypass, empty shell variable expansions such as ${something} and ${thisdoesnotexist} were used to bypass a firewall product via command injection. Another variation leverages the rev command to evade the firewall's signatures.

Indusface WAF: An Overview

Augmented with Global Threat Intelligence, security analytics, and thorough documentation, this next-gen WAF takes a risk-based approach, continuously detecting risks through intelligent security scans and manual pen-testing. It instantly patches vulnerabilities found through the vulnerability management (VM) process until they are fixed by developers.

Through close traffic monitoring and analysis (behavior, patterns, and signatures), it intelligently decides whether to allow, block, challenge, or flag each request. It is effective against known and emerging threats in the fast-evolving threat landscape, including SQLi, XSS, DDoS, and so on. Separately from attacker-driven bypasses, Indusface WAF offers an automated WAF bypass as a disaster-recovery mechanism, which customers use to quickly determine whether an issue lies with the WAF or with the application. This is widely used by customers during major deployments and debugging.

Being a managed web application firewall, it is custom-built with surgical accuracy by certified experts to accommodate the needs and the context of the application. WAF rules are regularly tuned to minimize risks facing the application. The Indusface WAF offers 360-degree visibility, assures zero false positives, improves website performance, and ensures zero downtime.

Indusface WAF Mitigates Command Injection-led Bypasses

Pen-testers and white-hat hackers who found bypasses in the recent past believe that command injection-led WAF bypasses apply to other web application firewalls too, beyond the ones that were tested or attacked.

Cognizant of this, Indusface WAF has taken measures to ensure such bypasses are prevented, not only by custom-building the WAF but also by allowing clients to customize rulesets to block bypasses that aren't blocked by default. Other ways in which command injection-led bypasses are prevented include:

  • Input validation.
  • Creating a whitelist of possible and acceptable inputs and formats.
  • Setting up a bypass fleet to ensure traffic doesn't reach the origin server when the WAF is bypassed.
  • Avoiding system calls that incorporate user input, wherever possible.
  • Secure use of execFile(), passing the program and its arguments as an array rather than building a shell command string.
  • Avoiding default configurations.
  • Constant security updates.


A WAF is no longer a silver bullet capable of eliminating the possibilities of attacks altogether, especially given the fast-paced digital transformation, technological advances, rapidly evolving threat landscape, and ever-expanding attack surface. However, next-gen security products such as the Indusface WAF keep evolving and augmenting their capabilities to keep providing tailored and comprehensive solutions that harden the organization’s security posture.
