PCI scan warnings about time-based command injection

Automated scanners commonly attempt time-based command injection by injecting payloads such as:

• | ping 127.0.0.1
• `ping -c 1 127.0.0.1`
• Variants combined with quoting or comment characters

The scanner then measures response times and attempts to correlate delays with the injected payload, assuming that any increase in response time indicates command execution.

No command output is required for the scanner to raise a finding.

Time-based detection is inherently unreliable. A delayed response does not prove that a command was executed.

Common non-vulnerable causes of increased response times include:

• Application-level filtering or search logic
• Database query complexity or cache misses
• Web application firewall inspection
• CDN or bot-mitigation delays
• Rate limiting or request queuing
• Input normalisation or sanitisation paths

On ShopWired, query string parameters are treated purely as strings and are never passed to a system shell. In these cases, command injection is not technically possible regardless of payload.

These characteristics strongly suggest a false positive rather than a real vulnerability:

• No command output is returned in the response
• The payload is reflected or ignored rather than executed
• Response delays are inconsistent or disproportionate to the injected “sleep” time
• Requests are redirected or normalised by the application
• There is no application code path that executes OS commands using user input

True command injection produces consistent, predictable timing behaviour and typically allows observable output or side effects.

ShopWired does not pass user-supplied HTTP parameters to the operating system shell.

• Request parameters are handled at application level only
• No use of system command execution functions for request processing
• No shell context exists for storefront filtering or navigation parameters
• Input is treated as data, not executable instructions

As a result, injected shell metacharacters cannot trigger command execution.

Time-based command injection findings raised solely on response timing do not constitute evidence of a vulnerability.

Where:

• No OS command execution occurs
• No command output is observable
• No shell execution functions are used
• Input is not evaluated in a command context

the finding should be classified as informational or a false positive.

This aligns with PCI DSS requirements, which focus on actual exploitability rather than heuristic inference.

If your PCI scan flags a command injection vulnerability based only on timing analysis, you should provide the following explanation to your PCI assessor or scanning provider: