Domain 04 / 12

Input & Injections security audit

Close every injection path — from SQL and command execution to XSS, SSRF, XXE and unsafe uploads.

  • 58 checks
  • SQLi · XSS · CSRF · SSRF · XXE · Deserialization · Upload

Run the audit See example checks

What securmyapp checks

Inside the Input & Injections domain

This is the Input & Injections domain of securmyapp — the free, open-source, 100% defensive security auditor for Claude Code that runs 598 checks across 12 domains. The Input & Injections domain targets OWASP's most damaging class of bugs. securmyapp validates that every input is checked against an allowlist and that queries are parameterized, then hunts SQL, NoSQL, LDAP, OS-command, template (SSTI) and code injection, plus XSS, CSRF, SSRF, XXE, insecure deserialization and unsafe file upload.

Coverage areas

58 atomic checks span these sub-domains.

  • Validation

    Server-side allowlist validation on all inputs.

  • SQL / NoSQL / ORM

    Parameterized queries and injection testing, including blind SQLi.

  • Command & code

    OS command, template (SSTI) and eval/deserialize injection.

  • XSS & CSRF

    Reflected/stored/DOM XSS and cross-site request forgery.

  • SSRF & XXE

    Server-side request forgery and XML external entity attacks.

  • Deserialization & upload

    Unsafe deserialization and file-upload validation.

Example checks

A sample of the real checks run in this domain — each mapped to a standard and a fix.

Example Input & Injections security checks with severity, what they detect, and their standard reference.
CheckSeverityDetectsReference
SQL injection (parameterization)CriticalQueries built by concatenation instead of parameterization.CWE-89 · A03:2021 · WSTG-INPV-05
OS command injectionCriticalCommand separators reaching unparameterized system calls (RCE).CWE-78 · A03:2021
Code injection (eval/deserialize)CriticalInputs passed to eval/exec/dynamic import — direct RCE.CWE-94 · A03:2021
SSTI (template injection)CriticalTemplates that render user input, a frequent RCE path.CWE-1336 · WSTG-INPV-18
NoSQL injectionHighUnsanitized $ne/$gt/$where operators enabling auth bypass.CWE-943 · A03:2021
Server-side input validationHighMissing allowlist validation — the root of many injections.ASVS V2 · A03:2021

Vulnerabilities we catch

  • SQL, NoSQL, LDAP and ORM injection — including blind SQLi
  • OS-command and eval/deserialize injection leading to RCE
  • Server-side template injection (SSTI)
  • Reflected, stored and DOM-based cross-site scripting (XSS)
  • SSRF, XXE, CRLF and host-header injection
  • Insecure deserialization and unrestricted file upload

How remediation works and standards

Detect → explain → fix → verify

How remediation works here

Every finding in this domain is explained in plain language with its reference, fixed with a concrete change to the exact file and line, committed as a reversible Git commit, then re-checked in a real browser against a healthy baseline — so a security fix never breaks your app.

Standards behind this domain

Mapped to recognized references

  • OWASP WSTG
  • OWASP ASVS 5.0
  • OWASP API Top 10
  • OWASP MASVS 2.1
  • CIS Benchmarks
  • MITRE ATT&CK
  • CWE

FAQ

Input & Injections — questions & answers

Which injection types are covered?

SQL, NoSQL, LDAP, XPath, ORM, OS-command, template (SSTI) and code injection, plus XSS, CSRF, SSRF, XXE, CRLF/header injection, insecure deserialization and file-upload flaws.

Can it detect blind SQL injection?

Yes. Beyond static detection of unparameterized queries, an assisted check probes time- and boolean-based blind SQLi that leaves no visible output.

How are injection fixes verified?

Each fix (for example, switching to parameterized queries or output encoding) is committed atomically, then a real browser re-runs the affected flow against a healthy baseline to confirm nothing broke.

Get started

Audit your app in the next five minutes

Install the plugin in Claude Code, then type /securmyapp in your project. The full audit starts on its own.

Claude Code — one-time setup
/plugin marketplace add mafady/securmyapp
/plugin install securmyapp@mafady-security
/reload-plugins

View on GitHub Browse the domains

Requires Node.js 18+, Claude Code, and a paid Claude subscription. Semgrep & Playwright recommended.