Domain 04 / 12
Input & Injections security audit
Close every injection path — from SQL and command execution to XSS, SSRF, XXE and unsafe uploads.
- 58 checks
- SQLi · XSS · CSRF · SSRF · XXE · Deserialization · Upload
What securmyapp checks
Inside the Input & Injections domain
This is the Input & Injections domain of securmyapp — the free, open-source, 100% defensive security auditor for Claude Code that runs 598 checks across 12 domains. The Input & Injections domain targets OWASP's most damaging class of bugs. securmyapp validates that every input is checked against an allowlist and that queries are parameterized, then hunts SQL, NoSQL, LDAP, OS-command, template (SSTI) and code injection, plus XSS, CSRF, SSRF, XXE, insecure deserialization and unsafe file upload.
Coverage areas
58 atomic checks span these sub-domains.
Validation
Server-side allowlist validation on all inputs.
SQL / NoSQL / ORM
Parameterized queries and injection testing, including blind SQLi.
Command & code
OS command, template (SSTI) and eval/deserialize injection.
XSS & CSRF
Reflected/stored/DOM XSS and cross-site request forgery.
SSRF & XXE
Server-side request forgery and XML external entity attacks.
Deserialization & upload
Unsafe deserialization and file-upload validation.
Example checks
A sample of the real checks run in this domain — each mapped to a standard and a fix.
| Check | Severity | Detects | Reference |
|---|---|---|---|
| SQL injection (parameterization) | Critical | Queries built by concatenation instead of parameterization. | CWE-89 · A03:2021 · WSTG-INPV-05 |
| OS command injection | Critical | Command separators reaching unparameterized system calls (RCE). | CWE-78 · A03:2021 |
| Code injection (eval/deserialize) | Critical | Inputs passed to eval/exec/dynamic import — direct RCE. | CWE-94 · A03:2021 |
| SSTI (template injection) | Critical | Templates that render user input, a frequent RCE path. | CWE-1336 · WSTG-INPV-18 |
| NoSQL injection | High | Unsanitized $ne/$gt/$where operators enabling auth bypass. | CWE-943 · A03:2021 |
| Server-side input validation | High | Missing allowlist validation — the root of many injections. | ASVS V2 · A03:2021 |
Vulnerabilities we catch
- SQL, NoSQL, LDAP and ORM injection — including blind SQLi
- OS-command and eval/deserialize injection leading to RCE
- Server-side template injection (SSTI)
- Reflected, stored and DOM-based cross-site scripting (XSS)
- SSRF, XXE, CRLF and host-header injection
- Insecure deserialization and unrestricted file upload
How remediation works and standards
Detect → explain → fix → verify
How remediation works here
Every finding in this domain is explained in plain language with its reference, fixed with a concrete change to the exact file and line, committed as a reversible Git commit, then re-checked in a real browser against a healthy baseline — so a security fix never breaks your app.
Standards behind this domain
Mapped to recognized references
- OWASP WSTG
- OWASP ASVS 5.0
- OWASP API Top 10
- OWASP MASVS 2.1
- CIS Benchmarks
- MITRE ATT&CK
- CWE
FAQ
Input & Injections — questions & answers
Which injection types are covered?
SQL, NoSQL, LDAP, XPath, ORM, OS-command, template (SSTI) and code injection, plus XSS, CSRF, SSRF, XXE, CRLF/header injection, insecure deserialization and file-upload flaws.
Can it detect blind SQL injection?
Yes. Beyond static detection of unparameterized queries, an assisted check probes time- and boolean-based blind SQLi that leaves no visible output.
How are injection fixes verified?
Each fix (for example, switching to parameterized queries or output encoding) is committed atomically, then a real browser re-runs the affected flow against a healthy baseline to confirm nothing broke.
Related domains
Get started
Audit your app in the next five minutes
Install the plugin in Claude Code, then type /securmyapp in your project. The full audit starts on its own.
/plugin marketplace add mafady/securmyapp
/plugin install securmyapp@mafady-security
/reload-plugins
View on GitHub Browse the domains
Requires Node.js 18+, Claude Code, and a paid Claude subscription. Semgrep & Playwright recommended.