Validating command injection vulnerabilities with HTTP traffic