Regardless of the programming language used to create the application or the operating system on which it runs, command injection is common in all applications. Command injection attacks can result in a variety of consequences, such as compromised data confidentiality and integrity or unapproved remote access to the system hosting the susceptible application. The recently found Shellshock flaw is a perfect example of a real, notorious command injection vulnerability that demonstrates the dangers of this kind of code injection. The research community has not paid much attention to the type of code injection, despite the fact that command injection assaults are common and have a significant impact. To the best of our knowledge, no specific software program exists that can automatically identify and take advantage of command injection attacks, unlike those caused by SQL injection or cross-site scripting [1]. This study aims to close this gap by presenting COMMIX, an open-source tool that automates the process of finding and taking advantage of web application command injection vulnerabilities (COMMand Injection eXploitation). To address scenarios of serial exploitation, this tool offers a wide range of functions. Additionally, commix has a high success rate in determining whether a web application is susceptible to command injection attacks. Ultimately, we have identified multiple 0-day vulnerabilities in applications during the tool review process. The work’s overall contributions include offering a thorough analysis and classification of command injection attacks; describing and evaluating our open-source tool that automates the process of identifying; and taking advantage of command injection vulnerabilities that are found on a variety of web-based applications, ranging from web servers to home services (embedded devices).
Cite this paper
Akinmerese, O. , Fasanya, S. , Aderotoye, D. , Adingupu, N. , Ezeoke, E. , Muritala, R. , Lawal, O. , Akingbade, B. and Ifekandu, C. (2024). Defence against Command Injection Attacks in a Distributed Network Environment. Open Access Library Journal, 11, e1491. doi: http://dx.doi.org/10.4236/oalib.1111491.
Ali, S., Rauf, A. and Javed, H. (2019) SQLIPAI: An Authentication Mechanism against SQL Injection. Journal of Scientific Research in Europe, 38, 604-611. https://www.academia.edu/9892425/SQLIPA_An_Authentication_Mechanism_Against_SQL_Injection
Meijer, E. and Schulte, W. (2017) Unifying Tables, Objects and Documents. https://citeseerx.ist.psu.edu/document?repid=rep1&type=pdf&doi=cdcd6b67a0b7ea867bb43e5fbb36679ad936b8cc#page=149
Prokhorenko, V., Choo, K.-K.R. and Ashman H. (2016) Web Application Protection Techniques: A Tax-onomy. Journal of Network and Computer Applications, 60, 95-112. https://www.sciencedirect.com/science/article/pii/S1084804515002908 https://doi.org/10.1016/j.jnca.2015.11.017
Scott, D. and Sharp, R. (2003) Establishing and Putting into Practice Application-Level Web Security Policies. IEEE Transactions on Knowledge and Data Engineering, 15, 772-783. https://doi.org/10.1109/TKDE.2003.1208998
Nguyen-Tuong, A., Guarnieri, S., Greene, D., Shirley, J. and Evans, D. Automatically Hardening Web Applications Using Precise Tainting. https://link.springer.com/content/pdf/10.1007/0-387-25660-1_20.pdf
Ray, D. (2013) Identifying and Averting Attacks Using Code Injection. Master’s Thesis, University of South Florida, Tampa. https://digitalcommons.usf.edu/cgi/viewcontent.cgi?article=5763&context=etd
Lawal, M.A., Sultan, A.B.M. and Shakiru, A.O. (2006) Systematic Literature Review on SQL Injection Attack. International Journal of Soft Computing, 11, 26-35. https://www.researchgate.net/publication/282377809_Systematic_literature_review_on_SQL_injection_attack
Guy-Vincent J. Injection of Commands. Univer-sity of Ottawa’s School of Information Technology and Engineering, Ontario, Cana-da.https://site.uottawa.ca/~gvj/Courses/CSI4539-OLD/lectures/CommandInjections.pdf
Qusay, H.M. and Rahman, M. Evaluation of Statistical Tools for Identi-fying Security Holes in the Source Code of Java and C/C Programs. The Uni-versity of Ontario Institute of Technology’s Department of Electrical, Computer, and Software Engineering, Oshawa, ON, Canada. https://arxiv.org/pdf/1805.09040
Jourdan, G. (2009) Securing Large Applica-tions against Command Injections. IEEE Aerospace and Electronic Systems Maga-zine, 24, 15-24. https://doi.org/10.1109/MAES.2009.5161718
AlBreiki, H.H. and Mahmoud, Q.H. (2014) Evaluation of Static Analysis Tools for Software Se-curity. 2014 10th International Conference on Innovations in Information Tech-nology (IIT), Al Ain, United Arab Emirates, 09-11 November 2014. https://doi.org/10.1109/INNOVATIONS.2014.6987569
Su, Z. and Wasser-man, G. (2006) The Essence of Command Injection Attacks in Web Applications. ACM SIGPLAN NOTICES, 41, 372-382. https://doi.org/10.1145/1111320.1111070
William, G., Orso, A. and Mano-lios, P. (2006) Using Positive Tainting and Syntax-Aware Evaluation to Counter SQL Injection Attacks. SIGSOFT ‘06/FSE-14: Proceedings of the 14th ACM SIGSOFT International Symposium on Foundations of Software Engineering, Portland Ore-gon, USA, 5-11 November 2006, 175-185. https://doi.org/10.1145/1181775.1181797
