Command injection is common across applications, regardless of the programming language used to create them or the operating system on which they run. Command injection attacks can result in a variety of consequences, such as compromised data confidentiality and integrity or unauthorized remote access to the system hosting the vulnerable application. The recently found Shellshock flaw is a prime example of a real, notorious command injection vulnerability that demonstrates the dangers of this kind of code injection. Although command injection attacks are common and have a significant impact, the research community has paid little attention to this type of code injection. To the best of our knowledge, no dedicated software exists that can automatically identify and exploit command injection vulnerabilities, in contrast to SQL injection or cross-site scripting [1]. This study aims to close this gap by presenting COMMIX (COMMand Injection eXploitation), an open-source tool that automates the process of finding and exploiting command injection vulnerabilities in web applications. To address scenarios of serial exploitation, the tool offers a wide range of functions. Additionally, commix has a high success rate in determining whether a web application is susceptible to command injection attacks. Finally, during the tool review process we identified multiple 0-day vulnerabilities in applications. The work's overall contributions include a thorough analysis and classification of command injection attacks, and the description and evaluation of our open-source tool, which automates the process of identifying and exploiting command injection vulnerabilities found in a variety of web-based applications, ranging from web servers to home services (embedded devices).
References
[1]
Ali, S., Rauf, A. and Javed, H. (2019) SQLIPAI: An Authentication Mechanism against SQL Injection. Journal of Scientific Research in Europe, 38, 604-611. https://www.academia.edu/9892425/SQLIPA_An_Authentication_Mechanism_Against_SQL_Injection
[2]
Meijer, E. and Schulte, W. (2017) Unifying Tables, Objects and Documents. https://citeseerx.ist.psu.edu/document?repid=rep1&type=pdf&doi=cdcd6b67a0b7ea867bb43e5fbb36679ad936b8cc#page=149
[3]
Prokhorenko, V., Choo, K.-K.R. and Ashman, H. (2016) Web Application Protection Techniques: A Taxonomy. Journal of Network and Computer Applications, 60, 95-112. https://www.sciencedirect.com/science/article/pii/S1084804515002908 https://doi.org/10.1016/j.jnca.2015.11.017
[4]
Scott, D. and Sharp, R. (2003) Establishing and Putting into Practice Application-Level Web Security Policies. IEEE Transactions on Knowledge and Data Engineering, 15, 772-783. https://doi.org/10.1109/TKDE.2003.1208998
[5]
Aho, A.V. (1986) Compilers, Principles, Techniques, and Tools. https://archive.org/details/compilersprincip0000ahoa
[6]
Nguyen-Tuong, A., Guarnieri, S., Greene, D., Shirley, J. and Evans, D. Automatically Hardening Web Applications Using Precise Tainting. https://link.springer.com/content/pdf/10.1007/0-387-25660-1_20.pdf
[7]
Ray, D. (2013) Identifying and Averting Attacks Using Code Injection. Master’s Thesis, University of South Florida, Tampa. https://digitalcommons.usf.edu/cgi/viewcontent.cgi?article=5763&context=etd
[8]
Lawal, M.A., Sultan, A.B.M. and Shakiru, A.O. (2006) Systematic Literature Review on SQL Injection Attack. International Journal of Soft Computing, 11, 26-35. https://www.researchgate.net/publication/282377809_Systematic_literature_review_on_SQL_injection_attack
[9]
Guy-Vincent J. Injection of Commands. University of Ottawa’s School of Information Technology and Engineering, Ontario, Canada. https://site.uottawa.ca/~gvj/Courses/CSI4539-OLD/lectures/CommandInjections.pdf
[10]
Qusay, H.M. and Rahman, M. Evaluation of Statistical Tools for Identifying Security Holes in the Source Code of Java and C/C++ Programs. The University of Ontario Institute of Technology’s Department of Electrical, Computer, and Software Engineering, Oshawa, ON, Canada. https://arxiv.org/pdf/1805.09040
[11]
Jourdan, G. (2009) Securing Large Applications against Command Injections. IEEE Aerospace and Electronic Systems Magazine, 24, 15-24. https://doi.org/10.1109/MAES.2009.5161718
[12]
AlBreiki, H.H. and Mahmoud, Q.H. (2014) Evaluation of Static Analysis Tools for Software Security. 2014 10th International Conference on Innovations in Information Technology (IIT), Al Ain, United Arab Emirates, 09-11 November 2014. https://doi.org/10.1109/INNOVATIONS.2014.6987569
[13]
Su, Z. and Wasserman, G. (2006) The Essence of Command Injection Attacks in Web Applications. ACM SIGPLAN NOTICES, 41, 372-382. https://doi.org/10.1145/1111320.1111070
[14]
William, G., Orso, A. and Manolios, P. (2006) Using Positive Tainting and Syntax-Aware Evaluation to Counter SQL Injection Attacks. SIGSOFT ‘06/FSE-14: Proceedings of the 14th ACM SIGSOFT International Symposium on Foundations of Software Engineering, Portland, Oregon, USA, 5-11 November 2006, 175-185. https://doi.org/10.1145/1181775.1181797