TITLE:
Defence against Command Injection Attacks in a Distributed Network Environment
AUTHORS:
Oluwatobi Akinmerese, Samuel Fasanya, Daniel Aderotoye, Ngozichukwuka Adingupu, Evelyn Ezeoke, Rukayat Muritala, Oyindamola Lawal, Blessing Akingbade, Chiamaka Ifekandu
KEYWORDS:
SQL Injection, Shell Command on Unix-Based Systems, Operating System, Input Validation, Web Vulnerability, COMMIX
JOURNAL NAME:
Open Access Library Journal, Vol.11 No.5, May 31, 2024
ABSTRACT: Command injection is common in applications regardless of the programming language used to create them or the operating system on which they run. Command injection attacks can have a variety of consequences, such as compromised data confidentiality and integrity or unapproved remote access to the system hosting the susceptible application. The recently found Shellshock flaw is a perfect example of a real, notorious command injection vulnerability that demonstrates the dangers of this kind of code injection. Despite the fact that command injection attacks are common and have a significant impact, the research community has not paid much attention to this type of code injection. To the best of our knowledge, no specific software program exists that can automatically identify and exploit command injection vulnerabilities, unlike those for SQL injection or cross-site scripting [1]. This study aims to close this gap by presenting COMMIX (COMMand Injection eXploitation), an open-source tool that automates the process of finding and exploiting command injection vulnerabilities in web applications. To address scenarios of serial exploitation, the tool offers a wide range of functions. Additionally, COMMIX has a high success rate in determining whether a web application is susceptible to command injection attacks. Ultimately, we identified multiple 0-day vulnerabilities in applications during the tool review process. The work's overall contributions are: offering a thorough analysis and classification of command injection attacks; and describing and evaluating our open-source tool, which automates the identification and exploitation of command injection vulnerabilities found in a variety of web-based applications, ranging from web servers to home services (embedded devices).
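The vulnerable pattern the abstract describes, beside a hardened form, as an added example that is not from the paper or from COMMIX: a hypothetical web backend that pings a user-supplied host, where the hostname allow-list, the metacharacter check used for logging, and the function names are my assumptions.

```python
import re
import subprocess
from typing import List

# Allow-list for a hostname or IPv4 literal (RFC 1123 label syntax); anything else,
# shell metacharacters included, is rejected before any process is spawned.
# A leading '-' is also rejected so the value cannot be read as a ping option.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)

# Characters a POSIX shell treats as operators or expansions. Used only to flag
# and log suspicious input; the allow-list above is the actual control.
SHELL_META = set(";|&$`()<>\n\r\"'\\*?{}[]!#~")


def naive_command(host: str) -> str:
    """Vulnerable pattern: the request parameter is concatenated into one string
    that is then handed to /bin/sh (e.g. via os.system), so a ';' or '|' in
    `host` ends the ping command and starts a second one chosen by the client."""
    return "ping -c 1 " + host


def looks_like_injection(value: str) -> bool:
    """Detection hook: True when a request parameter carries shell metacharacters.
    Suitable for raising an alert, not as a substitute for validation."""
    return any(ch in SHELL_META for ch in value)


def is_valid_hostname(host: str) -> bool:
    return HOSTNAME_RE.match(host) is not None


def safe_ping_argv(host: str) -> List[str]:
    """Hardened pattern: validate against the allow-list, then build an argv
    list. With no shell involved there is no parser to interpret metacharacters."""
    if not is_valid_hostname(host):
        raise ValueError("rejected host parameter: %r" % host)
    return ["ping", "-c", "1", host]


def run_ping(host: str, timeout: float = 5.0) -> int:
    """Execute the hardened form: shell=False, argv list, bounded runtime.
    Returns the ping exit status (0 means the host answered)."""
    proc = subprocess.run(safe_ping_argv(host), shell=False,
                          capture_output=True, timeout=timeout, check=False)
    return proc.returncode
```

Reject-and-log on `looks_like_injection` gives the detection signal; `safe_ping_argv` is what actually prevents the injected text from reaching a shell.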