Try injection in Web apps with the Commix tool

A new tool (Commix) from a Greek developer is available to anyone who wants to test the security of the Web applications on their websites and reveal potential vulnerabilities that could be exploited by injection attackers.

The new tool, as we said earlier, is called Commix (an abbreviation of [comm]and [i]njection e[x]ploiter), and it aims to find the vulnerabilities related to injection. In other words, it is a tool that tries to use several variations of complex attack vectors to "detect" and then "exploit" command injection vulnerabilities.

 


Commix is written in Python, has a simple interface, and can be used by web developers and by security researchers to test the security of their web applications. The program is intended only for security testing, and its developer does not under any circumstances permit its use for malicious purposes.

A successful injection attack can lead to the execution of arbitrary commands on a system that is affected by a vulnerable application. It can happen if the application does not provide sufficient input validation and passes along user-supplied input from forms, cookies, or HTTP headers to be run as commands.
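The failure described above, next to its fix, as an added example that is not taken from the article or from Commix. It is written for Python 3, and the `echo` command, the stand-in helper program, and the sample form, cookie, and header values are all constructed for illustration.

```python
import re
import subprocess
import sys

# Constructed sample inputs, one per source the article names.
SAMPLE_INPUTS = {
    "form field": "report1",
    "cookie": "report1; echo INJECTED",
    "HTTP header": "report1 && echo INJECTED",
}

# Allow-list: only the characters a legitimate value needs.
SAFE_NAME = re.compile(r"[A-Za-z0-9_.-]{1,64}")

def run_unsafe(name):
    """Vulnerable pattern: input is pasted into a string that a shell parses."""
    proc = subprocess.run("echo processing " + name, shell=True,
                          capture_output=True, text=True)
    return proc.stdout

def run_safe(name):
    """Hardened pattern: allow-list check, then an argument vector, no shell."""
    if not SAFE_NAME.fullmatch(name):
        raise ValueError("rejected input: %r" % name)
    # Hypothetical stand-in for the real helper; it only prints its argument.
    helper = "import sys; print('processing', sys.argv[1])"
    proc = subprocess.run([sys.executable, "-c", helper, name],
                          capture_output=True, text=True)
    return proc.stdout

def compare(inputs=SAMPLE_INPUTS):
    """Return {source: (unsafe_output, safe_output_or_rejection)}."""
    results = {}
    for source, value in inputs.items():
        try:
            safe_out = run_safe(value)
        except ValueError as exc:
            safe_out = str(exc)
        results[source] = (run_unsafe(value), safe_out)
    return results

if __name__ == "__main__":
    for source, (unsafe_out, safe_out) in compare().items():
        print(source, "| unsafe:", repr(unsafe_out), "| safe:", repr(safe_out))
```

In the unsafe version the shell treats `;` and `&&` as command separators, so the cookie and header values each run a second command; the safe version rejects them before any process is started.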

Using this tool, it is very easy to find and exploit a command injection vulnerability, says the developer who built it, Anastasios Stasinopoulos, on the project's explanatory page at GitHub.

However, though Commix is intended for testing, it can also be used by a malicious user, just like any other security tool. Stasinopoulos warns of this and says that "you can only use it once you have been given complete consent".

The capabilities of Commix include a range of options to determine which parameters can be injected. To run the program you must have Python version 2.6.x or 2.7.x installed.

On GitHub, where you can download the program, you will also find instructions for its installation and operation.

To help you become familiar with Commix, Stasinopoulos provides a number of examples. One of these is a vulnerable PHP/MySQL web app on which you can test your skills and tools and break it as much as you want, once you have full legal permission to do so.

iGuRu.gr The Best Technology Site in Greece

Written by Dimitris
