Open ajinabraham opened 8 years ago
@ajinabraham thank you for your suggestion.
Does commix have an API now? I need it too.
@3xp10it there is no API available (yet), but this is actually on my todo-list.
Hopefully this gets bumped up the todo-list. I develop a Burp extension for integrating sqlmap with Burp, using the sqlmapapi that comes with the tool. I intend to write an extension for commix as well if the API for commix ever gets developed.
:-(
This tool is gold and is designed with a purpose.
Like SQLMap for SQLi, I think Commix is the de facto standard tool for Command Injection. I am working on a project for automated mobile application security assessment called Mobile Security Framework (MobSF) https://github.com/ajinabraham/Mobile-Security-Framework-MobSF
So I have a module for Web API testing named the API Fuzzer that will fuzz and uncover security vulnerabilities in the web and backend APIs of mobile apps. I think it's always right to use/integrate existing tools that work great rather than to reinvent the wheel.
Mobile Security Framework's API Fuzzer can generate random URL/POST body fuzz points, and I think commix works on a single URL/body fuzz field. If we combine the crawling and fuzzing capabilities of MobSF's API Fuzzer and the command injection detection and exploitation of Commix, I think it would become a great product for the community.
If this sounds good to you, all I need from you is an API for commix to which I can send URLs with fuzz points; this API returns an ID, and later I can poll back to an API with this ID to see if commix detected a Command Injection. Let me know your thoughts.