
Feature Request: API

Open ajinabraham opened this issue 10 years ago • 6 comments

Like SQLMap for SQLi, I think Commix is the de facto standard tool for Command Injection. I am working on a project for automated mobile application security assessment called Mobile Security Framework (MobSF) https://github.com/ajinabraham/Mobile-Security-Framework-MobSF

So I have a module for Web API testing named the API Fuzzer that will fuzz and uncover security vulnerabilities in the web and backend APIs of mobile apps. I think it's always right to use/integrate existing tools that work great rather than to reinvent the wheel.

Mobile Security Framework's API Fuzzer can generate random URL / POST Body fuzz points and I think commix works on a single URL / Body fuzz field. If we combine the crawling and fuzzing capabilities of MobSF's API Fuzzer and the command injection detection and exploitation of Commix, I think it would become a great product for the community.

If this sounds good to you, all I need from you is an API for commix to which I can send URLs with a fuzz point; this API returns an ID, and later I can poll back to an API with this ID to see if commix detected a Command Injection. Let me know your thoughts.

ajinabraham avatar Mar 06 '16 09:03 ajinabraham

@ajinabraham thank you for your suggestion.

stasinopoulos avatar Mar 06 '16 14:03 stasinopoulos

Does commix have an API now? I need it too.

3xp10it avatar Dec 07 '17 06:12 3xp10it

@3xp10it there is no API available (yet), but this is actually on my todo-list.

stasinopoulos avatar Dec 07 '17 13:12 stasinopoulos

Hopefully this gets bumped up the todo-list. I develop a Burp extension for integrating sqlmap with Burp, using the sqlmapapi that comes with the tool. I intend to write an extension for commix as well if the API for commix ever gets developed.

codewatchorg avatar Jun 22 '18 00:06 codewatchorg

:-(

q2dg avatar Apr 26 '19 13:04 q2dg

This tool is gold and is designed with a purpose.

Anthonymcqueen21 avatar Oct 02 '21 21:10 Anthonymcqueen21