* stasinopoulos@unipi.gr † dadoyan@unipi.gr ‡ xenakis@unipi.gr

Despite the prevalence and the high impact of command injection attacks, little attention has been given by the research community to this type of code injection. Although there are many software tools to detect and exploit other types of code injections, such as SQL injections or Cross Site Scripting, there is no dedicated and specialized software that automatically detects and exploits command injection vulnerabilities. This paper proposes an open source tool that automates the process of detecting and exploiting command injection flaws on web applications, named COMMand Injection eXploiter (Commix). We present and elaborate on the software architecture and detection engine of Commix, as well as its extra functionalities that greatly facilitate penetration testers and security researchers in the detection and exploitation of command injection vulnerabilities. Moreover, based on the knowledge and the practical experience gained from the development of Commix, we propose and analyze newly identified techniques that perform side-channel exploitation for command injections, allowing an attacker to indirectly deduce the output of the executed command (also known as blind command injections). Furthermore, we evaluate the detection capabilities of Commix by performing experiments against various applications. The experimental results show that Commix presents high detection accuracy, while at the same time false positives are eliminated. Finally and more importantly, we analyze several 0-day command injection vulnerabilities that Commix detected in real-world applications.
Despite its short release time, Commix has been embraced by the security community and comes preinstalled in many security-oriented Operating Systems (OS) including the well-known Kali Linux.

Keywords: Command injection · code injection · exploitation · software tool · web security

1 Introduction

Code injection is a general term for attacks that consist of injecting code, which is consequently executed by a vulnerable application. This type of attack is considered a major security threat and is, in fact, classified as No. 1 on the 2013 OWASP top ten web security risks [1]. A code injection attack exploits poor handling of untrusted data and allows an attacker to insert arbitrary code (or commands) into the application, resulting in an unplanned execution behavior.

There are many types of code injection attacks including command injections, SQL

In this paper, we will exclusively deal with command injection attacks and we will refer to them as "command injections". They are also named in the literature as "shell command injections" or "Operating system command injections", because this type of attack occurs when the application invokes the OS shell (shell commands on Unix-based systems, command prompt shell on Windows).

Command injections may occur in applications that accept user-provided input and execute OS commands using the received input as parameters. They have...
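The pattern described above, user input used as a parameter of an OS command, is shown here as an added example that is not code from the paper or from Commix. It places the weak form next to two corrected forms. The names TOOL, lookup_vulnerable, lookup_argv and lookup_hardened are hypothetical, "echo" is an assumed stand-in for a real utility, and the input string is constructed.

```python
import re
import subprocess

# Assumption: "echo" stands in for the real OS utility so the demo runs offline.
TOOL = "echo"

# Allow-list for a host name: letters, digits, dots, hyphens; no leading "-".
HOST_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.-]{0,251}[A-Za-z0-9])?")


def lookup_vulnerable(host: str) -> str:
    """Weak form: untrusted input is pasted into a string parsed by the shell."""
    cmd = f"{TOOL} lookup {host}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def lookup_argv(host: str) -> str:
    """No shell: the input is passed as exactly one argument, never parsed."""
    return subprocess.run([TOOL, "lookup", host],
                          capture_output=True, text=True).stdout


def lookup_hardened(host: str) -> str:
    """Argv list plus allow-list validation (also blocks option-like input)."""
    if not HOST_RE.fullmatch(host):
        raise ValueError(f"rejected host: {host!r}")
    return lookup_argv(host)


if __name__ == "__main__":
    constructed = "example.com; echo INJECTED"  # constructed sample input
    # Shell form: the ";" ends the intended command and a second one runs.
    print(lookup_vulnerable(constructed).splitlines())
    # Argv form: the same bytes are printed back as a single literal argument.
    print(lookup_argv(constructed).splitlines())
    try:
        lookup_hardened(constructed)
    except ValueError as exc:
        print(exc)
    print(lookup_hardened("example.com").splitlines())
```

Passing an argument list removes shell parsing but not option injection into the called tool, which is why the hardened form also rejects input that starts with "-".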