crAPI
Add direct command Injection vulnerability (CWE-77, OWASP API 8)
Is your feature request related to a problem? Please describe.
Currently, we can use crAPI to demonstrate indirect command injection but we also want to add capabilities to demonstrate direct command injection.
Describe the solution you'd like
@piyushroshan , can you guide us here for a solution?
Hello, I am working on a solution for this.
Hello @piyushroshan @JBAhire ,
Can we use the API /identity/api/v2/user/videos/convert_video to expose this vulnerability, since it requires running a conversion command in bash?
https://github.com/OWASP/crAPI/blob/ea6625d2dd9cf6b78435da2aabab791169bdd8bd/services/identity/src/main/java/com/crapi/service/Impl/ProfileServiceImpl.java#L241-L242
Though I am not sure what command is passed there ⬆️. Only params are being passed now: https://github.com/OWASP/crAPI/blob/ea6625d2dd9cf6b78435da2aabab791169bdd8bd/services/identity/src/main/java/com/crapi/entity/ProfileVideo.java#L31
While running in dev mode it kept saying "Failed to convert" since the x-forwarded-host headers were missing.
https://github.com/OWASP/crAPI/blob/ea6625d2dd9cf6b78435da2aabab791169bdd8bd/services/identity/src/main/java/com/crapi/service/Impl/ProfileServiceImpl.java#L221-L248
I am looking into this but if you have any pointers or other suggestions please guide. Thanks!
That's the indirect command injection in crAPI. We can for sure enhance in that direction. Since this is a GET request, maybe provide a query param as the conversion param in the GET request that can invoke the same pipeline.
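For contrast with the deliberately vulnerable conversion pipeline discussed in this thread, the following is an added example (not crAPI's own code, and not the change the maintainer proposes) showing how a convert_video-style endpoint would take a caller-supplied conversion parameter safely: the parameter is checked against an allowlist, the video id against a strict pattern, and the converter is started through ProcessBuilder with an argument vector rather than a shell string. The class name, the preset table and the ffmpeg flags are assumptions made for illustration.

```java
// Added example, not part of crAPI. Demonstrates the hardened form of a
// video-conversion endpoint that accepts a conversion parameter from the request.
// The unsafe pattern this replaces is building one string such as
// "ffmpeg -i <file> <params>" and handing it to "sh -c", where shell
// metacharacters in <params> are interpreted as further commands.
import java.io.IOException;
import java.nio.file.Path;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;

public class SafeVideoConversion {

    // Allowlist of conversion presets the endpoint honours. The request may only
    // pick a key; it never contributes raw converter flags. (Constructed table.)
    private static final Map<String, List<String>> ALLOWED_PRESETS = Map.of(
        "mp4",  List.of("-c:v", "libx264", "-c:a", "aac"),
        "webm", List.of("-c:v", "libvpx-vp9", "-c:a", "libopus")
    );

    // The stored video id becomes part of the output file name, so restrict it
    // to characters that are harmless in both file names and argument vectors.
    private static final Pattern SAFE_ID = Pattern.compile("^[A-Za-z0-9_-]{1,64}$");

    /**
     * Build the converter's argument vector. Each element is passed to the child
     * process as one argument and no shell is involved, so a value containing
     * ';', '&&' or backticks reaches ffmpeg as literal text, not as a command.
     */
    public static List<String> buildCommand(Path inputFile, String videoId, String preset) {
        if (!SAFE_ID.matcher(videoId).matches()) {
            throw new IllegalArgumentException("invalid video id");
        }
        List<String> presetArgs = ALLOWED_PRESETS.get(preset);
        if (presetArgs == null) {
            throw new IllegalArgumentException("unsupported conversion preset: " + preset);
        }
        List<String> cmd = new ArrayList<>();
        cmd.add("ffmpeg");
        cmd.add("-y");
        cmd.add("-i");
        cmd.add(inputFile.toString());
        cmd.addAll(presetArgs);
        cmd.add(videoId + "." + preset);
        return cmd;
    }

    /** Run the conversion via ProcessBuilder (argument list, never "sh -c"). */
    public static int convert(Path inputFile, String videoId, String preset)
            throws IOException, InterruptedException {
        ProcessBuilder pb = new ProcessBuilder(buildCommand(inputFile, videoId, preset));
        pb.redirectErrorStream(true);
        Process p = pb.start();
        // Drain the child's output so it cannot block on a full pipe.
        p.getInputStream().transferTo(System.out);
        return p.waitFor();
    }

    public static void main(String[] args) {
        // Accepted: allowlisted preset and a well-formed id.
        System.out.println(buildCommand(Path.of("/tmp/in.mp4"), "video_42", "mp4"));
        // Rejected before any process starts: preset not in the allowlist.
        try {
            buildCommand(Path.of("/tmp/in.mp4"), "video_42", "avi");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        // Rejected: id contains a character outside the permitted set.
        try {
            buildCommand(Path.of("/tmp/in.mp4"), "video_42;", "mp4");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The two checks together are what distinguishes the direct and indirect cases the thread describes: a query parameter on the GET request and a value persisted earlier in the ProfileVideo entity both end up as untrusted input to the same pipeline, and neither should be spliced into a shell string. When reviewing a conversion endpoint, the things to look for are a single concatenated command passed to a shell, converter flags taken verbatim from the request or from stored entity fields, and the absence of an allowlist for the conversion parameter.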