Introduction
A recent client test on ZAST.AI yielded a notable case regarding its ability to assess command injection vulnerabilities, including sophisticated variants. With their permission, we would like to share the findings in this case study.
Vulnerability Assessed by ZAST.AI - Command Injection
Let’s see the 1st vulnerability report:
The taint source and taint sink are identified, along with a POC that shows a malicious payload executing a shell command.
To test ZAST.AI’s abilities, they chose to add Base64 encoding instead of fully fixing the vulnerability. They then resubmitted the updated version for evaluation. Let’s see what happens next.
1st Patch - Base64 Encoding
See below for the second report:
The taint source remained the same in both reports, indicating that the vulnerability was unchanged. In the taint sink, it shows that Base64 encoding is applied.
The POC indicates a request with an encoded shell command that bypasses superficial checks. Despite the encoding, the application processes the input without proper validation, allowing the command to execute.
The results caught their interest, and they were a bit amazed by ZAST.AI’s dynamic assessment capabilities. They decided to try another method of obscurity to make detection nearly impossible and then ran the assessment again.
2nd Patch - Prefix Matching
Let’s see how ZAST.AI works this time:
The taint source stays the same, so the vulnerability wasn't fixed. In the taint sink, the code implemented a prefix validation for the Base64-decoded command, allowing execution only if the command starts with "secret." It reduces command injection risks by validating the input and using .substring(6) to remove the prefix, ensuring only specific commands execute.
Again, the POC validate the command injection vulnerability by sending a Base64-encoded shell command with a prefix match to a specified URL. By combining the prefix "secret" with the command, it tests whether the server is susceptible to remote code execution. Additionally, it uses HTTP headers to mimic legitimate requests, revealing potential security weaknesses in the application's input handling.
The client reviewed the results and discussed the findings with us:
“We see that ZAST.AI’s analysis worked effectively to locate the issue.”
“Yes, it clearly processed our obfuscated inputs and still flagged vulnerability.”
“We noticed its method is quite distinct from conventional testing.”
“From the results, that distinct method seems to find issues that standard approaches can overlook.”
“It certainly points to a more modern way of handling vulnerability detection.”
It was encouraging to receive this feedback from our client, which demonstrates the system functioning as intended. We also took the opportunity to provide some suggestions for fixing the vulnerability.
ZAST.AI’s Edge in Vulnerability Assessment
From this case, we can see that after two patches, the vulnerability has become much harder to spot. Yet, ZAST.AI was still able to uncover and confirm it using its advanced large language model. Like our client said, ZAST.AI truly stands out from traditional methods like black-box and white-box testing.
While black-box testing examines the system from an external perspective and relies on input/output, it often suffers from limited coverage, as it only tests predefined scenarios based on expected inputs. This approach can overlook vulnerabilities that occur under unexpected conditions or rare input combinations, making it less effective in identifying complex security flaws. In contrast, white-box testing inspects the internal workings of the code, providing a more thorough analysis but requiring extensive knowledge of the system architecture.
ZAST.AI, on the other hand, analyzes taint sinks to locate taint sources and then leverages its LLM to generate POC exploits and verify their correctness.
Visit ZAST.AI to explore its capabilities for your own systems. We welcome your vulnerability case studies and remediation insights. Also, stay tuned for our upcoming releases, including Python language support and IDE extensions.