Code injection

Code injection is a computer security exploit where a program fails to correctly process external data, such as user input, causing it to interpret the data as executable commands. An attacker using this method "injects" code into the program while it is running. Successful exploitation of a code injection vulnerability can result in data breaches, access to restricted or critical computer systems, and the spread of malware.

Code injection vulnerabilities occur when an application sends untrusted data to an interpreter, which then executes the injected text as code. Injection flaws are often found in services like Structured Query Language (SQL) databases, Extensible Markup Language (XML) parsers, operating system commands, Simple Mail Transfer Protocol (SMTP) headers, and other program arguments. Injection flaws can be identified through source code examination,^[1] Static analysis, or dynamic testing methods such as fuzzing.^[2]

There are numerous types of code injection vulnerabilities, but most are errors in interpretation—they treat benign user input as code or fail to distinguish input from system commands. Many examples of interpretation errors can exist outside of computer science, such as the comedy routine "Who's on First?". Code injection can be used maliciously for many purposes, including:

Arbitrarily modifying values in a database through SQL injection; the impact of this can range from website defacement to serious compromise of sensitive data. For more information, see Arbitrary code execution.
Installing malware or executing malevolent code on a server by injecting server scripting code (such as PHP).
Privilege escalation to either superuser permissions on UNIX by exploiting shell injection vulnerabilities in a binary file or to Local System privileges on Microsoft Windows by exploiting a service within Windows.
Attacking web users with Hyper Text Markup Language (HTML) or Cross-Site Scripting (XSS) injection.

Code injections that target the Internet of Things could also lead to severe consequences such as data breaches and service disruption.^[3]

Code injections can occur on any type of program running with an interpreter. Doing this is trivial to most, and one of the primary reasons why server software is kept away from users. An example of how you can see code injection first-hand is to use your browser's developer tools.

Code injection vulnerabilities are recorded by the National Institute of Standards and Technology (NIST) in the National Vulnerability Database (NVD) as CWE-94. Code injection peaked in 2008 at 5.66% as a percentage of all recorded vulnerabilities.^[4]

^ "Top 10 Web Application Security Vulnerabilities". Penn Computing. University of Pennsylvania. Archived from the original on 24 February 2018. Retrieved 10 December 2016.
^ "OWASP Top 10 2013 A1: Injection Flaws". OWASP. Archived from the original on 28 January 2016. Retrieved 19 December 2013.
^ Noman, Haitham Ameen; Abu-Sharkh, Osama M. F. (January 2023). "Code Injection Attacks in Wireless-Based Internet of Things (IoT): A Comprehensive Review and Practical Implementations". Sensors. 23 (13): 6067. Bibcode:2023Senso..23.6067N. doi:10.3390/s23136067. ISSN 1424-8220. PMC 10346793. PMID 37447915.
^ "NVD - Statistics Search". web.nvd.nist.gov. Archived from the original on 15 December 2023. Retrieved 9 December 2016.

[1] "Top 10 Web Application Security Vulnerabilities". Penn Computing. University of Pennsylvania. Archived from the original on 24 February 2018. Retrieved 10 December 2016.

[OWASP10_A1-2] "OWASP Top 10 2013 A1: Injection Flaws". OWASP. Archived from the original on 28 January 2016. Retrieved 19 December 2013.

[3] Noman, Haitham Ameen; Abu-Sharkh, Osama M. F. (January 2023). "Code Injection Attacks in Wireless-Based Internet of Things (IoT): A Comprehensive Review and Practical Implementations". Sensors. 23 (13): 6067. Bibcode:2023Senso..23.6067N. doi:10.3390/s23136067. ISSN 1424-8220. PMC 10346793. PMID 37447915.

[4] "NVD - Statistics Search". web.nvd.nist.gov. Archived from the original on 15 December 2023. Retrieved 9 December 2016.

[1]

[2]

[3]

[4]

Code injection

From Wikipedia, the free encyclopedia · View on Wikipedia