Difference between revisions of "Code Injection"

From OWASP
Jump to: navigation, search
(Examples)
Line 8: Line 8:
  
 
==Examples ==
 
==Examples ==
 +
 +
If server side scripting is enabled in some address (such as guestbook , where user can insert data)
 +
then the SSI attack can be done.
 +
 +
 +
Such as :
 +
 +
<!--#exec cmd="ls"-->
 +
 +
will show all the files in current directory is the server is on a UNIX/LINUX machine.
 +
 +
 +
 +
for Windows platform :          <!--#exec cmd="dir"-->
 +
 +
 +
This can be used for destructive purpose also , as the commands are executed in root/admin previlage.
 +
 +
Such as  <!--#exec cmd="format c:"-->
  
 
==Related Threats==
 
==Related Threats==

Revision as of 03:40, 24 July 2006

This is an Attack. To view all attacks, please see the Attack Category page.


This article is a stub. You can help OWASP by expanding it or discussing it on its Talk page.


Description

This article should cover attacks based on injecting code into a running application.

Examples

If server side scripting is enabled in some address (such as guestbook , where user can insert data) then the SSI attack can be done.


Such as :


will show all the files in current directory is the server is on a UNIX/LINUX machine.


for Windows platform :


This can be used for destructive purpose also , as the commands are executed in root/admin previlage.

Such as

Related Threats

Related Attacks

Related Vulnerabilities

Related Countermeasures