Code Injection is the general name for a lot of types of attacks, which depends on inserting of the code, which will be interprated by the application. Such an attack maybe be performed e.g. by adding string of characters into cookie or argument values in the URI. This attack make use of lack of accurate input/output data validation i.e.:
- class of allowed charachters (standard regular expressions classes or custom)
- data format
- amount of expected data
- for numerical input its values
The difference between Code Injection and Command Injection are measures used to achive simmilar goals. The concept of Code Injection is to add malicious code into application, which then will be executed. Added code is a part of the application itself. It's not an external code, which is executed like it would be in Command Injection.
If site uses include() fucntion, which operates on variables sent with GET method, and there is no validation on them performed, then the attacker may try to execute different code than author of the code had on mind.
The URL below should display information about how to contact with the testsite company.
Below the altered code will include another code from http://evilsite.com/evilcode.php. The script "evilcode.php" may contain e.g. phpinfo() function, which is usefull for gaining information about configuration of the environment in which the web service runs.
One condition must be satisfied for this example to be successful, namely the web server configuration must allow for including files in the "http://" notation.
When programmer uses eval() function and operates on data inside it, and these data may be altered by the attacker, then it's only one step closer to Code Injection.
Mentioned below example shows how to use the eval() function:
$myvar = "varname"; $x = $_GET['arg']; eval("\$myvar = \$x;");
The code above which smells like a rose may be used to perform a Code Injection attack.
E.g. passing in the URI /index.php?arg=1; phpinfo()
Exploiting bugs like these the attacker doesn't have to limit himself only to Code Injection attack. The attacker may tempt himself to use Command Injection technique e.g.
- validation of the format / expected classes of charachetrs / input/output data size