Code injection in Java

From OWASP
Revision as of 00:30, 15 September 2009 by Neil Bergman (Talk | contribs)

Status

Review

Overview

Code injection involves injecting malicious code into an application, where it is executed in the context of the application. Java provides a scripting API (javax.script) that allows code written in scripting languages to access and control Java objects. The scripting API comes with built-in support for JavaScript using the Mozilla Rhino engine, but other language engines such as JRuby and Jython can be used as well. If an attacker can control which script file is loaded, or any part of the script code that is evaluated, then malicious code can be executed.

Examples

Example 1

The code below concatenates a command-line argument into the script source, which allows a user to inject arbitrary JavaScript into Java's script engine.

import javax.script.*;

public class Example1 {
	public static void main(String[] args) {
		try {
			ScriptEngineManager manager = new ScriptEngineManager();
			ScriptEngine engine = manager.getEngineByName("JavaScript");
			System.out.println(args[0]);
			// Vulnerable: user input is concatenated into the script source
			engine.eval("print('"+ args[0] + "')");
		} catch(Exception e) {
			e.printStackTrace();
		}
	}
}

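In this case, the attacker injects code that creates a file on the file system. The input closes the string literal and the print() call, and the trailing // comments out the leftover characters of the original script.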

hallo'); var fImport = new JavaImporter(java.io.File); with(fImport) { var f = new File('new'); f.createNewFile(); } //

Two built-in functions allow Java classes and packages to be brought into the scripting environment: importPackage and importClass. There is also a class, JavaImporter, which brings multiple Java packages into the script code and can then be used to instantiate Java classes.
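
A hardened counterpart to Example 1, added here as an illustration and not part of the original OWASP page: the script source is a constant and the untrusted string reaches the engine only as a bound variable, so the payload above is printed as text instead of being parsed as code. The class name Example1Hardened, the helper printUntrusted and the variable name userInput are hypothetical, and the example assumes the JVM has a JavaScript engine available.

```java
import java.io.File;
import javax.script.Bindings;
import javax.script.ScriptEngine;
import javax.script.ScriptEngineManager;
import javax.script.ScriptException;

public class Example1Hardened {
    // The script source is a constant; user input never becomes part of it.
    private static final String SCRIPT = "print(userInput)";

    // Hypothetical helper: hands the untrusted string to the script as a variable.
    static void printUntrusted(ScriptEngine engine, String untrusted)
            throws ScriptException {
        Bindings scope = engine.createBindings(); // fresh scope per evaluation
        scope.put("userInput", untrusted);        // bound as data, never parsed as code
        engine.eval(SCRIPT, scope);
    }

    public static void main(String[] args) throws ScriptException {
        ScriptEngine engine =
                new ScriptEngineManager().getEngineByName("JavaScript");
        if (engine == null) {
            // Assumption: a JavaScript engine is available to the JVM.
            System.err.println("No JavaScript engine available");
            return;
        }
        // Default input is the payload shown above, used as a constructed test case.
        String input = args.length > 0 ? args[0]
                : "hallo'); var fImport = new JavaImporter(java.io.File); "
                + "with(fImport) { var f = new File('new'); f.createNewFile(); } //";

        // Compare the file system before and after to confirm nothing was executed.
        File marker = new File("new");
        boolean existedBefore = marker.exists();
        printUntrusted(engine, input);
        boolean createdByScript = !existedBefore && marker.exists();
        System.out.println("File created by script: " + createdByScript);
    }
}
```

Binding the input only keeps it out of the script source; it does not restrict what the fixed script itself is allowed to do.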