Code injection is a class of computer security exploit in which vulnerable computer programs or system processes fail to correctly handle external data, such as user input, leading to the program misinterpreting the data as a command that should be executed. An attacker utilizing this method thereby "injects" code into the program while it is running. Successful exploitation of a code injection vulnerability can result in data breaches, access to restricted or critical computer systems, and the spread of malware.
Code injection vulnerabilities occur when an application sends untrusted data to an interpreter, which then executes the injected text as code. Injection flaws are often found in services like SQL databases, XML parsers, operating system commands, SMTP headers, and other program arguments. Injection flaws are more straightforward to discover when examining source code than when testing.[1] Static analysis and fuzzers can help find injection flaws.[2]
There are numerous types of code injection, but most are errors in interpretation: they treat benign user input as code or fail to distinguish input from system commands. Interpretation errors like these also exist outside of computer science, as in the comedy routine "Who's on First?". Code injection techniques are used in hacking to gain information, to escalate privileges, or to gain access to a system. Code injection can be used maliciously for many purposes, including:
Code injections that target the Internet of Things could also lead to severe consequences such as data breaches and service disruption.[3]
In 2008, 5.66% of all vulnerabilities reported were classified as code injection, the highest percentage on record. In 2015, this figure decreased to 0.77%.[4]