Code injection is a class of computer security exploits in which vulnerable computer programs or system processes fail to properly handle external data, such as user input, leading to the program misinterpreting the data as a command that should be executed. An attacker using this method "injects" code into the program while it is running. Successful exploitation of a code injection vulnerability can result in data breaches, access to restricted or critical computer systems, and the spread of malware.
Code injection vulnerabilities occur when an application sends unsanitised malicious data to an interpreter, which then executes the injected text as code. Injection flaws are often found in services like Structured Query Language (SQL) databases, Extensible Markup Language (XML) parsers, operating system commands, Simple Mail Transfer Protocol (SMTP) headers, and other program arguments. Injection flaws are more straightforward to discover when examining source code than when testing.[1] Static analysis and fuzzers can help find injection flaws.[2]
There are numerous types of code injection, but most are errors in interpretation since they treat benign user input as code or fail to distinguish input from system commands. Many examples of interpretation errors like these can exist outside of computer science, such as the comedy routine "Who's on First?". Code injection techniques are used in hacking to gain information, as well as in privilege escalation or to gain access to a system. Code injection can be used maliciously for many purposes, including:
Code injections that target the Internet of Things could also lead to severe consequences such as data breaches and service disruption.[3]
5.66% of all vulnerabilities reported in 2008 were classified as code injection, the highest percentage on record. In 2015, this figure decreased to 0.77%.[4]