Code injection

Code injection is a class of computer security exploit in which vulnerable computer programs or system processes fail to correctly handle external data, such as user input, leading to the program misinterpreting the data as a command that should be executed. An attacker utilizing this method thereby "injects" code into the program while it is running. Successful exploitation of a code injection vulnerability can result in data breaches, access to restricted or critical computer systems, and the spread of malware.

Code injection vulnerabilities occur when an application sends untrusted data to an interpreter, which then executes the injected text as code. Injection flaws are often found in services like SQL databases, XML parsers, operating system commands, SMTP headers, and other program arguments. Injection flaws are more straightforward to discover when examining source code than when testing.^[1] Static analysis and fuzzers can help find injection flaws.^[2]

There are numerous types of code injection, but most are errors in interpretation since they treat benign user input as code or fail to distinguish input from system commands. Many examples of interpretation errors like these can exist outside of computer science, such as the comedy routine "Who's on First?". Code injection techniques are used in hacking to gain information, as well as in privilege escalation or to gain access to a system. Code injection can be used maliciously for many purposes, including:

Arbitrarily modifying values in a database through SQL injection. The impact of this can range from website defacement to serious compromise of sensitive data.
Installing malware or executing malevolent code on a server by injecting server scripting code (such as PHP).
Privilege escalation to either superuser permissions on UNIX by exploiting shell injection vulnerabilities in a setuid binary, or to Local System privileges on Microsoft Windows by exploiting a service within Windows.
Attacking web users with HTML or XSS injection.

Code injections that target the Internet of Things could also lead to severe consequences such as data breaches and service disruption.^[3]

5.66% of all vulnerabilities reported in 2008 were classified as code injection, the highest percentage on record. In 2015, this figure decreased to 0.77%.^[4]

^ "Top 10 Web Application Security Vulnerabilities". Penn Computing. University of Pennsylvania. Archived from the original on 24 February 2018. Retrieved 10 December 2016.
^ "OWASP Top 10 2013 A1: Injection Flaws". OWASP. Archived from the original on 28 January 2016. Retrieved 19 December 2013.
^ Noman, Haitham Ameen; Abu-Sharkh, Osama M. F. (January 2023). "Code Injection Attacks in Wireless-Based Internet of Things (IoT): A Comprehensive Review and Practical Implementations". Sensors. 23 (13): 6067. Bibcode:2023Senso..23.6067N. doi:10.3390/s23136067. ISSN 1424-8220. PMC 10346793. PMID 37447915.
^ "NVD - Statistics Search". web.nvd.nist.gov. Archived from the original on 15 December 2023. Retrieved 9 December 2016.

[1] "Top 10 Web Application Security Vulnerabilities". Penn Computing. University of Pennsylvania. Archived from the original on 24 February 2018. Retrieved 10 December 2016.

[OWASP10_A1-2] "OWASP Top 10 2013 A1: Injection Flaws". OWASP. Archived from the original on 28 January 2016. Retrieved 19 December 2013.

[3] Noman, Haitham Ameen; Abu-Sharkh, Osama M. F. (January 2023). "Code Injection Attacks in Wireless-Based Internet of Things (IoT): A Comprehensive Review and Practical Implementations". Sensors. 23 (13): 6067. Bibcode:2023Senso..23.6067N. doi:10.3390/s23136067. ISSN 1424-8220. PMC 10346793. PMID 37447915.

[4] "NVD - Statistics Search". web.nvd.nist.gov. Archived from the original on 15 December 2023. Retrieved 9 December 2016.

[1]

[2]

[3]

[4]