Code injection

Code injection is a class of computer security exploits in which a vulnerable computer program is tricked into misinterpreting external data as part of its code. An attacker thereby "injects" code into the program and changes the course of its execution. The result of successful code injection can be disastrous, for example, by allowing computer viruses or computer worms to propagate.

Code injection vulnerabilities occur when an application sends untrusted data to an interpreter. Injection flaws are most often found in SQL, LDAP, XPath, NoSQL queries, OS commands, XML parsers, SMTP headers, program arguments, etc. Injection flaws tend to be easier to discover when examining source code than via testing.^[1] Scanners and fuzzers can help find injection flaws.^[2]

Injection can result in data loss or corruption, lack of accountability, or denial of access. Injection can sometimes lead to complete host takeover.

Certain types of code injection are errors in interpretation, giving special meaning to user input. Similar interpretation errors exist outside the world of computer science such as the comedy routine "Who's on First?". In some types of code injection, there is a failure to distinguish user input from system commands.

Code injection techniques are popular in system hacking or cracking to gain information, privilege escalation or unauthorized access to a system. Code injection can be used malevolently for many purposes, including:

Arbitrarily modifying values in a database through SQL injection. The impact of this can range from website defacement to serious compromise of sensitive data.
Installing malware or executing malevolent code on a server by injecting server scripting code (such as PHP or ASP).
Privilege escalation to root permissions by exploiting shell injection vulnerabilities in a setuid root binary on UNIX, or Local System by exploiting a service on Microsoft Windows.
Attacking web users with HTML/script injection (Cross-site scripting).

Code injection attacks in Internet of Things could also lead to severe consequences like data breaches and service disruption.^[3]

In 2008, 5.66% of all vulnerabilities reported that year were classified as code injection, the highest year on record. In 2015, this had decreased to 0.77%.^[4]

^ "Top 10 Web Application Security Vulnerabilities". Penn Computing. University of Pennsylvania. Archived from the original on 24 February 2018. Retrieved 10 December 2016.
^ "OWASP Top 10 2013 A1: Injection Flaws". OWASP. Retrieved 19 December 2013.
^ Noman, Haitham Ameen; Abu-Sharkh, Osama M. F. (January 2023). "Code Injection Attacks in Wireless-Based Internet of Things (IoT): A Comprehensive Review and Practical Implementations". Sensors. 23 (13): 6067. Bibcode:2023Senso..23.6067N. doi:10.3390/s23136067. ISSN 1424-8220. PMC 10346793. PMID 37447915.
^ "NVD - Statistics Search". web.nvd.nist.gov. Retrieved 9 December 2016.

[1] "Top 10 Web Application Security Vulnerabilities". Penn Computing. University of Pennsylvania. Archived from the original on 24 February 2018. Retrieved 10 December 2016.

[OWASP10_A1-2] "OWASP Top 10 2013 A1: Injection Flaws". OWASP. Retrieved 19 December 2013.

[3] Noman, Haitham Ameen; Abu-Sharkh, Osama M. F. (January 2023). "Code Injection Attacks in Wireless-Based Internet of Things (IoT): A Comprehensive Review and Practical Implementations". Sensors. 23 (13): 6067. Bibcode:2023Senso..23.6067N. doi:10.3390/s23136067. ISSN 1424-8220. PMC 10346793. PMID 37447915.

[4] "NVD - Statistics Search". web.nvd.nist.gov. Retrieved 9 December 2016.

[1]

[2]

[3]

[4]