Code Injection

Code injection can used by an attacker to introduce malicious code into a vulnerable computer program and change the course of execution.

All software takes some sort of input -- a secure program should treat all input from an external source as "untrusted" until proven otherwise. Code injection vulnerabilities exist when an attacker can submit executable input to a program and trick the software into running that input. This gives the attacker a channel by which they can circumvent any security restrictions put in place by the program's author.

Some common types of code injection are:

• SQL Injection. Unsafe treatment of HTTP parameters when constructing queries on a website can permit an attacker to run arbitrary SQL statements on a vulnerable application.
• Cross site scripting. Unsafe treatment of HTTP parameters can allow injection of malicious JavaScript into a web application.
• Command execution. Unsafe treatment of HTTP parameters can allow an attacker to run run arbitrary shell commands on the web server.

The consequences of a successful code injection are generally disastrous for the application author. The risks can be mitigated by ensuring secure treatment of untrusted input, and by practicing defense in depth to limit the privileges of the running application.