Code Injection

Code injection can used by an attacker to introduce malicious code into a vulnerable computer program and change the course of execution.

All software takes some sort of input -- a secure program should treat all input from an external source as "untrusted" until proven otherwise. Code injection vulnerabilities exist when an attacker can submit executable input to a program and trick the software into running that input. This gives the attacker a channel by which they can circumvent any security restrictions put in place by the program's author.

Some common types of code injection are:

The consequences of a successful code injection are generally disastrous for the application author. The risks can be mitigated by ensuring secure treatment of untrusted input, and by practicing defense in depth to limit the privileges of the running application.