jmarya/knowledge
jmarya/knowledge
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
knowledge/technology/hacking/Code Injection.md
JMARyA 76626a468c
add vulns
2024-05-02 21:59:25 +02:00

3.8 KiB
Raw Blame History

obj wiki rev
concept https://en.wikipedia.org/wiki/Code_injection 2024-05-02

Code Injection

Code injection is a type of attack where malicious code is injected into a program or system, often exploiting vulnerabilities to execute arbitrary commands or alter the behavior of the target application. Code injection attacks can have severe consequences, including data breaches, system compromise, and unauthorized access.

Types of Code Injection

  1. SQL Injection (SQLi): Involves inserting malicious SQL queries into input fields of web applications, exploiting vulnerabilities in database interaction to retrieve, modify, or delete data.
  2. Cross-Site Scripting (XSS): Occurs when attackers inject malicious scripts, typically JavaScript, into web pages viewed by other users. XSS attacks can steal cookies, session tokens, or redirect users to malicious websites.
  3. Command Injection: Involves injecting malicious commands into system commands or shell scripts, exploiting vulnerabilities in input validation to execute arbitrary commands on the host system.
  4. LDAP Injection: Similar to SQL injection, LDAP injection involves manipulating LDAP (Lightweight Directory Access Protocol) queries to bypass authentication, retrieve sensitive information, or gain unauthorized access.
  5. Code Injection in Compiled Languages: Involves injecting malicious code into compiled programs, exploiting vulnerabilities such as buffer overflows, format string vulnerabilities, or insecure dynamic loading of libraries.

How Code Injection Works

  1. Input Validation: Attackers identify input fields or parameters vulnerable to injection attacks, such as web forms, URL parameters, or command-line arguments.
  2. Injection: Malicious code or commands are injected into the vulnerable input fields, bypassing input validation mechanisms.
  3. Execution: The injected code is executed by the target application or system within the context of its execution environment, leading to unauthorized actions or data compromise.

Impact of Code Injection

  • Data Breach: Attackers can access, modify, or delete sensitive data stored in databases or accessed by the target application.
  • Unauthorized Access: Code injection can lead to unauthorized access to systems, applications, or user accounts.
  • System Compromise: Injected code may compromise the integrity and availability of the target system, leading to system takeover or disruption of services.
  • Elevation of Privileges: Successful code injection may allow attackers to escalate privileges and gain administrative access to systems.

Prevention and Mitigation

  1. Input Validation and Sanitization: Validate and sanitize user input to prevent injection attacks, including parameterized queries for SQL injection and proper encoding for XSS prevention.
  2. Parameterized Queries: Use parameterized queries or prepared statements in database interactions to prevent SQL injection vulnerabilities.
  3. Least Privilege: Restrict the privileges of the application or user accounts to minimize the impact of successful injection attacks.
  4. Input Filtering: Filter and restrict input to allow only expected characters and patterns, rejecting or escaping any potentially malicious input.
  5. Content Security Policy (CSP): Implement CSP headers to mitigate XSS attacks by controlling the sources from which content can be loaded.
  6. Static and Dynamic Analysis: Employ static code analysis tools and dynamic application security testing (DAST) tools to identify and remediate injection vulnerabilities.