
Code Injection

What is code injection?

Code injection is the term for vulnerabilities that allow a user to inject code which the application then interprets and executes. What the attacker can do is limited to the capabilities of the injected language. It can happen on both the server side and the client side.

What causes code injection?

These vulnerabilities occur when untrusted input is used in a context where it can be treated as actual code. The input is not properly validated or encoded before being used.

Why is Code Injection Dangerous?

It could allow privilege escalation and command injection on the system, which could put the server in an attacker’s hands. The attacker could modify parts of the application and retrieve sensitive information, causing reputational damage. Malware could be installed on the application server by using code injection, leading to attacks such as cookie theft, site defacement or phishing.

How to prevent Code Injection:

1. Developers should never trust user input.

2. Use parameterized queries and apply least privilege (for example, a read-only database account) on both the client side and the server side.

3. Apply application-wide filtering or sanitization to all user-provided input, combining filtering, encoding and whitelist validation.

4. Don’t let functions execute or interpret user input directly.
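The following is an added example, not code from the original article, showing points 2 and 4 side by side in Python: a calculator that hands user input straight to `eval` (the weak pattern), a hardened version that parses the input and accepts only a whitelist of arithmetic syntax, and a database lookup that passes the user value as a query parameter rather than splicing it into SQL text. The table layout and sample rows are constructed for the demo.

```python
import ast
import operator
import sqlite3

# Weak pattern: user input is handed directly to the interpreter (point 4).
def calc_unsafe(expr: str):
    return eval(expr)  # executes whatever syntax the caller supplies

# Hardened pattern: parse first, then allow only whitelisted node types.
_BIN_OPS = {
    ast.Add: operator.add, ast.Sub: operator.sub,
    ast.Mult: operator.mul, ast.Div: operator.truediv,
}

def calc_safe(expr: str):
    """Evaluate plain arithmetic only; any other syntax raises ValueError."""
    tree = ast.parse(expr, mode="eval")
    return _eval_node(tree.body)

def _eval_node(node):
    # Numbers, binary arithmetic and unary minus are the whole allowed grammar;
    # names, calls, attributes, subscripts etc. are rejected before execution.
    if isinstance(node, ast.Constant) and isinstance(node.value, (int, float)):
        return node.value
    if isinstance(node, ast.BinOp) and type(node.op) in _BIN_OPS:
        return _BIN_OPS[type(node.op)](_eval_node(node.left), _eval_node(node.right))
    if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.USub):
        return -_eval_node(node.operand)
    raise ValueError(f"disallowed syntax: {type(node).__name__}")

# Parameterized query (point 2): the value travels as data, never as SQL text,
# so quotes or keywords inside it cannot change the statement's structure.
def find_user(conn, username: str):
    cur = conn.execute("SELECT id, name FROM users WHERE name = ?", (username,))
    return cur.fetchall()

def demo_db():
    # Constructed in-memory sample table (hypothetical schema for the demo).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    return conn
```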