What is code injection?
Code injection is the malicious introduction of code into an application. The injected code can compromise database integrity, data protection properties, security and even data correctness. It can also be used to steal data and to bypass access and authentication controls. Code injection attacks affect applications that incorporate user input into the code or commands they execute.
There are four types of code injection attacks:
- SQL injection
- Script injection
- Shell injection
- Dynamic evaluation
SQL injection is an attack method in which attacker-supplied input alters a legitimate database query so that it returns, modifies or fabricates data the attacker should not control. Script injection is an attack in which the attacker supplies program code that is executed by the server-side script engine. Shell injection attacks, also known as operating system command attacks, manipulate applications that build commands for the operating system from user input. In a dynamic evaluation attack, arbitrary code is supplied in place of the expected input, and the application evaluates and runs that code. The difference between code injection and command injection, another form of attack, is that injected code is limited to the functionality of the language and application that interpret it, whereas command injection runs arbitrary operating system commands.
Code injection vulnerabilities range from easy to difficult to find. Many countermeasures have been developed to prevent code injection attacks at both the application and the architecture level. Some examples include input validation, parameterization, restricting the privileges granted for each action (least privilege), adding an additional layer of protection, and others.
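The SQL injection described above and two of the countermeasures listed here (input validation and parameterization), shown side by side as an added example that is not part of the original page. The in-memory SQLite database, its two user rows and the helper names are constructed for this illustration.

```python
import re
import sqlite3

# Constructed sample data for the example; not from the original page.
ROWS = [("alice", "s3cret"), ("bob", "hunter2")]


def _make_db():
    """Build a throwaway in-memory database with a users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", ROWS)
    return conn


def find_user_vulnerable(name):
    """String concatenation: the input becomes part of the SQL text,
    so a quote character in it changes the query's structure."""
    conn = _make_db()
    query = "SELECT name FROM users WHERE name = '" + name + "' ORDER BY name"
    return [row[0] for row in conn.execute(query)]


def find_user_parameterized(name):
    """Bound parameter: the driver sends the input as a value only,
    so it can never be parsed as SQL syntax."""
    conn = _make_db()
    query = "SELECT name FROM users WHERE name = ? ORDER BY name"
    return [row[0] for row in conn.execute(query, (name,))]


def is_valid_username(name):
    """Allow-list validation (defence in depth, not a replacement
    for parameterization): letters, digits and underscore only."""
    return re.fullmatch(r"[A-Za-z0-9_]{1,32}", name) is not None


def find_user_hardened(name):
    """Validation first, then a parameterized query."""
    if not is_valid_username(name):
        raise ValueError("rejected username: %r" % name)
    return find_user_parameterized(name)
```

With a benign name both lookups return the same single row; with an input containing a quote the concatenated query returns every user, while the parameterized query returns nothing and the validated path rejects the input outright.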