Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Secure Code Warrior - Code injection
1. Code Injection
Web App Vulnerabilities
by Secure Code Warrior Limited is licensed under CC BY-ND 4.0
2. What is it?
Code injection is a general term given to vulnerabilities that allow a user to inject code that gets interpreted and executed by the application. Code injection is limited to the capabilities of the injected language. It can happen both on the server and on the client side.
What causes it?
Untrusted input is used in contexts where it can be treated as actual code. The input is not properly validated or encoded before being used.
What could happen?
Code injection could allow an attacker to modify parts of the application, retrieve sensitive information, or gain privilege escalation and command injection on the system. Client-side injection could lead to attacks such as cookie theft, site defacement or phishing.
How to prevent it?
Sanitize user input through filtering, encoding, and validation based on whitelists. Use parameterized queries and apply least privilege, such as a read-only user. Don't forget the client side.
3. Code Injection
Understanding the security vulnerability
Mathy is a small web application that allows users to perform calculations. The calculation is performed using an unsafe eval() function: the user's input is concatenated straight into PHP source code.

Enter calculation: 5x5+2

    // User input is pasted into a code string and handed to eval()
    $calc = "5x5+2";
    $result = eval('return '.$calc.';');
    print $result;

An attacker manipulates a calculation and enters a string that will result in command execution:

Enter calculation: system('ls')

    // The same code path now executes system('ls') on the server
    $calc = "system('ls')";
    $result = eval('return '.$calc.';');
    print $result;

As a consequence, the 'ls' command is executed and the directory contents are returned to the attacker.
4. Code Injection
Realizing the impact
Privilege escalation could lead to command injection on the server, making it fall into an attacker's hands.
Malware could be installed on the application server by abusing a code injection.
An attacker could be able to retrieve sensitive user information, causing reputational damage.
5. Code Injection
Preventing the mistake
Never trust user input!
Code injection can occur on the client and the server side!
Apply application-wide filters or sanitization on all user-provided input: GET and POST parameters, cookies and other HTTP headers.
Apply white-list input validation; libraries exist in different frameworks.
If possible, don’t let functions interpret user input.
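Applying the prevention advice to the Mathy calculator, as an added example that is not Secure Code Warrior's code and is written in Python rather than the slide's PHP so the parser can run as-is: a character whitelist rejects anything that is not a number, operator or parenthesis (both system('ls') and the slide's own 5x5+2 fail it), and a small recursive-descent parser computes the result, so no interpreter such as eval() ever sees the input.

```python
import re

# Whitelist of characters a calculation may contain. Anything else, such as the
# slide's system('ls') payload, is refused before any parsing or interpretation.
ALLOWED = re.compile(r"[0-9+\-*/(). ]+")

def safe_calc(expr: str) -> float:
    """Evaluate + - * / and parentheses without eval(); only float() touches user data."""
    if not ALLOWED.fullmatch(expr):
        raise ValueError("input is empty or contains characters outside the whitelist")
    tokens = re.findall(r"\d+(?:\.\d+)?|[+\-*/()]", expr)
    if "".join(tokens) != expr.replace(" ", ""):
        raise ValueError("malformed number")          # e.g. "5." or "5..2"
    pos = 0
    def take():
        nonlocal pos
        if pos >= len(tokens):
            raise ValueError("unexpected end of input")
        pos += 1
        return tokens[pos - 1]
    def factor():
        tok = take()
        if tok == "(":
            value = expression()
            if take() != ")":
                raise ValueError("missing closing parenthesis")
            return value
        if tok == "-":                                # unary minus
            return -factor()
        if tok[0].isdigit():
            return float(tok)
        raise ValueError(f"unexpected token {tok!r}")
    def term():
        value = factor()
        while pos < len(tokens) and tokens[pos] in ("*", "/"):
            op, rhs = take(), factor()
            value = value * rhs if op == "*" else value / rhs
        return value
    def expression():
        value = term()
        while pos < len(tokens) and tokens[pos] in ("+", "-"):
            op, rhs = take(), term()
            value = value + rhs if op == "+" else value - rhs
        return value
    result = expression()
    if pos != len(tokens):                            # e.g. "5 5" or "2)"
        raise ValueError("trailing input")
    return result
```

A request handler would catch ValueError and return a refusal message; the attacker's string never reaches anything that could execute it.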