
Code Injection

Description

Code Injection refers to a category of attacks in which an attacker inserts code that the application subsequently evaluates. The attack takes advantage of poor handling of untrusted data; such vulnerabilities typically arise from insufficient validation of user-supplied input before it reaches an evaluation function.

Code Injection differs from Command Injection in that the attacker's capabilities are constrained only by the functionality of the target programming language. For instance, an attacker who injects PHP code into an application and gets it executed is limited by what PHP itself can do. Command Injection, on the other hand, abuses pre-existing code paths that execute system commands.

Ruby:

print "Enter math equation: "
user_input = gets.chomp

begin
  result = eval(user_input)
  puts "Result: #{result}"
rescue StandardError => e
  puts "Error: #{e.message}"
end

PHP:

<?php
$userInput = $_POST['expression'];

$result = null;
try {
    eval("\$result = $userInput;");
} catch (ParseError $e) {
    echo "Error: Invalid Expression";
}

echo "Result: " . $result;
?>

Python:

try:
    user_input = input("Enter a math expression: ")
    result = eval(user_input)
    print("Result:", result)
except Exception as e:
    print("Error:", e)

Recommendation

To mitigate code injection vulnerabilities, here are some possible mitigations:

  • Avoid evaluating user input: The best way to protect against code injection is to not evaluate user input at all.

  • Input validation and sanitization: If evaluating user input is unavoidable, validate it against a strict allowlist first (for a calculator, only digits and arithmetic operators) and strip or reject any character that could enable code execution, such as parentheses.

  • Using a sandbox environment: One way to mitigate the risk of code injection is by evaluating user input in an isolated and restricted sandbox environment.

  • Least Privilege Principle: Although not specific to code injection, the principle of least privilege reduces the impact of a successful exploit by limiting the privileges an attacker obtains when they compromise the process.

Ruby:

print "Enter math equation: "
user_input = gets.chomp

# Sanitize user input
sanitized_input = user_input.gsub(/[^0-9+\-\/\*]/, '')

begin
  result = eval(sanitized_input)
  puts "Result: #{result}"
rescue StandardError => e
  puts "Error: #{e.message}"
end

PHP:

<?php
$userInput = $_POST['expression'];

// Sanitize user input
$sanitizedInput = preg_replace("/[^0-9+\-\/\*]/", "", $userInput);

$result = null;
try {
    $result = eval("return $sanitizedInput;");
} catch (ParseError $e) {
    echo "Error: Invalid Expression";
}

echo "Result: " . $result;
?>

Python:

import re

try:
    user_input = input("Enter a Python expression: ")

    # Sanitize user input
    sanitized_input = re.sub(r'[^0-9+\-*/]', '', user_input)

    result = eval(sanitized_input)
    print("Result:", result)
except Exception as e:
    print("Error:", e)
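The sanitized examples above still hand a string to eval; the allowlist only narrows what the string can contain. The following added example (not part of the original page) applies the first recommendation instead, "avoid evaluating user input": it parses the expression with Python's ast module and walks the tree, accepting only numeric literals and the four arithmetic operators, so anything else (names, calls, attribute access, exponentiation) is rejected rather than executed. It also keeps the page's character-stripping sanitizer alongside, to show that stripping silently rewrites an invalid expression into a different valid one, whereas the parser rejects it. The function names, the length limit and the sample inputs are assumptions made for this example.

```python
import ast
import operator
import re

# Same character allowlist the page's sanitized examples use.
_DISALLOWED_CHARS = re.compile(r'[^0-9+\-*/]')

# Assumed bound: keeps parsing cost and recursion depth small.
MAX_EXPR_LEN = 200


def sanitize(expr: str) -> str:
    """The page's approach: strip everything except digits and operators."""
    return _DISALLOWED_CHARS.sub('', expr)


class UnsafeExpression(ValueError):
    """Raised when the expression uses syntax outside plain arithmetic."""


# Only these operators are ever applied; exponentiation is deliberately
# left out because its cost is unbounded for attacker-chosen operands.
_BIN_OPS = {
    ast.Add: operator.add,
    ast.Sub: operator.sub,
    ast.Mult: operator.mul,
    ast.Div: operator.truediv,
}
_UNARY_OPS = {ast.USub: operator.neg, ast.UAdd: operator.pos}


def _eval_node(node):
    """Evaluate an AST node by structural allowlist; reject anything else."""
    if isinstance(node, ast.Expression):
        return _eval_node(node.body)
    if (isinstance(node, ast.Constant)
            and isinstance(node.value, (int, float))
            and not isinstance(node.value, bool)):
        return node.value
    if isinstance(node, ast.BinOp) and type(node.op) in _BIN_OPS:
        return _BIN_OPS[type(node.op)](_eval_node(node.left),
                                       _eval_node(node.right))
    if isinstance(node, ast.UnaryOp) and type(node.op) in _UNARY_OPS:
        return _UNARY_OPS[type(node.op)](_eval_node(node.operand))
    # Names, calls, attributes, subscripts, comparisons, pow, ... all land here.
    raise UnsafeExpression(f"unsupported syntax: {type(node).__name__}")


def safe_calc(expr: str):
    """Parse as a single expression and evaluate it without eval()."""
    tree = ast.parse(expr, mode="eval")
    return _eval_node(tree)


def evaluate_user_input(expr: str):
    """Validate then evaluate; returns ('ok', value) or ('rejected', reason)."""
    if len(expr) > MAX_EXPR_LEN:
        return ("rejected", "expression too long")
    try:
        return ("ok", safe_calc(expr))
    except (SyntaxError, ValueError, ZeroDivisionError, RecursionError) as e:
        # UnsafeExpression is a ValueError, so it is covered here too.
        return ("rejected", str(e))


if __name__ == "__main__":
    # Constructed sample inputs: plain arithmetic plus inputs that are not.
    for sample in ["2+3*4", "-(2+3)", "10/4", "abs(3)", "x+1", "2**1000", "1/0"]:
        print(f"{sample!r:12} parser -> {evaluate_user_input(sample)}"
              f"   sanitize -> {sanitize(sample)!r}")
```

The difference between the two approaches is visible on `abs(3)`: `sanitize` turns it into `3`, a valid expression the user never wrote, while `evaluate_user_input` rejects it because a Call node is not arithmetic. Rejecting on unexpected structure, rather than repairing the string and evaluating whatever remains, is the behaviour a defender wants.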

Standards

  • CWE_TOP_25:
    • CWE_20
    • CWE_94
  • GDPR:
    • ART_5
    • ART_32
  • PCI_STANDARDS:
    • REQ_6_2
    • REQ_6_3
    • REQ_11_3