Code Injection

Code injection is the exploitation of a computer bug that is caused by processing invalid data. Code injection can be used by an attacker to introduce (or "inject") code into a computer program to change the course of execution. The results of a code injection attack can be disastrous. For instance, code injection is used by some computer worms to propagate.

Code Injection is the general name for a lot of types of attacks which depend on inserting code, which is interprated by the application. Such an attack may be be performed by adding strings of characters into a cookie or argument values in the URI. This attack makes use of lack of accurate input/output data validation, for example:

 . class of allowed characters (standard regular expressions classes or custom)
 . data format
 . amount of expected data
 . for numerical input, its values

 Code Injection and Command Injection are measures used to achive simmilar goals. The concept 
 of Code Injection is to add malicious code into an application, which then will be executed.
 Added code is a part of the application itself. It's not external code which is executed, like 
 it would be in Command Injection.

Example 1

When a programmer uses the eval() function and operates on the data inside it, and these data may be altered by the attacker, then it's only one step closer to Code Injection. The example below shows how to use the eval() function:

    $myvar = "varname";                                                                     
    $x = $_GET['arg'];
    eval("\$myvar = \$x;");

The code above which smells like a rose may be used to perform a Code Injection attack. Example: passing in the URI /index.php?arg=1; phpinfo() While exploiting bugs like these, the attacker doesn't have to limit himself only to a Code Injection attack. The attacker may tempt himself to use Command Injection technique, for example.

1
        /index.pho?arg=1; system('id')
Example 2

    <?php                                                                                   
    $varerror = system('cat '.$_GET['pageid'], $valoretorno);                           
    echo $varerror;
    ?>

by using that kind of code we can attak as show in example number 2 using live http headers or using method get you can make this kind of petition:

1
        vulnerable.php?pageid=loquesea;ls
ls is the command we are executing but we can use any other commands of the server.

Preventing code injection

    To prevent code injection problems, utilize secure input and output handling, such as:
    . Input validation
    . Selective input inclusion/exclusion
    . Escaping dangerous characters. For instance, in PHP, using the htmlspecialchars()
      function (converts HTML tags to their ISO-8859-1 equivalents) and/or strip_tags() 
      function (completely removes HTML tags) for safe output of text in HTML, and 
      mysql_real_escape_string() to isolate data which will be included in an SQL request,
      to protect against SQL Injection.
    . Input encoding
    . Output encoding
    . Other coding practices which are not prone to code injection vulnerabilities, such as 
      "parameterized SQL queries" (also known as "prepared statements" and sometimes "bound
      variables" or "bound values").
    . Modular shell disassociation from kernel

    The solutions listed above deal primarily with web-based injection of HTML or script code 
    into a server-side application. Other approaches need to be taken however, when you are 
    dealing with injection of user code on the user machine, resulting in privilege elevation
    attacks.