Code Injection

By
Manieendar Mohan
Published on
29 Jun 2023
1 min read
Vulnerability

Code injection is a vulnerability caused by executing invalid information. An attacker can introduce code into the vulnerable computer program through injection. The injected code can change the course of execution. A successful code injection can be disastrous for the server. The server that fails to properly validate user data can result in Code Injection vulnerability. Attackers can inject code into a vulnerable computer program and change the course of execution. If an attacker can inject code into an application and if that application executes the code, this vulnerability can cause code injection.

Example

In a web application using PHP, use eval() function to pass it untrusted data.

        //the URL to archive the page is https://www.example.beaglesecurity.com/index.php?arg=1
        $myvar = "varname";
        $x = $_GET['arg'];
        eval("\$myvar = \$x;");

    

In the above code, an attacker can easily get the phpinfo() function by requesting a URL.

https://www.example.beaglesecurity.com/index.php?arg=1; phpinfo()

The above link will return the version of PHP in that application uses. Also, the attacker can run the system commands.

https://www.example.beaglesecurity.com/index.php?arg=1; system(‘id’)

The id command will reveal all the information about the current user. An attacker can also specify the name of another user to get information about other users.

Impact

Using this vulnerability, an attacker can:-

  • Steal sensitive data
  • perform data corruption
  • execute Denial of access attacks
  • successfully take over the host

Mitigation / Precaution

Beagle recommends the following fixes:-

  • Use APIs that are secure against all input characters.
  • Enforce a language separation using a static type system.
  • Use proper Input validations.
Automated human-like penetration testing for your web apps & APIs
Teams using Beagle Security are set up in minutes, embrace release-based CI/CD security testing and save up to 65% with timely remediation of vulnerabilities. Sign up for a free account to see what it can do for you.

Written by
Manieendar Mohan
Manieendar Mohan
Cyber Security Lead Engineer
Experience the Beagle Security platform
Unlock one full penetration test and all Advanced plan features free for 10 days
Find surface-level website security issues in under a minute
Free website security assessment
Experience the power of automated penetration testing & contextual reporting.