Code Injection
What is Code Injection?
A class of vulnerabilities where attacker-supplied data is interpreted and executed as code by an application, leading to arbitrary execution in its context.
Code injection is the broad family of flaws in which untrusted input is incorporated into something the application later treats as program code, configuration, or markup, so that the runtime parses and executes it. Concrete instances include eval-based injection in JavaScript and Python, server-side template injection, expression-language injection (OGNL, SpEL), insecure deserialization that triggers gadget chains, and dynamic class loading from user-controlled names. Successful exploitation typically yields remote code execution under the application's identity, with its credentials, network position and file access, which is often a stepping stone to full host or cluster compromise. Defenses include never building code, templates or expressions from input; using data-only parsers and parameterized APIs instead of evaluation primitives; disabling or restricting dynamic features such as script engines, expression evaluation and unrestricted deserialization; and running the application with least privilege inside a sandbox so that a successful injection is contained.
● Examples
- 01
eval(request.body.expr) running attacker-controlled JavaScript in a Node service.
- 02
Java application calling ScriptEngine.eval on a user-supplied script.
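The following is an added example, not code from the original page: it shows the Node pattern from example 01 beside a hardened replacement. The request objects are constructed stand-ins for an HTTP framework's request, and the hostile payload only sets a global marker so that the effect of arbitrary execution is visible without doing damage.

```javascript
// Added example (not from the original page). `request` mimics the shape of
// an HTTP framework request object; both requests below are constructed.

// VULNERABLE: the body's "expr" field is handed straight to the JS runtime.
// Anything the attacker writes after a ';' runs with the service's authority.
function calcVulnerable(request) {
  // eslint-disable-next-line no-eval
  return eval(request.body.expr);
}

// HARDENED: a recursive-descent parser that understands only arithmetic.
// Digits, whitespace, + - * / and parentheses are the whole grammar, so
// the input never reaches the JavaScript runtime at all.
function calcSafe(request) {
  const src = String(request.body.expr);
  let pos = 0;
  const peek = () => src[pos];
  const skipWs = () => { while (src[pos] === ' ') pos++; };

  function parseNumber() {
    skipWs();
    const m = /^\d+(\.\d+)?/.exec(src.slice(pos));
    if (!m) throw new Error(`unexpected input at offset ${pos}`);
    pos += m[0].length;
    return Number(m[0]);
  }
  function parseFactor() {
    skipWs();
    if (peek() === '(') {
      pos++;
      const v = parseExpr();
      skipWs();
      if (peek() !== ')') throw new Error(`expected ')' at offset ${pos}`);
      pos++;
      return v;
    }
    if (peek() === '-') { pos++; return -parseFactor(); }
    return parseNumber();
  }
  function parseTerm() {
    let v = parseFactor();
    for (;;) {
      skipWs();
      const op = peek();
      if (op !== '*' && op !== '/') return v;
      pos++;
      const r = parseFactor();
      v = op === '*' ? v * r : v / r;
    }
  }
  function parseExpr() {
    let v = parseTerm();
    for (;;) {
      skipWs();
      const op = peek();
      if (op !== '+' && op !== '-') return v;
      pos++;
      const r = parseTerm();
      v = op === '+' ? v + r : v - r;
    }
  }

  const result = parseExpr();
  skipWs();
  // Reject anything left over (a ';', a function call, a property access...).
  if (pos !== src.length) throw new Error(`trailing input at offset ${pos}`);
  return result;
}

// Constructed requests: a benign calculation and a payload that smuggles
// a statement in after the arithmetic. In a real attack the statement would
// spawn a shell or read secrets; here it only plants a marker on globalThis.
const benignRequest = { body: { expr: '2 * (3 + 4)' } };
const hostileRequest = { body: { expr: '1 + 1; globalThis.injected = true; 42' } };

// Runs both handlers against both requests and reports what happened.
function demo() {
  const report = {};
  report.safeBenign = calcSafe(benignRequest);          // 14
  report.vulnHostile = calcVulnerable(hostileRequest);  // 42, and the marker is set
  report.markerPlanted = globalThis.injected === true;  // true: arbitrary code ran
  try {
    calcSafe(hostileRequest);
    report.safeHostile = 'executed';
  } catch (e) {
    report.safeHostile = 'rejected';                    // parser stops at ';'
  }
  return report;
}
```

The point of the hardened version is not input filtering but a change of primitive: the parser produces a number, never a program, so there is no code path from the request to the runtime. The same shape applies to the Java ScriptEngine case in example 02, where a purpose-built evaluator or a data-only format replaces the script engine.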
● Frequently asked questions
What is Code Injection?
A class of vulnerabilities where attacker-supplied data is interpreted and executed as code by an application, leading to arbitrary execution in its context. It belongs to the Attacks & Threats category of cybersecurity.
How does Code Injection work?
Once untrusted input is concatenated into code, the runtime cannot tell the two apart: a string that reaches eval(), a script engine, a template renderer, an expression-language evaluator, a deserializer or a class loader is parsed and executed with the same authority as the application's own code. Attackers therefore look for any path from input to such a primitive, including indirect ones such as a stored value that a background job evaluates later. The payload runs under the application's identity, with its credentials, network position and file access, which is why a single injection point often becomes full host or cluster compromise.
How do you defend against Code Injection?
Defences combine technical and operational controls: never build code, templates or expressions from untrusted input; prefer data-only alternatives (JSON.parse instead of eval, sandboxed template environments, allow-listed deserialization filters); disable or restrict dynamic features such as script engines and expression evaluation where the application does not need them; run the service with least privilege and inside a sandbox so that a successful injection is contained; and monitor for unexpected child processes or outbound connections from the application.
What are other names for Code Injection?
Common alternative names include remote code execution (RCE) and arbitrary code execution (ACE). Strictly, those terms name the usual impact of the flaw rather than the flaw itself; code injection is the root cause and RCE or ACE the result.
● Related terms
- attacks № 392
Eval Injection
A specific code-injection flaw caused by passing untrusted input to dynamic-evaluation primitives such as JavaScript eval() or Python eval/exec.
- attacks № 202
Command Injection
An attack where user input is passed unsanitized to an operating-system shell, causing the application to execute attacker-supplied commands.
- attacks № 1084
SQL Injection
A code-injection attack that smuggles attacker-controlled SQL into a database query, letting the attacker read, modify, or destroy data.
- attacks № 1009
Server-Side Template Injection
An attack in which untrusted input containing template-engine syntax is embedded into a server-side template, leading to code execution on the server when the template is rendered.
- vulnerabilities № 539
Insecure Deserialization
A vulnerability where an application deserialises untrusted data, letting attackers instantiate arbitrary objects and frequently achieve remote code execution.
● See also
- № 808 PDF Exploit