Code injection is a technique in which a threat actor inputs or injects malicious code that takes advantage of a validation flaw in the software. Code injection is also known as remote code execution (RCE). The malicious code is usually “injected” in the same language as the targeted application and then executed by the server. In general, any application that uses unvalidated input data may be vulnerable to code injection; because web-based applications accept so much untrusted input, they are the dominant target for threat actors using this technique.
Code injection attacks typically exploit weaknesses in data validation. Data validation issues may include data formats, the amount of data expected, and the types of characters allowed. A good example of remote code execution is the WannaCry attack in 2017. WannaCry ransomware allowed remote code execution if the threat actor sent communications to the Microsoft Server Message Block (SMB) protocol. First, WannaCry scanned for vulnerable SMB ports using the NSA EternalBlue tool, which could, in turn, exploit the vulnerability in Microsoft SMB. Then another NSA tool was used by the threat actor to install the WannaCry malware.
Types of code injection:
Cross-Site Scripting (XSS):
XSS is a type of cyberattack in which the threat actor injects malicious scripts into websites and web applications. The goal is to have these scripts executed on users’ endpoint devices, where the threat actor can bypass controls and impersonate users. XSS attacks turn a harmless website or web application into an attack vector that delivers malicious scripts to the web browsers of unsuspecting victims. The attack typically aims to steal cookies, session identifiers, names, and passwords.
SQL Injection (SQLI):
Structured Query Language (SQL) is an ANSI-standard language used to communicate with database systems. Note that SQLI can affect applications written in any programming language and almost any type of database, including XML databases.
Threat actors use the syntax of SQL to inject commands that compromise the original query and can read or modify database records. In addition, developers may build fields where submitting input in SQL syntax expands the result set and exposes passwords or other sensitive information.
To mitigate SQLI, developers must minimize or eliminate dynamic queries and reject input that contains SQL capable of changing the query’s logic.
LDAP Injection:
Lightweight Directory Access Protocol (LDAP) is used to search for resources in a network, such as devices, other users, or files. LDAP injection causes an unvalidated LDAP statement to direct a server to perform specific commands associated with malicious activities and goals.
Carriage Return – Line Feed Injection (CRLF):
A CRLF injection is a vulnerability exploited when a threat actor injects carriage return and line feed (CRLF) characters where the application does not expect them. CRLF injection vulnerabilities are often caused by input data that is not sanitized and carefully checked. By splicing these characters into text streams, threat actors can trick the web application into doing what they want.
SMTP Injection:
An SMTP injection can potentially affect any application that communicates with mail servers (IMAP/SMTP); webmail applications are the usual example. The threat actor’s goal is to inject IMAP/SMTP commands into the mail servers, which is possible when input data is not properly sanitized or validated.
Command Injection:
Command injection is a threat actor technique that involves executing arbitrary commands on a host operating system. The threat actor exploits an application vulnerability and then injects the commands.
Poorly handled user data, such as cookies and form fields, can allow a command to be injected into the system shell on a web server. The attacker can then leverage the privileges of the vulnerable application to compromise the server. Command injection may include the direct execution of shell commands, the injection of malicious files into a server’s runtime environment, and more.
Best Practices to Prevent Code Injection Attacks
Best practices to prevent injection attacks on your web applications include:
- Limiting the use of special characters.
- Granting only the minimum privileges necessary and nothing more.
- Controlling activity by validating user inputs against an allow-list.
- Using prepared statements with parameterized queries. They are faster and easier to generate than dynamic queries.
- Escaping all user input before putting it into a query. Databases support character escapes specific to various types of queries. If input is properly escaped for the environment you are using, the database will not confuse it with legitimate SQL written by the developer.
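The following is an added example, not code from the original article, showing why the parameterized-query and allow-list practices above work. It builds a constructed in-memory SQLite table with two users, runs the same lookup as a dynamic (concatenated) query and as a prepared statement, and applies a simple allow-list check; the `users` table and the sample input values are assumptions made for the demonstration.

```python
import sqlite3


def make_db():
    # Constructed in-memory database so the example runs offline.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    return conn


def lookup_dynamic(conn, name):
    # Dynamic query: the input is pasted into the SQL text, so quote
    # characters in the input become part of the query's logic.
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    # Prepared statement: the input is bound as a value and is never
    # parsed as SQL, so it cannot change the query's logic.
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def is_allowed_username(name):
    # Allow-list validation: accept only the characters a username may
    # legitimately contain, and reject everything else up front.
    return 1 <= len(name) <= 32 and all(c.isalnum() or c in "._-" for c in name)


if __name__ == "__main__":
    conn = make_db()
    benign = "alice"
    hostile = "x' OR '1'='1"  # constructed input containing SQL syntax
    print(lookup_dynamic(conn, benign))        # [('alice', 'alice@example.test')]
    print(lookup_dynamic(conn, hostile))       # tautology returns every row
    print(lookup_parameterized(conn, hostile)) # [] (no user has that literal name)
    print(is_allowed_username(hostile))        # False: rejected before any query
```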