What is Code Injection?
November 03, 2022
Code injection (a.k.a. remote code execution) is an attack based on feeding improper data into a program. If hackers manage to exploit a program vulnerability, they may succeed in injecting malicious code through an input field or an uploaded file, with subsequent execution of that code. Such files usually exist as a DLL or a script placed somewhere on your disk. Hackers may download them after the initial compromise and use them only when the moment comes.
The actions performed by the malicious code may go beyond the hackers' own user clearance, and their effects are limited only by the capabilities of the programming language in which the program is written. As a result, the program's execution can be distorted, and data can be removed, altered, sent somewhere (stolen), or accessed without clearance. Access for other users of the service can be denied, and even a host takeover is possible. Another probable consequence of code injection is the introduction of a computer virus or internet worm and its subsequent spreading.
Command Injection vs. Code Injection
Speaking of code injection in cybersecurity, we mean a certain type of attack: a special case of a wider group of cyber offenses, the malicious code attacks. The latter, when spoken of, usually implies the so-called command injection attacks rather than code injection. Attacks of both types exploit vulnerabilities of software environments.
Command injection uses the program into which it is introduced to execute commands in a wider environment. For example, a malicious website script or a script-equipped Excel file can initiate the execution of Windows shell commands, thereby acting beyond the application from which it originates. The field of action of a code injection attack, by contrast, is limited to the program in which it is executed. For example, there are programs, such as databases, in which users input search requests and commands. Introducing specially crafted data can break such a program and make it perform actions that are normally not allowed. For example, hackers can use the query line of an SQL database to tamper with its data. That would be code injection.
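To make the distinction concrete, here is an added example in Python (not code from the original post): an SQL lookup and a shell call, each written once with the user's text spliced into the command and once with the text passed as a separate parameter. The in-memory table, the user name and the inputs are constructed for the demonstration.

```python
import sqlite3
import subprocess


def make_db():
    # Constructed in-memory table standing in for a real user store.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    db.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    return db


def lookup_vulnerable(db, name):
    # Code injection: the name is spliced into the SQL text, so a quote in the
    # input changes the statement the database interpreter sees. The effect
    # stays inside the database program.
    query = "SELECT secret FROM users WHERE name = '" + name + "'"
    return [row[0] for row in db.execute(query)]


def lookup_safe(db, name):
    # Parameterised query: the value is bound separately and never becomes
    # part of the SQL text, so quotes in it are just characters.
    query = "SELECT secret FROM users WHERE name = ?"
    return [row[0] for row in db.execute(query, (name,))]


def echo_vulnerable(text):
    # Command injection: shell=True hands the whole string to the system shell,
    # so a ';' in the input starts a second command that runs outside the
    # application, with the application's privileges.
    out = subprocess.run("echo " + text, shell=True,
                         capture_output=True, text=True)
    return out.stdout.splitlines()


def echo_safe(text):
    # Argument list and no shell: the text reaches echo as one literal
    # argument, and shell metacharacters are never interpreted.
    out = subprocess.run(["echo", text], capture_output=True, text=True)
    return out.stdout.splitlines()
```

With a benign name both lookups agree; with a quote in the input only the spliced query changes meaning, and only the shell=True call runs the second command.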
How Is Code Injection Possible?
Code injection exploits vulnerabilities of an interpreter: a program that executes instructions directly without compiling them into machine code. The environments most susceptible to code injection are SQL, LDAP, XPath and NoSQL. Code injection is, of course, also possible in operating system scripting, SMTP headers, program arguments, XML parsers, etc.
The data format, the characters used in queries, the amount of data being input, etc., are the tools of code injection attacks. Sometimes code injection works like a hacker-launched pun: an ambiguous piece of wordplay that confuses the interpreter, either leading to the immediate execution of the desired malicious instruction or bringing the program into a state vulnerable to another injection.
Non-Malicious Use of Code Injection
Code injection is not necessarily a harmful tool for overriding a program's behaviour. Experienced users can knowingly use it to bypass some procedures or perform actions the program did not intend. In databases, for example, it is possible to use code injection to create a column of search query results that the program previously did not display, which allows filtering the results by these newly introduced parameters.
In file hosting services, it is possible to use code injection to parse data from online resources in an offline program. The number of benign uses of code injection is virtually unlimited. However, cases of "good" code injection are as hard to find on purpose as cases of malicious code injection. Actually, tests aimed at finding the vulnerabilities in question can also be called cases of benign code injection. It is also possible to cause code injection accidentally: users may unintentionally type symbols that have a reserved function in the environment they are working in, for example & or @.
The simplest example is unintentionally tagging a person in a group chat of an instant messenger by typing @ before the name of a chat member. Single and double quotes are also candidates for accidental code injection triggers, since software developers may use one of these pairs for special purposes.
Malicious Code Injection and Its Effects
The effects of injecting malicious code, written intentionally to do harm, vary. They are mostly unauthorized access, privilege escalation, and obtaining information through hacking. The attacks can be performed on the client side (if the application validates input data on the client side, for example in the browser) or on the server side (if validation takes place on the server).
Client-side code injection includes:
- SQL code injection is a rampant practice that targets SQL databases via queries, allowing hackers to access desired data from the structure and even obtain sensitive data such as sign-in credentials or information on the configuration of the attacked program itself.
- Python code injection is used against applications written in Python. If the vulnerability is exploited well, the hacker gets full control over data manipulation. The range of possible consequences is broad, from insignificant to grave, depending on the hackers' intentions.
- HTML code injection, a.k.a. cross-site scripting (XSS), allows criminals to access cookies, session tokens and other data belonging to other users as they visit the targeted webpage. It is important to note that HTML code injection can be performed on a trustworthy website: the code injected by a hacker later targets visitors of the page, collecting their data, initiating downloads of malware to their machines, etc.
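As an added illustration of the HTML injection case above (not part of the original post), the Python snippet below renders a constructed comment fragment once verbatim and once with output encoding, and builds a session cookie header with the HttpOnly flag that keeps the token out of reach of any script that does end up running in the page. The template, user name and comment text are constructed for the demonstration.

```python
import html
from http.cookies import SimpleCookie

# Constructed page fragment standing in for a comment section.
TEMPLATE = "<p>Comment from {user}: {body}</p>"


def render_vulnerable(user, body):
    # HTML injection: user-controlled text lands in the page verbatim, so a
    # <script> tag in a comment runs in the browser of every later visitor.
    return TEMPLATE.format(user=user, body=body)


def render_safe(user, body):
    # Output encoding: '<', '>', '&' and quotes become entities, so the
    # browser shows the text instead of parsing it as markup.
    return TEMPLATE.format(user=html.escape(user, quote=True),
                           body=html.escape(body, quote=True))


def session_cookie_header(token):
    # HttpOnly keeps the session token out of document.cookie, so even a
    # script that does get injected cannot read it; Secure limits the cookie
    # to HTTPS and SameSite=Lax stops most cross-site requests carrying it.
    c = SimpleCookie()
    c["session"] = token
    c["session"]["httponly"] = True
    c["session"]["secure"] = True
    c["session"]["samesite"] = "Lax"
    return c.output(header="Set-Cookie:").strip()
```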
Server-side code injection includes:
- PHP code injection becomes possible if a PHP program has validation flaws that allow criminals to alter the program's execution by introducing their own code, with all manner of possible consequences.
- JavaScript code injection is a relatively easy attack to perform. The malicious code can be introduced via some vulnerability or typed right into the address bar. Hackers can use JavaScript for various ends, including data theft, denial of access, sign-up form hijacking, etc.
How to Protect Yourself?
Protection against code injection includes safety measures for developers and precautions for users who can fall victim to such attacks. We will touch on the latter in this post.
Disable scripts (completely or selectively). Users can change their browser settings or install extensions like NoScript for Firefox to block JavaScript on websites completely, but this measure seems like overkill. Yes, it eliminates the threat of cross-site scripting, but it also cuts off half of modern web functionality. Choose what is more important to you.
Stay away from questionable websites. A substantial share of malicious code attacks originate from untrustworthy web resources. Watch out for the absence of an SSL certificate on a website, recognizable by HTTP in the address bar (instead of HTTPS). Along with counterfeit sites reached through dubious links you found somewhere, beware of DNS hijacking; such tricks may lead you straight to a server controlled by crooks.
Keep your software updated. Most code injection cases happen because of software vulnerabilities. Careless checking of the DLLs in use, or the ability to slip arbitrary code or commands into PowerShell for execution: such breaches have been found even in the most popular programs. Software vendors check their software regularly and release security patches that can save you time and money.
Install an anti-malware solution to keep your system protected from malware that can be installed via code injection. Not every anti-malware program will do: one with on-run (real-time) protection is needed. However, the ideal solution for preventing code injection is an EDR system. It acts as a single shield for the whole network rather than scattered security apps on each computer. Such a program will effectively counteract the threats above and malware injection attempts.