I. Background of Code Injection

Code Injection is a type of exploitation caused by processing invalid data input. The concept of injection attacks is to introduce (or "inject") malicious code into a program so as to change the course of execution. Such an attack may be performed by adding strings of malicious characters into data values in the form or argument values in the URL. Injection attacks generally take advantages of inadequate validation over input/output data, for example:

  • Lack of defining a class of allowed characters (such as standard regular expressions or custom classes)
  • Lack of restricting the data format (such as date format yyyy/mm/dd)
  • Lack of checking the amount of expected data (such as maximum length restriction)
  • Lack of restricting the data type (such as numerical input only)

Code Injection is the general name for various types of attacks which inject improper code into the script interpreter. This can be achieved through different dimensions which included:

  • Web Level
  • Application/Database Level
  • Operating System (OS) Level
  1. Web Level

    Today, most websites embed dynamic contents in their web pages for better user experience and functionalities. Dynamic content is generated by the respective server process, which can behave and display differently according to users’ settings and requirements when delivered. Dynamic websites are more vulnerable to a type of code injection, called Cross-Site Scripting ("XSS"), than those traditional static websites.

    In this form of injection attack, the attackers introduce improper scripts into the web browsers. The technique most oftenly used is to inject JavaScript, VBScript, ActiveX, HTML, Flash or any other types of codes that web browsers may execute. Once the injection is successfully performed, hackers can carry out a variety of malicious attacks including account hijacking, changing of user settings, cookie theft and poisoning, or false advertising.

Next page >
P.1 of 12