Home > Tech Explained

How Does Code Injection Work?

By Afam Onyimadu
How Does Code Injection Work? Featured Image

Code injection, often referred to as remote code execution (RCE), is an attack perpetrated by an attackers ability to inject and execute malicious code into an application; an injection attack. This foreign code is capable of breaching data security, compromising database integrity or private properties. In many instances, it can bypass authentication control, and usually these attacks are associated with applications that depend on user input for execution.

Generally, applications are more vulnerable if the code is executed without first passing through validation. A simple case of a vulnerable code is shown below.

injection-example1

In the above example the PHP info page is vulnerable and will be displayed if the URL http://example.com/?code=phpinfo(); is run.

Due to the fact that user interaction with applications is more and more a necessity in today’s online world, code injection has grown and has become a real threat to many online resources.

Types of code injections

There are mainly four types of code injections: SQL injection, Script injection, Shell injection, and Dynamic evaluation. All of these have the same working principle, that is, the code is introduced into and executed by applications, but the two I will pay focus on are SQL injection and Script injection.

How SQL injections work

In the case of SQL injection, the attack is aimed at corrupting a legitimate database query to produce falsified data. The attacker first has to locate an input within the targeted web application that is included inside of an SQL query.

This method is only effective if the web application has user input included within an SQL statement. A payload (a malicious SQL statement) can then be inserted and run against the database server.

The following server-side pseudo-code is a simple example of authentication that can prove vulnerable to SQL injections.

injection-example2

In the above code the attacker could insert a payload that would change the SQL statement executed by the database server. An example would set the password field to:

password' OR 1=1

This automatically causes the following statement to be run against the database server:

SELECT id FROM users WHERE username='username' AND password='password' OR 1=1

What SQL injection can do

This is the most common type of code injection. Considering the fact that SQL is the language used to manipulate data stored in Relational Database Management Systems (RDBMS), an attack with the power to give and execute SQL statements can be used to access, modify and even delete data.

It can give the attacker the ability to bypass authentication, have full disclosure of data stored in the database, compromise data integrity and cause repudiation issues, altering balances and voiding transactions.

How to prevent SQL injections

There are a few steps to make your applications less vulnerable, but before any of these steps, it is best to assume all user-submitted data is evil and to trust no one. Then you could consider the following:

  • Disable the use of dynamic SQL – this means don’t construct database queries with user input. If required, sanitize, validate and escape values before making a query with user input data.
  • Make use of a firewall – A web application firewall (software or application based) will help filter malicious data.
  • Purchase better software – This simply means coders will be responsible for checking and fixing flaws.
  • Encrypt or hash passwords and every other confidential data you have, this should include connection strings.
  • Avoid connecting to your database with admin privileged accounts unless you absolutely need to.

Script injection

This security vulnerability is a threat that allows an attacker to inject malicious code straight through the web forms of data-driven websites via elements of the user interface. This attack is often referred to as Cross-Site Scripting or XSS. The , , , , , , , tags are the most targeted for script injections.

How to prevent script injections

The steps to prevent script injections are dependent on the programming code you are using. Generally, you will want to:

  • validate and sanitize user input (any form of input fields) by striping out or escaping potentially malicious content
  • clean up query strings in URLs
  • validate and sanitize all forms of data, arrays and objects before executing in the server

Conclusion

Simply said, prevention is better than a cure. With new updates in technology, there are more threats our systems are going to be exposed to. To stay on top of things, it’s important to have the latest patches and updates and to keep an ear out for best practices. This makes it harder to fall victim to these malicious attacks.

Subscribe to our newsletter!

Our latest tutorials delivered straight to your inbox

Afam Onyimadu Avatar
Afam Onyimadu
Afam is a writer with a passion for technology amongst many other fields. Aside from putting pen to paper, he is a passionate soccer lover, a dog breeder and enjoys playing the guitar and piano.

Read next

In 1965, Joe Sutter’s Boeing team began shaping the 747 around a future they thought would belong to supersonic jets, lifting the cockpit onto a hump so the nose could open for cargo once the giant subsonic passenger plane had outlived its brief moment
Vintage keyboard with tactile buttons paired with a modern digital interface on screen.
Apple’s original 1984 Macintosh keyboard had no arrow keys, no function keys, and no numeric pad because Steve Jobs wanted users to reach for the mouse first. Then Apple quietly sold the missing keys as an accessory.
When the SS Great Eastern laid the first working transatlantic telegraph cable in 1866, a message that had taken ten days by steamship suddenly crossed the ocean in minutes, and the financial markets of London and New York were forced, within a single trading week, to invent the modern concept of synchronised global price.
Flat lay of travel essentials including a passport, map, smartphone, and pop camera.
Masahiro Hara and Denso engineers built the QR code in 1994 to help Toyota suppliers scan car parts from any angle, then kept the patent open until phone cameras and a 2020 pandemic turned the factory square into a daily ritual on restaurant tables
In 1965, Mary Allen Wilkes wrote LAP6 for the LINC computer from her parents’ Baltimore home, testing an interactive operating system on a 250-pound machine in the living room and becoming the first known person to use a personal computer at home, twelve years before the Apple II reached buyers
Hands manipulating wires on breadboards for electronic prototyping.
When Grace Hopper wanted to explain a nanosecond to admirals who kept asking why satellites were slow, she handed each of them a piece of wire 11.8 inches long, the exact distance light travels in a billionth of a second, and told them to keep it in their pocket as a reminder that physics, not laziness, sets the limit.
From below of blue starry sky over radio telescope and trees with leaves
The Big Ear telescope was scanning at 1420.4056 megahertz on the night of 15 August 1977, the exact frequency at which hydrogen atoms vibrate across the universe, because Giuseppe Cocconi and Philip Morrison had argued years earlier that any species trying to be found would broadcast on that channel — and then, for 72 seconds, something did.
An astronaut in a spacesuit ventures across a barren, Mars-like desert landscape.
When Doug Wheelock came home after 163 days in space, he said he had craved the aroma of leaves, grass, flowers, and trees, the rush of Earthiness that reaches astronauts only when the hatch opens back onto the living planet