Scripting languages often have functions, such as eval(), that allow interpreting a string or a file as part of the application. The danger of using these functions is that, under certain conditions, an attacker might be able to supply malicious code that is then executed as part of the application. This gives the attacker full control of the application. Code injection vulnerabilities affect all scripting languages, but typically occur in web applications written in PHP.
An attacker gains full control of the application and the ability to use any operating system functions that are available to the scripting environment. Code injection is one of the most dangerous vulnerability types, if not the most dangerous. On top of being extremely powerful, code injection vulnerabilities are typically easy to exploit, especially in web applications.
To prevent code injection vulnerabilities, validate all input and avoid using dangerous APIs.
Validate all input:
Avoid using dangerous APIs:
To check your application for code injection, locate every call to a dangerous function, verify that the data passed to it is sufficiently validated, and confirm that dangerous APIs are avoided wherever an alternative exists.
All input is validated:
Dangerous APIs are avoided:
Computer Based Training Links
Use the following Computer Based Training course(s) for more background information about this type of vulnerability.
OWASP Top Threats & Mitigations
This course examines in depth the vulnerabilities, threats, and mitigations described in the OWASP Top 10 2013. Upon completion of this class, participants will be able to identify and mitigate the greatest threats that web application developers face, including: Injection, Broken Authentication and Session Management, Cross-Site Scripting (XSS), Insecure Direct Object References, Security Misconfiguration, Sensitive Data Exposure, Missing Function Level Access Control, Cross-Site Request Forgery (CSRF), Using Components with Known Vulnerabilities, and Unvalidated Redirects and Forwards.