Tuesday, June 23, 2015

Code Injection- An Ocean to explore.. Fun place for Security Guys and Bad dream for Developers.. :):)

Code Injection: It is a technique of exploitation which is caused when the code is not able to make a difference between the good code and a bad code or in another words when your code is able to process an invalid piece of code without verification.

Code injection was something which used to be a good technique which comes in handy for the end user when they want some specific output from a system which is diverted from the system. For e.g. a particular report format that is not supported or updating a system by a written script or a piece of code which gets activated on a particular day of the week or to perform some automated output which the application in use was not designed to perform.

But there is always a bad side. Similarly this technique can also be used to perform some malicious activities which can cause diverse affects. For e.g.modifying values in a database or performing a web site defacement to injecting some kind of malicious code or taking superior privileges..

Usually it is performed by sending a malicious code to the interpreter and executing it to gain unwanted information and privileges.

They can be easily be discovered when doing a code review of the code but sometimes it becomes very difficult when one is doing a black box testing. The best way to find them is through fuzzer's or some good scanners.

Some examples of Cod Injections are SQL injection, HTML injection,XML injection,Cross Site scripting, Remote file Injection, Object Injection and the most famous one Shell Injection. (There may be more of them as well..)

Each of them is an individual area of research and interest .We are going to try them individually in coming days:)

References: Dont forget to go through some links for the time being:


No comments:

Post a Comment