Code Injection - Overview and Example

Overview and Example

A web server has a guestbook script, which accepts small messages from users, and typically receives messages such as

Very nice site!

However, a malicious person who knows of a code injection vulnerability in the guestbook may enter a message such as

Nice site, I think I'll take it.>

If another user views the page, the injected code is executed, and it can allow the attacker to impersonate that user. The same software bug can also be triggered accidentally by an unsuspecting user, in which case the website simply displays broken HTML, for example after a message such as

That post was awesome, >:)
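The two guestbook entries above illustrate the same defect from both sides: the deliberate one injects markup, the accidental one just breaks the page. The following example (added here; it is not code from the original page) shows the vulnerable rendering pattern beside the hardened one. The guestbook template, the `render_unsafe`/`render_safe` functions and the sample messages are assumptions constructed for the demonstration.

```python
import html
import re

# Constructed sample guestbook entries (not from the original page).
MESSAGES = [
    "Very nice site!",
    "That post was awesome, >:)",                                  # accidental metacharacter
    'Nice site, I think I\'ll take it. <script>alert("injected")</script>',  # deliberate injection
]

# Hypothetical guestbook template: each message becomes one list item.
TEMPLATE = '<li class="entry">{body}</li>'


def render_unsafe(message: str) -> str:
    """The vulnerable pattern: the raw message is pasted straight into the HTML,
    so any markup it contains is interpreted by the viewer's browser."""
    return TEMPLATE.format(body=message)


def render_safe(message: str) -> str:
    """The hardened pattern: escape <, >, &, and quotes before the text enters
    the HTML, so the browser shows the characters instead of parsing them."""
    return TEMPLATE.format(body=html.escape(message, quote=True))


# Matches the start of an opening or closing HTML tag.
TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z]")


def injected_tags(rendered_entry: str) -> int:
    """Number of tags in one rendered entry beyond the template's own <li>...</li>.
    Zero means the message contributed no markup of its own."""
    return len(TAG_RE.findall(rendered_entry)) - 2


def render_guestbook(messages, renderer) -> str:
    """Render all entries with the given renderer (unsafe or safe)."""
    return "<ul>\n" + "\n".join(renderer(m) for m in messages) + "\n</ul>"


if __name__ == "__main__":
    for m in MESSAGES:
        print("unsafe:", render_unsafe(m))
        print("safe:  ", render_safe(m))
        print()
```

With `render_safe`, the `>:)` entry is shown to readers exactly as typed (`&gt;:)` in the source), and the deliberate entry is displayed as inert text rather than executed, without any attempt to guess which inputs are "dangerous".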

Most of these problems stem from erroneous assumptions about what input data is possible, or about the effects of special data. Classic examples of dangerous assumptions a software developer might make about a program's input include:

  • assuming that an API's metacharacters never occur in the input; e.g. assuming that punctuation such as quotation marks or semicolons will never appear
  • assuming only numeric characters will be entered as input
  • assuming the input will never exceed a certain size
  • assuming that numeric values are within the expected upper and lower bounds
  • assuming that client-supplied values set by the server (such as hidden form fields or cookies) cannot be modified by the client. This assumption ignores known attacks such as cookie poisoning, in which such values are set arbitrarily by malicious clients.
  • assuming that it is safe to take pointers or array indexes directly from input
  • assuming that input will never supply false information about itself or related values, such as the size of a file
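Each of these assumptions can be replaced by an explicit check. The following validator (added as an example; it is not code from the original page) handles a hypothetical guestbook form with a name, a message, a numeric rating and a hidden `user_id` field, and verifies character set, length, numeric type, range and origin instead of assuming them. The field names, limits and the `Submission` record are assumptions made for the demonstration.

```python
import re
from dataclasses import dataclass

# Hypothetical limits for the guestbook form (constructed for this example).
MAX_NAME = 40
MAX_MESSAGE = 500
RATING_MIN, RATING_MAX = 1, 5

NAME_RE = re.compile(r"[A-Za-z0-9 _.-]{1,%d}" % MAX_NAME)  # no metacharacters in names
RATING_RE = re.compile(r"[0-9]{1,2}")                      # digits only; range checked below


@dataclass(frozen=True)
class Submission:
    user_id: int
    name: str
    message: str
    rating: int


def _field(form: dict, key: str) -> str:
    """Fetch a form field and verify it is a string; a form parser may hand back
    lists or None, which must not be assumed away."""
    value = form.get(key, "")
    if not isinstance(value, str):
        raise ValueError(f"{key}: unexpected type {type(value).__name__}")
    return value


def validate_submission(form: dict, session: dict) -> Submission:
    """Validate a guestbook submission; raises ValueError on the first failed check."""
    name = _field(form, "name")
    if not NAME_RE.fullmatch(name):                       # metacharacters and length
        raise ValueError("name: disallowed characters or length")

    message = _field(form, "message")
    if not 1 <= len(message) <= MAX_MESSAGE:              # size is checked, not assumed
        raise ValueError(f"message: empty or longer than {MAX_MESSAGE} characters")

    rating_raw = _field(form, "rating")
    if not RATING_RE.fullmatch(rating_raw):               # numeric is checked, not assumed
        raise ValueError("rating: not a whole number")
    rating = int(rating_raw)
    if not RATING_MIN <= rating <= RATING_MAX:            # bounds are checked, not assumed
        raise ValueError("rating: out of range")

    # The form may carry a hidden user_id field, but it is client-controlled and can be
    # set to anything; the identity comes from the server-side session instead.
    if "user_id" not in session:
        raise ValueError("not logged in")
    return Submission(user_id=int(session["user_id"]), name=name, message=message, rating=rating)


def rejects(form: dict, session: dict) -> bool:
    """True if the submission is refused by the validator."""
    try:
        validate_submission(form, session)
    except ValueError:
        return True
    return False


# Constructed sample input: a well-formed post and a session for user 42.
GOOD_FORM = {"name": "alice", "message": "Very nice site!", "rating": "5", "user_id": "1"}
SESSION = {"user_id": 42}

if __name__ == "__main__":
    print(validate_submission(GOOD_FORM, SESSION))
    print("tampered hidden field ignored:", validate_submission(GOOD_FORM, SESSION).user_id == 42)
```

Note that the hidden `user_id` of `1` sent by the client is never used; the accepted record carries the session's identity, which is the only one the server can vouch for.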
