Code Injection - Preventing Code Injection

Preventing Code Injection

To prevent code injection problems, utilize secure input and output handling, such as:

  • Input validation
  • Selective input inclusion/exclusion
  • Escaping dangerous characters. For instance, in PHP, using the htmlspecialchars function (converts HTML tags to their ISO-8859-1 equivalents) and/or strip_tags function (completely removes HTML tags) for safe output of text in HTML, and mysql_real_escape_string to isolate data which will be included in an SQL request, to protect against SQL Injection.
  • Input encoding
  • Output encoding
  • Other coding practices which are not prone to code injection vulnerabilities, such as "parameterized SQL queries" (also known as "prepared statements" and sometimes "bound variables" or "bound values").
  • Modular shell disassociation from kernel
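The two list items that matter most in day-to-day web code are output escaping and parameterized queries. The following is an added example (not from the original page) that shows both in Python with only the standard library: `html.escape` plays the role the text assigns to PHP's `htmlspecialchars`, and `sqlite3` parameter binding is the "prepared statement" the last item describes, placed beside the concatenated query it replaces. The `users` table and its rows are constructed sample data so the script runs offline.

```python
"""Output escaping and parameterized SQL, shown side by side with the
string-concatenation form they replace. Added example; standard library only."""
import html
import sqlite3


def escape_for_html(text: str) -> str:
    """Escape <, >, &, " and ' so untrusted text is rendered, not parsed, as HTML.
    This is the Python counterpart of the htmlspecialchars-style escaping
    the page recommends for output in HTML."""
    return html.escape(text, quote=True)


def build_db() -> sqlite3.Connection:
    """Constructed in-memory table so the example is self-contained."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Concatenation: the caller's input becomes part of the SQL text, so a
    value containing a quote changes the meaning of the WHERE clause."""
    query = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(query)]


def find_user_parameterized(conn: sqlite3.Connection, name: str) -> list:
    """Prepared statement: the SQL text is fixed and the driver binds `name`
    as a value, so its characters are never interpreted as SQL."""
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    conn = build_db()
    # Classic textbook probe: a quote followed by an always-true condition.
    probe = "x' OR '1'='1"
    print(find_user_vulnerable(conn, probe))       # returns every row
    print(find_user_parameterized(conn, probe))    # returns no rows
    print(escape_for_html("<script>alert(1)</script>"))
```

The parameterized version is the one to keep: the driver never splices the value into the statement, so there is nothing to escape and no escaping function to get wrong.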

The solutions listed above deal primarily with web-based injection of HTML or script code into a server-side application. Other approaches need to be taken, however, when dealing with injection of user code on the user's machine, resulting in privilege-elevation attacks. Some approaches that are used to detect and isolate managed and unmanaged code injections are:

  • Runtime image hash validation - capture a hash of a part or complete image of the executable loaded into memory, and compare it with stored and expected hash.
  • NX bit - all user data is stored in special memory sections that are marked as non-executable. The processor is made aware that no code exists in that part of memory, and refuses to execute anything found there.
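Runtime image hash validation, as described in the first item, is easiest to see on a small in-memory image. The following is an added example, not from the original page: the "image" is a Python code object compiled at load time, its hash is recorded, and a later check detects a modified copy. A real implementation would hash the executable's mapped code sections rather than a code object; `load_image`, `verify_image` and `tamper` are names chosen for this illustration.

```python
"""Hash-at-load, verify-later check for a loaded code image. Added example;
the image is a compiled Python code object standing in for a mapped executable."""
import hashlib
import hmac
import marshal
import types


def image_hash(code: types.CodeType) -> str:
    """Hash the serialised code object (bytecode, constants, names)."""
    return hashlib.sha256(marshal.dumps(code)).hexdigest()


def load_image(source: str) -> tuple:
    """Compile the image and capture the hash that later checks compare against."""
    code = compile(source, "<image>", "exec")
    return code, image_hash(code)


def verify_image(code: types.CodeType, expected_hash: str) -> bool:
    """Recompute the hash of the image currently in memory and compare it with
    the stored value; constant-time comparison avoids leaking partial matches."""
    return hmac.compare_digest(image_hash(code), expected_hash)


def tamper(code: types.CodeType) -> types.CodeType:
    """Simulate an in-memory modification by rewriting one constant (7 -> 42).
    Constructed for the demonstration; it is not an injection technique."""
    new_consts = tuple(42 if c == 7 else c for c in code.co_consts)
    return code.replace(co_consts=new_consts)


def run_image(code: types.CodeType) -> int:
    """Execute the image and return the RESULT it defines."""
    namespace = {}
    exec(code, namespace)
    return namespace["RESULT"]


if __name__ == "__main__":
    code, stored = load_image("RESULT = 7\n")      # constructed sample image
    print(verify_image(code, stored))              # True: untouched
    modified = tamper(code)
    print(verify_image(modified, stored))          # False: image changed
    print(run_image(code), run_image(modified))    # 7 42
```

The check only helps if the stored hash is kept somewhere the injected code cannot also rewrite, which is why such schemes are usually paired with a signed manifest or a measurement held outside the process.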
