This material was developed with funding from the
National Science Foundation under Grant # DUE 1601612
We all know the story of Little Red Riding Hood. The story starts out with a little girl taking a walk to her grandmother’s house, and you expect that she will arrive and visit with her grandmother. But abruptly a new storyline is inserted and the story changes.
Code Injection Attacks
Little Red Riding Hood instead encounters a wolf who has eaten her grandmother and then disguised itself by dressing in her grandmother’s clothing. The wolf hopes to eat her as well, but Little Red Riding Hood doesn’t recognize the danger she is in yet. In this story, the insertion of a new storyline results in a very different, malicious outcome to the storyline.
A Code Injection Attack is the exploitation of a computer vulnerability that is caused by processing invalid user data. An attacker uses injection to introduce code into a vulnerable program and change its course of execution.
Little Red Riding Hood then discovers the wolf’s deception and true intentions. The ending is happy, but only because Little Red Riding Hood learns of the wolf’s plan. Much like in the story of Little Red Riding Hood, code can be inserted into existing program code, resulting in a very different, malicious outcome for the program. When an attacker inserts code into existing program code to achieve a different, malicious outcome, they are using a code injection attack. Code injection attacks can go unrecognized by those who may be harmed by them.
Code injection attacks are a broad class of attacks in which an attacker supplies untrusted input to a program; that input is processed as part of a command or query and alters the course of execution of the program. Code injection attacks are amongst the oldest and most dangerous web application attacks. They can result in data theft, data loss, loss of data integrity, denial of service, and even full system compromise.
Code injection attacks are a category of attacks, much like household tools are a category. Specific tools, such as a hammer, which is used for particular applications like nailing items together, fall into the general category of tools. Similarly, there are particular code injection attacks that act upon different types of code within the computer, and they fall into the general category of code injection attacks. These attacks that act on code are:
- Cross Site Scripting (XSS), for inserting code within websites
- Operating System Command Injection, for inserting code within web applications or websites to execute operating system commands
- SQL Injection, for inserting code into the database interfaces of websites
- Buffer Overflow, for inserting code into a buffer in the computer’s memory (RAM)
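The following added example (not part of the original material) shows the core idea of the definition above in miniature, using SQL Injection from the list: the same untrusted input is handed to a query that pastes it into the SQL text and to a query that binds it as a parameter. The table, user names and passwords are constructed for the example.

```python
import sqlite3

# Constructed sample data for this example: a tiny in-memory user table.
SAMPLE_USERS = [("alice", "secret-a"), ("bob", "secret-b")]


def make_db():
    """Create an in-memory SQLite database holding the sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, name, password):
    """Builds the query by pasting user input into the SQL text.
    The input is processed as part of the query, so input that
    happens to contain SQL syntax changes what the query does."""
    sql = ("SELECT name FROM users WHERE name = '%s' AND password = '%s'"
           % (name, password))
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn, name, password):
    """Uses a parameterized query: the SQL text is fixed and the inputs
    are bound as data, so they cannot alter the structure of the query."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (name, password))]


if __name__ == "__main__":
    db = make_db()
    # A legitimate login behaves the same either way.
    print(login_vulnerable(db, "alice", "secret-a"))  # ['alice']
    print(login_safe(db, "alice", "secret-a"))        # ['alice']
    # Input containing a quote and OR rewrites the WHERE clause of the
    # vulnerable query, so every row matches; the safe query treats the
    # same text as an ordinary (wrong) password and matches nothing.
    untrusted = "' OR '1'='1"
    print(login_vulnerable(db, "x", untrusted))  # ['alice', 'bob']
    print(login_safe(db, "x", untrusted))        # []
```

The fix is not to filter the quote character but to keep data and code separate: with parameter binding, the database never interprets the input as part of the command.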