Content deleted Content added
Changing punctuation for consistency. |
Bracteantha (talk | contribs) m interlinking Tags: Visual edit Mobile edit Mobile web edit Advanced mobile edit Newcomer task Newcomer task: copyedit |
||
Line 3:
{{Use dmy dates|date=June 2020}}'''Code injection''' is a class of [[computer security exploit|computer security exploits]] in which vulnerable [[computer program|computer programs]] or [[Computer process|system processes]] fail to correctly handle external data, such as user input, leading to the program misinterpreting the data as a command that should be [[Execution (computing)|executed]]. An [[Hacker (computer security)|attacker]] using this method "injects" [[Source code|code]] into the program while it is running. Successful exploitation of a code injection vulnerability can result in [[Data breach|data breaches]], access to restricted or critical [[Computer|computer systems]] and the spread of [[malware]].
Code injection [[Vulnerability (computer security)|vulnerabilities]] occur when an application sends untrusted data to an [[interpreter (computing)|interpreter]], which then executes the injected text as code. Injection flaws are often found in services like Structured Query Language ([[SQL]]) databases, Extensible Markup Language ([[XML]]) parsers, [[operating system]] commands, Simple Mail Transfer Protocol ([[SMTP]]) headers and other program [[Argument (programming)|arguments]]. Injection flaws are more straightforward to discover when examining [[source code]] than when testing.<ref>{{Cite web|url=http://www.upenn.edu/computing/security/swat/SWAT_Top_Ten_A6.php|title=Top 10 Web Application Security Vulnerabilities|website=Penn Computing|publisher=University of Pennsylvania|access-date=10 December 2016|archive-url=https://web.archive.org/web/20180224034000/http://www.upenn.edu/computing/security/swat/SWAT_Top_Ten_A6.php|archive-date=24 February 2018|url-status=dead}}</ref> [[Static analysis tool|Static analysis]] and [[fuzzer]]s can help find injection flaws.<ref name=OWASP10_A1>{{cite web|title=OWASP Top 10 2013 A1: Injection Flaws|url=https://www.owasp.org/index.php/Top_10_2013-A1-Injection|publisher=OWASP|access-date=19 December 2013|archive-date=28 January 2016|archive-url=https://web.archive.org/web/20160128030657/https://www.owasp.org/index.php/Top_10_2013-A1-Injection|url-status=live}}</ref>
There are numerous types of code injection but most are errors in interpretation, since they treat benign user input as code or fail to distinguish input from system commands. Many examples of interpretation errors, like these, can exist outside of computer science, such as the comedy routine ''"[[Who's on First?]]"''. Code injection techniques are used in [[Hacker (computer security)|hacking]] to gain information, as well as in [[privilege escalation]], or to gain access to a system. Code injection can be used maliciously for many purposes, including:
| |||