Also known as injection attack, code injection attack, injection vulnerability, code injection vulnerability
class of exploits in which a vulnerable computer program misinterprets data as code
CWE - CWE-94: Improper Control of Generation of Code ('Code Injection') (4.20)
Common Weakness Enumeration (CWE) is a list of software weaknesses.
cwe.mitre.org →Home CWE List CWE-94: Improper Control of Generation of Code ('Code Injection') (4.20) ID Lookup: The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. This table specifies different individual consequences associated with the weakness. The Scope identifies the application security area that is violated, while the Impact describes the negative technical impact that arises if an adversary succeeds in exploiting this weakness. The Likelihood provides information about how likely the specific consequence is expected to be seen relative to the other consequences in the list. For example, there may be high likelihood that a weakness will be exploited to achieve a certain impact, but a low likelihood that it will be exploited to achieve a different impact. This table shows the weaknesses and high level categories that are related to this weakness. These relationships are defined as ChildOf, ParentOf, MemberOf and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as PeerOf and CanAlsoBe are defined to show similar weaknesses that the user may want to explore. MemberOf Category - a CWE entry that contains a set of other entries that share a common characteristic. 137 Data Neutralization Issues MemberOf Category - a CWE entry that contains a set of other entries that share a common characteristic. 1019 Validate Inputs The different Modes of Introduction provide information about how and when this weakness may be introduced. The Phase identifies a point in the life cycle at which introduction may occur, while the Note provides a typical scenario related to introduction during the given phase. Implementation REALIZATION: This weakness is caused during implementation of an architectural security tactic. This listing shows possible areas for which the given weakness could appear. These may be for specific named Languages, Operating Systems, Architectures, Paradigms, Technologies, or a class of such platforms. The platform is listed along with how frequently the given weakness appears for that instance. This example attempts to write user messages to a message file and allow users to view them. The programmer thought they were just including the contents of a regular data file, but PHP parsed it and executed the code. Now, this code is executed any time people view messages. Any arbitrary Perl code could be added after the attacker has "closed off" the construction of the original function call, in order to prevent parsing errors from causing the malicious eval() to fail before the attacker's payload is activated. This particular manipulation would fail after the system() call, because the " key( $fname, $key, $val)" portion of the string would cause an error, but this is irrelevant to the attack because the payload has already been activated. This simple python3 script asks a user to supply a comma-separated list of numbers as input and adds them together. The eval() function can take the user-supplied list and convert it into a Python list object, therefore allowing the programmer to use list comprehension methods to work with the data. However, if code is supplied to the eval() function, it will execute that code. For example, a malicious user could supply the following string: This would delete all the files in the current directory. For this reason, it is not recommended to use eval() with untrusted input. An alternative, commonly-cited mitigation for this kind of weakness is to use the ast.literal eval() function, since it is intentionally designed to avoid executing code. However, an adversary could still cause excessive memory or stack consumption via deeply nested structures [REF-1372 ], so the python documentation discourages use of ast.literal eva
Excerpt from a page describing this subject · 40,000 chars · not written by Vinony
via Wikidata · CC0
via Wikidata sitelinks · CC0
Discovered by embedding cosine similarity (sentence-transformers MiniLM, 384-dim).