Code injection
{{Short description|Computer bug exploit caused by invalid data}}
{{distinguish|Dependency injection|Arbitrary code execution}}
{{Use dmy dates|date=June 2020}}
'''Code injection''' is a [[computer security exploit]] where a [[Computer program|program]] fails to correctly process external data, such as user input, causing it to interpret the data as executable commands. An [[Hacker (computer security)|attacker]] using this method "injects" [[Source code|code]] into the program while it is running. Successful exploitation of a code injection vulnerability can result in [[data breaches]], access to restricted or critical [[computer systems]], and the spread of [[malware]]. Code injection [[Vulnerability (computer security)|vulnerabilities]] occur when an application sends untrusted data to an [[interpreter (computing)|interpreter]], which then executes the injected text as code. Injection flaws are often found in services like Structured Query Language ([[SQL]]) databases, Extensible Markup Language ([[XML]]) parsers, [[operating system]] commands, Simple Mail Transfer Protocol ([[SMTP]]) headers, and other program [[Argument (programming)|arguments]].

Injection flaws can be identified through [[source code]] examination,<ref>{{Cite web |title=Top 10 Web Application Security Vulnerabilities |url=http://www.upenn.edu/computing/security/swat/SWAT_Top_Ten_A6.php |archive-url=https://web.archive.org/web/20180224034000/http://www.upenn.edu/computing/security/swat/SWAT_Top_Ten_A6.php |archive-date=24 February 2018 |access-date=10 December 2016 |website=Penn Computing |publisher=University of Pennsylvania}}</ref> [[Static analysis tool|static analysis]], or dynamic testing methods such as [[fuzzer|fuzzing]].<ref name=OWASP10_A1>{{cite web|title=OWASP Top 10 2013 A1: Injection Flaws|url=https://www.owasp.org/index.php/Top_10_2013-A1-Injection|publisher=OWASP|access-date=19 December 2013|archive-date=28 January 2016|archive-url=https://web.archive.org/web/20160128030657/https://www.owasp.org/index.php/Top_10_2013-A1-Injection|url-status=live}}</ref> There are numerous types of code injection vulnerabilities, but most are errors in interpretation: they treat benign user input as code or fail to distinguish input from system commands. Interpretation errors also exist outside of computer science, as in the comedy routine ''"[[Who's on First?]]"''.

Code injection can be used maliciously for many purposes, including:
* Arbitrarily modifying values in a [[database]] through [[SQL injection]]; the impact of this can range from [[website defacement]] to serious compromise of [[sensitive data]]. For more information, see [[Arbitrary code execution]].
* Installing [[malware]] or executing malevolent code on a server by injecting server scripting code (such as [[PHP]]).
* [[Privilege escalation]], either to [[superuser]] permissions on [[UNIX]] by exploiting shell injection vulnerabilities in a binary file, or to [[Superuser|Local System]] privileges on [[Microsoft Windows]] by exploiting a service within Windows.
* Attacking web users with HyperText Markup Language ([[HTML]]) or Cross-Site Scripting ([[Cross-site scripting|XSS]]) injection.

Code injections that target the [[Internet of Things]] could also lead to severe consequences such as [[data breaches]] and service disruption.<ref>{{Cite journal |last1=Noman |first1=Haitham Ameen |last2=Abu-Sharkh |first2=Osama M. F. |date=January 2023 |title=Code Injection Attacks in Wireless-Based Internet of Things (IoT): A Comprehensive Review and Practical Implementations |journal=Sensors |language=en |volume=23 |issue=13 |page=6067 |doi=10.3390/s23136067 |pmid=37447915 |pmc=10346793 |bibcode=2023Senso..23.6067N |issn=1424-8220 |doi-access=free }}</ref>

Code injection can occur in any type of program running with an [[Interpreter (computing)|interpreter]]. Exploiting such flaws is often trivial, which is one of the primary reasons why server software is kept isolated from users. One way to see code injection first-hand is to use your [https://developer.mozilla.org/en-US/docs/Learn/Common_questions/Tools_and_setup/What_are_browser_developer_tools browser's developer tools].

Code injection vulnerabilities are recorded by the National Institute of Standards and Technology ([[National Institute of Standards and Technology|NIST]]) in the National Vulnerability Database ([[National Vulnerability Database|NVD]]) as [[Common Weakness Enumeration|CWE-94]]. Code injection peaked in 2008 at 5.66% as a percentage of all recorded vulnerabilities.<ref>{{Cite web|url=http://web.nvd.nist.gov/view/vuln/statistics|title=NVD - Statistics Search|website=web.nvd.nist.gov|access-date=2016-12-09|archive-date=15 December 2023|archive-url=https://web.archive.org/web/20231215120148/https://web.nvd.nist.gov/view/vuln/statistics|url-status=live}}</ref>
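As an added illustration (not part of the article), the interpretation error described above is shown below in Python with SQLite: the same user lookup written once by concatenating input into the query text and once as a parameterized query, run against benign and against hostile input. The table, the names and the hostile string are constructed for the demonstration.

```python
import sqlite3


def make_db():
    # Constructed sample data: a tiny in-memory user table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def lookup_vulnerable(conn, name):
    # The interpretation error: the input becomes part of the SQL text,
    # so the interpreter cannot tell data from commands.
    query = "SELECT name FROM users WHERE name = '" + name + "'"
    return sorted(row[0] for row in conn.execute(query))


def lookup_safe(conn, name):
    # Parameterized query: the value is passed separately from the SQL
    # text and is never parsed as SQL, whatever characters it contains.
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return sorted(row[0] for row in rows)


# Constructed hostile input that closes the quoted string and appends a
# condition that is always true when read as SQL.
HOSTILE = "x' OR '1'='1"


def demo():
    conn = make_db()
    return {
        "benign_vulnerable": lookup_vulnerable(conn, "alice"),
        "benign_safe": lookup_safe(conn, "alice"),
        "hostile_vulnerable": lookup_vulnerable(conn, HOSTILE),
        "hostile_safe": lookup_safe(conn, HOSTILE),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```

With the concatenated query the hostile input returns every row, because the condition it appends is evaluated as SQL; with the parameterized query it matches no row, because it is compared as a plain string.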