Code injection is the exploitation of a computer bug that is caused by processing invalid data. Injection is used by an attacker to introduce (or "inject") code into a vulnerable computer program and change the course of execution. The result of successful code injection is often disastrous (for instance, code injection is used by some computer worms to propagate).

Injection flaws occur when an application sends untrusted data to an interpreter. Injection flaws are very prevalent, particularly in legacy code. They are often found in SQL, LDAP, XPath, or NoSQL queries; OS commands; XML parsers, SMTP headers, program arguments, etc. Injection flaws are easy to discover when examining code, but frequently hard to discover via testing. Scanners and fuzzers can help attackers find injection flaws. (Cited site: https://www.owasp.org/index.php/Top_10_2013-A1-Injection) Injection can result in data loss or corruption, lack of accountability, or denial of access. Injection can sometimes lead to complete host takeover.

Certain types of code injection are errors in interpretation, giving special meaning to mere user input. Similar interpretation errors exist outside the world of computer science, such as the comedy routine ''Who's on First?''. In the routine, there is a failure to distinguish proper names from regular words. Likewise, in some types of code injection, there is a failure to distinguish user input from system commands.

Code injection techniques are popular in system hacking or cracking to gain information, privilege escalation or unauthorized access to a system. Code injection can be used malevolently for many purposes, including:

* Arbitrarily modifying values in a database through a type of code injection called SQL injection. The impact of this can range from website defacement to serious compromise of sensitive data.
* Installing malware or executing malevolent code on a server, by injecting server scripting code (such as PHP or ASP).
* Privilege escalation to root permissions by exploiting shell injection vulnerabilities in a setuid root binary on UNIX, or to Local System by exploiting a service on Windows.
* Attacking web users with HTML/script injection (cross-site scripting).

== Benign and unintentional use of code injection ==

Some people may use code injections with good intentions. For example, changing or tweaking the behavior of a program or system through code injection can "trick" the system into behaving in a certain way without any malicious intent. (J Morales, E Kartaltepe, S Xu, R Sandhu, "Symptoms-Based Detection of Bot Processes", Computer Network Security, 2010, Springer) Code injection could, for example:

* Introduce a useful new column that did not appear in the original design of a search results page.
* Offer a new way to filter, order, or group data by using a field not exposed in the default functions of the original design.
* As with programs like Dropbox, add special parts that could be used to connect to online resources in an offline program.

Some users may unsuspectingly perform code injection because input they provide to a program was not considered by those who originally developed the system. For example:

* What the user may consider a valid input may contain token characters or character strings that have been reserved by the developer to have special meaning (perhaps the "&" in "Shannon & Jason", or quotation marks as in "Bub 'Slugger' McCracken").
* The user may submit a malformed file as input that is handled gracefully in one application, but is toxic to the receiving system.

Excerpt source: Wikipedia, the free encyclopedia, article "Code injection".
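As an added illustration (not part of the original article), the code below runs the two names mentioned above through an interpreter input built by string concatenation and through its parameterized or encoded counterpart, showing how a harmless name is misread as syntax. The SQLite table, the `team` field and the choice of a URL query string as the context in which "&" is reserved are assumptions made for the example.

```python
import sqlite3
from urllib.parse import parse_qs, urlencode

# Constructed sample inputs: the two names the text uses as examples.
NAMES = ["Shannon & Jason", "Bub 'Slugger' McCracken"]


def make_db():
    """In-memory table of players (hypothetical schema for this example)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE players (name TEXT)")
    db.executemany("INSERT INTO players VALUES (?)", [(n,) for n in NAMES])
    return db


def lookup_concatenated(db, name):
    """Flawed: the name is pasted into the SQL text, so its quotes become syntax."""
    sql = "SELECT name FROM players WHERE name = '" + name + "'"
    try:
        return [row[0] for row in db.execute(sql)]
    except sqlite3.Error as exc:
        return "error: " + str(exc)


def lookup_parameterized(db, name):
    """Corrected: the name is bound as data and never parsed as SQL."""
    return [row[0] for row in db.execute(
        "SELECT name FROM players WHERE name = ?", (name,))]


def query_concatenated(name):
    """Flawed (assumed URL query-string context): a raw '&' splits the value."""
    return parse_qs("name=" + name + "&team=red", keep_blank_values=True)


def query_encoded(name):
    """Corrected: urlencode escapes '&' so it stays inside the value."""
    return parse_qs(urlencode({"name": name, "team": "red"}))


if __name__ == "__main__":
    db = make_db()
    for n in NAMES:
        print(repr(n))
        print("  SQL concatenated :", lookup_concatenated(db, n))
        print("  SQL parameterized:", lookup_parameterized(db, n))
        print("  URL concatenated :", query_concatenated(n))
        print("  URL encoded      :", query_encoded(n))
```

In both flawed functions the developer's reserved character ends the value early; in both corrected ones the value reaches the interpreter through a channel that is never parsed as syntax.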