Code Injection is a common vulnerability that occurs when an attacker is able to inject malicious snippets of code into the victim’s web application.
Exploiting this vulnerability could have catastrophic consequences for your website or application, as the attacker can gain complete control.
Let’s take a look at how code injection works and what you, as a security-minded developer, can do to prevent it.
Developer tools might sound like a completely safe environment: all changes are made locally, with no direct threat to your website. However, this is a dangerous assumption. Although an attacker can’t cause direct harm by using developer tools, they can test and debug your website endlessly without you ever knowing about it.
Using Event Listeners
For example, let’s look at this simple situation:
<!-- A button whose click handler is attached inline; the handler's source is visible in the browser's developer tools -->
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<input type="button" value="Click me" onclick="randomScript()">
The randomScript() function could contain a line of code something like:
All an attacker has to do after opening the website is right-click the button and choose Inspect. The “Event Listeners” tab then shows them the code of the randomScript() function.
Even though this example is harmless in itself, it shows how much insight an attacker can gain by debugging your website. The next example shows the real impact that code injection can have on your website.
Code Injection in User-submitted content
So, instead of writing a regular comment, a user might submit “Comment on a forum <script>alert("Hacked Website");</script>”.
In the case of an unprotected website, this snippet of code would be stored in the database and then displayed to every other user who opens the page. This directly affects all visitors and is a good example of a simple vulnerability that results in serious harm. In this specific example, an attacker could even place their own affiliate ads on your website and earn additional income from it.
Unlike whitelisting, input validation is much more flexible in what it allows the end user to submit. It lets you reject a specific set of characters that you consider a code-injection risk. It is a more demanding way of safeguarding your web apps than whitelisting, but it is the mandatory one, because often you will have no other option.
A web application firewall (WAF) is one of the best tools to deploy if you want to protect your web applications. It blocks malicious requests and helps ensure that no sensitive data leaks out to the end user. Make a habit of setting up a WAF; it could save you a lot of headaches in the future.
However, if you want to be 100% sure, you might as well create a free Bright account and test your applications free of charge, starting today!
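The forum comment from the example above, rendered first the way an unprotected site does it and then with output encoding, together with the character check described in the input-validation paragraph. This is an added example, not code from the article; the function names and the comment template are assumed.

```javascript
// Constructed sample: the comment used in the article's forum example.
const SAMPLE_COMMENT = 'Comment on a forum <script>alert("Hacked Website");</script>';

// Vulnerable: user text is concatenated straight into the page markup, so the
// <script> tag is stored as-is and later executed in every visitor's browser.
function renderCommentUnsafe(comment) {
  return '<li class="comment">' + comment + '</li>';
}

// Hardened: encode the five characters that can change HTML structure, so the
// browser displays the comment as text instead of parsing it as markup.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

function renderCommentSafe(comment) {
  return '<li class="comment">' + escapeHtml(comment) + '</li>';
}

// Input-side check from the input-validation paragraph: reject comments that
// contain characters able to open or close a tag. Because this is a blocklist,
// it complements output encoding rather than replacing it.
const FORBIDDEN_CHARS = /[<>]/;
function isCommentAllowed(comment) {
  return !FORBIDDEN_CHARS.test(comment);
}

// Review helper: does rendered HTML still contain a live <script> element?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

console.log(renderCommentUnsafe(SAMPLE_COMMENT)); // script tag survives
console.log(renderCommentSafe(SAMPLE_COMMENT));   // rendered as harmless text
console.log(isCommentAllowed(SAMPLE_COMMENT));    // false
```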