Code Injection Flashcards
(8 cards)
Code Injection and Execution
Code Injection: Malicious code is inserted into an application and then run or interpreted.
These attacks fall under code injection or arbitrary code execution categories.
For code injection attacks to succeed, the injected code must be executed.
SQL injection
In the SQL injection example, sanitising $name means:
Removing or escaping special characters like ' or ; that can break the query.
Ensuring user input can't change the structure of the SQL command.
This can cause:
Confidentiality Loss:
Sensitive information is exposed to unauthorized users.
Private data (like passwords, personal info) gets leaked or stolen.
Availability Loss:
Authorized users cannot access data or services when needed.
Systems or data become unavailable, disrupting business or user activity.
Integrity Loss:
Data is altered or tampered with without authorization.
Data becomes unreliable or corrupted, leading to wrong decisions or system errors.
Mitigation – Prepared/Parametrised Statements
Never trust user input — always assume it might be malicious.
Use prepared statements to keep SQL logic separate from user data.
Prepared statements work by:
Defining the query with placeholders for data.
Supplying the data separately.
Don’t embed user data directly into SQL queries.
APIs for prepared statements vary depending on the database or programming language.
Persistent XSS
The attacker submits malicious code to a website.
The website saves this code (e.g., in a post or message).
When other users visit or view that content, the malicious code runs in their browsers.
Example: Posting a harmful script in a tweet or Facebook message that affects anyone who reads it.
Attack vectors
An attacker can inject malicious JavaScript into a webpage's HTML attributes like onmouseover to execute harmful actions when users interact with the element.
An attacker can inject an <img></img> tag with a fake src and a malicious onerror event to run harmful JavaScript when the image fails to load.
An attacker can hide javascript: in an image's src using HTML entity encoding to trick the browser into running malicious JavaScript code.
An attacker can inject malicious JavaScript into a CSS background property to execute code when the CSS is loaded.
Reflected XSS
User clicks a malicious link with the attack encoded into it, which injects the attack into the visited website.
DOM XSS
A type of XSS where the malicious payload is executed entirely on the client side by manipulating the DOM (Document Object Model) without involving the server.
OS Command Injection
Shell Injection
Executing Commands:
Applications sometimes run shell commands (e.g., using ffmpeg for media processing).
Remote Code Execution (RCE):
Attackers can inject malicious commands via user input, using command separators like &, &&, |, ||, ;, or newline \n to chain or separate commands.
Exfiltrating System Information:
Attackers can steal info from the system by sending it to external sites, or use tools like ping or nslookup to leak data.
Mitigation:
Avoid using raw user input in shell commands.
Restrict user input to safe values only (e.g., numeric input) that can't inject commands.