I am wondering if it is possible to make a code injection in compiled or interpreted languages? Is there any kind of attack vector in this area?
Whit "code injection" I mean providing a code snippet as input that will be executed alongside with the program code, similar to SQL injection.
Yes, this is a real thing. But just like with SQLi you can not just exploit any program, but a poorly written one with insufficient input sanitation could be vulnerable.
Lets look at interpreted languages first. For code injection to be possible here you need to have something that takes code in a string and executes it.
In JavaScript you have the eval() function that does that. So if you do eval(untrustedData) you have yourself a vulnerability. For this reason eval() is considered "evil" and you often here the recommendation to not use it at all. There are also more sublte cases that allows execution of code from a string, like new Function() and setInterval().
In PHP you also have an eval() function, deemed so dangerous that the manual includes a warning:
Caution: The
eval()language construct is very dangerous because it allows execution of arbitrary PHP code. Its use thus is discouraged. If you have carefully verified that there is no other option than to use this construct, pay special attention not to pass any user provided data into it without properly validating it beforehand.
So how about compiled languages? They are less vulnerable because they don't have functions that executes arbitrary code, since that code would have to be compiled first. Off course you could write a program that generates source code (from untrusted data), compiles it, and runs it. But that would be a rather odd things to do.
You could argue, as iain does, that exploiting buffer overflows is a form of code injection, since you are injecting machine code into the program. I guess it comes down to semantics if you count that or not.
There is another example of a very sophisticated and extremely subtle type of code injection: The vast area of Java Deserialization Vulnerabilities. Whenever you deserialize untrusted serialized Java Objects in your code you risk to execute code of an attacker's chosing. Many J2EE engines are vulnerable. If you cannot shut down the service that accepts serialized objects as input it might be very hard to fix the vulnerability.
Some links:
Buffer overflows could be considered to be an attack vector in this area, they can lead to arbitrary code execution. See this post on Stack Overflow : Buffer overflows
Code injection is basically a problem of input filtering. If you do execute code based on a source that is user dependent and don't test for input validity, you are vulnerable to code injection, no matter hat kind of language you are using.
A CWE-95 is a CWE-94 is a CWE-74 is a CWE-707; ultimately:
"CWE-707: Improper Neutralization"
https://cwe.mitre.org/data/definitions/707.html
https://en.wikipedia.org/wiki/Eval#Security_risks , #Programming_languages
eval()function. So unless you count buffer overflows they are not vulnerable to code injection. – Anders Dec 16 '16 at 11:36evalas a language feature, but may have scripting-like code in standard/common libraries. The most common one for Java will be JSP injection. There's also deserialisation exploits which works similarly. – billc.cn Dec 19 '16 at 17:10