Injection & Code Execution

Tags: Injection, Code Injection, Command Execution, RCE

Injection & Code Execution vulnerabilities at a glance

What it is: Vulnerabilities where untrusted user input is interpreted as code or commands, allowing attackers to execute arbitrary queries, system commands, or code in the application context.
Why it happens: Injection vulnerabilities most often occur when user input isn't validated and is concatenated directly into a query, command, template, or other operation that an interpreter will parse.
How to fix: Use parameterized queries and prepared statements. Never concatenate user input into code or commands. Apply input validation with allowlists. Use safe APIs that keep data separate from code.

Overview

Injection vulnerabilities occur when an application sends untrusted data to an interpreter (SQL database, system shell, template engine, etc.) without proper validation or escaping. The interpreter treats the malicious input as part of a command or query, allowing attackers to execute unintended operations.

These vulnerabilities are among the most dangerous because they often provide complete control over the affected system. SQL injection can dump entire databases, command injection can execute system commands, template injection can achieve remote code execution, and other injection variants can compromise application logic, authentication, and data integrity.

sequenceDiagram
    participant Attacker
    participant App as App Server
    participant DB as Database
    Attacker->>App: GET /users?id=1' OR '1'='1
    App->>App: Build SQL: SELECT * FROM users WHERE id='1' OR '1'='1'
    App->>DB: Execute injected query
    DB-->>App: All user records
    App-->>Attacker: 200 OK (all users data)
    Note over App: Missing: Parameterized queries<br/>Missing: Input validation

A potential flow for an Injection & Code Execution exploit
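The flow in the diagram, as an added example that is not part of the original page: a Python `sqlite3` lookup that splices the `id` parameter into its query text, next to the parameterized form and an allowlist check. The `users` table, its three rows, and the function names are constructed for this example.

```python
import sqlite3

# Constructed sample data for this example; not from the original page.
SEED_ROWS = [
    (1, "alice", "alice@example.com"),
    (2, "bob", "bob@example.com"),
    (3, "carol", "carol@example.com"),
]

# The payload from the sequence diagram above.
PAYLOAD = "1' OR '1'='1"


def make_db() -> sqlite3.Connection:
    """Create an in-memory users table holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SEED_ROWS)
    conn.commit()
    return conn


def lookup_user_vulnerable(conn: sqlite3.Connection, user_id: str) -> list:
    """Deliberately vulnerable: the id is spliced into the SQL text, so the
    quote in the payload closes the string literal and the rest becomes SQL:
    WHERE id='1' OR '1'='1'  -> matches every row."""
    sql = "SELECT id, name, email FROM users WHERE id='" + user_id + "'"
    return conn.execute(sql).fetchall()


def lookup_user_safe(conn: sqlite3.Connection, user_id: str) -> list:
    """Hardened: the id is bound as a parameter. The driver passes it to the
    engine as a value, never as SQL text, so the payload matches no row."""
    sql = "SELECT id, name, email FROM users WHERE id=?"
    return conn.execute(sql, (user_id,)).fetchall()


def parse_user_id(raw: str) -> int:
    """Allowlist validation as defence in depth: an id must be ASCII decimal
    digits. Anything else is rejected before it reaches the database."""
    if not (raw.isascii() and raw.isdigit()):
        raise ValueError(f"invalid user id: {raw!r}")
    return int(raw)


def demo() -> dict:
    """Run both lookups against the payload and return the row counts."""
    conn = make_db()
    return {
        "vulnerable_rows": len(lookup_user_vulnerable(conn, PAYLOAD)),
        "safe_rows": len(lookup_user_safe(conn, PAYLOAD)),
        "safe_rows_for_valid_id": len(lookup_user_safe(conn, "1")),
    }


if __name__ == "__main__":
    print(demo())
```

The parameterized form alone already defeats the payload; `parse_user_id` is the allowlist layer the diagram's note calls "input validation", which rejects the request before any query is built.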

Where it occurs

Injection flaws commonly occur when building database queries by string concatenation, executing system commands with user-supplied input, evaluating templates with untrusted data, deserializing user-controlled data, dynamically evaluating code based on user input, and constructing XML, JSON, or other structured data without proper escaping. These issues arise when developers trust user input or fail to use safe APIs that properly separate data from code.

Impact

Injection vulnerabilities can lead to complete data breaches with theft of sensitive information, authentication bypass and unauthorized access, data manipulation or destruction, remote code execution on application servers, lateral movement to internal systems, denial of service through resource exhaustion, and compliance violations with severe penalties.

Prevention

Prevention varies by scenario, but in general: use parameterized queries for database access and never build SQL from strings; run external programs with an argument array rather than through a shell, or replace the shell command with a library call; and validate untrusted input against an allowlist before it reaches any interpreter.
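The command-injection half of that advice, as an added example that is not part of the original page: a Python `subprocess` call that concatenates a hostname into a shell string, beside the argument-array form and an allowlist check. The payload and the hostname pattern are constructed for this example, and `echo` stands in for whatever network utility a real application would run.

```python
import re
import subprocess

# Payload constructed for this example: a valid-looking host followed by a
# shell command separator and a second command.
PAYLOAD = "example.com; echo INJECTED"

# Allowlist for a hostname: labels of letters, digits and hyphens (no leading
# or trailing hyphen), joined by dots. Deliberately strict; nothing a shell or
# an option parser could interpret is accepted.
HOSTNAME_RE = re.compile(
    r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*"
)


def is_valid_hostname(host: str) -> bool:
    """Allowlist check used before the host is passed to any program."""
    return len(host) <= 253 and HOSTNAME_RE.fullmatch(host) is not None


def check_host_vulnerable(host: str) -> str:
    """Deliberately vulnerable: the command string is built by concatenation
    and handed to /bin/sh, which honours ';', '|', '$(...)' and friends."""
    result = subprocess.run("echo checking " + host, shell=True,
                            capture_output=True, text=True)
    return result.stdout


def check_host_argv(host: str) -> str:
    """No shell: the host is a single argv element and reaches the program as
    literal text, so shell metacharacters are never interpreted."""
    result = subprocess.run(["echo", "checking", host],
                            capture_output=True, text=True)
    return result.stdout


def check_host_safe(host: str) -> str:
    """Argument array plus allowlist validation. The allowlist also blocks
    argument injection, e.g. a 'host' of '-c' being parsed as an option."""
    if not is_valid_hostname(host):
        raise ValueError(f"rejected hostname: {host!r}")
    return check_host_argv(host)


if __name__ == "__main__":
    print(repr(check_host_vulnerable(PAYLOAD)))  # second command runs
    print(repr(check_host_argv(PAYLOAD)))        # payload printed literally
    print(check_host_safe("db-01.internal"))
```

The argument array removes the shell from the picture, which is what stops `;` from starting a second command; the allowlist is still needed because the target program has its own parser, and a value such as `-c` can change its behaviour even when no shell is involved.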

Specific Vulnerabilities

Explore specific vulnerability types within this category:

Detect These Vulnerabilities in Your Code

Sourcery automatically identifies injection & code execution and related vulnerabilities in your codebase.
