Code Injection
From OWASP
Description
This article should cover attacks based on injecting code into a running application.
Examples
If server-side scripting is enabled on a page where users can insert data (such as a guestbook), an SSI attack is possible.
For example:
<!--#exec cmd="ls" -->
lists all the files in the current directory if the server is on a UNIX/Linux machine.
On a Windows platform: <!--#exec cmd="dir"-->
This can also be used for destructive purposes, because the commands are executed with root/admin privileges.
For example: <!--#exec cmd="format c:"-->
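A defensive counterpart to the guestbook case above, as an added example that is not part of the original OWASP page: it flags SSI directives in submitted entries and HTML-escapes them before they are written into a page the server parses. The function names, the high-risk policy and the sample entries are assumptions made for illustration.

```python
import html
import re

# Matches an SSI directive such as <!--#exec cmd="ls" --> and captures its name and body.
SSI_DIRECTIVE = re.compile(r"<!--#\s*([a-z]+)\b(.*?)-->", re.IGNORECASE | re.DOTALL)
SSI_ATTRIBUTE = re.compile(r'([a-z]+)\s*=\s*"([^"]*)"', re.IGNORECASE)

# Assumed policy for this example: directives that run commands or pull in files.
HIGH_RISK = {"exec", "include"}


def find_ssi_directives(text):
    """Return one finding per SSI directive present in user-supplied text."""
    findings = []
    for match in SSI_DIRECTIVE.finditer(text):
        name = match.group(1).lower()
        attrs = {k.lower(): v for k, v in SSI_ATTRIBUTE.findall(match.group(2))}
        findings.append(
            {"directive": name, "attributes": attrs, "high_risk": name in HIGH_RISK}
        )
    return findings


def render_entry(text):
    """HTML-escape an entry so that '<!--#' never reaches the SSI parser as markup."""
    return html.escape(text, quote=True)


# Constructed guestbook submissions (sample data, not real traffic).
SAMPLE_ENTRIES = [
    "Great site, thanks!",
    'Hello <!--#exec cmd="ls" --> world',
    '<!--#EXEC CMD="dir"-->',
    'Today is <!--#echo var="DATE_LOCAL" -->',
    "<!-- an ordinary HTML comment -->",
]

if __name__ == "__main__":
    for entry in SAMPLE_ENTRIES:
        for finding in find_ssi_directives(entry):
            level = "HIGH" if finding["high_risk"] else "low"
            print(f"[{level}] {finding['directive']} {finding['attributes']}")
        print("stored as:", render_entry(entry))
```

Escaping on output is the control here; the detection function is only for logging and review, since a filter that strips matched directives can be bypassed by input it fails to match.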