tags:

views:

632

answers:

7
+5  Q: 

Is code injection possible in Java?

Hi,

nowadays you can read much about code injection, exploits, buffer-, stack- and heap-overflows etc. leading to inject and run code. I wonder what of this stuff is relevant for Java.

I know, there are no pointers in the Java language. But doesn't the JVM organize data in heaps and / or stacks? I know there is no eval function (like in PHP) so you cant easily use an input as Java-code. I am not so sure whats going on on bytecode level.

I think XSS is possible, for example in an JEE application, when no inputs are filtered. But isn't this more a JavaScript injection, because the injected code runs in the browser and not in the JVM?

So which code injections are possible with java and which are not? And is this true for other Java platform languages, too?

Thanks in advance.

+4  A: 

If the server application creates bytecode at runtime (for example with BCEL or Javassist), and if this creation can be influenced by user input, then a code injection is possible.

However, if you application uses no magic (which should be 99% of all applications), it will not be possible.

Adrian  2009-12-10 13:30:15
A: 

You can't inject Java. But if you are not careful, people could inject Javascript (i.e. XSS as you mention) or SQL. There are heaps and stacks, but no way to get to them.

rjmunro  2009-12-10 13:30:24
+3  A: 

You could write a web service that accepted a Java code snippet, wrapped it in a class/method declaration, saved it to disk, ran the compiler on it and then dynamically loaded and executed the result. So code injection is certainly possible.

But with typical Java implementations, it's perhaps not very efficient because of the relatively heavyweight compilation process (it might still be practical for some apps though).

Code injection is highly relevant with SQL because the "first guess" of many beginners is to use string concatenation to insert variables into a statement. But it rarely crops up as an idea amongst Java programmers. So that's the reason it isn't much of a concern.

If Java compilers become exposed as light-weight library services, then you'd have something much closer to the equivalent of eval and therefore it might start to become a relevant concern.

Daniel Earwicker  2009-12-10 13:33:15
The remark about efficiency does not seem terribly relevant in this context, code injection does not necessarily need to be efficient. Most exploits do not require high performance... . The point is that not many apps do the "accept code, compile it, run it" thing, but those that do would be vulnerable.
sleske  2009-12-10 15:37:09
"If Java compilers become exposed as light-weight library services": well, they are already (check out javax.tools.JavaCompiler, http://java.sun.com/javase/6/docs/api/javax/tools/JavaCompiler.html). But again, for code injection to work, the app under attack needs to *use* JavaCompiler, which most fortunately don't.
sleske  2009-12-10 15:41:19
-1 because the discussion of vulnerabilities is rather confused...
sleske  2009-12-10 15:42:12
@sleske - In the third paragraph I say "But it rarely crops up as an idea amongst Java programmers. So that's the reason it isn't much of a concern." So I already make the point you make in two of your comments. And in your comment about performance being irrelevant, I think you're confused about the problem - apps don't pass inputs to an interpreter/compiler in order to enable exploits. They do it typically to inject values via string concatenation. And they will very likely have limits on how slow or heavyweight this can be before they consider a simpler solution.
Daniel Earwicker  2009-12-10 16:53:42
+10  A: 

A java program itself is pretty much not vulnerable to code injection. However, all the native code that supports the app is vulnerable to all the different kinds of code injection - this includes the JVM and all native code parts in the app or its libraries.

Also, there are a few more things to consider:

Anything where java is used as a gateway to other systems is possible:

SQL Injection

XSS (which is in the end nothing more than JavaScript Injection)

If the java program is itself a interpreter/compiler of some kind, it might be possible to inject code into your interpreted language/compiled program (this includes using your program as a java compiler...)

And of course if you can get the java program to write a file to disk that contains code (be it native, java or something else) you might be able to get it executed by other means (which can be a different vulnerability in your app, the os or another app) - this is not direct code injection but quite similar in effect.

dionadar  2009-12-10 13:33:55
A: 

You can't inject java, but all web applications are vulnerable to XSS if the input is not properly filtered. Also any application that interacts with a sql database can be vulnerable to SQL injection. To avoid this you will want to look into Parameterized Queries.

Jon  2009-12-10 13:34:22
IMHO if you are not using Parameterized queries, you are doing it wrong. It should be really obvious that writing any kind of command by adding strings together is a really stupid idea.
rjmunro  2009-12-10 15:28:20
Stored procedures don't necessarily help agains SQL injection. Sprocs can also do string concatenation to create queries...
sleske  2009-12-10 15:44:10
Good Points, I always write SPs parameterized anyways, I'll update my answer
Jon  2009-12-11 14:53:46
+1  A: 

Unless you are doing weird things on the server (like dynamically generating code, etc), it is impossible to bo vunerable for code injection.

Although I can think of an (ugly) situation where the application dynamically creates a JSP based on user input. That JSP will be translated to Java code, which is being compiled to byte-code by the web container, and then executed. This could introduce an injection point. But generating JSP's dynamically normally doesn't make any sense.

AJK  2009-12-10 13:35:24
+2  A: 

If it was possible, Java would already have been dead for long.

On the other hand, SQL injections are very easy to avoid by using PreparedStatement to store user-controlled input and XSS is also very easy to avoid by using <c:out/> for (re)displaying user-controlled input at the webpage.

BalusC  2009-12-10 13:39:26

related questions

Java Time Zone is messed up
Eclipse on win64
Automate builds for Java RCP for deployment with JNLP
Why are professors or schools picking Java over C++ to teach to students?
Is there a real benefit of using J#?
Public/Popular Websites using JavaServer Faces
Why can't I use a try block around my super() call?
Accessing post variables using Java Servlets
Personal Linux web server
Is this really widening vs autoboxing?
How can I Java webstart multiple, dependent, native libraries?
Why can't I call toString() on a Java primitive?
How do I use Java to read from a file that is actively being written?
What code analysis tools do you use for your Java projects?
IllegalArgumentException or NullPointerException for a null parameter?
How do I configure and communicate with a serial port?
What is the best way to parse strings in Java
Getting started with a custom JXTA PeerGroup
Creating a custom button in Java
How to get started "writing" a code coverage tool?
Which Build-/Configuration Management Tool?
What is the difference between an int and an Integer in Java/C#?
What is the meaning of the type safety warning in certain Java generics casts?
How would you access Object properties from within an object method?
Converting CSV File to XML in Java