Code injection is an attack that introduces malicious code into a vulnerable application to compromise the security of that application. This is made possible by weak or completely absent input processing routines in the app. Injection attacks enable you to compromise an app in many ways, including:
- Causing a denial of service (DoS) of the app.
- Escalating access privileges in the app.
- Exposing and exfiltrating sensitive data in databases such as user credentials and PII.
- Installing malicious software on the server hosting the app.
- Defacing a website.
The mechanisms and outcomes of a code injection attack will depend on the language that your malicious code is written in. Since, in a code injection attack, you're not introducing new runtime environments for the server to execute, you'll be restricted to whatever languages the underlying web app technology supports. In other words, you are adding to the app's execution, not creating new execution.
A similar concept is command injection, in which you supply malicious input to the web server, which then passes this input to a system shell for execution. In this sense, command injection does create new instances of execution and can therefore leverage languages that the web app does not directly support (e.g., Bash scripting).
In the following example, a PHP module named delete_file.php takes user-supplied input and passes it to a Linux system shell to delete whatever file was specified in the input:
<?php $file = $_GET['file_name']; /* unvalidated user input */ system("rm $file"); ?>
By submitting the following request, you can successfully enumerate the system's user accounts:
http://site.example/delete_file.php?file_name=test.txt;cat%20/etc/passwd
This works because the semicolon terminates the rm command in the system shell, and the shell then executes whatever follows it as a second command. Note that %20 is the URL-encoded version of a space, as URLs cannot contain literal spaces.
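The following is an added example, not code from the page or from any real delete_file.php module. It places the vulnerable pattern beside a hardened version that never hands user input to a shell: the filename must match a strict allowlist, the resolved path must stay inside a fixed upload directory (the directory /var/www/uploads and the helper names are assumptions made for this example), and the deletion uses PHP's unlink() instead of a shell command. The demo at the end runs the allowlist check against constructed inputs, including the payload shown above.

```php
<?php
// Added example (not the page's own code). Assumes user files live in the
// hypothetical directory /var/www/uploads.
declare(strict_types=1);

const UPLOAD_DIR = '/var/www/uploads'; // assumed location of user files

// Vulnerable pattern from the page: the filename is interpolated into a shell
// command line, so "test.txt;cat /etc/passwd" runs a second command.
function delete_file_vulnerable(string $file): void
{
    system("rm $file");
}

// Allowlist check: only letters, digits, dot, dash and underscore, at most
// 64 characters, and not the special names "." or "..". A semicolon, space,
// slash, pipe or NUL byte can never pass this check.
function is_safe_file_name(string $file): bool
{
    return (bool) preg_match('/\A[A-Za-z0-9._-]{1,64}\z/', $file)
        && $file !== '.' && $file !== '..';
}

// Hardened version: validate the name, confine the resolved path to
// UPLOAD_DIR, and delete through the filesystem API so no shell is involved.
// Throws on rejected input rather than silently doing nothing.
function delete_file_hardened(string $file): bool
{
    if (!is_safe_file_name($file)) {
        throw new InvalidArgumentException('invalid file name');
    }

    // realpath() resolves symlinks; the prefix comparison rejects anything
    // that resolved to a location outside the upload directory.
    $base   = realpath(UPLOAD_DIR);
    $target = realpath(UPLOAD_DIR . DIRECTORY_SEPARATOR . $file);
    if ($base === false || $target === false
        || strncmp($target, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        throw new InvalidArgumentException('file not found in upload directory');
    }

    return unlink($target);
}

// Demo with constructed inputs, including the page's injection payload.
$samples = [
    'test.txt',                   // legitimate request
    'test.txt;cat /etc/passwd',   // the command injection payload from the page
    '../etc/passwd',              // path traversal attempt
    'a b.txt',                    // space: would split into two shell arguments
];
foreach ($samples as $name) {
    printf("%-28s %s\n", $name, is_safe_file_name($name) ? 'accepted' : 'rejected');
}
```

Running this with the PHP CLI prints "accepted" only for test.txt and "rejected" for the other three. The design point is that escaping the input for the shell (for example with escapeshellarg()) is a weaker second choice: removing the shell from the call path altogether eliminates the injection class, and the allowlist plus directory confinement independently stop traversal even if the deletion API later changes.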