Is code injection possible in Java?

c0d3x picture c0d3x · Dec 10, 2009 · Viewed 24.6k times · Source

nowadays you can read much about code injection, exploits, buffer-, stack- and heap-overflows etc. leading to inject and run code. I wonder what of this stuff is relevant for Java.

I know, there are no pointers in the Java language. But doesn't the JVM organize data in heaps and / or stacks? I know there is no eval function (like in PHP) so you cant easily use an input as Java-code. I am not so sure whats going on on bytecode level.

I think XSS is possible, for example in an Java EE application, when no inputs are filtered. But isn't this more a JavaScript injection, because the injected code runs in the browser and not in the JVM?

So which code injections are possible with java and which are not? And is this true for other Java platform languages, too?

Thanks in advance.

Answer

gha.st picture gha.st · Dec 10, 2009

A java program itself is pretty much not vulnerable to code injection. However, all the native code that supports the app is vulnerable to all the different kinds of code injection - this includes the JVM and all native code parts in the app or its libraries.

Also, there are a few more things to consider:

Anything where java is used as a gateway to other systems is possible:

SQL Injection

XSS (which is in the end nothing more than JavaScript Injection)

If the java program is itself a interpreter/compiler of some kind, it might be possible to inject code into your interpreted language/compiled program (this includes using your program as a java compiler...)

And of course if you can get the java program to write a file to disk that contains code (be it native, java or something else) you might be able to get it executed by other means (which can be a different vulnerability in your app, the os or another app) - this is not direct code injection but quite similar in effect.