CWE-96: Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')
Learn about CWE-96 (Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')), its security impact, exploitation methods, and prevention guidelines.
What is Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')?
• Overview: Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection') occurs when software takes input from an external source and writes it, without adequate neutralization, into a resource that is later parsed and executed by the interpreter, such as a generated PHP configuration file, a library file, or a server-side template. Because the file is executed (included) afterwards, anything the attacker placed in it runs as the application's own code.
• Exploitation Methods:
- Attackers supply input that is written, unescaped or unvalidated, into a file the interpreter will later load; the classic case is breaking out of a quoted string literal in a generated config file (for example with a payload that begins with a closing quote and a statement separator).
- The injected text is not executed at write time but the next time the generated file is parsed (e.g. when config.php is included), so it runs with the application's privileges and can lead to arbitrary code execution or silent manipulation of configuration values.
• Security Impact:
- Direct consequences of successful exploitation include unauthorized code execution, data manipulation, and system compromise.
- Potential cascading effects involve further system breaches, data leaks, and unauthorized access.
- Business impact can be severe, including financial loss, reputational damage, and legal consequences due to data breaches.
• Prevention Guidelines:
- Specific code-level fixes include validating input against an allowlist, keeping untrusted values out of generated source entirely (persist configuration as data in JSON or INI files that are read back with a parser, not included), and, where a source file must be generated, emitting the value as a properly encoded literal (e.g. via var_export() in PHP) rather than by string concatenation. Parameterized queries and prepared statements solve the analogous problem for SQL but do not apply to file generation.
- Security best practices involve employing a least privilege principle, regular code reviews, and maintaining up-to-date security patches.
- Recommended tools and frameworks include static code analysis tools, input validation libraries, and using frameworks that inherently provide security features against such vulnerabilities.
Technical Details
Likelihood of Exploit: Not specified
Affected Languages: PHP, Perl, Interpreted
Affected Technologies: Not specified
Vulnerable Code Example
PHP Example
// This PHP code dynamically generates a configuration file based on user input without proper sanitization
$userInput = $_GET['config']; // User input from a query parameter
// The input is concatenated straight into PHP source and written to a file that will later be included
file_put_contents('config.php', "<?php\n\$config = '$userInput';\n?>");
// A value such as  '; system($_GET['cmd']); //  closes the string literal, so an attacker can inject arbitrary PHP code into 'config.php'
How to fix Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')?
To fix this vulnerability, keep untrusted input out of anything the interpreter will later execute, and validate it strictly before it reaches a file or configuration at all. Specifically:
- Validate Input: Enforce an allowlist of expected values or a strict format (type, length, character set) and reject everything else; this is the primary control.
- Sanitize Input: If a value must be embedded in generated source, encode it for that exact context (for PHP, var_export() or addslashes() inside a single-quoted literal) so that quotes and backslashes cannot terminate the literal. Treat this as defense in depth, not as the sole control.
- Separate Code from Data: Parameterized queries provide this separation for SQL; the equivalent for static code injection is to never generate source from user input at all.
- Avoid Direct File Writes: Store configuration as data in a format such as JSON or INI, and read it back with json_decode() or parse_ini_file(), never by including the file.
- Use a Safe Environment: Use a templating engine with automatic escaping, or a configuration library, rather than hand-building code files with string concatenation.
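The following added example (written for this page, not code from the CWE entry) shows what the vulnerable write above actually produces for a constructed attacker payload, and then the two safe alternatives from the list: storing the value as JSON data, and, if a PHP file is unavoidable, emitting it as a var_export() literal. The payload, file paths and function names are assumptions chosen for illustration.

```php
<?php
// Added example, not from the original page. Constructed attacker input that
// targets the single-quoted literal in the vulnerable generator:
$userInput = "'; system(\$_GET['cmd']); //";

// --- 1. What the vulnerable pattern would write (we only build the string) ---
$vulnerableSource = "<?php\n\$config = '$userInput';\n?>";
// $vulnerableSource is now:
//   <?php
//   $config = ''; system($_GET['cmd']); //';
//   ?>
// The leading quote in the payload closes the literal; the rest is live PHP
// that executes the next time config.php is included.

// --- 2. Fix A: persist configuration as data, never as code ---
function save_config_json(string $path, array $settings): void {
    $json = json_encode($settings, JSON_THROW_ON_ERROR | JSON_PRETTY_PRINT);
    file_put_contents($path, $json, LOCK_EX);
}

function load_config_json(string $path): array {
    // Read back with a parser; the file is never include()d, so its content
    // can only ever be data.
    return json_decode(file_get_contents($path), true, 512, JSON_THROW_ON_ERROR);
}

// --- 3. Fix B: if a PHP file is required, emit a correctly encoded literal ---
function save_config_php(string $path, array $settings): void {
    // var_export() escapes quotes and backslashes for a single-quoted PHP
    // literal, so the payload can no longer terminate the string.
    $literal = var_export($settings, true);
    file_put_contents($path, "<?php\nreturn " . $literal . ";\n", LOCK_EX);
}

// --- Demonstration: both round-trips preserve the payload as inert data ---
$dir = sys_get_temp_dir(); // assumed writable scratch directory

save_config_json("$dir/config.json", ['config' => $userInput]);
if (load_config_json("$dir/config.json")['config'] !== $userInput) {
    throw new RuntimeException('JSON round-trip altered the value');
}

save_config_php("$dir/config.php", ['config' => $userInput]);
$loaded = require "$dir/config.php"; // parses a single array literal, runs no attacker code
if ($loaded['config'] !== $userInput) {
    throw new RuntimeException('var_export round-trip altered the value');
}

echo "payload stored and reloaded as data in both formats\n";
```

Fix A is preferable: a JSON file cannot become code no matter what it contains. Fix B is acceptable only when the loader is a plain `require` of a returned literal; if the generated file is later edited by hand or concatenated with other generated source, the encoding guarantee no longer holds for the whole file.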
Fixed Code Example
// Validate user input against an allowlist before it can reach the configuration file
$userInput = $_GET['config'] ?? ''; // User input from a query parameter (may be absent or an array)
// Define a whitelist of valid configuration options
$validConfigs = ['option1', 'option2', 'option3'];
// Validate the user input against the whitelist; the strict flag rejects non-string and coerced values
if (is_string($userInput) && in_array($userInput, $validConfigs, true)) {
// Write the validated option; addslashes() is defense in depth for the single-quoted literal
file_put_contents('config.php', "<?php\n\$config = '" . addslashes($userInput) . "';\n?>", LOCK_EX);
} else {
// Handle invalid input scenario without touching the configuration file
echo 'Invalid configuration option specified.';
}
Explanation:
- Input Validation and Whitelisting: The user input is checked against a whitelist of acceptable configuration options with a strict comparison, so only the pre-defined values (and only strings, never arrays from a crafted query) are accepted. This is the control that actually prevents the injection.
- Sanitization with addslashes(): Inside a single-quoted PHP literal the only characters that can end the string are the single quote and the backslash; addslashes() escapes both, so even a value that slipped past validation could not terminate the literal. It is specific to this context and is not a general-purpose code-injection filter.
- Error Handling: If the user input does not match any of the allowed options, an error message is returned and the configuration file is left untouched.
By validating against an allowlist first, and by preferring to store configuration as data rather than as generated PHP, the risk of static code injection is significantly reduced.