Is code injection possible in Java?

Question

nowadays you can read much about code injection, exploits, buffer-, stack- and heap-overflows etc. leading to inject and run code. I wonder what of this stuff is relevant for Ja

Answer 1

A java program itself is pretty much not vulnerable to code injection. However, all the native code that supports the app is vulnerable to all the different kinds of code injection - this includes the JVM and all native code parts in the app or its libraries.

Also, there are a few more things to consider:

Anything where java is used as a gateway to other systems is possible:

SQL Injection

XSS (which is in the end nothing more than JavaScript Injection)

If the java program is itself a interpreter/compiler of some kind, it might be possible to inject code into your interpreted language/compiled program (this includes using your program as a java compiler...)

And of course if you can get the java program to write a file to disk that contains code (be it native, java or something else) you might be able to get it executed by other means (which can be a different vulnerability in your app, the os or another app) - this is not direct code injection but quite similar in effect.

Answer 2

If the server application creates bytecode at runtime (for example with BCEL or Javassist), and if this creation can be influenced by user input, then a code injection is possible.

However, if you application uses no magic (which should be 99% of all applications), it will not be possible.

Answer 3

There are a couple ways in which Java code could be injected into an application such as using the scripting API or dynamic JSP includes.

The code below allows a user to inject arbitrary Javascript into Java's script engine.

import javax.script.*;

public class Example1 {
    public static void main(String[] args) {
        try {
            ScriptEngineManager manager = new ScriptEngineManager();
            ScriptEngine engine = manager.getEngineByName("JavaScript");
            System.out.println(args[0]);
            engine.eval("print('"+ args[0] + "')");
        } catch(Exception e) {
            e.printStackTrace();
        }
    }
}

In this case, the attacker decides to inject code that creates a file on the file system.

hallo'); var fImport = new JavaImporter(java.io.File); with(fImport) { var f = new File('new'); f.createNewFile(); } //

check owasp website for more examples

Answer 4

If it was possible, Java would already have been dead for long.

On the other hand, SQL injections are very easy to avoid by using PreparedStatement to store user-controlled input and XSS is also very easy to avoid by using <c:out/> for (re)displaying user-controlled input at the webpage.

Answer 5

Unless you are doing weird things on the server (like dynamically generating code, etc), it is impossible to bo vunerable for code injection.

Although I can think of an (ugly) situation where the application dynamically creates a JSP based on user input. That JSP will be translated to Java code, which is being compiled to byte-code by the web container, and then executed. This could introduce an injection point. But generating JSP's dynamically normally doesn't make any sense.

Answer 6

You can't inject java, but all web applications are vulnerable to XSS if the input is not properly filtered. Also any application that interacts with a sql database can be vulnerable to SQL injection. To avoid this you will want to look into Parameterized Queries.