Code Injection (Timing Attack)

Description

A modern web application will be reliant on several different programming languages. These languages fall into two categories: client-side languages (those that run in the browser, such as JavaScript) and server-side languages (those executed by the server, such as ASP, PHP, JSP, etc.), which form the dynamic pages (client-side code) that are then sent to the client. Because all server-side code should be executed by the server, it should only ever come from a trusted source. Code injection occurs when the server takes untrusted code (i.e. from the client) and executes it. Cyber-criminals will abuse this weakness to execute arbitrary code on the server, which could result in complete server compromise. By injecting server-side code that is known to take a specific amount of time to execute, the scanner was able to detect time-based code injection. This indicates that proper input sanitisation is not occurring.
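The following added example (not Tenable's code and not taken from the scanned application) shows the weakness beside a hardened form, with a timing check a developer could use to confirm the fix. The handler names, the calculator scenario and the probe string are assumptions made for illustration.

```python
import ast
import operator
import time

# Hypothetical handlers for a "calculator" request parameter (names assumed).
_OPS = {ast.Add: operator.add, ast.Sub: operator.sub,
        ast.Mult: operator.mul, ast.Div: operator.truediv,
        ast.USub: operator.neg}

def calc_vulnerable(expr: str):
    """'Before' form: executes whatever the client sent as server-side code."""
    return eval(expr)  # deliberately vulnerable

def calc_hardened(expr: str):
    """Parse the input as data and evaluate only allow-listed arithmetic."""
    def walk(node):
        # Plain numbers only; bool and str constants are rejected.
        if isinstance(node, ast.Constant) and type(node.value) in (int, float):
            return node.value
        if isinstance(node, ast.BinOp) and type(node.op) in _OPS:
            return _OPS[type(node.op)](walk(node.left), walk(node.right))
        if isinstance(node, ast.UnaryOp) and type(node.op) in _OPS:
            return _OPS[type(node.op)](walk(node.operand))
        # Calls, names, attributes, etc. never reach an interpreter.
        raise ValueError("rejected: not plain arithmetic")
    try:
        tree = ast.parse(expr, mode="eval")
    except SyntaxError as exc:
        raise ValueError("rejected: not an expression") from exc
    return walk(tree.body)

def elapsed(handler, expr: str) -> float:
    """Time one call; a rejected input counts as handled."""
    start = time.monotonic()
    try:
        handler(expr)
    except ValueError:
        pass
    return time.monotonic() - start

# Constructed probe: an expression whose only effect is a fixed delay.
DELAY = 0.3
PROBE = f"__import__('time').sleep({DELAY})"

if __name__ == "__main__":
    print("vulnerable:", round(elapsed(calc_vulnerable, PROBE), 2), "s")
    print("hardened:  ", round(elapsed(calc_hardened, PROBE), 2), "s")
    print("hardened 2*(3+4) =", calc_hardened("2*(3+4)"))
```

The vulnerable handler's response time tracks the delay in the input, which is the signal a time-based check relies on; the hardened handler rejects the same input without executing it.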

Products, Sensors, and Dependencies

Product: Tenable Web App Scanning

Dependencies:

Data source: Web Applications

Access required: Authenticated Scan

Protocol: HTTP/HTTPS

Data Collected: Code Injection

Notes: Plugin IDs: 98122

Attack Path Technique Details

Framework: OWASP

Family: Injection

Technique: Code Injection

Sub-Technique: Timing Attack

Platform: Web Application

Products Required: Tenable Web App Scanning

Tenable Release Date: 2022 Q2