Code injection (timing attack)

High Web Application Scanning Plugin ID 98122



A modern web application relies on several different programming languages.
These languages fall into two flavours: client-side languages, which run in the browser (such as JavaScript), and server-side languages, which are executed by the server (such as ASP, PHP and JSP) to form the dynamic pages (client-side code) that are then sent to the client.
Because all server-side code should be executed by the server, it should only ever come from a trusted source.
Code injection occurs when the server takes untrusted code (i.e. from the client) and executes it.
Cyber-criminals will abuse this weakness to execute arbitrary code on the server, which could result in complete server compromise.
By injecting server-side code that is known to take a specific amount of time to execute, the scanner was able to detect time-based code injection. This indicates that proper input sanitisation is not occurring.


It is recommended that untrusted input is never processed as server-side code.
To validate input, the application should ensure that the supplied value contains only the data that are required to perform the relevant action.
For example, where a username is required, no non-alpha characters should be accepted.
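
The remediation above, as an added example that is not part of the original plugin text: a Python request handler showing the vulnerable eval pattern beside an allow-list username check and a fixed dispatch table. All function names, the parameter layout and the 32-character username limit are assumptions made for illustration.

```python
import operator
import re

# Allow-list for the page's username example: alphabetic characters only.
# The 32-character limit is an assumption made for this example.
USERNAME_RE = re.compile(r"[A-Za-z]{1,32}")

# Fixed dispatch table: the client picks an operation by name and never
# supplies code of its own.
OPERATIONS = {"add": operator.add, "sub": operator.sub, "mul": operator.mul}


def calculate_unsafe(expr):
    """Vulnerable pattern: client-supplied text is run as server-side code."""
    return eval(expr)  # whatever the interpreter accepts is executed here


def validate_username(value):
    """Return the value unchanged if it is purely alphabetic, else raise."""
    if not isinstance(value, str) or USERNAME_RE.fullmatch(value) is None:
        raise ValueError("username must be 1-32 alphabetic characters")
    return value


def handle_request(params):
    """Hardened handler: validate each field, then dispatch on a fixed table."""
    try:
        user = validate_username(params.get("username"))
        func = OPERATIONS[params.get("op")]
        # int() parses the operands as data; it never evaluates expressions.
        result = func(int(params.get("a")), int(params.get("b")))
    except (KeyError, TypeError, ValueError):
        return 400, "invalid input"
    return 200, f"{user}: {result}"


if __name__ == "__main__":
    # Constructed sample requests.
    print(calculate_unsafe("6*7"))  # input treated as code
    print(handle_request({"username": "alice", "op": "mul", "a": "6", "b": "7"}))
    print(handle_request({"username": "alice", "op": "mul", "a": "6*7", "b": "1"}))
```

The hardened handler rejects the same expression string that the unsafe function evaluates, because operands are parsed as integers and the operation is looked up rather than executed.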

Plugin Details

Severity: High

ID: 98122

File Name: was_code_injection_timing.nasl

Type: remote

Published: 2017/03/31

Modified: 2017/10/16

Risk Information

Risk Factor: High

Reference Information

CWE: 94

WASC: OS Commanding

OWASP: 2017-A1, 2013-A1