Server Side Code Injection
ID | server_side_code_injection
Severity | critical
Kind | Code Injection
CWE | 94
Description
Server-side code injection occurs when an application incorporates user-controllable data into a string that is then evaluated by a server-side code interpreter, for example PHP’s eval() or classic ASP’s Execute(). If that input is not strictly validated, an attacker can craft a value that closes the expression the developer intended, appends instructions of their own, and has the server run them with the full capabilities of the language runtime. Any server-side language that can evaluate strings as code is susceptible (Python’s eval()/exec(), Ruby’s and Perl’s eval, JavaScript’s eval()/Function() in Node.js, among others), with PHP and ASP being the most commonly exploited targets.
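The mechanism described above, as an added example that is not code from the original page: a hypothetical pricing endpoint in Python (chosen because its eval() behaves like the PHP and ASP sinks named above and can be run here) splices a user-supplied discount percentage into source text and evaluates it. The function names, the discount feature and the payloads are all constructed for illustration.

```python
"""Added example (not from the original page): a hypothetical pricing feature
that splices a user-supplied discount percentage into Python source and
evaluates it, the Python equivalent of an eval() sink in PHP or ASP.
"""
import os

# Intended input: a number such as "10" (meaning 10 percent off).
INTENDED_PCT = "10"

# Attacker input (constructed for this example). It closes the parenthesis the
# template opened, multiplies the arithmetic by zero so the `or` falls through,
# runs code of the attacker's choosing, and re-opens a parenthesis so the rest
# of the template still parses. The evaluated source becomes:
#   price * (1 - 0) * 0 or __import__('os').getcwd() or (0 / 100)
INJECTED_PCT = "0) * 0 or __import__('os').getcwd() or (0"

# Variant that works even when the developer "sandboxes" eval() by hiding the
# builtins: attribute access on a tuple literal reaches object.__subclasses__()
# without needing __import__ at all.
INJECTED_PCT_NO_BUILTINS = "0) * 0 or ().__class__.__base__.__subclasses__() or (0"


def apply_discount(price: float, pct: str):
    """VULNERABLE: `pct` is user-controlled but becomes part of the code string."""
    expression = f"price * (1 - {pct} / 100)"
    # eval() fills in the real builtins when the globals dict lacks __builtins__.
    return eval(expression, {"price": price})  # noqa: S307 (deliberately unsafe)


def apply_discount_restricted(price: float, pct: str):
    """STILL VULNERABLE: an empty __builtins__ is not a sandbox."""
    expression = f"price * (1 - {pct} / 100)"
    return eval(expression, {"__builtins__": {}, "price": price})  # noqa: S307


def injection_runs_code() -> bool:
    """True if the injected input executed os.getcwd() inside the server process."""
    return apply_discount(100.0, INJECTED_PCT) == os.getcwd()


def restricted_eval_is_bypassed() -> bool:
    """True if the no-builtins variant still returned the list of object subclasses."""
    result = apply_discount_restricted(100.0, INJECTED_PCT_NO_BUILTINS)
    return (isinstance(result, list) and len(result) > 0
            and all(isinstance(cls, type) for cls in result))


if __name__ == "__main__":
    print(apply_discount(100.0, INTENDED_PCT))   # 90.0 (the intended behaviour)
    print(injection_runs_code())                 # True
    print(restricted_eval_is_bypassed())         # True
```

The second payload is the reason the remediation below says to remove eval() rather than wrap it: once attacker-controlled text is parsed as code, the language's own object model provides a path to arbitrary execution even with builtins removed.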
Rationale
Successful exploitation of server-side code injection typically leads to complete compromise of the application’s data and functionality, and often of the underlying server itself. An attacker can read or modify sensitive data, execute operating system commands, install backdoors, or pivot to attack other systems on the internal network. Because the injected code runs with the same privileges as the application, the impact is immediate and severe, making this one of the highest-risk vulnerability classes.
Remediation
Avoid functions that evaluate strings as code, such as PHP’s eval(), create_function() and the string form of assert(), preg_replace() with the deprecated /e modifier, and classic ASP’s Execute()/Eval(). The OS command functions exec(), system(), passthru() and shell_exec() are a closely related sink: they do not evaluate PHP, but injected code routinely calls them, and they cross the same string-to-execution boundary, so treat them the same way. Replace dynamic evaluation with constructs that express the same logic without interpreting input as code: a lookup table or switch that maps an allowlisted key to a fixed function, a purpose-built parser that accepts only the small grammar you actually need, or a configuration format that is parsed rather than executed.
If dynamic evaluation cannot be entirely removed, validate the input against an allowlist of the exact characters, format and value range you expect, and reject anything that does not match. Do not try to strip or escape dangerous patterns: interpreters offer many routes to the same effect (string concatenation, attribute access, alternate encodings), so denylists and "sandboxed" evaluation wrappers are routinely bypassed. Anchor validation regexes to the whole input (in PCRE and Python, $ also matches just before a trailing newline, so prefer \A and \z or \Z), and check numeric ranges after parsing rather than trusting the pattern alone.
Run the application under a dedicated, low-privilege account with access only to the files, network destinations and database permissions it needs, so that a successful injection cannot trivially become a full host compromise. Where the runtime supports it, disable dangerous functions in the server configuration (PHP’s disable_functions directive in php.ini, for example), keeping in mind that this narrows the attacker’s options rather than removing the vulnerability.
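The two code-level remediations above (replace the interpreter with ordinary logic; if an expression language is unavoidable, parse it against an allowlist and reject everything else), as an added example that is not code from the original page. It is the hardened form of a hypothetical discount feature; the function names are illustrative and only the Python standard library is used.

```python
"""Added example (not from the original page): two ways to replace an eval()
sink in a hypothetical discount feature without interpreting user input as code.
Function names are illustrative; only the standard library is used.
"""
import ast
import operator
import re

# 1. Allowlist validation followed by plain arithmetic: no interpreter involved.
# \A and \Z are deliberate: `$` also matches just before a trailing newline in
# Python and PCRE, which would let "10\n" through a ^...$ check.
_PCT_RE = re.compile(r"\A\d{1,3}(?:\.\d{1,2})?\Z")


def apply_discount_safe(price: float, pct: str) -> float:
    """Accept only a decimal percentage in [0, 100]; reject everything else."""
    if not _PCT_RE.match(pct):
        raise ValueError("discount must look like 12 or 12.5")
    value = float(pct)
    if not 0 <= value <= 100:
        raise ValueError("discount out of range")
    return price * (1 - value / 100)


# 2. When a small expression language is genuinely required, parse it and walk
# the syntax tree with an allowlist of node types instead of calling eval().
_BIN_OPS = {ast.Add: operator.add, ast.Sub: operator.sub,
            ast.Mult: operator.mul, ast.Div: operator.truediv}
_UNARY_OPS = {ast.USub: operator.neg, ast.UAdd: operator.pos}


def safe_eval_arith(expr: str, variables: dict) -> float:
    """Evaluate +, -, *, / over numeric literals and named variables only.

    Calls, attribute access, subscripts, comparisons, boolean operators, power
    (a cheap CPU-exhaustion vector) and unknown names all raise ValueError.
    """
    if len(expr) > 200:
        raise ValueError("expression too long")
    try:
        tree = ast.parse(expr, mode="eval")
    except SyntaxError:
        raise ValueError("expression does not parse") from None

    def walk(node: ast.AST) -> float:
        if isinstance(node, ast.Expression):
            return walk(node.body)
        if isinstance(node, ast.Constant) and type(node.value) in (int, float):
            return float(node.value)          # bool and str are excluded on purpose
        if isinstance(node, ast.Name):
            if node.id in variables:
                return float(variables[node.id])
            raise ValueError(f"unknown variable {node.id!r}")
        if isinstance(node, ast.BinOp) and type(node.op) in _BIN_OPS:
            return _BIN_OPS[type(node.op)](walk(node.left), walk(node.right))
        if isinstance(node, ast.UnaryOp) and type(node.op) in _UNARY_OPS:
            return _UNARY_OPS[type(node.op)](walk(node.operand))
        raise ValueError(f"disallowed syntax: {type(node).__name__}")

    try:
        return walk(tree)
    except ZeroDivisionError:
        raise ValueError("division by zero") from None


def rejects(func, *args) -> bool:
    """Helper for the checks below: True if func(*args) raises ValueError."""
    try:
        func(*args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    payload = "0) * 0 or __import__('os').getcwd() or (0"   # constructed attacker input
    print(apply_discount_safe(100.0, "10"))                          # 90.0
    print(rejects(apply_discount_safe, 100.0, payload))               # True
    print(safe_eval_arith("price * (1 - 10 / 100)", {"price": 100.0}))  # 90.0
    print(rejects(safe_eval_arith, "__import__('os').getcwd()", {}))    # True
```

The AST walker is an allowlist in the sense the remediation asks for: every node type it does not name is refused, so new language features cannot slip through, and the length cap plus the exclusion of ** keep a parser-level denial of service off the table as well.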