What does a code injection attack involve?

• A. The attacker can insert malicious code into a program that is then executed
• B. The attacker can only read files
• C. The attacker can only cause a minimal harmless effect
• D. The attacker can only alter log files

Answer: (A)

Code injection attacks occur when an attacker provides input that is treated as code by the program and is then executed. The vulnerability arises when input is incorporated into commands, queries, or scripts without proper validation, escaping, or parameterization, allowing the attacker to run their own instructions inside the application. For example, injecting malicious SQL into a database query can cause the database to execute unintended commands, or injecting shell commands into a system command can make the operating system run those commands. The defining element is that the injected code is executed, not merely read or stored. Defensive steps include input validation and escaping, using parameterized queries, avoiding dynamic command construction, and applying least-privilege execution to limit what the injected code could achieve.