General Information

Java Code Injection

Variants:
Direct, Persistent, Session

Also Known As:
JSP Code Injection, ScriptEngine Code Injection, Rhino Code Injection - Variation

Vector Type:
Attack

Relevance:
Technology Specific

Layer:
Application-Level

Platforms:
Java, JEE, J2EE, JSP

Target Type:
Application

Affected Mechanisms:
Input Validation, Syntax Escaping

Invented In:
24/09/2009

Added In:
31/12/2014


Vector Operation Method:
Malicious input can alter the structure of server-side Java code that is generated dynamically. The injection may affect the application through classic dynamic code generation flaws, or through the use of a ScriptEngine such as Rhino, Jython, JRuby or another scripting engine.
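The ScriptEngine case described above, shown as an added illustration that is not part of this catalogue entry: a hypothetical DiscountCalculator class evaluates a small JavaScript rule through javax.script. The unsafe method concatenates request data into the script source, so the input becomes part of the code the engine runs; the hardened method keeps the script text constant, validates the input as an integer and hands it to the engine as a bound variable, so it can only ever be data. The class name, the discount rule and the "qty" parameter are made up for the example, and it assumes a JavaScript engine (Rhino or Nashorn) is available on the classpath.

```java
import javax.script.Bindings;
import javax.script.ScriptEngine;
import javax.script.ScriptEngineManager;
import javax.script.ScriptException;

// Hypothetical class for illustration; not from the catalogue page.
public class DiscountCalculator {
    private final ScriptEngine engine;

    public DiscountCalculator() {
        // Assumption: a JavaScript ScriptEngine (Rhino or Nashorn) is on the classpath.
        // Recent JDKs ship without one, so this may return null.
        engine = new ScriptEngineManager().getEngineByName("JavaScript");
        if (engine == null) {
            throw new IllegalStateException("No JavaScript ScriptEngine available");
        }
    }

    // Vulnerable pattern: request data is spliced into the script source.
    // Anything the caller supplies is parsed and executed as script code.
    public Object discountUnsafe(String quantityParam) throws ScriptException {
        String script = "var qty = " + quantityParam + "; qty > 10 ? 0.1 : 0;";
        return engine.eval(script);
    }

    // Hardened pattern: the script is a constant, the input is validated
    // against the expected type, and reaches the engine only as a bound value.
    public Object discountSafe(String quantityParam) throws ScriptException {
        int qty;
        try {
            qty = Integer.parseInt(quantityParam.trim());
        } catch (NumberFormatException e) {
            throw new IllegalArgumentException("quantity must be an integer");
        }
        Bindings bindings = engine.createBindings();
        bindings.put("qty", qty);
        // Script text never changes, regardless of what the caller sent.
        return engine.eval("qty > 10 ? 0.1 : 0;", bindings);
    }

    public static void main(String[] args) throws ScriptException {
        DiscountCalculator calc = new DiscountCalculator();
        // Constructed sample input: a well-formed quantity.
        System.out.println("safe, valid input: " + calc.discountSafe("12"));
        // Constructed sample input: not a number; the hardened path rejects it
        // before the engine sees it instead of letting it shape the script.
        try {
            calc.discountSafe("12; somethingElse");
        } catch (IllegalArgumentException e) {
            System.out.println("safe, rejected: " + e.getMessage());
        }
    }
}
```

When reviewing code of this kind, the defect to look for is any string concatenation or String.format that feeds engine.eval, JSP generation, or a compiler API; the fix is the same in each case: fixed code, validated input passed through bindings or parameters.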


Direct Variant:

Java Injection

Also Known As:
JSP Injection

Typical Severity:
Critical

Learn More:


Persistent Variant:

Stored Java Injection

Also Known As:
Persistent Java Injection

Typical Severity:
Critical

Resources:

White Papers:

Learn More:


Session Variant:

JSP Injection via Session Puzzling

Also Known As:
Session JSP Injection

Typical Severity:
Critical

Resources:

White Papers:

Learn More: