[Owasp-leaders] Function Injection Page Added

Fady Othman fady.othman at owasp.org
Thu Sep 1 21:12:50 UTC 2016

Hi Dave,

You're probably right, it's more of a limited version of code injection,
since only one function can be executed, and in some cases without
parameters. It's different from command injection in that it's not
limited to that, which means if you can't inject a parameter, maybe you
can call a dangerous user-defined function.

I didn't hear about this bug until I came across it when I was scanning the
code with "rips" (the old free version) and the tool simply caught a
vulnerability and reported it as "function injection".

Actually, the reason I added this page was because it's overlooked in code
reviews and because some people asked about a reference and exploit
examples and couldn't find it online.

Another alternative I thought about was adding the examples to the code
injection page as a variation, but then I saw that "blind SQL injection"
is on a separate page from the "SQL injection" page, which I like because
it highlights "Blind SQL Injection", so I thought it would be a good idea
to put it on a separate page.

Regarding whether it exists in other languages, it probably does in any
language that allows dynamic function calls, but to be honest I only saw
real-life examples in PHP, and I didn't look for it in other languages.

Thanks for your feedback.

On Thu, Sep 1, 2016 at 9:57 PM, Dave Wichers <dave.wichers at owasp.org> wrote:

> I've never heard of function injection before. How is it different than
> command injection? What CWE would it be associated with? Or is it so new
> there is no CWE? Is this just a PHP problem or is this issue present in
> many other types of technologies?  Are there any papers or other works that
> refer to this term?
> There is another similar article called: https://www.owasp.org/index.php/Code_Injection - Is it distinct from that as well?
> -Dave
> On Thu, Sep 1, 2016 at 3:39 PM, Fady Othman <fady.othman at owasp.org> wrote:
>> Dears,
>> I just created a new page for "function injection" attacks.
>> Your feedback is highly appreciated.
>> https://www.owasp.org/index.php/Function_Injection
>> Regards,
>> Fady Othman
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
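The dynamic function call pattern discussed above, as an added example that is not from the thread or from the OWASP page. It is written in Python rather than PHP because, as noted in the reply, the issue applies to any language that allows dynamic function calls; all function and action names are constructed for illustration.

```python
"""Function injection via name-based dispatch, beside an allow-listed fix.

Constructed example. A request selects an "action" by name and the
handler calls the matching function with no arguments. The vulnerable
dispatcher resolves the name against the whole module namespace, so any
zero-argument function, including one that was never meant to be reachable
from a request, can be invoked. The hardened dispatcher resolves only
against an explicit allow-list of names.
"""

# Audit trail of which functions actually ran, so callers can observe it.
calls: list[str] = []


def show_profile() -> str:
    calls.append("show_profile")
    return "profile"


def list_orders() -> str:
    calls.append("list_orders")
    return "orders"


def reset_database() -> str:
    # Maintenance routine; stand-in for a function that must never be
    # user-reachable (here it only records that it was called).
    calls.append("reset_database")
    return "database reset"


def dispatch_vulnerable(action: str) -> str:
    # Looks the user-supplied name up in globals(): any callable defined in
    # this module, not just the intended handlers, can be selected.
    func = globals().get(action)
    if not callable(func):
        raise ValueError("unknown action")
    return func()


# Only these request-facing names map to functions.
ALLOWED_ACTIONS = {
    "profile": show_profile,
    "orders": list_orders,
}


def dispatch_hardened(action: str) -> str:
    # The request string is a key into a fixed map, never a function name.
    func = ALLOWED_ACTIONS.get(action)
    if func is None:
        raise ValueError("unknown action")
    return func()
```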