IT Security Stack Exchange
IT Security Stack Exchange

Questions tagged [code-execution]

The process of executing code, either maliciously or not, on a system or device. The term is often used when talking about code injection vulnerabilities.

The process of executing code, either maliciously or not, on a system or device. The term is often used when talking about code injection vulnerabilities

82 questions
2
votes
2 answers

Is it possible to trick a person into going to a website, and running JavaScript, without them knowing? (no iframes)

My website is W. If you make a GET request to my website, it gives you JavaScript, and if you execute the JS, then you do some action (if you are logged in and have a session cookie). Can someone stealthily trick others into executing the JS? They…
quantumtremor
  • 121
  • 3
1
vote
2 answers

Vulnerabilities in Receiving User-Submitted PDF Files Through HTTP(S)

For context; I have a web application that allows users to upload a PDF file from which the web app extracts certain information by parsing it. The app then sends this information to another server for further processing. The web app is based on…
portabletable
  • 13
  • 2
1
vote
0 answers

Attack on a string created by a developer

Go and Java have "compile time constants", and JavaScript will soon get a feature that allows "Distinguishing strings from a trusted developer from strings that may be attacker controlled" via isTemplateObject. These allow the program to check if a…
Craig Francis
  • 111
  • 4
1
vote
1 answer

Why don't computers enforce immutable address spaces for execution?

A piece of malware detects signatures of the sandbox an AV solution tries to use to fingerprint malicious behavior and pretends to be innocent. Once in the real OS environment, it then downloads executable data encoded as image data and decodes the…
john doe
  • 765
  • 1
  • 5
  • 8
1
vote
1 answer

CLI application running user defined command periodically

For a toy CLI application I'm writing, I'd like to store a string with an user defined command that will be executed periodically (like shell -c ). I have seen other applications do this, for example in fzf you can set an environment…
roperzh
  • 113
  • 3
1
vote
1 answer

Wayback machine downloading a file called default.exe?

When I look up a site on wayback machine, I click through a couple of links on the site, and then instead of loading the page, it downloads a file called "default.exe". Since I was expecting a page to load, not an .exe to download, it roused…
stevec
  • 1,214
  • 1
  • 7
  • 16
1
vote
1 answer

Can uncompressing a ZIP/tar.gz/rar/etc file execute some custom code?

So I recently downloaded Tor Browser on my Linux machine and what immediately caught my eye is the fact that after uncompressing the file (I think it was .tar.gz, but the question applies to every compression method) a .desktop file got generated in…
Sir Muffington
  • 1,447
  • 2
  • 9
  • 22
1
vote
1 answer

Build and execute code on a sandboxed environment?

Numerous websites allow us to build and execute C code from web browsers (repl.it, onlinegdb.com, ideone.com...). For my own application (education purposes) I would like to do the same on my web backend. My current solution is to use an Alpine…
nowox
  • 347
  • 2
  • 11
1
vote
0 answers

Process hollowing and the Import Address Table

I have been learning and implementing Process Hollowing attacks, and even after I got the thing work, I have some questions. Why aren't we building the IAT when we load our injected PE? All we do is copy the headers and the sections, fix…
Eran Nahshon
  • 23
  • 4
1
vote
4 answers

Is it possible to detect malicious software just by analyzing the code structure?

I'm a newbie to software security. I'm designing a network and I was wondering is it possible to detect if a program upgrade being downloaded on the network is malicious just by analyzing the structure of the downloaded executable? I tried some…
user1690356
  • 11
  • 2
1
vote
1 answer

Securing Code Secrets - What is the relevance if the host gets compromised?

I've been researching and testing different approaches when it comes to securing code secrets, and am unsure what the best options are, and if they even have any relevance once a host gets compromised. Some standard approaches I've read about…
R. StackUser
  • 135
  • 4
1
vote
1 answer

How much protection does sandbox software provide against malicious .exe?

I need to review a large number of .exe game files. I recently had an incident where I got infected by an .exe that passed all my 'checks': virus scan, Virustotal, reviews, community feedback, uploader history, uploader motive. Lacking any other…
kite
  • 121
  • 3
1
vote
0 answers

Why is digital signature enforcement on webservers not common practice?

Why is it that server admins do not code sign the contents of their webservers (all php, css, js, etc.) and have Apache / NGINX / whatever server software refuse to execute or serve any code / content unless it has been digitally signed by a…
niemiro
  • 162
  • 4
1
vote
2 answers

How can memory problems lead to code execution exploits?

In reports on security exploits/vulnerabilities on desktop applications, I often read that memory problems lead to the execution of malicious code. For example, the description of Internet Explorer vulnerability CVE-2018-8653 says…
cis
  • 255
  • 2
  • 7
1
vote
3 answers

Binary to ASCII encoding for making files non executable

Isn't it a good idea to transfer eg an .wav file, which can carry malware inside (header, data etc.), to ASCII text file via hexdump? I would have achieved a non-executable format. It is still executable with a text editor but the malware can't…
J. Doe
  • 11
  • 2
1 2
3
4 5 6