Nowadays you can read much about code injection, exploits, buffer-, stack- and heap-overflows etc. leading to inject and run code. I wonder what of this stuff is relevant for Ja
There are a couple of ways in which Java code could be injected into an application, such as using the scripting API or dynamic JSP includes.
The code below allows a user to inject arbitrary JavaScript into Java's script engine.
    import javax.script.*;

    public class Example1 {
        public static void main(String[] args) {
            try {
                ScriptEngineManager manager = new ScriptEngineManager();
                ScriptEngine engine = manager.getEngineByName("JavaScript");
                System.out.println(args[0]);
                // Vulnerable: args[0] is concatenated into the script source,
                // so a quote in the input ends the string and the rest runs as code.
                engine.eval("print('" + args[0] + "')");
            } catch (Exception e) {
                e.printStackTrace();
            }
        }
    }
In this case, the attacker decides to inject code that creates a file on the file system.
    hallo'); var fImport = new JavaImporter(java.io.File); with(fImport) { var f = new File('new'); f.createNewFile(); } //
Check the OWASP website for more examples.
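A hardened counterpart to Example1, as an added example that is not part of the original answer: the untrusted string is handed to the engine as a bound variable instead of being concatenated into the script text, so the payload above is treated as data. The class name `SafeEval`, the method `evalWithBinding` and the variable name `userInput` are assumptions made for this illustration; a JVM that ships a JavaScript engine is also assumed (JDK 15 and later do not bundle Nashorn, in which case `getEngineByName` returns null).

```java
import javax.script.Bindings;
import javax.script.ScriptEngine;
import javax.script.ScriptEngineManager;
import javax.script.ScriptException;
import javax.script.SimpleBindings;
import java.io.File;

public class SafeEval {
    // Fixed script text: it is never assembled from user input.
    private static final String SCRIPT = "'echo: ' + userInput";

    // Hypothetical helper: evaluates the fixed script with the untrusted
    // string exposed only as the value of the variable "userInput".
    static Object evalWithBinding(ScriptEngine engine, String untrusted)
            throws ScriptException {
        Bindings scope = new SimpleBindings();
        scope.put("userInput", untrusted); // passed as data, not parsed as source
        return engine.eval(SCRIPT, scope);
    }

    public static void main(String[] args) throws ScriptException {
        ScriptEngine engine =
                new ScriptEngineManager().getEngineByName("JavaScript");
        if (engine == null) {
            // No engine registered under this name on the running JVM.
            System.err.println("No JavaScript engine available on this JVM");
            return;
        }

        // The payload quoted in the answer above, used as the default input.
        String payload = "hallo'); var fImport = new JavaImporter(java.io.File); "
                + "with(fImport) { var f = new File('new'); f.createNewFile(); } //";
        String input = args.length > 0 ? args[0] : payload;

        // The engine only concatenates two strings; the payload text is echoed back.
        System.out.println(evalWithBinding(engine, input));

        // Reports whether a file named "new" is present in the working directory.
        System.out.println("file 'new' present: " + new File("new").exists());
    }
}
```

Binding the input removes the injection through string concatenation only; a script whose own text comes from an untrusted source still runs with full access to Java classes unless the engine is restricted separately.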