Execution of Untrusted Code vulnerabilities occur when applications accept, process, or execute code or scripts from untrusted or unvalidated sources.
This can lead to serious security issues including unauthorized code execution, memory corruption, and application compromise.
Modern applications—especially those incorporating embedded browsers, dynamic code, or runtime decision-making—must be rigorously tested to prevent these attack vectors.
Execution of Untrusted Code Tests:
WebView Security
Evaluates the security posture of embedded WebViews in applications, ensuring proper isolation and control over content loading, script execution, and interaction with native code.
Exposing External Java Interfaces in WebViews DOM
Tests whether Java objects or native APIs are exposed to WebViews’ JavaScript environment without adequate validation or restrictions, potentially enabling remote code execution.
JavaScript Execution Risks at WebViews
Assesses the risks posed by enabling JavaScript within WebViews, checking for untrusted script execution, XSS vulnerabilities, and unsafe content sources.
Code Signing
Verifies whether application code and updates are digitally signed and validated at runtime, protecting against unauthorized modifications or tampering.
Abusing Dynamic Code Execution Decisions
Identifies if the application makes runtime decisions about which code to execute (e.g., downloading and running scripts or binaries), which could be exploited to execute untrusted code.
Stack-Based Buffer Overflows
Tests for vulnerabilities where an attacker can overwrite parts of the call stack by providing more input than a buffer can handle, potentially leading to arbitrary code execution.
Heap-Based Buffer Overflows
Assesses memory handling in dynamically allocated (heap) memory areas, ensuring improper input doesn’t overwrite memory and alter application behavior or enable exploits.
Object Lifetime Vulnerabilities (Use-After-Free, Double Free’s)
Tests whether the application properly manages memory allocation and deallocation, preventing access to freed memory (use-after-free) or multiple releases (double free) that can lead to crashes or code execution.
Format String Vulnerabilities
Checks for insecure use of format functions (like printf() in C/C++) where user input can control the format string, potentially reading or writing to arbitrary memory locations.
Integer Overflows
Tests whether arithmetic operations on integers can exceed maximum values, leading to unintended behavior or security bypasses.
Integer Underflows
Assesses whether integer values can be reduced below their minimum limits, potentially causing miscalculations, memory allocation issues, or security flaws.