PL/SQL: Undocumented feature: dead code

Classification

  OWASP ASVS: Malicious Code
  PCI DSS 4.0: 2.2.4
  CWE: CWE-561

Overview

The application contains dead code, i.e. code that does not affect how the application works. Dead code includes unreachable code (code that can never be executed) and useless code (code whose result is never used). Compilers and development environments can detect and remove dead code, so its presence in the release version of the application indicates that it was inserted deliberately.
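As an added illustration (not part of the original page), the following PL/SQL shows both kinds of dead code in one procedure and the compiler-side check that surfaces them. The procedure name audit_demo, the parameter p_amount and the variable names are constructed for this example; PLSQL_WARNINGS, the USER_ERRORS view and warning PLW-06002 ("Unreachable code") are standard Oracle features.

```plsql
-- Added example, not from the original page. Names are constructed.

-- 1. Enable PL/SQL compiler warnings for this session so the compiler
--    reports dead code instead of silently optimising it away.
ALTER SESSION SET PLSQL_WARNINGS = 'ENABLE:ALL';

CREATE OR REPLACE PROCEDURE audit_demo (p_amount IN NUMBER) IS
  l_limit  NUMBER := 100;
  l_unused NUMBER;                 -- assigned below but never read
BEGIN
  -- Useless code: the result of this computation is never used.
  l_unused := p_amount * 2;

  IF p_amount > l_limit THEN
    RAISE_APPLICATION_ERROR(-20001, 'amount over limit');
  END IF;

  RETURN;
  -- Unreachable code: nothing after an unconditional RETURN can execute.
  -- The compiler flags this statement with PLW-06002.
  DBMS_OUTPUT.PUT_LINE('never printed');
END audit_demo;
/

-- 2. Review what the compiler flagged for this object. ATTRIBUTE is
--    'WARNING' for warnings and 'ERROR' for hard compile errors.
SELECT line, position, text
  FROM user_errors
 WHERE name = 'AUDIT_DEMO'
   AND type = 'PROCEDURE'
   AND attribute = 'WARNING'
 ORDER BY sequence;
```

For a release gate, the same query against DBA_ERRORS (or a non-empty result for the objects being deployed) can fail the build. Alternatively, `ALTER SESSION SET PLSQL_WARNINGS = 'ERROR:06002'` turns unreachable code into a compilation error so it cannot reach production at all. Note that the compiler does not reliably report the "useless" assignment above, so a dead-store check still needs a static analyser or code review.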

A developer can use dead code to hide implementation details of the application. This obfuscating transformation increases code entropy and complicates analysis of the algorithms used. In particular, unreachable incorrect code causes no errors while the program runs, but it confuses a disassembler or decompiler during reverse engineering.

Dead code may implement a backdoor that is activated, for example, by special values of the request parameters. Backdoor code may be spread across multiple files.

References

  1. CWE-561: Dead Code
  2. Wikipedia: Dead Code