Saturday, December 8, 2007

Reflection Injection

According to OWASP, reflection injection problems are a subset of injection problems in which external input is used to construct a string value that is passed to class reflection APIs. By manipulating the value, an attacker can cause unexpected classes to be loaded, or change which methods or fields are accessed on an object. They give the following example:

The following Java code dynamically loads a connection class to be used for transferring data:

import java.net.HttpURLConnection;

// connType is a String read from an external source and passed straight to
// Class.forName(): whatever class it names is loaded and instantiated.
Class connClass = Class.forName(connType);
HttpURLConnection conn = (HttpURLConnection) connClass.newInstance();
conn.connect();

Suppose this application normally passed "javax.net.ssl.HttpsURLConnection". This would provide an HTTPS connection using SSL to protect the transferred data. If an attacker replaced the connType string with "java.net.HttpURLConnection", then all data transfers performed by this code would happen over an unencrypted HTTP connection instead. Interesting; I was not aware of this attack vector. Does anyone have any experience with this sort of thing? Here are some additional examples from OWASP:


In C/C++:

#include <stdlib.h>
#include <openssl/evp.h>

/* Returns a malloc()ed digest of buf computed with the algorithm named by alg,
   or NULL on failure. The algorithm name comes from the caller, so an
   unexpected name selects an unexpected (possibly weak) digest. olen is an
   unsigned int * to match EVP_DigestFinal(), and the context is allocated with
   EVP_MD_CTX_new() because EVP_MD_CTX is opaque in OpenSSL 1.1 and later. */
unsigned char *simple_digest(char *alg, char *buf, unsigned int len, unsigned int *olen) {
    const EVP_MD *m;
    EVP_MD_CTX *ctx;
    unsigned char *ret;

    OpenSSL_add_all_digests();
    if (!(m = EVP_get_digestbyname(alg)))
        return NULL;
    if (!(ret = (unsigned char *)malloc(EVP_MAX_MD_SIZE)))
        return NULL;
    if (!(ctx = EVP_MD_CTX_new())) {
        free(ret);
        return NULL;
    }
    EVP_DigestInit(ctx, m);
    EVP_DigestUpdate(ctx, buf, len);
    EVP_DigestFinal(ctx, ret, olen);
    EVP_MD_CTX_free(ctx);
    return ret;
}

unsigned char *generate_password_and_cmd(char *password_and_cmd) {
    simple_digest("sha1", password_and_cmd, strlen(password_and_cmd)...);
}

In Java:

import java.security.MessageDigest;

// The algorithm name passed to getInstance() selects the implementation in the
// same way the class name does for Class.forName(); "SHA" resolves to SHA-1.
String command = new String("some cmd to execute & the password");
MessageDigest encer = MessageDigest.getInstance("SHA");
encer.update(command.getBytes("UTF-8"));
byte[] digest = encer.digest();
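To make the defensive side concrete, here is an added example of my own (it is not OWASP's code and not part of the original examples above) that covers both the Class.forName() downgrade and the digest-name selection in one runnable program. It assumes a small hypothetical Transport interface with a TlsTransport and a PlainTransport implementation as stand-ins for HttpsURLConnection and HttpURLConnection, since those real classes cannot be instantiated with newInstance(). It shows the vulnerable loader next to two hardened forms (an allow-list keyed by a short token so the external string never reaches reflection, and a type check with initialize=false for the cases where the class name really must be dynamic), and applies the same allow-list idea to the MessageDigest algorithm name.

```java
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Map;
import java.util.Set;

public class ReflectionInjectionDemo {

    // Hypothetical transport interface (constructed for this example); the two
    // implementations stand in for HttpsURLConnection and HttpURLConnection.
    public interface Transport {
        boolean isEncrypted();
    }

    public static final class TlsTransport implements Transport {
        public boolean isEncrypted() { return true; }
    }

    public static final class PlainTransport implements Transport {
        public boolean isEncrypted() { return false; }
    }

    // Vulnerable pattern from the OWASP snippet: the external string goes
    // straight into Class.forName(), so the caller chooses the class.
    static Transport loadUnsafe(String connType) throws ReflectiveOperationException {
        Class<?> cls = Class.forName(connType);
        return (Transport) cls.getDeclaredConstructor().newInstance();
    }

    // Hardened pattern 1: the external value is only a key into a fixed table,
    // so no attacker-controlled string ever reaches the reflection API.
    private static final Map<String, Class<? extends Transport>> ALLOWED_TRANSPORTS =
            Map.of("tls", TlsTransport.class);

    static Transport loadFromAllowList(String key) throws ReflectiveOperationException {
        Class<? extends Transport> cls = ALLOWED_TRANSPORTS.get(key);
        if (cls == null) {
            throw new IllegalArgumentException("unknown transport: " + key);
        }
        return cls.getDeclaredConstructor().newInstance();
    }

    // Hardened pattern 2: if the class name must be dynamic, resolve it without
    // running its static initialiser (initialize=false) and require it to be the
    // expected type before anything is instantiated.
    static Transport loadWithTypeCheck(String connType, Class<? extends Transport> expected)
            throws ReflectiveOperationException {
        Class<?> cls = Class.forName(connType, false,
                ReflectionInjectionDemo.class.getClassLoader());
        if (!expected.isAssignableFrom(cls)) {
            throw new IllegalArgumentException("rejected class: " + connType);
        }
        return cls.asSubclass(expected).getDeclaredConstructor().newInstance();
    }

    // Same principle for the digest examples: the algorithm name is also a
    // selector, so only a fixed set of names is accepted.
    private static final Set<String> ALLOWED_DIGESTS = Set.of("SHA-256", "SHA-512");

    static byte[] digestChecked(String alg, byte[] data) throws NoSuchAlgorithmException {
        if (!ALLOWED_DIGESTS.contains(alg)) {
            throw new IllegalArgumentException("rejected digest algorithm: " + alg);
        }
        return MessageDigest.getInstance(alg).digest(data);
    }

    public static void main(String[] args) throws Exception {
        String prefix = ReflectionInjectionDemo.class.getName() + "$";
        String attackerValue = prefix + "PlainTransport";   // constructed input

        // Unsafe loader: the downgrade succeeds, mirroring the HTTPS -> HTTP case.
        System.out.println("unsafe:     encrypted=" + loadUnsafe(attackerValue).isEncrypted());

        // Allow-list loader: the value is not a key, so it is refused.
        try {
            loadFromAllowList(attackerValue);
        } catch (IllegalArgumentException e) {
            System.out.println("allow-list: " + e.getMessage());
        }

        // Type-checked loader: PlainTransport is not a TlsTransport, so it is
        // refused, while the legitimate name still loads.
        try {
            loadWithTypeCheck(attackerValue, TlsTransport.class);
        } catch (IllegalArgumentException e) {
            System.out.println("type-check: " + e.getMessage());
        }
        Transport ok = loadWithTypeCheck(prefix + "TlsTransport", TlsTransport.class);
        System.out.println("type-check: encrypted=" + ok.isEncrypted());

        // Digest selector: "SHA" (the SHA-1 alias in the Java snippet above) is refused.
        try {
            digestChecked("SHA", "some cmd".getBytes("UTF-8"));
        } catch (IllegalArgumentException e) {
            System.out.println("digest:     " + e.getMessage());
        }
        System.out.println("digest:     SHA-256 length="
                + digestChecked("SHA-256", "some cmd".getBytes("UTF-8")).length);
    }
}
```

Compile and run it with javac/java (Java 9 or later for Map.of and Set.of). The allow-list form is the one to prefer wherever the set of acceptable classes or algorithms is known up front; the type check is a fallback that still lets the caller pick any subtype on the classpath, so it narrows the attack rather than removing it.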
