Prerequisites
The target application must utilize reflection libraries and allow users to directly control the parameters to these methods. If the adversary can host classes where the target can invoke them, more powerful variants of this attack are possible.
The target application must accept a string as user input, fail to sanitize characters that have a special meaning in the parameter encoding, and insert the user-supplied string in an encoding which is then processed.
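The first prerequisite, illustrated in Python as an added example that is not part of the CAPEC entry: a resolver that passes a caller-supplied string to the reflection calls, beside a hardened form where the input is only a key into a fixed map. The exporter classes, `resolve_unsafe`, `resolve_safe`, `run_export` and the sample rows are hypothetical names constructed for this illustration.

```python
import importlib
import json


class Exporter:
    """Base type every permitted handler must derive from (hypothetical)."""
    def export(self, rows):
        raise NotImplementedError


class CsvExporter(Exporter):
    def export(self, rows):
        return "\n".join(",".join(str(c) for c in row) for row in rows)


class JsonExporter(Exporter):
    def export(self, rows):
        return json.dumps(rows)


def resolve_unsafe(dotted_name):
    # The prerequisite condition: a caller-supplied string goes straight
    # into the reflection calls, so it can name any importable class.
    module_name, _, class_name = dotted_name.rpartition(".")
    return getattr(importlib.import_module(module_name), class_name)


# Hardened form: input is only a lookup key; reflection never sees it.
ALLOWED = {"csv": CsvExporter, "json": JsonExporter}


def resolve_safe(key):
    cls = ALLOWED.get(key) if isinstance(key, str) else None
    if cls is None or not issubclass(cls, Exporter):
        raise ValueError(f"unsupported exporter: {key!r}")
    return cls


def run_export(key, rows):
    return resolve_safe(key)().export(rows)


if __name__ == "__main__":
    rows = [[1, "a"], [2, "b"]]  # constructed sample data
    print(run_export("csv", rows))
    print(resolve_unsafe("collections.OrderedDict"))  # outside the intended set
    try:
        resolve_safe("collections.OrderedDict")
    except ValueError as exc:
        print("rejected:", exc)
```

In code review, the thing to look for is any path where request data reaches `importlib.import_module`, `getattr`, or an equivalent reflective lookup without first passing through a fixed mapping like `ALLOWED`.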
Resources Required
None: No specialized resources are required to execute this type of attack.
Related Weaknesses
| CWE-ID | Weakness Name |
|---|---|
| | Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection'): The product uses external input with reflection to select which classes or code to use, but it does not sufficiently prevent the input from selecting improper classes or code. |
Submission
| Name | Organization | Date | Date release |
|---|---|---|---|
| CAPEC Content Team | The MITRE Corporation | 2014-06-23 +00:00 | |
Modifications
| Name | Organization | Date | Comment |
|---|---|---|---|
| CAPEC Content Team | The MITRE Corporation | 2017-08-04 +00:00 | Updated Attack_Prerequisites, Description Summary, Resources_Required |
| CAPEC Content Team | The MITRE Corporation | 2019-04-04 +00:00 | Updated Prerequisites |
| CAPEC Content Team | The MITRE Corporation | 2019-09-30 +00:00 | Updated Related_Attack_Patterns |
| CAPEC Content Team | The MITRE Corporation | 2023-01-24 +00:00 | Updated Related_Weaknesses |