CAPEC-253

Remote Code Inclusion
Draft
2014-06-23
00h00 +00:00
2021-06-24
00h00 +00:00
CAPEC Mitre.org
Alerte pour un CAPEC
Stay informed of any changes for a specific CAPEC.
Notifications manage

Descriptions CAPEC

The attacker forces an application to load arbitrary code files from a remote location. The attacker could use this to try to load old versions of library files that have known vulnerabilities, to load malicious files that the attacker placed on the remote machine, or to otherwise change the functionality of the targeted application in unexpected ways.

Informations CAPEC

Prerequisites

Target application server must allow remote files to be included.The malicious file must be placed on the remote machine previously.

Mitigations

Minimize attacks by input validation and sanitization of any user data that will be used by the target application to locate a remote file to be included.

Related Weaknesses

CWE-ID Weakness Name

CWE-829

 Inclusion of Functionality from Untrusted Control Sphere
The product imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere.

References

REF-614

OWASP Web Security Testing Guide
https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/11.2-Testing_for_Remote_File_Inclusion.html

Submission

Name Organization Date Date release
CAPEC Content Team The MITRE Corporation 2014-06-23 +00:00

Modifications

Name Organization Date Comment
CAPEC Content Team The MITRE Corporation 2018-07-31 +00:00 Updated Attack_Prerequisites, Description Summary, Related_Weaknesses, Solutions_and_Mitigations
CAPEC Content Team The MITRE Corporation 2020-12-17 +00:00 Updated References, Taxonomy_Mappings
CAPEC Content Team The MITRE Corporation 2021-06-24 +00:00 Updated Related_Attack_Patterns