[Identify web application URL inputs] Review application inputs to find those that are designed to be URLs.
[Identify URL inputs allowing local access] Execute local test commands via each URL input to determine which of them succeed.
[Execute malicious commands] Using the identified URL inputs that allow local command execution, execute malicious commands.
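
A defensive counterpart to the steps above, as an added example that is not part of the original entry: a Python check that accepts a URL-typed input only when it is an `http`/`https` URL with a host, and rejects anything that resolves to a local reference (the CWE-706 case). The function names, reason strings and sample inputs are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}          # assumption: only web URLs are expected
DRIVE_PATH = re.compile(r"^[A-Za-z]:[\\/]")  # Windows drive path, e.g. C:\ or C:/
LOCAL_PREFIXES = ("\\\\", "/", "./", "../", "~")  # UNC, absolute, relative, home


def classify_url_input(value: str) -> str:
    """Return "accept" or a "reject:<reason>" string suitable for logging."""
    # Whitespace and control characters are stripped or mangled by some
    # parsers, so refuse them before parsing instead of normalising.
    if not value or any(ord(c) < 0x21 or ord(c) == 0x7F for c in value):
        return "reject:bad-chars"
    # Plain filenames passed where a URL is expected.
    if DRIVE_PATH.match(value) or value.startswith(LOCAL_PREFIXES):
        return "reject:local-path"
    try:
        parts = urlsplit(value)
    except ValueError:
        return "reject:unparseable"
    if parts.scheme == "file":               # urlsplit lower-cases the scheme
        return "reject:file-scheme"
    if parts.scheme not in ALLOWED_SCHEMES:
        return "reject:scheme-not-allowed"
    if not parts.hostname:                   # e.g. http:///etc/passwd
        return "reject:no-host"
    return "accept"


def screen(inputs):
    """Map every candidate input to its verdict (for review or logging)."""
    return {value: classify_url_input(value) for value in inputs}


# Constructed sample inputs, not taken from any real application.
SAMPLES = [
    "https://example.com/feed.xml",
    "FILE:///etc/passwd",
    "/etc/passwd",
    "C:\\Windows\\win.ini",
    "\\\\fileserver\\share\\report.txt",
    "http:///etc/passwd",
    "https://example.com/a\nfile:///etc/passwd",
]

if __name__ == "__main__":
    for value, verdict in screen(SAMPLES).items():
        print(f"{verdict:26} {value!r}")
```

The check only decides whether the input is a remote web URL; the same parsed value, not the raw string, should be what the application later passes to its fetch function.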
CWE-ID | Weakness Name |
---|---|
CWE-241 | Improper Handling of Unexpected Data Type: The product does not handle or incorrectly handles when a particular element is not the expected type, e.g. it expects a digit (0-9) but is provided with a letter (A-Z). |
CWE-706 | Use of Incorrectly-Resolved Name or Reference: The product uses a name or reference to access a resource, but the name/reference resolves to a resource that is outside of the intended control sphere. |
Name | Organization | Date | Date release |
---|---|---|---|
CAPEC Content Team | The MITRE Corporation | | |
Name | Organization | Date | Comment |
---|---|---|---|
CAPEC Content Team | The MITRE Corporation | | Updated Related_Attack_Patterns |
CAPEC Content Team | The MITRE Corporation | | Updated Attack_Phases, Description, Description Summary, References |
CAPEC Content Team | The MITRE Corporation | | Updated Attack_Phases |
CAPEC Content Team | The MITRE Corporation | | Updated Related_Attack_Patterns |
CAPEC Content Team | The MITRE Corporation | | Updated @Abstraction |
CAPEC Content Team | The MITRE Corporation | | Updated Example_Instances |