CAPEC-6: Argument Injection

Likelihood of Attack: High
Typical Severity: High
Status: Draft
Created: 2014-06-23 00h00 +00:00
Last Modified: 2021-06-24 00h00 +00:00

CAPEC Description

An attacker changes the behavior or state of a targeted application by injecting data or command syntax through the target's use of non-validated and non-filtered arguments of exposed services or methods.

CAPEC Information

Execution Flow

1) Explore

[Discovery of potential injection vectors] Using an automated tool or manual discovery, the attacker identifies services or methods with arguments that could potentially be used as injection vectors (OS, API, SQL procedures, etc.).

Technique
  • Manually cover the application and record the possible places where arguments could be passed into external systems.
  • Use a spider, for web applications, to create a list of URLs and associated inputs.

2) Experiment

[Attempt variations on argument content] Possibly using an automated tool, the attacker performs injection variations of the arguments.

Technique
  • Use a very large list of probe strings in order to detect whether there is a positive result and, if the target is obscure, what type of system has been targeted.
  • Use a proxy tool to record results, error messages and/or logs if accessible.

3) Exploit

[Abuse of the application] The attacker injects specific syntax into a particular argument in order to generate a specific malicious effect in the targeted application.

Technique
  • Manually inject a specific payload into the targeted argument.

Prerequisites

Target software fails to strip all user-supplied input of any content that could cause the shell to perform unexpected actions.
Software must allow unvalidated or unfiltered input to be executed on the operating system shell and, optionally, the system configuration must allow output to be sent back to the client.

Skills Required

The attacker has to identify the injection vector, identify the operating-system-specific commands, and optionally collect the output.

Resources Required

Ability to communicate synchronously or asynchronously with the server. Optionally, ability to capture output directly through synchronous communication or by another method such as FTP.

Mitigations

Design: Do not pass input values directly to the command shell; instead treat user input as guilty until proven innocent. Build a function that takes user input and converts it to application-specific types and values, stripping or filtering out all unauthorized commands and characters in the process.
Design: Limit program privileges, so that if metacharacters or other methods circumvent the program's input validation routines and shell access is attained, the shell is not running under a privileged account. chroot jails create a sandbox for the application to execute in, making it more difficult for an attacker to elevate privilege even in the case that a compromise has occurred.
Implementation: Implement an audit log that is written to a separate host; in the event of a compromise, the audit log may be able to provide evidence and details of the compromise.
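The following is an added example (not part of the CAPEC entry or MITRE's material) of the conversion function the first Design mitigation describes: raw input is converted to one application-specific type, a bare upload file name, and anything else is refused before it can become a shell word or a program option. The upload directory, the `cat` invocation and the sample inputs are constructed for illustration.

```python
import re
import subprocess
from typing import Dict, List

# Constructed policy: the application type is "upload file name", a single
# path component. Separators, shell metacharacters and a leading '-' are
# rejected rather than stripped, so the allowlist is the whole contract
# (an incomplete denylist is exactly CWE-184).
UPLOAD_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")
UPLOAD_DIR = "/var/app/uploads"  # assumed location, not from the page


class ArgumentRejected(ValueError):
    """Raised when user input does not convert to the expected type."""


def to_upload_name(user_value: str) -> str:
    """Convert raw input to a validated file name or refuse it."""
    if not UPLOAD_NAME.fullmatch(user_value):
        raise ArgumentRejected(f"not a file name: {user_value!r}")
    return user_value


def build_command_before(user_value: str) -> str:
    """'Before': input spliced into a shell command line (CWE-78 pattern)."""
    return f"cat {UPLOAD_DIR}/{user_value}"


def build_argv_after(user_value: str) -> List[str]:
    """'After': validated input is its own argv element; no shell is involved.
    The '--' end-of-options marker keeps the next word data even if a later
    change drops the directory prefix and passes the bare name."""
    name = to_upload_name(user_value)
    return ["cat", "--", f"{UPLOAD_DIR}/{name}"]


def check_inputs(values: List[str]) -> Dict[str, str]:
    """Classify candidate arguments; doubles as a unit test for the policy."""
    verdict = {}
    for value in values:
        try:
            build_argv_after(value)
            verdict[value] = "accepted"
        except ArgumentRejected:
            verdict[value] = "rejected"
    return verdict


def run_after(user_value: str) -> subprocess.CompletedProcess:
    """Execute with an argv list and shell=False; output is returned, not echoed."""
    return subprocess.run(build_argv_after(user_value), shell=False,
                          capture_output=True, text=True, timeout=5)
```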

Related Weaknesses

CWE-ID Weakness Name

CWE-74

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

CWE-146

Improper Neutralization of Expression/Command Delimiters
The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as expression or command delimiters when they are sent to a downstream component.

CWE-184

Incomplete List of Disallowed Inputs
The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other action to neutralize before additional processing takes place, but the list is incomplete.

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

CWE-185

Incorrect Regular Expression
The product specifies a regular expression in a way that causes data to be improperly matched or compared.

CWE-697

Incorrect Comparison
The product compares two entities in a security-relevant context, but the comparison is incorrect, which may lead to resultant weaknesses.


Submission

Name Organization Date Date release
CAPEC Content Team The MITRE Corporation 2014-06-23 +00:00

Modifications

Name Organization Date Comment
CAPEC Content Team The MITRE Corporation 2019-04-04 +00:00 Updated Related_Weaknesses
CAPEC Content Team The MITRE Corporation 2019-09-30 +00:00 Updated Related_Attack_Patterns
CAPEC Content Team The MITRE Corporation 2020-07-30 +00:00 Updated Example_Instances
CAPEC Content Team The MITRE Corporation 2021-06-24 +00:00 Updated Related_Weaknesses