A resource injection issue occurs when the following two conditions are met:
This may enable an attacker to access or modify otherwise protected system resources.
Portée | Impact | Probabilité |
---|---|---|
Confidentiality Integrity | Read Application Data, Modify Application Data, Read Files or Directories, Modify Files or Directories Note: An attacker could gain access to or modify sensitive data or system resources. This could allow access to protected files or directories including configuration files and files containing sensitive information. |
Références | Description |
---|---|
CVE-2013-4787 | chain: mobile OS verifies cryptographic signature of file in an archive, but then installs a different file with the same name that is also listed in the archive. |
Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, it can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
CAPEC-ID | Nom du modèle d'attaque |
---|---|
CAPEC-10 | Buffer Overflow via Environment Variables This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the adversary finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables. |
CAPEC-240 | Resource Injection An adversary exploits weaknesses in input validation by manipulating resource identifiers enabling the unintended modification or specification of a resource. |
CAPEC-75 | Manipulating Writeable Configuration Files Generally these are manually edited files that are not in the preview of the system administrators, any ability on the attackers' behalf to modify these files, for example in a CVS repository, gives unauthorized access directly to the application, the same as authorized users. |
Nom | Organisation | Date | Date de publication | Version |
---|---|---|---|---|
7 Pernicious Kingdoms | Draft 3 |
Nom | Organisation | Date | Commentaire |
---|---|---|---|
Eric Dalci | Cigital | updated Time_of_Introduction | |
KDM Analytics | added/updated white box definitions | ||
CWE Content Team | MITRE | updated Relationships, Other_Notes, Taxonomy_Mappings, Weakness_Ordinalities | |
CWE Content Team | MITRE | updated Description, Name | |
KDM Analytics | Improved the White_Box_Definition | ||
CWE Content Team | MITRE | updated White_Box_Definitions | |
CWE Content Team | MITRE | updated Common_Consequences, Other_Notes | |
CWE Content Team | MITRE | updated Common_Consequences, Relationships | |
CWE Content Team | MITRE | updated Potential_Mitigations | |
CWE Content Team | MITRE | updated Alternate_Terms, Maintenance_Notes, Other_Notes, Relationships | |
CWE Content Team | MITRE | updated Relationships | |
CWE Content Team | MITRE | updated Alternate_Terms, Description, Relationship_Notes, Relationships | |
CWE Content Team | MITRE | updated Relationships, Taxonomy_Mappings | |
CWE Content Team | MITRE | updated Relationships | |
CWE Content Team | MITRE | updated Relationships | |
CWE Content Team | MITRE | updated Related_Attack_Patterns, Relationships | |
CWE Content Team | MITRE | updated Applicable_Platforms, Causal_Nature, Modes_of_Introduction, Relationships, White_Box_Definitions | |
CWE Content Team | MITRE | updated References, Relationships, Taxonomy_Mappings | |
CWE Content Team | MITRE | updated Relationships | |
CWE Content Team | MITRE | updated Other_Notes, Potential_Mitigations, References, Relationships, Type | |
CWE Content Team | MITRE | updated Relationships | |
CWE Content Team | MITRE | updated Relationships | |
CWE Content Team | MITRE | updated Relationships | |
CWE Content Team | MITRE | updated Description | |
CWE Content Team | MITRE | updated Detection_Factors, Relationships | |
CWE Content Team | MITRE | updated Mapping_Notes | |
CWE Content Team | MITRE | updated Observed_Examples |