CAPEC - CAPEC-152: Injection (Injecting Control Plane content through the Data Plane) (Release 1.4)

Home > CAPEC List > CAPEC-152: Injection (Injecting Control Plane content through the Data Plane) (Release 1.4)

CAPEC List
Full CAPEC Dictionary
Methods of Attack View

About CAPEC
Documents
Resources

Community
Related Activities
Collaboration List

News & Events
Calendar
Free Newsletter

Contact Us
Search the Site

CAPEC-152: Injection (Injecting Control Plane content through the Data Plane)

Injection (Injecting Control Plane content through the Data Plane)

Category ID: 152

Status: Draft

Description

Summary

An attacker is able to control or disrupt the behavior of an target through crafted input data submitted using an interface functioning to process data input. This happens when the attacker adds material to their input that is interpreted by the application causing the targeted application to perform steps unintended by the application manager or causing the application to enter an unstable state. This attack differs from Data Structure Attacks in that the latter attacks subvert the underlying structures that hold user-provided data, either pre-empting interpretation of the input (in the case of Buffer Overflows) or resulting in values that the targeted application is unable to handle correctly (in the case of Integer Overflows). In Injection attacks, the input is interpreted by the application, but the attacker has included instructions to the interpreting functions that the target application then follows.

Attack Prerequisites

The target application must accept input from the user. In virtually all cases, this must be string input.

The attacker must fail to adequately filter the user input against the insertion of instructions to the input interpreter.

Resources Required

No special resources are required for most variants of this attack.

Relationships

Nature	Type	ID	Name	View(s) this relationship pertains to
MemberOf	View	1000	Mechanism of Attack	Mechanism of Attack1000
ParentOf	Category	253	Remote Code Inclusion	Mechanism of Attack1000
ParentOf	Attack Pattern	5	Analog In-band Switching Signals (aka Blue Boxing)	Mechanism of Attack (primary)1000
ParentOf	Attack Pattern	66	SQL Injection	Mechanism of Attack (primary)1000
ParentOf	Attack Pattern	134	Email Injection	Mechanism of Attack (primary)1000
ParentOf	Attack Pattern	135	Format String Injection	Mechanism of Attack (primary)1000
ParentOf	Attack Pattern	136	LDAP Injection	Mechanism of Attack (primary)1000
ParentOf	Attack Pattern	137	Parameter Injection	Mechanism of Attack (primary)1000
ParentOf	Attack Pattern	138	Reflection Injection	Mechanism of Attack (primary)1000
ParentOf	Attack Pattern	175	Code Inclusion	Mechanism of Attack (primary)1000
ParentOf	Attack Pattern	240	Resource Injection	Mechanism of Attack (primary)1000
ParentOf	Attack Pattern	242	Script Injection	Mechanism of Attack (primary)1000
ParentOf	Attack Pattern	248	Command Injection	Mechanism of Attack (primary)1000
ParentOf	Attack Pattern	249	Character Injection	Mechanism of Attack (primary)1000
ParentOf	Attack Pattern	250	XML Injection	Mechanism of Attack (primary)1000
ParentOf	Attack Pattern	254	DTD Injection in a SOAP Message	Mechanism of Attack (primary)1000

Page Last Updated: September 23, 2009


	CAPEC is sponsored by the National Cyber Security Division of the U.S. Department of Homeland Security. Vision and Technical Leadership provided by Cigital, Inc. This Web site is hosted by The MITRE Corporation. Copyright 2009, The MITRE Corporation. CAPEC and the CAPEC logo are trademarks of The MITRE Corporation. Contact capec@mitre.org for more information.	Privacy policy Terms of use Contact us