Home > CAPEC List > CAPEC-152: Injection (Version 2.4)  

CAPEC CATEGORY: Injection

 
Injection
Definition in a New Window Definition in a New Window
Category ID: 152
 
Status: Draft
+ Description

Summary

An attacker is able to control or disrupt the behavior of an target through crafted input data submitted using an interface functioning to process data input. This happens when the attacker adds material to their input that is interpreted by the application causing the targeted application to perform steps unintended by the application manager or causing the application to enter an unstable state. This attack differs from Data Structure Attacks in that the latter attacks subvert the underlying structures that hold user-provided data, either pre-empting interpretation of the input (in the case of Buffer Overflows) or resulting in values that the targeted application is unable to handle correctly (in the case of Integer Overflows). In Injection attacks, the input is interpreted by the application, but the attacker has included instructions to the interpreting functions that the target application then follows.
+ Attack Prerequisites
  • The target application must accept input from the user. In virtually all cases, this must be string input.

  • The attacker must fail to adequately filter the user input against the insertion of instructions to the input interpreter.

+ Resources Required

No special resources are required for most variants of this attack.

+ Relationships
NatureTypeIDNameView(s) this relationship pertains toView(s)
ParentOfAttack PatternAttack Pattern5Analog In-band Switching Signals (aka Blue Boxing)
Mechanisms of Attack (primary)1000
ParentOfAttack PatternAttack Pattern66SQL Injection
Mechanisms of Attack (primary)1000
ParentOfAttack PatternAttack Pattern127Directory Indexing
Mechanisms of Attack (primary)1000
ParentOfAttack PatternAttack Pattern134Email Injection
Mechanisms of Attack (primary)1000
ParentOfAttack PatternAttack Pattern135Format String Injection
Mechanisms of Attack (primary)1000
ParentOfAttack PatternAttack Pattern136LDAP Injection
Mechanisms of Attack (primary)1000
ParentOfAttack PatternAttack Pattern137Parameter Injection
Mechanisms of Attack (primary)1000
ParentOfAttack PatternAttack Pattern138Reflection Injection
Mechanisms of Attack (primary)1000
ParentOfAttack PatternAttack Pattern175Code Inclusion
Mechanisms of Attack (primary)1000
ParentOfAttack PatternAttack Pattern182Flash Injection
Mechanisms of Attack (primary)1000
ParentOfAttack PatternAttack Pattern240Resource Injection
Mechanisms of Attack (primary)1000
ParentOfAttack PatternAttack Pattern242Script Injection
Mechanisms of Attack (primary)1000
ParentOfAttack PatternAttack Pattern248Command Injection
Mechanisms of Attack (primary)1000
ParentOfAttack PatternAttack Pattern249Character Injection
Mechanisms of Attack (primary)1000
ParentOfAttack PatternAttack Pattern250XML Injection
Mechanisms of Attack (primary)1000
ParentOfCategoryCategory253Remote Code Inclusion
Mechanisms of Attack1000
ParentOfAttack PatternAttack Pattern254DTD Injection in a SOAP Message
Mechanisms of Attack (primary)1000
MemberOfViewView1000Mechanisms of Attack
Mechanisms of Attack1000
+ Content History
Previous Entry Names
DatePrevious Entry Name
2014-04-10Injection (Injecting Control Plane content through the Data Plane)

Page Last Updated: April 10, 2014