CAPEC-175: Code Inclusion (Version 2.10)
Attack Pattern ID: 175
Abstraction: Meta
Status: Stable
Completeness: Complete
+ Summary

An adversary exploits a weakness on the target to force arbitrary code to be retrieved locally or from a remote location and executed. This differs from code injection in that code injection involves the direct inclusion of code while code inclusion involves the addition or replacement of a reference to a code file, which is subsequently loaded by the target and used as part of the code of some application.

+ Attack Prerequisites
  • The target application must include external code/libraries that are executed when the application runs and the adversary must be able to influence the specific files that get included.

  • The victim must run the targeted application, possibly using the crafted parameters that the adversary uses to identify the code to include.

+ Typical Severity

Very High

+ Typical Likelihood of Exploit

Likelihood: Medium

+ Examples-Instances


One example of this type of attack pattern is PHP file include attacks where the parameter of an include() function is set by a variable that an attacker is able to control. The result is that arbitrary code could be loaded into the PHP application and executed.
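The PHP case above, shown as the weak pattern beside a hardened one. This is an added example, not part of the CAPEC entry; the `page` parameter, the `templates/` directory and the function names are hypothetical. Neither function calls include(); each only returns the path that would be loaded, so the difference can be inspected safely.

```php
<?php
declare(strict_types=1);

// Weak pattern from the paragraph above: the request value becomes part of
// the path handed to include(), so the caller decides which file runs as code.
function vulnerable_target(string $page): string
{
    return 'templates/' . $page . '.php';
}

// Hardened pattern: the request value is only a lookup key into a fixed map
// of files the application ships. Unknown keys resolve to nothing.
const PAGES = [
    'home'  => __DIR__ . '/templates/home.php',
    'about' => __DIR__ . '/templates/about.php',
];

function safe_target(string $page): ?string
{
    return PAGES[$page] ?? null;
}

// Constructed sample inputs standing in for $_GET['page'].
$samples = ['about', '../uploads/avatar', 'http://example.invalid/module'];

foreach ($samples as $input) {
    $safe = safe_target($input);
    printf(
        "%-32s weak => %-44s safe => %s\n",
        $input,
        vulnerable_target($input),
        $safe ?? '(rejected, serve 404)'
    );
}

// Defence in depth: keep allow_url_include = 0 in php.ini (the default) so
// include() cannot fetch remote locations even if a path check is missed.
```

Only the first sample maps to a file in the allowlist; the other two produce an include path under the weak pattern and are rejected by the hardened one.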

+ Resources Required

The adversary may need the capability to host code modules if they wish their own code files to be included.

+ Content History
CAPEC Content Team | The MITRE Corporation | 2014-06-23 | Internal_CAPEC_Team
CAPEC Content Team | The MITRE Corporation | 2017-05-01 | Updated Activation_Zone, Attack_Prerequisites, Description Summary, Examples-Instances, Injection_Vector, Payload, Payload_Activation_Impact, Related_Weaknesses, Resources_Required, Typical_Likelihood_of_Exploit | Internal
Page Last Updated or Reviewed: May 01, 2017