CAPEC-240: Resource Injection (Version 2.10)

Attack Pattern ID: 240
Abstraction: Meta
Status: Stable
Completeness: Complete
+ Summary

An adversary exploits weaknesses in input validation by manipulating resource identifiers, enabling the unintended modification or specification of a resource.

+ Attack Prerequisites
  • The target application allows the user to specify the identifier used to access a system resource. Through this permission, the user gains the capability to perform actions on that resource (e.g., overwrite the file).

+ Typical Severity

High

+ Typical Likelihood of Exploit

Likelihood: High

+ Solutions and Mitigations

Ensure all input content that is delivered to the client is sanitized against an acceptable content specification.

Perform input validation for all content.

Enforce regular patching of software.
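
The input-validation mitigation applied to the prerequisite above (a user-specified identifier selecting a system resource), as an added example that is not part of the CAPEC entry. The identifier specification `ID_SPEC`, the `uploads` directory and all sample identifiers are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Assumed "acceptable content specification" for an identifier: a short, flat file name.
ID_SPEC = re.compile(r"[A-Za-z0-9_-][A-Za-z0-9._-]{0,63}")

def is_inside(base_dir, path):
    """True when path, with symlinks resolved, lies within base_dir."""
    base = os.path.realpath(base_dir)
    return os.path.commonpath([base, os.path.realpath(path)]) == base

def resolve_unchecked(base_dir, identifier):
    """Weak form: the user-supplied identifier selects the resource directly."""
    return os.path.join(base_dir, identifier)

def resolve_checked(base_dir, identifier):
    """Hardened form: match the specification, then confirm containment."""
    if not ID_SPEC.fullmatch(identifier):
        raise ValueError("identifier does not match the accepted specification")
    target = os.path.join(base_dir, identifier)
    # A well-formed name can still be a symlink that leaves base_dir.
    if not is_inside(base_dir, target):
        raise ValueError("identifier resolves outside the permitted directory")
    return os.path.realpath(target)

def demo():
    """Return {label: (unchecked_stays_inside, checked_accepts)} for constructed inputs."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        base = os.path.join(root, "uploads")
        os.mkdir(base)
        samples = {"plain": "report.txt", "parent": "../settings.cfg",
                   "absolute": os.path.join(root, "settings.cfg")}
        try:
            os.symlink(root, os.path.join(base, "link"))  # constructed symlink
            samples["symlink"] = "link"
        except OSError:
            pass  # platform or account without symlink support
        for label, ident in samples.items():
            try:
                ok = bool(resolve_checked(base, ident))
            except ValueError:
                ok = False
            results[label] = (is_inside(base, resolve_unchecked(base, ident)), ok)
    return results

if __name__ == "__main__":
    print(demo())
```

The symlink case shows why the pattern match alone is not sufficient: the name `link` satisfies the specification and is rejected only by the containment check on the resolved path.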

+ Attack Motivation-Consequences
Scope | Technical Impact | Note
Confidentiality | Read application data; Read files or directories |
Integrity | Modify application data; Modify files or directories |

+ Content History
Submissions
Submitter | Organization | Date | Source
CAPEC Content Team | The MITRE Corporation | 2014-06-23 | Internal_CAPEC_Team

Modifications
Modifier | Organization | Date | Comments | Source
CAPEC Content Team | The MITRE Corporation | 2015-12-07 | Updated Description, Description Summary | Internal
CAPEC Content Team | The MITRE Corporation | 2017-05-01 | Updated Attack_Motivation-Consequences, Attack_Prerequisites, Related_Weaknesses, Solutions_and_Mitigations, Typical_Likelihood_of_Exploit, Typical_Severity | Internal

Page Last Updated or Reviewed: May 01, 2017