Home > CAPEC List > CAPEC-242: Code Injection (Version 2.10)  

CAPEC-242: Code Injection

 
Code Injection
Definition in a New Window Definition in a New Window
Attack Pattern ID: 242
Abstraction: Meta
Status: Stable
Completeness: Complete
Presentation Filter:
+ Summary

An adversary exploits a weakness in input validation on the target to inject new code into that which is currently executing. This differs from code inclusion in that code inclusion involves the addition or replacement of a reference to a code file, which is subsequently loaded by the target and used as part of the code of some application.

+ Attack Prerequisites
  • The target software does not validate user-controlled input such that the execution of a process may be altered by sending code in through legitimate data channels, using no other mechanism.

+ Typical Severity

High

+ Typical Likelihood of Exploit

Likelihood: High

+ Solutions and Mitigations

Utilize strict type, character, and encoding enforcement

Ensure all input content that is delivered to client is sanitized against an acceptable content specification.

Perform input validation for all content.

Enforce regular patching of software.

+ Attack Motivation-Consequences
ScopeTechnical ImpactNote
Confidentiality
Integrity
Availability
"Varies by context"
Code Injection attack patterns can result in a wide variety of consequences and negatively affect all three elements of the security triad.
+ Content History
Submissions
SubmitterOrganizationDateSource
CAPEC Content TeamThe MITRE Corporation2014-06-23Internal_CAPEC_Team
Modifications
ModifierOrganizationDateCommentsSource
CAPEC Content TeamThe MITRE Corporation2017-05-01Updated Attack_Motivation-Consequences, Attack_Prerequisites, Related_Weaknesses, Solutions_and_Mitigations, Typical_Likelihood_of_Exploit, Typical_SeverityInternal
More information is available — Please select a different filter.
Page Last Updated or Reviewed: May 01, 2017