New to CAPEC? Start Here
Home > CAPEC List > CAPEC-242: Code Injection (Version 3.9)  

CAPEC-242: Code Injection

Attack Pattern ID: 242
Abstraction: Meta
View customized information:
+ Description
An adversary exploits a weakness in input validation on the target to inject new code into that which is currently executing. This differs from code inclusion in that code inclusion involves the addition or replacement of a reference to a code file, which is subsequently loaded by the target and used as part of the code of some application.
+ Likelihood Of Attack

High

+ Typical Severity

High

+ Relationships
Section HelpThis table shows the other attack patterns and high level categories that are related to this attack pattern. These relationships are defined as ChildOf and ParentOf, and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as CanFollow, PeerOf, and CanAlsoBe are defined to show similar attack patterns that the user may want to explore.
NatureTypeIDName
ParentOfStandard Attack PatternStandard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.19Embedding Scripts within Scripts
ParentOfStandard Attack PatternStandard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.23File Content Injection
ParentOfDetailed Attack PatternDetailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.41Using Meta-characters in E-mail Headers to Inject Malicious Payloads
ParentOfStandard Attack PatternStandard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.63Cross-Site Scripting (XSS)
ParentOfStandard Attack PatternStandard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.468Generic Cross-Browser Cross-Domain Theft
CanPrecedeStandard Attack PatternStandard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.234Hijacking a privileged process
Section HelpThis table shows the views that this attack pattern belongs to and top level categories within that view.
+ Prerequisites
The target software does not validate user-controlled input such that the execution of a process may be altered by sending code in through legitimate data channels, using no other mechanism.
+ Consequences
Section HelpThis table specifies different individual consequences associated with the attack pattern. The Scope identifies the security property that is violated, while the Impact describes the negative technical impact that arises if an adversary succeeds in their attack. The Likelihood provides information about how likely the specific consequence is expected to be seen relative to the other consequences in the list. For example, there may be high likelihood that a pattern will be used to achieve a certain impact, but a low likelihood that it will be exploited to achieve a different impact.
ScopeImpactLikelihood
Confidentiality
Integrity
Availability
Other
+ Mitigations
Utilize strict type, character, and encoding enforcement
Ensure all input content that is delivered to client is sanitized against an acceptable content specification.
Perform input validation for all content.
Enforce regular patching of software.
+ Taxonomy Mappings
Relevant to the OWASP taxonomy mapping
Entry Name
Code Injection
+ References
[REF-612] "OWASP Web Security Testing Guide". Testing for Code Injection. The Open Web Application Security Project (OWASP). <https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/11-Testing_for_Code_Injection.html>.
+ Content History
Submissions
Submission DateSubmitterOrganization
2014-06-23
(Version 2.6)
CAPEC Content TeamThe MITRE Corporation
Modifications
Modification DateModifierOrganization
2017-05-01
(Version 2.10)
CAPEC Content TeamThe MITRE Corporation
Updated Attack_Motivation-Consequences, Attack_Prerequisites, Related_Weaknesses, Solutions_and_Mitigations, Typical_Likelihood_of_Exploit, Typical_Severity
2019-04-04
(Version 3.1)
CAPEC Content TeamThe MITRE Corporation
Updated Related_Weaknesses
2020-12-17
(Version 3.4)
CAPEC Content TeamThe MITRE Corporation
Updated References, Taxonomy_Mappings
More information is available — Please select a different filter.
Page Last Updated or Reviewed: July 31, 2018