Byte Open Security (ByteOS Network)
CAPEC-242: Code Injection
Attack Pattern ID: 242
Version: v3.9
Attack Pattern Name: Code Injection
Abstraction: Meta
Status: Stable
Likelihood of Attack: High
Typical Severity: High
▼Description
An adversary exploits a weakness in input validation on the target to inject new code into that which is currently executing. This differs from code inclusion in that code inclusion involves the addition or replacement of a reference to a code file, which is subsequently loaded by the target and used as part of the code of some application.
▼Extended Description
▼Alternate Terms
▼Relationships
Nature     Type      ID    Name
ParentOf   Standard  19    Embedding Scripts within Scripts
ParentOf   Standard  23    File Content Injection
ParentOf   Detailed  41    Using Meta-characters in E-mail Headers to Inject Malicious Payloads
ParentOf   Standard  63    Cross-Site Scripting (XSS)
ParentOf   Standard  468   Generic Cross-Browser Cross-Domain Theft
CanFollow  Standard  234   Hijacking a privileged process
▼Execution Flow
▼Prerequisites
The target software does not validate user-controlled input such that the execution of a process may be altered by sending code in through legitimate data channels, using no other mechanism.
▼Skills Required
▼Resources Required
▼Indicators
▼Consequences
Scope: Confidentiality, Integrity, Availability
Likelihood: N/A
Impact: Other
Note: Code Injection attack patterns can result in a wide variety of consequences and negatively affect all three elements of the security triad.
▼Mitigations
Utilize strict type, character, and encoding enforcement.
Ensure all input content that is delivered to client is sanitized against an acceptable content specification.
Perform input validation for all content.
Enforce regular patching of software.
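An added example in Python, not part of the CAPEC entry or the ByteOS page, showing the input-validation gap the prerequisite describes and how the mitigations above close it. A constructed expression evaluator hands user text straight to the interpreter; the hardened version next to it enforces type and length, a character allowlist, and a structural allowlist over the parsed syntax tree (the "acceptable content specification"). The function names, the calculator scenario, and the sample inputs are assumptions made for illustration.

```python
"""
Added example (not CAPEC's or ByteOS's code): a code-injection sink (CWE-94)
beside a hardened evaluator that applies the mitigations listed above.
The calculator scenario and all inputs are constructed for illustration.
"""
import ast
import operator


def evaluate_unsafe(expression: str) -> float:
    """Vulnerable form: the data channel (an arithmetic expression) is passed
    directly to the interpreter, so it can carry arbitrary code (CWE-94)."""
    return eval(expression)  # CWE-94 sink, kept only for contrast


# Acceptable content specification: numeric literals and basic arithmetic.
_ALLOWED_BINOPS = {
    ast.Add: operator.add,
    ast.Sub: operator.sub,
    ast.Mult: operator.mul,
    ast.Div: operator.truediv,
    ast.Mod: operator.mod,
}
_ALLOWED_UNARYOPS = {ast.USub: operator.neg, ast.UAdd: operator.pos}
# No letters, quotes, dots-before-names, commas or brackets: nothing that can
# spell an identifier, a string, an attribute access or a call.
_ALLOWED_CHARS = set("0123456789.+-*/% ()")


class RejectedInput(ValueError):
    """Raised when input falls outside the acceptable content specification."""


def evaluate_safe(expression: str, max_len: int = 64) -> float:
    """Hardened form: strict type, character and structural enforcement."""
    # 1. Type and length enforcement.
    if not isinstance(expression, str) or len(expression) > max_len:
        raise RejectedInput("wrong type or too long")
    # 2. Character allowlist.
    bad = set(expression) - _ALLOWED_CHARS
    if bad:
        raise RejectedInput(f"disallowed characters: {sorted(bad)}")
    # 3. Structural validation: parse, then evaluate only allowlisted nodes.
    try:
        tree = ast.parse(expression, mode="eval")
    except SyntaxError as exc:
        raise RejectedInput("not a well-formed expression") from exc
    return _eval_node(tree.body)


def _eval_node(node: ast.AST) -> float:
    """Walk the syntax tree; anything outside the allowlist is refused."""
    if (isinstance(node, ast.Constant)
            and isinstance(node.value, (int, float))
            and not isinstance(node.value, bool)):
        return node.value
    if isinstance(node, ast.BinOp) and type(node.op) in _ALLOWED_BINOPS:
        return _ALLOWED_BINOPS[type(node.op)](
            _eval_node(node.left), _eval_node(node.right))
    if isinstance(node, ast.UnaryOp) and type(node.op) in _ALLOWED_UNARYOPS:
        return _ALLOWED_UNARYOPS[type(node.op)](_eval_node(node.operand))
    raise RejectedInput(f"disallowed syntax: {type(node).__name__}")


def classify(expression: str) -> str:
    """Return 'ok' or 'rejected'; the rejected case is what a defender would
    log and alert on (constructed helper)."""
    try:
        evaluate_safe(expression)
        return "ok"
    except RejectedInput:
        return "rejected"


if __name__ == "__main__":
    # Constructed sample inputs: two legitimate expressions, then inputs that
    # fail the character allowlist, the structural allowlist, and the parser.
    for expr in ["2 * (3 + 4)", "-7 % 3", "len('abc')", "2 ** 10", "1 + 1 +"]:
        print(f"{expr!r}: {classify(expr)}")
```

The three layers correspond to the mitigations in order: type and character enforcement reject most injected code before it is ever parsed, and the syntax-tree allowlist catches what the character filter alone would let through (for example exponentiation, which uses only permitted characters). Reusing the language's parser is preferable to a hand-written regular expression because the parser's notion of an expression is exactly the one the interpreter would apply.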
▼Example Instances
▼Related Weaknesses
ID: CWE-94
Name: Improper Control of Generation of Code ('Code Injection')
▼Taxonomy Mappings
Taxonomy Name: OWASP Attacks
Entry ID: N/A
Entry Name: Code Injection
▼Notes
▼References
Reference ID: REF-612
Title: OWASP Web Security Testing Guide
Publisher: The Open Web Application Security Project (OWASP)
URL: https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/11-Testing_for_Code_Injection.html