CAPEC-242: Code Injection
CAPEC版本: 3.9
更新日期: 2023-01-24
攻击模式描述
An adversary exploits a weakness in input validation on the target to inject new code into that which is currently executing. This differs from code inclusion in that code inclusion involves the addition or replacement of a reference to a code file, which is subsequently loaded by the target and used as part of the code of some application.
前提条件
- The target software does not validate user-controlled input such that the execution of a process may be altered by sending code in through legitimate data channels, using no other mechanism.
后果影响
影响范围: Confidentiality Integrity Availability
技术影响: Other
说明: Code Injection attack patterns can result in a wide variety of consequences and negatively affect all three elements of the security triad.
缓解措施
Utilize strict type, character, and encoding enforcement
Ensure all input content that is delivered to client is sanitized against an acceptable content specification.
Perform input validation for all content.
Enforce regular patching of software.
分类映射
| 分类名称 | 条目ID | 条目名称 |
|---|---|---|
| OWASP Attacks | - | Code Injection |