CAPEC-253: Remote Code Inclusion

Standard Draft

CAPEC版本: 3.9

更新日期: 2023-01-24

攻击模式描述

The attacker forces an application to load arbitrary code files from a remote location. The attacker could use this to try to load old versions of library files that have known vulnerabilities, to load malicious files that the attacker placed on the remote machine, or to otherwise change the functionality of the targeted application in unexpected ways.

前提条件

Target application server must allow remote files to be included.The malicious file must be placed on the remote machine previously.

缓解措施

Minimize attacks by input validation and sanitization of any user data that will be used by the target application to locate a remote file to be included.

分类映射

分类名称	条目ID	条目名称
WASC	05	Remote File Inclusion

关键信息

CAPEC ID: CAPEC-253

抽象级别: Standard

状态: Draft

CAPEC-253: Remote Code Inclusion

攻击模式描述

前提条件

缓解措施

分类映射

关键信息

相关攻击模式

相关CWE弱点

CAPEC-253: Remote Code Inclusion

攻击模式描述

前提条件

缓解措施

分类映射

关键信息

相关攻击模式

ChildOf CAPEC-175

CanPrecede CAPEC-664

相关CWE弱点