CAPEC-240: Resource Injection
An adversary exploits weaknesses in input validation by manipulating resource identifiers enabling the unintended modification or specification of a resource.
Last updated
Overview
CAPEC-240 (Resource Injection) is a meta-level attack pattern catalogued by MITRE in the Common Attack Pattern Enumeration and Classification (CAPEC). It describes a recurring method attackers use to exploit software weaknesses.
What the attacker needs
Prerequisites
- The target application allows the user to both specify the identifier used to access a system resource. Through this permission, the user gains the capability to perform actions on that resource (e.g., overwrite the file)
Consequences
What a successful CAPEC-240 attack can achieve.
Read Data
Affects: Confidentiality
Modify Data
Affects: Integrity
How to mitigate it
Defenses that reduce the risk of CAPEC-240.
- Ensure all input content that is delivered to client is sanitized against an acceptable content specification.
- Perform input validation for all content.
- Enforce regular patching of software.