CAPEC-240: Resource Injection
An adversary exploits weaknesses in input validation by manipulating resource identifiers enabling the unintended modification or specification of a resource.
Last updated
Overview
CAPEC-240 (Resource Injection) is a meta-level attack pattern catalogued by MITRE in the Common Attack Pattern Enumeration and Classification (CAPEC). It describes a recurring method attackers use to exploit software weaknesses.
What the attacker needs
Prerequisites
- The target application allows the user to both specify the identifier used to access a system resource. Through this permission, the user gains the capability to perform actions on that resource (e.g., overwrite the file)
Consequences
What a successful CAPEC-240 attack can achieve.
Read Data
Affects: Confidentiality
Modify Data
Affects: Integrity
How to mitigate it
Defenses that reduce the risk of CAPEC-240.
- Ensure all input content that is delivered to client is sanitized against an acceptable content specification.
- Perform input validation for all content.
- Enforce regular patching of software.
Terminology & mappings
Mapped taxonomies
- OWASP Attacks: Resource Injection
Frequently asked questions
Common questions about CAPEC-240.
- What is CAPEC-240?
- An adversary exploits weaknesses in input validation by manipulating resource identifiers enabling the unintended modification or specification of a resource.
- How do you prevent CAPEC-240?
- Ensure all input content that is delivered to client is sanitized against an acceptable content specification.
- What weaknesses does CAPEC-240 target?
- CAPEC-240 exploits 1 CWE weakness, including CWE-99 (Improper Control of Resource Identifiers ('Resource Injection')).
- How severe is CAPEC-240?
- MITRE rates CAPEC-240 as High severity with high likelihood of attack.
References
Attack-pattern data is sourced from the MITRE CAPEC catalog (v3.9). Weakness associations link to the corresponding CWE entries on RadicalNotion.AI.
Defend against CAPEC-240
Track the CVEs and weaknesses attackers exploit with this technique, with AI-written analysis and remediation guidance.