CAPEC-242: Code Injection
An adversary exploits a weakness in input validation on the target to inject new code into that which is currently executing. This differs from code inclusion in that code inclusion involves the addition or replacement of a reference to a code file, which is subsequently loaded by the target and used as part of the code of some application.
Last updated
Overview
CAPEC-242 (Code Injection) is a meta-level attack pattern catalogued by MITRE in the Common Attack Pattern Enumeration and Classification (CAPEC). It describes a recurring method attackers use to exploit software weaknesses.
What the attacker needs
Prerequisites
- The target software does not validate user-controlled input such that the execution of a process may be altered by sending code in through legitimate data channels, using no other mechanism.
Consequences
What a successful CAPEC-242 attack can achieve.
Other
Affects: Confidentiality, Integrity, Availability
Code Injection attack patterns can result in a wide variety of consequences and negatively affect all three elements of the security triad.
How to mitigate it
Defenses that reduce the risk of CAPEC-242.
- Utilize strict type, character, and encoding enforcement
- Ensure all input content that is delivered to client is sanitized against an acceptable content specification.
- Perform input validation for all content.
- Enforce regular patching of software.