CAPEC-6: Argument Injection
An attacker changes the behavior or state of a targeted application through injecting data or command syntax through the targets use of non-validated and non-filtered arguments of exposed services or methods.
Last updated
Overview
CAPEC-6 (Argument Injection) is a standard-level attack pattern catalogued by MITRE in the Common Attack Pattern Enumeration and Classification (CAPEC). It describes a recurring method attackers use to exploit software weaknesses.
How the attack works
The phases an attacker typically follows to carry out this attack.
- Step 1Explore
[Discovery of potential injection vectors] Using an automated tool or manual discovery, the attacker identifies services or methods with arguments that could potentially be used as injection vectors (OS, API, SQL procedures, etc.).
- Manually cover the application and record the possible places where arguments could be passed into external systems.
- Use a spider, for web applications, to create a list of URLs and associated inputs.
- Step 2Experiment
[1. Attempt variations on argument content] Possibly using an automated tool, the attacker will perform injection variations of the arguments.
- Use a very large list of probe strings in order to detect if there is a positive result, and, what type of system has been targeted (if obscure).
- Use a proxy tool to record results, error messages and/or log if accessible.
- Step 3Exploit
[Abuse of the application] The attacker injects specific syntax into a particular argument in order to generate a specific malicious effect in the targeted application.
- Manually inject specific payload into targeted argument.
What the attacker needs
Prerequisites
- Target software fails to strip all user-supplied input of any content that could cause the shell to perform unexpected actions.
- Software must allow for unvalidated or unfiltered input to be executed on operating system shell, and, optionally, the system configuration must allow for output to be sent back to client.
Skills required
- Medium skill: The attacker has to identify injection vector, identify the operating system-specific commands, and optionally collect the output.
Resources required
- Ability to communicate synchronously or asynchronously with server. Optionally, ability to capture output directly through synchronous communication or other method such as FTP.
Consequences
What a successful CAPEC-6 attack can achieve.
Gain Privileges
Affects: Confidentiality, Access Control, Authorization
Modify Data
Affects: Integrity
Read Data
Affects: Confidentiality
How to mitigate it
Defenses that reduce the risk of CAPEC-6.
- Design: Do not program input values directly on command shell, instead treat user input as guilty until proven innocent. Build a function that takes user input and converts it to applications specific types and values, stripping or filtering out all unauthorized commands and characters in the process.
- Design: Limit program privileges, so if metacharacters or other methods circumvent program input validation routines and shell access is attained then it is not running under a privileged account. chroot jails create a sandbox for the application to execute in, making it more difficult for an attacker to elevate privilege even in the case that a compromise has occurred.
- Implementation: Implement an audit log that is written to a separate host, in the event of a compromise the audit log may be able to provide evidence and details of the compromise.
Examples
A recent example instance of argument injection occurred against Java Web Start technology, which eases the client side deployment for Java programs. The JNLP files that are used to describe the properties for the program. The client side Java runtime used the arguments in the property setting to define execution parameters, but if the attacker appends commands to an otherwise legitimate property file, then these commands are sent to the client command shell. [REF-482]
Frequently asked questions
Common questions about CAPEC-6.
- What is CAPEC-6?
- An attacker changes the behavior or state of a targeted application through injecting data or command syntax through the targets use of non-validated and non-filtered arguments of exposed services or methods.
- How does a Argument Injection attack work?
- It typically unfolds over 3 phases. It begins with: [Discovery of potential injection vectors] Using an automated tool or manual discovery, the attacker identifies services or methods with arguments that could potentially be used as injection vectors (OS, API, SQL procedures, etc.).
- How do you prevent CAPEC-6?
- Design: Do not program input values directly on command shell, instead treat user input as guilty until proven innocent. Build a function that takes user input and converts it to applications specific types and values, stripping or filtering out all unauthorized commands and characters in the process.
- What weaknesses does CAPEC-6 target?
- CAPEC-6 exploits 6 CWE weaknesses, including CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')), CWE-78 (Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')), CWE-146 (Improper Neutralization of Expression/Command Delimiters), CWE-184 (Incomplete List of Disallowed Inputs).
- How severe is CAPEC-6?
- MITRE rates CAPEC-6 as High severity with high likelihood of attack.
References
Attack-pattern data is sourced from the MITRE CAPEC catalog (v3.9). Weakness associations link to the corresponding CWE entries on RadicalNotion.AI.
Defend against CAPEC-6
Track the CVEs and weaknesses attackers exploit with this technique, with AI-written analysis and remediation guidance.