CAPEC-650: Upload a Web Shell to a Web Server
By exploiting insufficient permissions, it is possible to upload a web shell to a web server in such a way that it can be executed remotely. This shell can have various capabilities, thereby acting as a "gateway" to the underlying web server. The shell might execute at the higher permission level of the web server, providing the ability the execute malicious code at elevated levels.
Last updated
Overview
CAPEC-650 (Upload a Web Shell to a Web Server) is a detailed-level attack pattern catalogued by MITRE in the Common Attack Pattern Enumeration and Classification (CAPEC). It describes a recurring method attackers use to exploit software weaknesses.
What the attacker needs
Prerequisites
- The web server is susceptible to one of the various web application exploits that allows for uploading a shell file.
Consequences
What a successful CAPEC-650 attack can achieve.
Read Data
Affects: Confidentiality
Gain Privileges
Affects: Confidentiality, Access Control, Authorization
Execute Unauthorized Commands
Affects: Confidentiality, Integrity, Availability
How to mitigate it
Defenses that reduce the risk of CAPEC-650.
- Make sure your web server is up-to-date with all patches to protect against known vulnerabilities.
- Ensure that the file permissions in directories on the web server from which files can be execute is set to the "least privilege" settings, and that those directories contents is controlled by an allowlist.
Terminology & mappings
Mapped taxonomies
- ATTACK: Server Software Component:Web Shell (1505.003)
Frequently asked questions
Common questions about CAPEC-650.
- What is CAPEC-650?
- By exploiting insufficient permissions, it is possible to upload a web shell to a web server in such a way that it can be executed remotely. This shell can have various capabilities, thereby acting as a "gateway" to the underlying web server. The shell might execute at the higher permission level of the web server, providing the ability the execute malicious code at elevated levels.
- How do you prevent CAPEC-650?
- Make sure your web server is up-to-date with all patches to protect against known vulnerabilities.
- What weaknesses does CAPEC-650 target?
- CAPEC-650 exploits 2 CWE weaknesses, including CWE-287 (Improper Authentication), CWE-553 (Command Shell in Externally Accessible Directory).
- How severe is CAPEC-650?
- MITRE rates CAPEC-650 as High severity.
References
Attack-pattern data is sourced from the MITRE CAPEC catalog (v3.9). Weakness associations link to the corresponding CWE entries on RadicalNotion.AI.
Defend against CAPEC-650
Track the CVEs and weaknesses attackers exploit with this technique, with AI-written analysis and remediation guidance.