CAPEC-175: Code Inclusion

Description

An adversary exploits a weakness on the target to force arbitrary code to be retrieved locally or from a remote location and executed. This differs from code injection in that code injection involves the direct inclusion of code while code inclusion involves the addition or replacement of a reference to a code file, which is subsequently loaded by the target and used as part of the code of some application.

Extended Description

These 'FlashVars' are most often passed to the Flash file via URL arguments or from the Object or Embed tag within the embedding HTML document. If these FlashVars are not properly sanitized, an adversary may be able to embed malicious content (such as scripts) into the HTML document.

The injected parameters can also provide the adversary control over other objects within the Flash file as well as full control over the parent document's DOM model. As such, this is a form of HTTP parameter injection, but the abilities granted to the Flash document (such as access to a page's document model, including associated cookies) make this attack more flexible. Flash Parameter Injection attacks can also preface further attacks such as various forms of Cross-Site Scripting (XSS) attacks in addition to Session Hijacking attacks.

Severity :

Very High

Possibility :

Medium

Type :

Relationships with other CAPECs

This table shows the other attack patterns and high level categories that are related to this attack pattern.

CAPEC-234: Hijacking a privileged process Hijacking a privileged process CAPEC-251: Local Code Inclusion Local Code Inclusion CAPEC-253: Remote Code Inclusion Remote Code Inclusion

Prerequisites

This table shows the other attack patterns and high level categories that are related to this attack pattern.

The target application must include external code/libraries that are executed when the application runs and the adversary must be able to influence the specific files that get included.
The victim must run the targeted application, possibly using the crafted parameters that the adversary uses to identify the code to include.

Skills required

This table shows the other attack patterns and high level categories that are related to this attack pattern.

Taxonomy mappings

Mappings to ATT&CK, OWASP and other frameworks.

Resources required

The adversary may need the capability to host code modules if they wish their own code files to be included.

Related CWE

A Related Weakness relationship associates a weakness with this attack pattern. Each association implies a weakness that must exist for a given attack to be successful.

CWE-829: Inclusion of Functionality from Untrusted Control Sphere

Visit http://capec.mitre.org/ for more details.