CAPEC-6: Argument Injection
Description
Extended Description
Initially presented by an adversary to the vulnerable web application, the malicious script is incorrectly considered valid input and is not properly encoded by the web application. A victim is then convinced to use the web application in a way that creates a response that includes the malicious script. This response is subsequently sent to the victim and the malicious script is executed by the victim's browser. To launch a successful Stored XSS attack, an adversary looks for places where stored input data is used in the generation of a response. This often involves elements that are not expected to host scripts such as image tags (<img>), or the addition of event attributes such as onload and onmouseover. These elements are often not subject to the same input validation, output encoding, and other content filtering and checking routines.
Severity: High
Possibility: High
Type: Standard
Relationships with other CAPECs
This table shows the other attack patterns and high level categories that are related to this attack pattern.
Prerequisites
- Target software fails to strip all user-supplied input of any content that could cause the shell to perform unexpected actions.
- Software must allow unvalidated or unfiltered input to be executed on the operating system shell, and, optionally, the system configuration must allow output to be sent back to the client.
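The two prerequisites above describe a program that passes an untrusted value into a command line without neutralizing it. The following is an added example (not part of the CAPEC entry) that contrasts three ways of building that command line: plain string concatenation, shell quoting, and an argument vector with the `--` end-of-options separator. The command name `tool` and its option parser are hypothetical stand-ins constructed for the example; the parser follows the getopt convention that `--` ends option parsing.

```python
import shlex

# Shell metacharacters that should never reach a shell from untrusted input.
SHELL_META = set(';|&$`<>(){}\n"\'\\')


def parse_tool_args(argv):
    """Stand-in for a downstream command's option parser (constructed for this
    example). Tokens starting with "--" are options; a bare "--" ends option
    parsing so everything after it is positional, whatever it starts with."""
    opts, positionals = {}, []
    rest = list(argv)
    while rest:
        tok = rest.pop(0)
        if tok == "--":
            positionals.extend(rest)
            break
        if tok.startswith("--"):
            name, sep, value = tok[2:].partition("=")
            opts[name] = value if sep else True
        else:
            positionals.append(tok)
    return opts, positionals


def build_unsafe(user_value):
    """Vulnerable: the value is concatenated into a command string and then
    word-split the way a shell would, so whitespace inside it yields extra
    arguments and a leading '-' yields extra options."""
    return shlex.split("tool " + user_value)


def build_quoted(user_value):
    """Still vulnerable to argument injection: quoting stops word splitting and
    shell metacharacters, but the single argument is still parsed as an option."""
    return shlex.split("tool " + shlex.quote(user_value))


def build_safe(user_value):
    """Hardened: argument vector (no shell) plus the '--' separator, so the
    value is always a positional argument even if it starts with '-'."""
    return ["tool", "--", user_value]


def validate_argument(user_value):
    """Defence in depth: reject option-looking values and shell metacharacters
    before they reach any command, even one built with build_safe."""
    if user_value.startswith("-"):
        raise ValueError("argument may not start with '-': %r" % user_value)
    bad = SHELL_META.intersection(user_value)
    if bad:
        raise ValueError("shell metacharacters in argument: %r" % sorted(bad))
    return user_value


def is_rejected(user_value):
    """True if validate_argument refuses the value."""
    try:
        validate_argument(user_value)
    except ValueError:
        return True
    return False


def run_tool(argv):
    """Parse argv[1:] as the hypothetical tool would; returns (opts, positionals)."""
    return parse_tool_args(argv[1:])


if __name__ == "__main__":
    # Constructed attacker-style input: an option followed by a second word.
    injected = "--output=/tmp/evil report.txt"
    for builder in (build_unsafe, build_quoted, build_safe):
        print(builder.__name__, run_tool(builder(injected)))
    print("rejected by validator:", is_rejected(injected))
```

Running the block shows the distinction that matters for this pattern: `build_unsafe` turns one untrusted value into an option and a separate positional argument, `build_quoted` removes the word split but the value still lands in the tool's option parser, and only `build_safe` (or rejecting option-like input up front) keeps it a literal argument. Validation remains worthwhile alongside `--` because not every downstream program honours that separator.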
Skills required
- Medium: The attacker has to identify the injection vector, identify the operating system-specific commands, and optionally collect the output.
Taxonomy mappings
Mappings to ATT&CK, OWASP and other frameworks.
Resources required
Ability to communicate synchronously or asynchronously with the server. Optionally, ability to capture output directly through synchronous communication or by another method such as FTP.
Related CWE
A Related Weakness relationship associates a weakness with this attack pattern. Each association implies a weakness that must exist for a given attack to be successful.
CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CWE-146: Improper Neutralization of Expression/Command Delimiters
CWE-184: Incomplete List of Disallowed Inputs
CWE-185: Incorrect Regular Expression
CWE-697: Incorrect Comparison
Visit http://capec.mitre.org/ for more details.