CAPEC-242 Metadata
Likelihood of Attack
High
Typical Severity
High
Overview
Summary
An adversary exploits a weakness in input validation on the target to inject new code into that which is currently executing. This differs from code inclusion in that code inclusion involves the addition or replacement of a reference to a code file, which is subsequently loaded by the target and used as part of the code of some application.
Prerequisites
The target software does not validate user-controlled input such that the execution of a process may be altered by sending code in through legitimate data channels, using no other mechanism.
Potential Solutions / Mitigations
Utilize strict type, character, and encoding enforcement Ensure all input content that is delivered to client is sanitized against an acceptable content specification. Perform input validation for all content. Enforce regular patching of software.
Related Weaknesses (CWE)
| CWE ID | Description |
|---|---|
| CWE-94 | Improper Control of Generation of Code ('Code Injection') |
Taxonomy Mappings
Taxonomy: OWASP Attacks
| Entry ID | Entry Name |
|---|---|
| Link | Code Injection |
Stay Ahead of Attack Patterns
Understanding CAPEC patterns helps security professionals anticipate and thwart potential attacks. Leverage these insights to enhance threat modeling, strengthen your software development lifecycle, and train your security teams effectively.