CAPEC-248 Metadata
Likelihood of Attack
Medium
Typical Severity
High
Overview
Summary
An adversary looking to execute a command of their choosing, injects new items into an existing command thus modifying interpretation away from what was intended. Commands in this context are often standalone strings that are interpreted by a downstream component and cause specific responses. This type of attack is possible when untrusted values are used to build these command strings. Weaknesses in input validation or command construction can enable the attack and lead to successful exploitation.
Prerequisites
The target application must accept input from the user and then use this input in the construction of commands to be executed. In virtually all cases, this is some form of string input that is concatenated to a constant string defined by the application to form the full command to be executed.
Potential Solutions / Mitigations
All user-controllable input should be validated and filtered for potentially unwanted characters. Using an allowlist for input is desired, but if use of a denylist approach is necessary, then focusing on command related terms and delimiters is necessary. Input should be encoded prior to use in commands to make sure command related characters are not treated as part of the command. For example, quotation characters may need to be encoded so that the application does not treat the quotation as a delimiter. Input should be parameterized, or restricted to data sections of a command, thus removing the chance that the input will be treated as part of the command itself.
Related Weaknesses (CWE)
| CWE ID | Description |
|---|---|
| CWE-77 | Improper Neutralization of Special Elements used in a Command ('Command Injection') |
Taxonomy Mappings
Taxonomy: OWASP Attacks
| Entry ID | Entry Name |
|---|---|
| Link | Command Injection |
Stay Ahead of Attack Patterns
Understanding CAPEC patterns helps security professionals anticipate and thwart potential attacks. Leverage these insights to enhance threat modeling, strengthen your software development lifecycle, and train your security teams effectively.