CAPEC-248 Detail

Command Injection

Abstraction: Meta | Domain: Software | Likelihood: Medium | Typical Severity: High

Children: CAPEC-40, CAPEC-66, CAPEC-88, CAPEC-136, CAPEC-183, CAPEC-250, CAPEC-676

Threats: T254 T255 T256 T259 T268 T290 T298 T299 T300 T303 T312

Description

An adversary who wants to execute a command of their choosing injects new items into an existing command, changing how it is interpreted away from what was intended. Commands in this context are usually standalone strings that a downstream component interprets and that cause specific responses. The attack is possible when untrusted values are used to build those command strings; weaknesses in input validation or in command construction enable it and can lead to successful exploitation.


References

External ID | Source | Link | Description
CAPEC-248 | capec | https://capec.mitre.org/data/definitions/248.html |
CWE-77 | cwe | http://cwe.mitre.org/data/definitions/77.html |
OWASP Attacks | | https://owasp.org/www-community/attacks/Command_Injection | Command Injection
REF-615 | reference_from_CAPEC | https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/12-Testing_for_Command_Injection.html | OWASP Web Security Testing Guide, The Open Web Application Security Project (OWASP)

Prerequisites

  1. The target application must accept input from the user and then use this input in the construction of commands to be executed. In virtually all cases, this is some form of string input that is concatenated to a constant string defined by the application to form the full command to be executed.
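As an added example (not part of the CAPEC entry or the referenced OWASP material), the prerequisite above in Python: the concatenation pattern it describes next to a hardened builder that validates the untrusted value against an allowlist and passes it as a single argv element so no shell ever parses it. The ping wrapper and the hostname pattern are assumptions chosen for illustration, not something the entry specifies.

```python
import re
import subprocess
from typing import List

# Allowlist for a plain DNS hostname (assumption: this application only ever
# needs hostnames, not IPv6 literals or URLs). A leading hyphen is excluded as
# well, so the value can never be parsed as an option by the called program.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def build_command_unsafe(host: str) -> str:
    """The prerequisite pattern: untrusted input concatenated onto a constant
    string. If this string is handed to a shell (e.g. shell=True), anything
    the shell treats as syntax inside `host` changes what gets executed."""
    return "ping -c 1 " + host


def validate_hostname(host: str) -> str:
    """Reject anything outside the allowlist instead of trying to escape it."""
    if not _HOSTNAME_RE.fullmatch(host):
        raise ValueError(f"rejected hostname: {host!r}")
    return host


def build_command_safe(host: str) -> List[str]:
    """Hardened form: validated value placed in an argv list. With no shell
    involved, `host` can only ever be one argument to ping."""
    return ["ping", "-c", "1", validate_hostname(host)]


def run_ping(host: str) -> subprocess.CompletedProcess:
    # shell=False is the default for a list; metacharacters are never interpreted.
    return subprocess.run(build_command_safe(host), capture_output=True,
                          text=True, check=False)
```

Pair the allowlist with a log line on every ValueError: a burst of rejected hostnames from one source is a cheap detection signal for probing of this weakness.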

Consequences

Scope: Integrity, Availability, Confidentiality
Impact: Execute Unauthorized Commands
Note: A successful command injection attack enables an adversary to alter the command being executed and achieve a variety of negative consequences depending on the makeup of the new command. This includes potential information disclosure or the corruption of application data.
