Dark Mode
Capec-6 Detail
Argument Injection
Standard Software Likelihood: High Typical Severity: High
Parents: 137
Threats: T290
An attacker changes the behavior or state of a targeted application through injecting data or command syntax through the targets use of non-validated and non-filtered arguments of exposed services or methods.
Not present
| External ID | Source | Link | Description |
|---|---|---|---|
| CAPEC-6 | capec | https://capec.mitre.org/data/definitions/6.html | |
| CWE-74 | cwe | http://cwe.mitre.org/data/definitions/74.html | |
| CWE-146 | cwe | http://cwe.mitre.org/data/definitions/146.html | |
| CWE-184 | cwe | http://cwe.mitre.org/data/definitions/184.html | |
| CWE-78 | cwe | http://cwe.mitre.org/data/definitions/78.html | |
| CWE-185 | cwe | http://cwe.mitre.org/data/definitions/185.html | |
| CWE-697 | cwe | http://cwe.mitre.org/data/definitions/697.html | |
| REF-1 | reference_from_CAPEC | G. Hoglund, G. McGraw, Exploiting Software: How to Break Code, 2004--02, Addison-Wesley | |
| REF-482 | reference_from_CAPEC | http://www.securityfocus.com/archive/1/393696 | Jouko Pynnonen, Java Web Start argument injection vulnerability |
Explore
-
Discovery of potential injection vectors: Using an automated tool or manual discovery, the attacker identifies services or methods with arguments that could potentially be used as injection vectors (OS, API, SQL procedures, etc.).
| Techniques |
|---|
| Manually cover the application and record the possible places where arguments could be passed into external systems. |
| Use a spider, for web applications, to create a list of URLs and associated inputs. |
Experiment
-
1. Attempt variations on argument content: Possibly using an automated tool, the attacker will perform injection variations of the arguments.
| Techniques |
|---|
| Use a very large list of probe strings in order to detect if there is a positive result, and, what type of system has been targeted (if obscure). |
| Use a proxy tool to record results, error messages and/or log if accessible. |
Exploit
-
Abuse of the application: The attacker injects specific syntax into a particular argument in order to generate a specific malicious effect in the targeted application.
| Techniques |
|---|
| Manually inject specific payload into targeted argument. |
- Target software fails to strip all user-supplied input of any content that could cause the shell to perform unexpected actions.
- Software must allow for unvalidated or unfiltered input to be executed on operating system shell, and, optionally, the system configuration must allow for output to be sent back to client.
- Ability to communicate synchronously or asynchronously with server. Optionally, ability to capture output directly through synchronous communication or other method such as FTP.
| Medium |
|---|
| The attacker has to identify injection vector, identify the operating system-specific commands, and optionally collect the output. |
| Integrity | Authorization | Access Control | Confidentiality |
|---|---|---|---|
| Modify Data | Gain Privileges | Gain Privileges | Gain Privileges |
| Read Data |
- A recent example instance of argument injection occurred against Java Web Start technology, which eases the client side deployment for Java programs. The JNLP files that are used to describe the properties for the program. The client side Java runtime used the arguments in the property setting to define execution parameters, but if the attacker appends commands to an otherwise legitimate property file, then these commands are sent to the client command shell. [REF-482]