Injection (Injecting Control Plane content through the Data Plane) |
Category ID: 152 | Status: Draft |
Summary
An attacker is able to control or disrupt the behavior of an target through crafted input data submitted using an interface functioning to process data input. This happens when the attacker adds material to their input that is interpreted by the application causing the targeted application to perform steps unintended by the application manager or causing the application to enter an unstable state. This attack differs from Data Structure Attacks in that the latter attacks subvert the underlying structures that hold user-provided data, either pre-empting interpretation of the input (in the case of Buffer Overflows) or resulting in values that the targeted application is unable to handle correctly (in the case of Integer Overflows). In Injection attacks, the input is interpreted by the application, but the attacker has included instructions to the interpreting functions that the target application then follows.
The target application must accept input from the user. In virtually all cases, this must be string input.
The attacker must fail to adequately filter the user input against the insertion of instructions to the input interpreter.
Nature | Type | ID | Name | Description | View(s) this relationship pertains to |
---|---|---|---|---|---|
ParentOf | Attack Pattern | 5 | Analog In-band Switching Signals (aka Blue Boxing) | Mechanism of Attack (primary)1000 | |
ParentOf | Attack Pattern | 66 | SQL Injection | Mechanism of Attack (primary)1000 | |
ParentOf | Attack Pattern | 134 | Email Injection | Mechanism of Attack (primary)1000 | |
ParentOf | Attack Pattern | 135 | Format String Injection | Mechanism of Attack (primary)1000 | |
ParentOf | Attack Pattern | 136 | LDAP Injection | Mechanism of Attack (primary)1000 | |
ParentOf | Attack Pattern | 137 | Parameter Injection | Mechanism of Attack (primary)1000 | |
ParentOf | Attack Pattern | 138 | Reflection Injection | Mechanism of Attack (primary)1000 | |
ParentOf | Attack Pattern | 175 | Code Inclusion | Mechanism of Attack (primary)1000 | |
ParentOf | Attack Pattern | 240 | Resource Injection | Mechanism of Attack (primary)1000 | |
ParentOf | Attack Pattern | 242 | Script Injection | Mechanism of Attack (primary)1000 | |
ParentOf | Attack Pattern | 248 | Command Injection | Mechanism of Attack (primary)1000 | |
ParentOf | Attack Pattern | 249 | Character Injection | Mechanism of Attack (primary)1000 | |
ParentOf | Attack Pattern | 250 | XML Injection | Mechanism of Attack (primary)1000 | |
ParentOf | Category | 253 | Remote Code Inclusion | Mechanism of Attack1000 | |
ParentOf | Attack Pattern | 254 | DTD Injection in a SOAP Message | Mechanism of Attack (primary)1000 | |
MemberOf | View | 1000 | Mechanism of Attack | Mechanism of Attack1000 |