Injection (INJ) Class
Due to input with language-specific special elements, the software assembles a command string that is parsed into an invalid construct.
In other words, the command string is interpreted to have unintended commands, elements or other structures.
The causes, attributes and consequences of the Injection (INJ) class are depicted and explained below.
Figure: Injection (INJ) class diagram (causes, attributes and consequences).
- Language - SQL, Bash, regex, XML/Xpath, PHP, CGI, etc. This indicates the language in which the command string is interpreted.
- Special Element - Query Elements, Header Separators, Scripting Elements, Format Parameters, Path Traversals, Wildcards, Metacharacters. These could be assembled with other elements to form malicious structures such as queries, scripts and commands. Query elements are string delimiters such as ' or " or words such as 'and' or 'or'. Header separators are carriage return/line feed. Scripting elements are < or > or &. Format parameters are, for example, %c or %n. Path traversal elements are .. or \. Metacharacters are back tick ( ` ) or $ or &.
- Entry Point - Data Entry Field, Scripting Tag, Markup Tag, Function Call Parameter, Procedure Call Argument, Program Argument, System Property, Cookie. This indicates where the input came from.
- Invalid Construct - Database Query, Command, Regular Expression, Markup, Script, etc. This indicates what eventually is wrong.
The graph of causes shows that there are two main causes for injection: input not checked properly or input not sanitized properly.
The graph of consequences shows what could happen due to the fault. Note that in the graph of consequences, "Arbitrary Code Execution" concerns any instructions to the computer - compiled, interpreted by software, executed directly by hardware, or a combination of these. Note that the ACI (Arbitrary Code Execution) cluster of consequences is the same in all classes where it appears.
Injection sites are typically not primitive operations in most languages. Sites are the library or utility functions that accept a command string for actions. In shell commands, command substitution is invoked with paired back quotes (`...`) or $(...). Command substitution executes a subshell, which opens the possibility that the string is interpreted with all the richness of the command line interpreter.
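An added illustration (not part of the BF page) of the two causes named above, input not checked and input not sanitized, at a shell command-string injection site. The filename, the `wc -l` command and the helper names are constructed for this example; the untrusted value carries a $(...) command substitution so the difference between concatenation, quoting and an argument vector is visible.

```python
import re
import shlex

# Constructed sample input: a filename carrying a shell command substitution.
UNTRUSTED_NAME = "report.txt $(date)"

def build_command_unsafe(name):
    """Injection site: the command string is assembled by concatenation and
    later handed to a shell, so $(...) in `name` is parsed as command
    structure (a subshell) rather than as data."""
    return "wc -l " + name

def build_command_sanitized(name):
    """Input sanitized: shlex.quote() single-quotes the value, so the shell
    treats every metacharacter in it as literal text."""
    return "wc -l " + shlex.quote(name)

# Allowlist: characters that can never act as a shell special element.
_SAFE_NAME = re.compile(r"[A-Za-z0-9_.-]+")

def check_input(name):
    """Input checked: accept only names made of allowlisted characters."""
    return _SAFE_NAME.fullmatch(name) is not None

def command_argv(name):
    """Preferred form: no command string at all. The argument vector is
    passed to subprocess.run(argv) with shell=False, so there is no
    interpreter left to reparse the value; the check is still applied."""
    if not check_input(name):
        raise ValueError("rejected: name contains special elements")
    return ["wc", "-l", name]

def has_shell_special_element(value):
    """Detection aid: flag the INJ metacharacters listed on this page
    (back tick, $, &) plus the other common shell structure characters."""
    return any(c in value for c in "`$&|;<>")
```

`subprocess.run(command_argv(name))` is the call a practitioner would make; `subprocess.run(build_command_unsafe(name), shell=True)` is the injection site the class describes.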
Related CWEs, SFPs and ST
- CWEs related to INJ are
Application examples are provided here.