Injection (INJ) Class
We define Injection (INJ) as:
Due to input with language-specific special elements, the software assembles a command
string that is parsed into an invalid construct.
In other words, the command string is interpreted to have unintended queries, OS commands, markups, scripts, etc.
Fig. 1 depicts INJ causes, attributes and consequences.
Fig 1. Injection (INJ) Class.
The attributes of INJ are:
Language – SQL, Bash, regex, XML/Xpath, PHP, CGI, etc.
This indicates the language in which the command string is interpreted.
Special Element – Query Elements, Header Separators, Scripting Elements, Format Parameters, Path Traversals,
Wildcards, Metacharacters, etc.
These could be assembled with other elements to form malicious structures such as queries, scripts and commands. Query elements are string delimiters such as “ or words such as "or". Header separators are carriage return/line feed. Scripting elements are such as &. Format parameters are such as %n. Path traversal elements are such as \. Metacharacters are such as the back tick (`).
Entry Point – Data Entry Field, Scripting Tag, Markup Tag, Function Call Parameter, Procedure Call
Argument, Program Argument, System Property, Cookie, etc.
This indicates where the input came from.
Invalid Construct – Database Query, OS Command, Regular Expression, Markup, Script, etc.
This indicates what eventually is wrong.
The graph of causes shows that there are two main causes for injection: input not
checked properly or input not sanitized properly.
In the graph of consequences, Arbitrary Code Execution concerns any instructions to the computer – compiled, interpreted by software, executed directly by hardware, or a combination of these.
Note that INJ can cause Information Change/Loss. For example, an attacker can inject a command (Add Command) that overwrites a file.
An example of Mask Legitimate Command is inserting “--”, which would comment out part of that legitimate command. An example of Mask Legitimate Information is inserting “or 1==1”, which would change a password to an expression that returns always
Injection sites are typically not primitive operations in most languages. Sites are the library or utility functions that accept a command string for actions. In shell commands, command substitution is invoked with paired back quotes or $(...). Command substitution executes a subshell, which opens the possibility of the string being interpreted with all the richness of the command line interpreter.
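The two consequences named above (Mask Legitimate Command via “--”, Mask Legitimate Information via an always-true expression) can be reproduced against a throwaway in-memory SQLite table. This is an added example, not code from the BF page; the table, the user records and the two login functions are constructed here, and the hardened version shows the fix the causes graph points at: keep the command string fixed and pass input as bound parameters rather than assembling it into the query.

```python
import sqlite3


def make_db():
    # Constructed in-memory user store standing in for an application's database.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, password TEXT, role TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")])
    return db


def login_vulnerable(db, name, password):
    # The INJ pattern: input carrying SQL special elements (the string
    # delimiter ', the comment marker --, the word OR) is concatenated into the
    # command string, so the database parses a construct the developer never meant.
    sql = ("SELECT name FROM users WHERE name = '%s' AND password = '%s'"
           % (name, password))
    return [row[0] for row in db.execute(sql)]


def login_parameterized(db, name, password):
    # Hardened form: the command string is fixed and the input travels as data
    # through bound parameters, so the parser never treats it as query elements.
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in db.execute(sql, (name, password))]


def demo():
    db = make_db()
    # Mask Legitimate Command: ' closes the literal and -- comments out the
    # password check that follows, so alice logs in with any password.
    masked_cmd = login_vulnerable(db, "alice'--", "anything")
    # Mask Legitimate Information: the password clause becomes always true
    # and the query returns every user instead of none.
    masked_info = login_vulnerable(db, "alice", "x' OR '1'='1")
    # The same inputs through bound parameters match no row at all.
    safe = (login_parameterized(db, "alice'--", "anything")
            + login_parameterized(db, "alice", "x' OR '1'='1"))
    return masked_cmd, masked_info, safe


if __name__ == "__main__":
    print(demo())
```

Running the block prints `(['alice'], ['alice', 'bob'], [])`: the vulnerable function is fooled twice, the parameterized one never is.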
Related BF Classes
BF classes related to INJ are: ATN, <<content to be added>>.
Related CWEs, SFPs and ST
CWEs related to INJ are: CWE-59, CWE-74, CWE-75, CWE-77, CWE-78, CWE-79, CWE-80, CWE-85, CWE-87, CWE-88, CWE-89, CWE-90, CWE-91, CWE-93, CWE-94, CWE-99, CWE-113, CWE-116, CWE-172, CWE-243, CWE-564, CWE-611, CWE-619, CWE-643, CWE-652, CWE-943.
CWE-395.
Application examples are provided here.
Bojanova, I., Black, P. E., Yesha, Y., Wu, Y., The Bugs Framework (BF): A Structured Approach to Express Bugs. 2016 IEEE International Conference on Software Quality, Reliability, and Security (QRS 2016), Vienna, Austria, August 1-3, 2016.