
CWE-96 - Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')

  • Abstraction: Base
  • Structure: Simple
  • Status: Draft
Weakness Name

Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')

Description

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before inserting the input into an executable resource, such as a library, configuration file, or template.
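The following is an added illustration of the description above and is not part of the CWE entry: a settings file generated from untrusted input and saved as Python source, in the vulnerable form (raw interpolation) beside a hardened form (the value serialised as a string literal), with a pre-load check that only accepts a single literal assignment. The builder functions, the `DISPLAY_NAME` setting and the sample input are all constructed for this example.

```python
import ast

# Constructed input for the demonstration: a display name carrying a quote
# and newlines, the shape of input that turns data into directives when it
# is written unescaped into code.
SAMPLE_INPUT = "alice'\nDEBUG = True\nTRAIL = '"


def build_settings_vulnerable(display_name: str) -> str:
    """Interpolates raw input into Python source that is saved to disk and
    imported later; quotes and newlines in the input become new statements."""
    return f"DISPLAY_NAME = '{display_name}'\n"


def build_settings_hardened(display_name: str) -> str:
    """Emits the value as a Python string literal via repr(); every character
    of the input is escaped, so it can only ever be a string value."""
    return f"DISPLAY_NAME = {display_name!r}\n"


def top_level_statements(source: str) -> int:
    """Number of statements in the generated file; a single assignment is the
    only acceptable shape for this settings file."""
    return len(ast.parse(source).body)


def read_display_name(source: str) -> str:
    """Recovers DISPLAY_NAME from the generated file without executing it, by
    accepting only one literal assignment to the expected name (a cheap check
    to run before the file is ever imported)."""
    tree = ast.parse(source)
    if len(tree.body) != 1:
        raise ValueError("settings file must contain exactly one statement")
    stmt = tree.body[0]
    if not (isinstance(stmt, ast.Assign) and len(stmt.targets) == 1
            and isinstance(stmt.targets[0], ast.Name)
            and stmt.targets[0].id == "DISPLAY_NAME"):
        raise ValueError("unexpected statement in settings file")
    # literal_eval never runs code: it only accepts literal expressions.
    return ast.literal_eval(stmt.value)


if __name__ == "__main__":
    vulnerable = build_settings_vulnerable(SAMPLE_INPUT)
    hardened = build_settings_hardened(SAMPLE_INPUT)
    print("vulnerable file:", top_level_statements(vulnerable), "statements")
    print("hardened file:  ", top_level_statements(hardened), "statements")
    print("round-trip ok:  ", read_display_name(hardened) == SAMPLE_INPUT)
```

The vulnerable builder turns the one intended assignment into three statements, which is exactly the "directive in statically saved code" the entry describes; the hardened builder keeps the file at one statement and the stored value round-trips unchanged. Storing such values in a data-only format (JSON, for instance) rather than in code removes the class of problem entirely.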

Common Consequences

Scope: Confidentiality

Impact: Read Files or Directories, Read Application Data

Notes: The injected code could access restricted data / files.

Scope: Access Control

Impact: Bypass Protection Mechanism

Notes: In some cases, injectable code controls authentication; this may lead to a remote vulnerability.

Scope: Access Control

Impact: Gain Privileges or Assume Identity

Notes: Injected code can access resources that the attacker is directly prevented from accessing.

Scope: Integrity, Confidentiality, Availability, Other

Impact: Execute Unauthorized Code or Commands

Notes: Code injection attacks lead to loss of data integrity in nearly all cases, because the injected control-plane data is incidental to the read or write the product intended to perform. Additionally, code injection can often result in the execution of arbitrary code.

Scope: Non-Repudiation

Impact: Hide Activities

Notes: Often the actions performed by injected control code are unlogged.

Related Weaknesses

  • Release Date: 2006-07-19
  • Latest Modification Date: 2023-06-29
