CWE-96 - Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')
- Abstraction:
- Base
- Structure:
- Simple
- Status:
- Draft
- Weakness Name
Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')
- Description
The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before inserting the input into an executable resource, such as a library, configuration file, or template.
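Added example (not part of the CWE entry): a Python settings writer that generates a small PHP config file, shown in the CWE-96 form, in a hardened form that neutralizes the input for the string context it lands in, and in the preferred form that writes plain data instead of code. The file layout, the constructed `SAMPLE_NAME` value and the `top_level_assignments` scanner used as the check are all assumptions made for this illustration.

```python
import json
import re

# Constructed sample input for this example: a display name that contains a
# PHP string delimiter and a statement separator. Treated as data it is
# harmless; pasted into source text it closes the literal and starts a new
# statement.
SAMPLE_NAME = "O'; $is_admin = true; //"


def write_config_unsafe(display_name: str) -> str:
    """CWE-96 pattern: untrusted input is interpolated straight into PHP
    source that the application will later include and execute."""
    return (
        "<?php\n"
        "$is_admin = false;\n"
        f"$display_name = '{display_name}';\n"
    )


def write_config_hardened(display_name: str) -> str:
    """Same file, but the value is neutralized for its context: inside a
    single-quoted PHP string only the backslash and the quote character carry
    syntactic meaning, so both are escaped before insertion."""
    escaped = display_name.replace("\\", "\\\\").replace("'", "\\'")
    return (
        "<?php\n"
        "$is_admin = false;\n"
        f"$display_name = '{escaped}';\n"
    )


def write_config_as_data(display_name: str) -> str:
    """Preferred design: generate no code at all. Persist settings as a pure
    data file (JSON here) that the application loads; there is no code
    context for the input to break out of."""
    return json.dumps({"is_admin": False, "display_name": display_name})


def load_config_data(text: str) -> dict:
    """Counterpart loader for the data-file design."""
    return json.loads(text)


_ASSIGN_RE = re.compile(r"\$(\w+)\s*=")


def top_level_assignments(php_source: str) -> list[str]:
    """Check used in this example: list the variables assigned outside string
    literals and line comments. The scanner understands single-quoted PHP
    strings with backslash escapes and '//' comments, which is enough to
    reveal whether an input escaped the literal it was placed in."""
    names: list[str] = []
    i, n = 0, len(php_source)
    in_string = in_comment = False
    while i < n:
        ch = php_source[i]
        if in_comment:
            in_comment = ch != "\n"      # comment ends at end of line
            i += 1
        elif in_string:
            if ch == "\\":
                i += 2                   # escaped character: skip it
            else:
                in_string = ch != "'"    # unescaped quote closes the literal
                i += 1
        elif ch == "'":
            in_string = True
            i += 1
        elif php_source.startswith("//", i):
            in_comment = True
            i += 2
        elif ch == "$" and (m := _ASSIGN_RE.match(php_source, i)):
            names.append(m.group(1))     # assignment at code level
            i = m.end()
        else:
            i += 1
    return names


if __name__ == "__main__":
    # The unsafe writer yields a third, attacker-controlled assignment;
    # the hardened writer keeps the whole value inside the string literal.
    print(top_level_assignments(write_config_unsafe(SAMPLE_NAME)))
    print(top_level_assignments(write_config_hardened(SAMPLE_NAME)))
    print(load_config_data(write_config_as_data(SAMPLE_NAME)))
```

The scanner is deliberately narrow: it is a review aid for generated files of this shape, not a PHP parser. In practice the escaping rules must match the exact grammar of the target file (single-quoted versus double-quoted strings, heredocs, template directives), which is why the data-file variant is the safer default whenever the consuming application can be changed to load data rather than include code.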
- Common Consequences
Scope: Confidentiality
Impact: Read Files or Directories, Read Application Data
Notes: The injected code could access restricted data / files.
Scope: Access Control
Impact: Bypass Protection Mechanism
Notes: In some cases, injectable code controls authentication; this may lead to a remote vulnerability.
Scope: Access Control
Impact: Gain Privileges or Assume Identity
Notes: Injected code can access resources that the attacker is directly prevented from accessing.
Scope: Integrity, Confidentiality, Availability, Other
Impact: Execute Unauthorized Code or Commands
Notes: Code injection attacks can lead to loss of data integrity in nearly all cases, since the injected control-plane data is always incidental to the data being read or written. Additionally, code injection can often result in the execution of arbitrary code.
Scope: Non-Repudiation
Impact: Hide Activities
Notes: Often the actions performed by injected control code are unlogged.
- Related Weaknesses
- Release Date:
- 2006-07-19
- Latest Modification Date:
- 2023-06-29