CAPEC-15: Command Delimiters
ID
CAPEC-15
Typical Severity
High
Likelihood Of Attack
High
Status
Draft
An attack of this type exploits a programs' vulnerabilities that allows an attacker's commands to be concatenated onto a legitimate command with the intent of targeting other resources such as the file system or database. The system that uses a filter or denylist input validation, as opposed to allowlist validation is vulnerable to an attacker who predicts delimiters (or combinations of delimiters) not present in the filter or denylist. As with other injection attacks, the attacker uses the command delimiter payload as an entry point to tunnel through the application and activate additional attacks through SQL queries, shell commands, network scanning, and so on.
Weaknesses
# ID | Name | Type |
---|---|---|
CWE-77 | Improper Neutralization of Special Elements used in a Command ('Command Injection') | weakness |
CWE-78 | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') | weakness |
CWE-93 | Improper Neutralization of CRLF Sequences ('CRLF Injection') | weakness |
CWE-138 | Improper Neutralization of Special Elements | weakness |
CWE-140 | Improper Neutralization of Delimiters | weakness |
CWE-146 | Improper Neutralization of Expression/Command Delimiters | weakness |
CWE-154 | Improper Neutralization of Variable Name Delimiters | weakness |
CWE-157 | Failure to Sanitize Paired Delimiters | weakness |
CWE-184 | Incomplete List of Disallowed Inputs | weakness |
CWE-185 | Incorrect Regular Expression | weakness |
CWE-697 | Incorrect Comparison | weakness |