Estado de
vulnerabilidad que se crea por métodos de codificación poco seguros, y que
tiene como resultado una validación de entradas inapropiada, que permite a los
atacantes transferir código malicioso al sistema subyacente a través de una
aplicación web. En esta clase de vulnerabilidades se incluye la inyección SQL,
la inyección LDAP y la inyección XPath.
http://es.pcisecuritystandards.org
Vulnerability
that is created from insecure coding techniques resulting in improper input
validation, which allows attackers to relay malicious code through a web
application to the underlying system. This class of vulnerabilities includes
SQL injection, LDAP injection, and XPath injection.
https://www.pcisecuritystandards.org/security_standards/glossary.php
This threat
category includes well-known attack techniques against web applications such as
SQL injection (SQLi), cross-site scripting (XSS), cross-site request forgery
(CSRF), Remote File Inclusion (RFI) etc. The adversaries placing such attacks
try to extract data, steal Responding to the Evolving Threat Environment credentials,
take control of the targeted webserver or promote their malicious activities by
exploiting vulnerabilities of web applications.
ENISA Threat
Landscape [Deliverable 2012-09-28]
The software
constructs all or part of a code segment using externally-influenced input from
an upstream component, but it does not neutralize or incorrectly neutralizes
special elements that could modify the syntax or behavior of the intended code
segment.
When software
allows a user's input to contain code syntax, it might be possible for an
attacker to craft the code in such a way that it will alter the intended
control flow of the software. Such an alteration could lead to arbitrary code
execution.
Injection
problems encompass a wide variety of issues -- all mitigated in very different
ways. For this reason, the most effective way to discuss these weaknesses is to
note the distinct features which classify them as injection weaknesses. The
most important issue to note is that all injection problems share one thing in
common -- i.e., they allow for the injection of control plane data into the
user-controlled data plane. This means that the execution of the process may be
altered by sending code in through legitimate data channels, using no other
mechanism. While buffer overflows, and many other flaws, involve the use of
some further issue to gain execution, injection problems need only for the data
to be parsed. The most classic instantiations of this category of weakness are
SQL injection and format string vulnerabilities.
http://cwe.mitre.org/data/definitions/
Vulnérabilité qui est
créée par des techniques de codage non sécurisées, ce qui provoque la
validation dune entrée incorrecte qui permet aux pirates de relayer des codes
malveillants par une application Web au système sous-jacent. Cette classe de
vulnérabilité comprend les injections SQL, les injections LDAP et les
injections XPath.
http://fr.pcisecuritystandards.org/
Temas relacionados