LOGBOOK

HELP

1 / 29
Other keys: showSpace: good1-4: rate0: skip5: flag6: invert

Question

What is the conceptual model of an injection attack?

Answer

Untrusted input reaches an interpreter that executes it as code instead of treating it as data.

Injection model: untrusted input crosses a trust boundary into an interpreter that runs it as code.

* The injection model — untrusted input crosses a trust boundary into an interpreter, which executes it as code instead of treating it as data. *

An injection attack crosses a trust boundary — untrusted input reaches an interpreter and gets executed:

  1. Interface allows untrusted input into the system
  2. Untrusted input is forwarded to a subcomponent
  3. Interpreter or parser executes the unintended malicious code

The attack crosses a trust boundary where malicious code embedded in input reaches a component with a command interface and gets executed.

Go deeper:

or press any other key