1 / 29
Other keys: show •
Space: good •
1-4: rate •
0: skip •
5: flag •
6: invert
Question
What is the conceptual model of an injection attack?
Answer
Untrusted input reaches an interpreter that executes it as code instead of treating it as data.
* The injection model — untrusted input crosses a trust boundary into an interpreter, which executes it as code instead of treating it as data. *
An injection attack crosses a trust boundary — untrusted input reaches an interpreter and gets executed:
- Interface allows untrusted input into the system
- Untrusted input is forwarded to a subcomponent
- Interpreter or parser executes the unintended malicious code
The attack crosses a trust boundary where malicious code embedded in input reaches a component with a command interface and gets executed.
Go deeper:
OWASP Top 10 — A03: Injection — injection as untrusted data reaching an interpreter as code.
OWASP Injection Prevention Cheat Sheet — the full injection family and the general defense pattern.
or press any other key
Note saved — thanks!