Estado de
vulnerabilidad que se crea por métodos de codificación poco seguros, y que
tiene como resultado una validación de entradas inapropiada, que permite a los
atacantes transferir código malicioso al sistema subyacente a través de una
aplicación web. En esta clase de vulnerabilidades se incluye la inyección SQL,
la inyección LDAP y la inyección XPath.
http://es.pcisecuritystandards.org
Vulnerability that is
created from insecure coding techniques resulting in improper input validation,
which allows attackers to relay malicious code through a web application to the
underlying system. This class of vulnerabilities includes SQL injection, LDAP
injection, and XPath injection.
https://www.pcisecuritystandards.org/security_standards/glossary.php
This threat category
includes well-known attack techniques against web applications such as SQL
injection (SQLi), cross-site scripting (XSS), cross-site request forgery
(CSRF), Remote File Inclusion (RFI) etc. The adversaries placing such attacks
try to extract data, steal Responding to the Evolving Threat Environment credentials,
take control of the targeted webserver or promote their malicious activities by
exploiting vulnerabilities of web applications.
ENISA Threat Landscape
[Deliverable – 2012-09-28]
The software constructs all
or part of a code segment using externally-influenced input from an upstream
component, but it does not neutralize or incorrectly neutralizes special
elements that could modify the syntax or behavior of the intended code segment.
When software allows a
user's input to contain code syntax, it might be possible for an attacker to
craft the code in such a way that it will alter the intended control flow of
the software. Such an alteration could lead to arbitrary code execution.
Injection problems encompass
a wide variety of issues -- all mitigated in very different ways. For this
reason, the most effective way to discuss these weaknesses is to note the
distinct features which classify them as injection weaknesses. The most
important issue to note is that all injection problems share one thing in
common -- i.e., they allow for the injection of control plane data into the
user-controlled data plane. This means that the execution of the process may be
altered by sending code in through legitimate data channels, using no other
mechanism. While buffer overflows, and many other flaws, involve the use of
some further issue to gain execution, injection problems need only for the data
to be parsed. The most classic instantiations of this category of weakness are
SQL injection and format string vulnerabilities.
http://cwe.mitre.org/data/definitions/
Vulnérabilité qui est
créée par des techniques de codage non sécurisées, ce qui provoque la
validation d’une entrée incorrecte qui permet aux pirates de relayer des codes
malveillants par une application Web au système sous-jacent. Cette classe de
vulnérabilité comprend les injections SQL, les injections LDAP et les
injections XPath.
http://fr.pcisecuritystandards.org/