
CAPEC-138: Reflection Injection

Abstraction
Standard
Status
Draft
Severity
Very High

Description

An adversary supplies a value to the target application which is then used by reflection methods to identify a class, method, or field. For example, in the Java programming language the reflection libraries permit an application to inspect, load, and invoke classes and their components by name. If an adversary can control the input into these methods, including the name of the class, method, or field or the parameters passed to methods, they can cause the targeted application to invoke unintended methods, read arbitrary fields, or even load and use malicious classes that the adversary created. This can lead to the application revealing sensitive information, returning incorrect results, or the adversary taking control of the targeted application.
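The following is an added example, not part of the MITRE CAPEC entry, showing the pattern in Python rather than Java: a report exporter resolves its serializer with importlib.import_module and getattr using names taken straight from the request, beside a hardened version that treats the request value only as a key into a fixed allowlist. The module and function names (export_unsafe, export_safe, evilexport) and the sample rows are constructed for the demonstration; the "malicious module" is written to a temporary directory and placed on sys.path to stand in for any attacker-supplied class the application can be made to load.

```python
"""Reflection injection (CAPEC-138 / CWE-470): vulnerable vs. hardened dispatch.

Added example, not from the CAPEC entry. All names and data are constructed.
"""
import importlib
import json
import os
import sys
import tempfile
from typing import Callable, Dict, List

Rows = List[Dict[str, object]]

# Constructed sample data standing in for application records.
SAMPLE_ROWS: Rows = [{"id": 1, "name": "alice"}, {"id": 2, "name": "bob"}]


# --- Vulnerable: module and function names come straight from the request ---
def export_unsafe(module_name: str, func_name: str, rows: Rows) -> object:
    """Intended use is ("json", "dumps"), but nothing restricts the caller:
    any importable module and any attribute of it can be named and invoked."""
    module = importlib.import_module(module_name)   # adversary picks what loads
    func = getattr(module, func_name)               # ...and what gets looked up
    return func(rows)                               # ...and runs it with our data


# --- Hardened: the request value is a key into a fixed table, never a name
#     handed to the reflection API. Anything not in the table is rejected. ---
EXPORTERS: Dict[str, Callable[[Rows], str]] = {
    "json": lambda rows: json.dumps(rows),
    "csv": lambda rows: "\n".join(",".join(str(v) for v in r.values()) for r in rows),
}


def export_safe(format_name: str, rows: Rows) -> str:
    try:
        exporter = EXPORTERS[format_name]
    except KeyError:
        raise ValueError(f"unsupported export format: {format_name!r}") from None
    return exporter(rows)


# --- Simulating the attack: an adversary-controlled module reachable by name ---
EVIL_SOURCE = '''
EXECUTED = []
def dumps(rows):
    # Attacker code: runs inside the application with access to its data.
    EXECUTED.append("attacker code ran with %d rows" % len(rows))
    return "pwned"
'''


def plant_malicious_module(name: str = "evilexport") -> str:
    """Write the attacker's module to a temp dir and make it importable
    (stand-in for a file upload, writable plugin dir, or classpath entry)."""
    directory = tempfile.mkdtemp()
    with open(os.path.join(directory, name + ".py"), "w", encoding="utf-8") as fh:
        fh.write(EVIL_SOURCE)
    sys.path.insert(0, directory)
    importlib.invalidate_caches()
    return name


def demo() -> dict:
    results = {}
    # Legitimate request: the exporter the developer had in mind.
    results["intended"] = export_unsafe("json", "dumps", SAMPLE_ROWS)
    # Attack 1: steer dispatch to an existing function that was never meant
    # to be reachable (here a harmless builtin; any callable would do).
    results["wrong_function"] = export_unsafe("builtins", "repr", SAMPLE_ROWS)
    # Attack 2: name a module the adversary controls; its code executes.
    evil = plant_malicious_module()
    results["malicious_module"] = export_unsafe(evil, "dumps", SAMPLE_ROWS)
    results["attacker_executed"] = list(sys.modules[evil].EXECUTED)
    # Hardened dispatcher: the same attacker value is just an unknown key.
    try:
        export_safe(evil, SAMPLE_ROWS)
        results["safe_rejected"] = False
    except ValueError:
        results["safe_rejected"] = True
    results["safe_json"] = export_safe("json", SAMPLE_ROWS)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The fix is not input filtering on the name string (blocklisting "os" or "__" is easy to bypass) but removing the reflection step from the trust boundary entirely: the external value selects among handlers the developer enumerated, so no class or method the adversary names can ever be resolved.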

Related weaknesses (1)

CWE-470

Related attack patterns (1)

CAPEC-137 (ChildOf)

Exploits (1)

Type      | Target                                                                              | Confidence | Tier
Weakness  | CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') | 100%       | live

Related by meaning (6)

Nearest entities by semantic similarity across the cs-graph corpus.

CAPEC: Code Injection
CAPEC: Object Injection
CAPEC: Argument Injection
CAPEC: Command Injection
CAPEC: Code Inclusion
CAPEC: Reflected XSS
Sourced from MITRE CAPEC. Curated by Adam Lundqvist, SQUR.