20 Oct
Security category of command injection attacks?
To which (STRIDE/CIA+AAA) security category do command injection attacks belong?
Or is my question too simplistic? Does it depend on the specifics of the injection attack (trying to get at confidential information, trying to cause a denial of service), or should it be thought of as tampering (compromise integrity of user input) or elevation of privilege (having some program (the web server) perform an action with their privileges on your behalf)?