rspec/rules/S6680/impact.adoc

=== What is the potential impact?
After discovering the injection point, attackers insert data into the
vulnerable field to either make the affected component inaccessible, attempt a
malfunction, or read from an artifact that exceeds the developer's intended
boundaries.

In languages that don't enforce memory access checks, this can also lead to a
buffer overflow or underflow which may result in sensitive information
disclosure or remote code execution.

Below are some real-world scenarios that illustrate some impacts of an attacker
exploiting the vulnerability.

==== Self Denial of service

If the component affected by this vulnerability is not a bottleneck that
acts as a single point of failure (SPOF) within the application, the denial of
service might only affect the attacker who initiated it.

Even if the denial of service has little direct impact, it can cause secondary
effects in architectures that use containers and container orchestrators. It
could cause unexpected container failures or resource overconsumption,
for example.

==== Infrastructure SPOFs

A denial of service attack can be critical to the enterprise if it
targets a SPOF component. Sometimes the SPOF is a software architecture
vulnerability (such as a single component on which multiple critical components
depend) or an operational vulnerability (for example, insufficient container
creation capabilities or failures from containers to terminate).

In either case, attackers aim to exploit the infrastructure weakness by sending
as many malicious payloads as possible, using potentially huge offensive
infrastructures.

These threats are particularly insidious if the attacked organization does not
maintain a disaster recovery plan (DRP).
Create rule S6680: Loop boundaries should not be vulnerable to injection attacks (#3140) 2023-09-28 09:10:12 +02:00			`=== What is the potential impact?`
			`After discovering the injection point, attackers insert data into the`
			`vulnerable field to either make the affected component inaccessible, attempt a`
			`malfunction, or read from an artifact that exceeds the developer's intended`
			`boundaries.`

			`In languages that don't enforce memory access checks, this can also lead to a`
			`buffer overflow or underflow which may result in sensitive information`
			`disclosure or remote code execution.`

			`Below are some real-world scenarios that illustrate some impacts of an attacker`
			`exploiting the vulnerability.`

			`==== Self Denial of service`

			`If the component affected by this vulnerability is not a bottleneck that`
			`acts as a single point of failure (SPOF) within the application, the denial of`
			`service might only affect the attacker who initiated it.`

			`Even if the denial of service has little direct impact, it can cause secondary`
			`effects in architectures that use containers and container orchestrators. It`
			`could cause unexpected container failures or resource overconsumption,`
			`for example.`

			`==== Infrastructure SPOFs`

			`A denial of service attack can be critical to the enterprise if it`
			`targets a SPOF component. Sometimes the SPOF is a software architecture`
			`vulnerability (such as a single component on which multiple critical components`
			`depend) or an operational vulnerability (for example, insufficient container`
			`creation capabilities or failures from containers to terminate).`

			`In either case, attackers aim to exploit the infrastructure weakness by sending`
			`as many malicious payloads as possible, using potentially huge offensive`
			`infrastructures.`

			`These threats are particularly insidious if the attacked organization does not`
			`maintain a disaster recovery plan (DRP).`