Home > CAPEC List > CAPEC-113: API Manipulation (Version 2.11)  

CAPEC-113: API Manipulation

 
API Manipulation
Definition in a New Window Definition in a New Window
Attack Pattern ID: 113
Abstraction: Meta
Status: Stable
Completeness: Complete
Presentation Filter:
+ Summary

An adversary manipulates the use or processing of an Application Programming Interface (API) resulting in an adverse impact upon the security of the system implementing the API. This can allow the adversary to execute functionality not intended by the API implementation, possibly compromising the system which integrates the API. API manipulation can take on a number of forms including forcing the unexpected use of an API, or the use of an API in an unintended way. For example, an adversary may make a request to an application that leverages a non-standard API that is known to incorrectly validate its data and thus it may be manipulated by supplying metacharacters or alternate encodings as input, resulting in any number of injection flaws, including SQL injection, cross-site scripting, or command execution. Another example could be API methods that should be disabled in a production application but were not, thus exposing dangerous functionality within a production environment.

+ Attack Prerequisites
  • The target system must expose API functionality in a manner that can be discovered and manipulated by an adversary. This may require reverse engineering the API syntax or decrypting/de-obfuscating client-server exchanges.

+ Typical Severity

Medium

+ Typical Likelihood of Exploit

Likelihood: Medium

+ Resources Required

The requirements vary depending upon the nature of the API. For application-layer APIs related to the processing of the HTTP protocol, one or more of the following may be needed: a MITM (Man-In-The-Middle) proxy, a web browser, or a programming/scripting language.

+ Content History
Submissions
SubmitterOrganizationDateSource
CAPEC Content TeamThe MITRE Corporation2014-06-23Internal_CAPEC_Team
Modifications
ModifierOrganizationDateCommentsSource
CAPEC Content TeamThe MITRE Corporation2015-12-07Updated Attack_Prerequisites, Description Summary, Related_Attack_PatternsInternal
CAPEC Content TeamThe MITRE Corporation2017-05-01Updated Activation_Zone, Injection_Vector, Payload, Payload_Activation_Impact, Related_Weaknesses, Typical_Likelihood_of_ExploitInternal
Previous Entry Names
DatePrevious Entry Name
2015-12-07API Abuse/Misuse

More information is available — Please select a different filter.
Page Last Updated or Reviewed: July 31, 2017