An attacker uses well-formed requests to an application, service, or device to
cause the inadvertent disclosure of sensitive information, exploiting weaknesses
in the design or configuration of the target so that it reveals more to the
attacker than intended. The attacker may collect this information through a
variety of methods, including active querying as well as passive observation.
The information may include details of the configuration or capabilities of the
target, clues as to the timing or nature of activities, or other sensitive data.
Often this sort of attack is undertaken in preparation for some other type of
attack, although in some cases collecting the information is the attacker's end
goal. Information retrieved may help the attacker infer potential weaknesses,
vulnerabilities, or techniques that further the attacker's objectives. Data leaks
can take various forms, including confidential information stored in insecure
directories, or services that return rich error or diagnostic messages in
response to normal queries. Because the requests themselves are well-formed, this
activity is difficult to tell apart from legitimate use; the practical defense is
to return uniform, minimal responses and keep diagnostic detail in server-side
logs.
Attack Prerequisites
The target must have some piece of sensitive information that can be collected
by an attacker.
Resources Required
The attacker must have tools to collect the information from the target. This
requires a client capable of interacting with the target. For web applications,
a web browser suffices, or tools such as an intercepting (man-in-the-middle)
proxy that can record and replay requests and responses.
Vision and Technical Leadership provided by Cigital, Inc.
Copyright 2009, The MITRE Corporation. CAPEC and the CAPEC logo are trademarks of The MITRE Corporation.