
CAPEC-12: Choosing Message Identifier

Attack Pattern ID: 12
Abstraction: Standard
Status: Draft
Completeness: Complete
+ Summary

This pattern of attack is defined by the selection of messages, distributed via multicast or public information channels, that are intended for another client, by determining the parameter value assigned to that client. This attack allows the adversary to gain access to potentially privileged information, and possibly to perpetrate other attacks through the distribution means by impersonation. If the channel/message being manipulated is an input rather than an output mechanism for the system (such as a command bus), this style of attack could be used to change the adversary's identifier to a more privileged one.

+ Attack Steps
Explore
  1. Determine the nature of messages being transported as well as the identifiers to be used as part of the attack

Experiment
  1. If required, authenticate to the distribution channel

  2. If any particular client's information is available through the transport means simply by selecting a particular identifier, an attacker can simply provide that particular identifier.

  3. Attackers with client access connecting to output channels could change their channel identifier and see someone else's (perhaps more privileged) data.

+ Attack Prerequisites
  • Information and client-sensitive (and client-specific) data must be present through a distribution channel available to all users.

  • Distribution means must code (through channel, message identifiers, or convention) message destination in a manner visible within the distribution means itself (such as a control channel) or in the messages themselves.

+ Typical Severity

High

+ Typical Likelihood of Exploit

Likelihood: Very High

+ Examples-Instances

Description

A certain B2B interface on a large application codes for messages passed over an MQSeries queue, on a single "Partners" channel. Messages on that channel code for their client destination based on a partner_ID field held by each message. That field is a simple integer. Attackers having access to that channel, perhaps a particularly nosy partner, can simply choose to retrieve messages carrying another partner's ID and read them as they desire. Note that authentication does not prevent a partner from leveraging this attack against other partners; it simply disallows attackers without partner status from conducting it.

+ Attacker Skills or Knowledge Required

Skill or Knowledge Level: Low

All the attacker needs to discover is the format of the messages on the channel/distribution means and the particular identifier used within the messages.

+ Resources Required

The attacker needs the ability to control the source code or application configuration responsible for selecting which message/channel ID is consumed from the public distribution means.

+ Probing Techniques

Assisted protocol analysis: because the protocol under attack is a public channel, or one to which the attacker likely has authorized access, they need simply to decode the aspect of channel or message interpretation that codes for message identifiers.

Probing is as simple as changing this value and watching its effect.

+ Solutions and Mitigations

Associate some ACL (in the form of a token) with an authenticated user, which they provide to the middleware. The middleware uses this token as part of its channel/message selection for that client, or as part of a discerning authorization decision for privileged channels/messages.

The purpose is to architect the system in a way that associates proper authentication/authorization with each channel/message.

Re-architect system input/output channels as appropriate to distribute self-protecting data. That is, encrypt (or otherwise protect) channels/messages so that only authorized readers can see them.
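The token-bound selection described in the mitigations, as an added example that is not part of the CAPEC entry. It models the "Partners" channel from the example above: a vulnerable consumer that authenticates the caller and then trusts a client-chosen partner_ID, beside a hardened consumer whose middleware derives the partner_ID from the authenticated token, refuses any mismatching client-supplied identifier, and writes the refusal to an audit trail that a detection rule can alert on. The message bodies, token names and session store are constructed sample data.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Message:
    """One message on the shared "Partners" channel; partner_id selects the recipient."""
    partner_id: int
    body: str


# Constructed sample data: a single shared channel carrying several partners' traffic.
PARTNERS_CHANNEL: List[Message] = [
    Message(17, "PO-2201 from partner 17"),
    Message(42, "price list for partner 42"),
    Message(17, "shipment notice for partner 17"),
    Message(42, "credit terms for partner 42"),
]

# Constructed session store: opaque bearer token -> authenticated partner_id.
# In a real deployment the authentication layer populates this, not the client.
SESSIONS: Dict[str, int] = {"tok-partner-17": 17, "tok-partner-42": 42}

# Audit trail written by the hardened path; a detection rule can alert on its entries.
AUDIT_LOG: List[str] = []


def fetch_vulnerable(token: str, requested_partner_id: int) -> List[str]:
    """Authenticates the caller, then selects messages by a client-chosen identifier.

    Authentication alone does not stop one partner from reading another's data:
    any authenticated partner can name any partner_id.
    """
    if token not in SESSIONS:
        raise PermissionError("unauthenticated")
    return [m.body for m in PARTNERS_CHANNEL if m.partner_id == requested_partner_id]


def fetch_hardened(token: str, requested_partner_id: Optional[int] = None) -> List[str]:
    """Selects messages by the identifier bound to the authenticated token.

    The middleware, not the client, decides which partner_id is in scope. A
    client-supplied identifier is accepted only when it equals the one bound to
    the token; a mismatch is refused and recorded for detection.
    """
    bound_partner_id = SESSIONS.get(token)
    if bound_partner_id is None:
        raise PermissionError("unauthenticated")
    if requested_partner_id is not None and requested_partner_id != bound_partner_id:
        AUDIT_LOG.append(
            f"identifier mismatch: token bound to partner {bound_partner_id}, "
            f"requested partner {requested_partner_id}"
        )
        raise PermissionError("requested identifier does not match authenticated partner")
    return [m.body for m in PARTNERS_CHANNEL if m.partner_id == bound_partner_id]


def identifier_mismatch_count() -> int:
    """Number of refused cross-partner selections; a nonzero value is a detection signal."""
    return sum(1 for line in AUDIT_LOG if line.startswith("identifier mismatch"))


if __name__ == "__main__":
    # Partner 17 asks for partner 42's messages.
    print("vulnerable:", fetch_vulnerable("tok-partner-17", 42))  # returns partner 42's data
    print("hardened:  ", fetch_hardened("tok-partner-17"))        # only partner 17's data
    try:
        fetch_hardened("tok-partner-17", 42)
    except PermissionError as exc:
        print("hardened refused:", exc)
    print("audit:", AUDIT_LOG)
```

The design point is that the identifier used for selection never originates from the message consumer; it is a property of the authenticated session, so authenticating to the channel is no longer sufficient to read another partner's traffic. Refusals are logged rather than silently dropped, because a partner repeatedly naming other partners' IDs is exactly the probing behaviour the entry describes and is worth alerting on.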

+ Attack Motivation-Consequences
Scope | Technical Impact | Note
Confidentiality | Read application data |
Confidentiality, Access Control, Authorization | Gain privileges / assume identity |
+ Purposes
  • Penetration
+ CIA Impact
Confidentiality Impact: Medium
Integrity Impact: Low
Availability Impact: Low
+ Technical Context
Architectural Paradigms
Client-Server
n-Tier
SOA
Frameworks
All
Platforms
All
Languages
All
+ Content History
Submissions
Submitter | Organization | Date | Source
CAPEC Content Team | The MITRE Corporation | 2014-06-23 | Internal_CAPEC_Team
Modifications
Modifier | Organization | Date | Comments | Source
CAPEC Content Team | The MITRE Corporation | 2015-12-07 | Updated Description Summary | Internal
Previous Entry Names
Date | Previous Entry Name
2015-12-07 | Choosing a Message/Channel Identifier on a Public/Multicast Channel

Page Last Updated or Reviewed: July 31, 2017