Home > CAPEC List > CAPEC-121: Exploit Test APIs (Version 3.0)  

CAPEC-121: Exploit Test APIs

Attack Pattern ID: 121
Abstraction: Standard
Status: Draft
Presentation Filter:
+ Description
An attacker exploits a sample, demonstration, or test API that is insecure by default and should not be resident on production systems. Some applications include APIs that are intended to allow an administrator to test and refine their domain. These APIs should usually be disabled once a system enters a production environment. Testing APIs may expose a great deal of diagnostic information intended to aid an administrator, but which can also be used by an attacker to further refine their attack. Moreover, testing APIs may not have adequate security controls or may not have undergone rigorous testing since they were not intended for use in production environments. As such, they may have many flaws and vulnerabilities that would allow an attacker to severely disrupt a target.
+ Likelihood Of Attack

Low

+ Typical Severity

High

+ Relationships

The table(s) below shows the other attack patterns and high level categories that are related to this attack pattern. These relationships are defined as ChildOf, ParentOf, MemberOf and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as CanFollow, PeerOf, and CanAlsoBe are defined to show similar attack patterns that the user may want to explore.

+ Relevant to the view "Mechanisms of Attack" (CAPEC-1000)
NatureTypeIDName
ChildOfMeta Attack PatternMeta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.113API Manipulation
+ Execution Flow
Explore
  1. Determine Vulnerable API: An adversary explores a target system for sample or test APIs that have not been disabled by a system administrator and which may be exploitable by the adversary. If needed, the adversary explores an organization's network to determine if any specific systems of interest exist.

    Techniques
    If needed, the adversary explores an organization's network to determine if any specific systems of interest exist.
Exploit
  1. Leverage Test API to Execute Attacks: Once an adversary has discovered a system with a sample or test API, the API is leveraged to exploit the system and/or conduct various attacks. The adversary can leverage the sample or test API to conduct several types of attacks such as Man-in-the-Middle attacks, keylogging, Cross Site Scripting (XSS), and more.

    Techniques
    The adversary can leverage the sample or test API to conduct several types of attacks such as Man-in-the-Middle attacks, keylogging, Cross Site Scripting (XSS), and more.
+ Prerequisites
The target must have installed test APIs and failed to secure or remove them when brought into a production environment.
+ Resources Required
For some APIs, the attacker will need that appropriate client application that interfaces with the API. Other APIs can be executed using simple tools, such as web browsers or console windows. In some cases, an attacker may need to be able to authenticate to the target before it can access the vulnerable APIs.
+ Mitigations
Ensure that production systems to not contain sample or test APIs and that these APIs are only used in development environments.
+ Content History
Submissions
Submission DateSubmitterOrganization
2014-06-23CAPEC Content TeamThe MITRE Corporation
Modifications
Modification DateModifierOrganization
2018-07-31CAPEC Content TeamThe MITRE Corporation
Updated Activation_Zone, Attack_Phases, Description, Description Summary, Injection_Vector, Payload, Payload_Activation_Impact, Solutions_and_Mitigations, Typical_Likelihood_of_Exploit
Previous Entry Names
Change DatePrevious Entry Name
2015-12-07Locate and Exploit Test APIs

More information is available — Please select a different filter.
Page Last Updated or Reviewed: July 31, 2018