CAPEC-121: Exploit Test APIs (Version 2.11)

Attack Pattern ID: 121
Abstraction: Standard
Status: Draft
Completeness: Stub
+ Summary

An attacker exploits a sample, demonstration, or test API that is insecure by default and should not be resident on production systems. Some applications include APIs that are intended to allow an administrator to test and refine their domain. These APIs should usually be disabled once a system enters a production environment. Testing APIs may expose a great deal of diagnostic information intended to aid an administrator, but which can also be used by an attacker to further refine their attack. Moreover, testing APIs may not have adequate security controls or may not have undergone rigorous testing since they were not intended for use in production environments. As such, they may have many flaws and vulnerabilities that would allow an attacker to severely disrupt a target.

+ Attack Prerequisites
  • The target must have installed test APIs and failed to secure or remove them when brought into a production environment.

+ Typical Severity

High

+ Resources Required

For some APIs, the attacker will need the appropriate client application that interfaces with the API. Other APIs can be invoked using simple tools, such as web browsers or console windows. In some cases, an attacker may need to authenticate to the target before they can access the vulnerable APIs.

+ Content History
Submissions
Submitter           Organization           Date        Source
CAPEC Content Team  The MITRE Corporation  2014-06-23  Internal_CAPEC_Team

Previous Entry Names
Date        Previous Entry Name
2015-12-07  Locate and Exploit Test APIs

Page Last Updated or Reviewed: July 31, 2017