An attacker searches a targeted web site for web services that have not
been publicized. Generally this involves mapping the published web site by
spidering through all the published links and then attempting to access
well-known debugging or logging services, or otherwise predictable services
within the site tree. This attack can be especially dangerous since
unpublished but available services may not have adequate security controls
placed upon them given that an administrator may believe they are
unreachable.
Attack Prerequisites
The targeted web site must include unpublished services within its web
tree. The nature of these services determines the severity of this
attack.
Resources Required
Spidering tools to explore the target web site are extremely useful in this
attack, especially when attacking large sites. Some tools might also be able to
automatically construct common service queries from known paths.
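Detection Example
The following is an added example, not part of the original entry: a log check that flags clients requesting several paths the site never links to, and lists unpublished paths that answered successfully and so need review. The published-path set, the log lines, the paths in them and the threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample data: paths the site actually links to (e.g. from its own crawl).
PUBLISHED = {"/", "/index.html", "/products", "/contact"}

# Constructed access-log lines in Common Log Format; all paths are hypothetical.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2009:10:00:01 +0000] "GET / HTTP/1.1" 200 5120
203.0.113.5 - - [10/Mar/2009:10:00:02 +0000] "GET /products HTTP/1.1" 200 2048
198.51.100.7 - - [10/Mar/2009:10:01:00 +0000] "GET /index.html HTTP/1.1" 200 5120
198.51.100.7 - - [10/Mar/2009:10:01:01 +0000] "GET /svc/trace HTTP/1.1" 404 310
198.51.100.7 - - [10/Mar/2009:10:01:02 +0000] "GET /svc/logview HTTP/1.1" 404 310
198.51.100.7 - - [10/Mar/2009:10:01:03 +0000] "GET /svc/status?verbose=1 HTTP/1.1" 200 880
203.0.113.5 - - [10/Mar/2009:10:02:00 +0000] "GET /favicon.ico HTTP/1.1" 404 310
"""

# client, method, request target, status
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def analyze(log_text, published, min_probes=3):
    """Return (suspects, exposed).

    suspects: client -> sorted unpublished paths, for clients that requested
              at least min_probes distinct unpublished paths.
    exposed:  sorted unpublished paths the server answered with a 2xx status,
              i.e. reachable services that are not linked from the site.
    """
    probes = defaultdict(set)
    exposed = set()
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip malformed lines
        client, _method, target, status = m.groups()
        path = target.split("?", 1)[0]  # compare on path, ignore query string
        if path in published:
            continue
        probes[client].add(path)
        if status.startswith("2"):
            exposed.add(path)
    suspects = {c: sorted(p) for c, p in probes.items() if len(p) >= min_probes}
    return suspects, sorted(exposed)

if __name__ == "__main__":
    suspects, exposed = analyze(SAMPLE_LOG, PUBLISHED)
    print("clients probing unpublished paths:", suspects)
    print("unpublished paths that answered 2xx:", exposed)
```

Every path in the second result is a service that is reachable without being published, which is the prerequisite this entry names; each one should either be removed from the web tree or given the same access controls as published services.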
Vision and Technical Leadership provided by Cigital, Inc.
This Web site is hosted by The MITRE Corporation.
Copyright 2009, The MITRE Corporation. CAPEC and the CAPEC logo are trademarks of The MITRE Corporation.