CAPEC-179: Calling Micro-Services Directly (Version 2.10)

 
Attack Pattern ID: 179
Abstraction: Standard
Status: Draft
Completeness: Stub
+ Summary

An attacker is able to discover and query micro-services at a web location and thereby expose the micro-services to further exploitation by gathering information about their implementation and function. Micro-services in web pages allow portions of a page to connect to the server and update content without needing to cause the entire page to update. This allows user activity to change portions of the page more quickly without causing disruptions elsewhere. However, these micro-services may not be subject to the same level of security review as other forms of content. For example, a micro-service that posts requests to a server that are turned into SQL queries may not adequately protect against SQL-injection attacks. As a result, micro-services may provide another vector for a range of attacks. It should be emphasized that the presence of micro-services does not necessarily make a site vulnerable to attack, but they do add complexity to a web page and therefore may contain vulnerabilities that support other attack patterns.
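The SQL case mentioned above, as an added example that is not part of the CAPEC entry: a server-side handler that relies on the page's script to send well-formed parameters, next to one that treats every request as if it had been sent directly. The `orders` table, the `owner` parameter, the `session_user` argument and the sample requests are all assumptions constructed for illustration.

```python
import sqlite3

# Constructed sample data; table and column names are assumptions.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, owner TEXT, item TEXT)")
    conn.executemany("INSERT INTO orders (owner, item) VALUES (?, ?)",
                     [("alice", "keyboard"), ("alice", "monitor"), ("bob", "laptop")])
    return conn

def orders_weak(conn, params):
    """Handler that trusts the page's script to send a well-formed 'owner'."""
    # The request field is spliced into the SQL text, so a caller who skips the
    # page and sends the request directly controls the query structure.
    sql = "SELECT item FROM orders WHERE owner = '%s'" % params.get("owner", "")
    return [row[0] for row in conn.execute(sql)]

def orders_hardened(conn, params, session_user):
    """Same endpoint, treating every request as if it were hand-crafted."""
    owner = params.get("owner")
    # Validate type, length and character set on the server, not in page script.
    if not isinstance(owner, str) or not (0 < len(owner) <= 32) or not owner.isalnum():
        raise ValueError("invalid owner parameter")
    # Authorize against the server-side session (assumed), not the request body.
    if owner != session_user:
        raise PermissionError("owner does not match authenticated session")
    # Bound parameter: the value can never change the statement's structure.
    rows = conn.execute("SELECT item FROM orders WHERE owner = ?", (owner,))
    return [row[0] for row in rows]

# Constructed requests: one as the page would send it, one sent directly
# with a parameter value the page's own script would never produce.
PAGE_REQUEST = {"owner": "alice"}
DIRECT_REQUEST = {"owner": "alice' OR '1'='1"}

if __name__ == "__main__":
    db = make_db()
    print("weak, page request:    ", orders_weak(db, PAGE_REQUEST))
    print("weak, direct request:  ", orders_weak(db, DIRECT_REQUEST))
    print("hardened, page request:", orders_hardened(db, PAGE_REQUEST, "alice"))
    try:
        orders_hardened(db, DIRECT_REQUEST, "alice")
    except ValueError as exc:
        print("hardened, direct request rejected:", exc)
```

The weak handler returns every user's rows for the direct request, while the hardened handler rejects it before any SQL runs.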

+ Attack Prerequisites
  • The target site must use micro-services that interact with the server and one or more of these micro-services must be vulnerable to some other attack pattern.

+ Typical Severity

Medium

+ Resources Required

The attacker usually needs to be able to invoke micro-services directly in order to control the parameters that are used in their attack. The attacker may require other resources depending on the nature of the flaw in the targeted micro-service.

+ Content History
Submissions
Submitter | Organization | Date | Source
CAPEC Content Team | The MITRE Corporation | 2014-06-23 | Internal_CAPEC_Team
Modifications
Modifier | Organization | Date | Comments | Source
CAPEC Content Team | The MITRE Corporation | 2015-12-07 | Updated Related_Attack_Patterns | Internal
Previous Entry Names
Date | Previous Entry Name
2015-12-07 | Discovering, querying, and finally calling micro-services, such as w/ AJAX
Page Last Updated or Reviewed: May 01, 2017