An attacker creates a client application to interface with a target
service where the client violates assumptions the service makes about
clients. Services that have designated client applications (as opposed to
services that use general client applications, such as IMAP or POP mail
servers which can interact with any IMAP or POP client) may assume that the
client will follow specific procedures. For example, servers may assume that
clients will accurately compute values (such as prices), will send correctly
structured messages, and will attempt to ensure efficient interactions with
the server. By reverse-engineering a client and creating their own version,
an attacker can take advantage of these assumptions to abuse service
functionality. For example, a purchasing service might send a unit price to
its client and expect the client to correctly compute the total cost of a
purchase. If the attacker uses a malicious client, however, the attacker
could ignore the server input and declare any total price. Likewise, an
attacker could configure the client to retain network or other server
resources for longer than legitimately necessary in order to degrade server
performance.
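The purchasing example above is the standard way this pattern shows up in practice. The following Python sketch is an added illustration, not part of the original text: a vulnerable checkout handler that charges whatever total the client claims, beside a hardened version that treats every client-supplied field as untrusted, validates message structure, and recomputes the total from the server's own catalog. The catalog, SKU values, sample orders and function names are all constructed for the example.

```python
from decimal import Decimal, InvalidOperation, ROUND_HALF_UP

# Constructed server-side catalog: the only authoritative source of unit prices.
CATALOG = {
    "SKU-001": Decimal("19.99"),
    "SKU-002": Decimal("4.50"),
}

# Constructed sample messages as a designated client would send them.
HONEST_ORDER = {"sku": "SKU-001", "quantity": 3, "total": "59.97"}
# A reverse-engineered client ignores the server's unit price and declares its own total.
MALICIOUS_ORDER = {"sku": "SKU-001", "quantity": 3, "total": "0.01"}


class OrderRejected(Exception):
    """Raised when a client-supplied order fails server-side validation."""


def vulnerable_checkout(order):
    """Trusts the client-computed total: a malicious client can charge itself any amount."""
    return order["total"]


def hardened_checkout(order, max_quantity=100):
    """Recomputes the charge from server-side data; client fields are input, not truth.

    Returns (authoritative_total, client_mismatch). The mismatch flag is only a
    detection signal for logging; the server charges its own figure regardless.
    """
    # Structural validation: the service assumed its client sends well-formed
    # messages, so the server must check that assumption itself.
    if not isinstance(order, dict):
        raise OrderRejected("order must be an object")
    sku = order.get("sku")
    if sku not in CATALOG:
        raise OrderRejected("unknown sku")
    quantity = order.get("quantity")
    if not isinstance(quantity, int) or isinstance(quantity, bool):
        raise OrderRejected("quantity must be an integer")
    if quantity < 1 or quantity > max_quantity:
        raise OrderRejected("quantity out of range")

    # Authoritative computation from the server's own price, never the client's.
    expected = (CATALOG[sku] * quantity).quantize(
        Decimal("0.01"), rounding=ROUND_HALF_UP
    )

    # Compare, but never adopt, whatever total the client echoed back.
    claimed = order.get("total")
    mismatch = False
    if claimed is not None:
        try:
            mismatch = Decimal(str(claimed)) != expected
        except InvalidOperation:
            mismatch = True  # unparsable value is itself a malformed-client signal
    return expected, mismatch


def is_rejected(order):
    """Helper for callers that only need to know whether validation failed."""
    try:
        hardened_checkout(order)
        return False
    except OrderRejected:
        return True


if __name__ == "__main__":
    print("vulnerable charges:", vulnerable_checkout(MALICIOUS_ORDER))
    total, flagged = hardened_checkout(MALICIOUS_ORDER)
    print("hardened charges:", total, "client total mismatched:", flagged)
    print("malformed order rejected:", is_rejected({"sku": "SKU-001", "quantity": 0}))
```

The design point is that the hardened handler never reads `total` as an amount; it exists only so the server can flag clients whose arithmetic disagrees with its own, which is a useful detection signal for spotting modified clients in production logs.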
Even services with general clients can be susceptible to this attack if
they assume certain client behaviors. However, such services generally can
make fewer assumptions about the behavior of their clients in the first
place and, as such, are less likely to make assumptions that an attacker can
exploit.
This attack differs from most other forms of identity spoofing in that the
attacker is not attempting to impersonate a specific user or device.
Instead, the attacker attempts to impersonate a class of applications,
namely the client applications of a service. As such, the attacker is not
violating the service's trust in an identity, but its trust in expected
behavior.