CAPEC-207: Removing Important Client Functionality (CAPEC List, Version 3.2)

Attack Pattern ID: 207
Abstraction: Standard
Status: Draft
+ Description
An attacker removes or disables functionality on the client that the server assumes to be present and trustworthy. Attackers can, in some cases, get around logic put in place to 'guard' sensitive functionality or data. Client applications may include functionality that a server relies on for correct and secure operation. This functionality can include, but is not limited to, filters to prevent the sending of dangerous content to the server, logical functionality such as price calculations, and authentication logic to ensure that only authorized users are utilizing the client. If an attacker can disable this functionality on the client, they can perform actions that the server believes are prohibited. This can result in client behavior that violates assumptions by the server leading to a variety of possible attacks. In the above examples, this could include the sending of dangerous content (such as scripts) to the server, incorrect price calculations, or unauthorized access to server resources.
+ Likelihood Of Attack

Medium

+ Typical Severity

High

+ Relationships

The table below shows the other attack patterns and high level categories that are related to this attack pattern. These relationships are defined as ChildOf and ParentOf, and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as CanFollow, PeerOf, and CanAlsoBe are defined to show similar attack patterns that the user may want to explore.

Nature     Type                      ID    Name
ChildOf    Meta Attack Pattern       22    Exploiting Trust in Client
ParentOf   Detailed Attack Pattern   200   Removal of filters: Input filters, output filters, data masking
ParentOf   Detailed Attack Pattern   208   Removing/short-circuiting 'Purse' logic: removing/mutating 'cash' decrements

Meta Attack Pattern: A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of a related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.

Detailed Attack Pattern: A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern will often leverage a number of different standard level attack patterns chained together to accomplish a goal.

+ Execution Flow
Explore
  1. Probing: The attacker probes, through brute-forcing, reverse-engineering or other similar means, the functionality on the client that the server assumes to be present and trustworthy.

    Techniques
    The attacker probes by exploring an application's functionality and its underlying mapping to server-side components.
    The attacker reverse engineers client-side code to identify the functionality that the server relies on for proper or secure operation.
Experiment
  1. Determine which functionality to disable or remove: The attacker tries to determine which functionality to disable or remove through reverse-engineering from the list of functionality identified in the Explore phase.

    Techniques
    The attacker reverse engineers the client-side code to determine which functionality to disable or remove.
Exploit
  1. Disable or remove the critical functionality from the client code: Once the functionality has been determined, the attacker disables or removes the critical functionality from the client code to perform malicious actions that the server believes are prohibited.

    Techniques
    The attacker disables or removes the functionality from the client-side code to perform malicious actions, such as sending dangerous content (for example, scripts) to the server.
+ Prerequisites
The targeted server must assume the client performs important actions to protect the server or the server functionality. For example, the server may assume the client filters outbound traffic or that the client performs all price calculations correctly. Moreover, the server must fail to detect when these assumptions are violated by a client.
+ Skills Required
[Level: High]
To reverse engineer the client-side code to disable/remove the functionality on the client that the server relies on.
[Level: Low]
The attacker installs a web tool that allows scripts or the DOM model of web-based applications to be modified before they are executed in a browser. GreaseMonkey and Firebug are two examples of such tools.
+ Resources Required
The attacker must have access to a client and be able to modify the client behavior, often through reverse engineering. If the server is assuming specific client functionality, this usually means the server only recognizes a specific client application, rather than a broad class of client applications. Reverse engineering tools would likely be necessary.
+ Consequences

The table below specifies different individual consequences associated with the attack pattern. The Scope identifies the security property that is violated, while the Impact describes the negative technical impact that arises if an adversary succeeds in their attack. The Likelihood provides information about how likely the specific consequence is expected to be seen relative to the other consequences in the list. For example, there may be high likelihood that a pattern will be used to achieve a certain impact, but a low likelihood that it will be exploited to achieve a different impact.

Scope                                                            Impact                        Likelihood
Confidentiality                                                  Other                         (none given)
Integrity                                                        Modify Data                   (none given)
Confidentiality                                                  Read Data                     (none given)
Accountability, Authentication, Authorization, Non-Repudiation   Gain Privileges               (none given)
Access Control, Authorization                                    Bypass Protection Mechanism   (none given)
+ Mitigations
Design: For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side.
Design: Ship client-side application with integrity checks (code signing) when possible.
Design: Use obfuscation and other techniques to prevent reverse engineering the client code.
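The first mitigation in practice, as an added example that is not part of the CAPEC entry: a constructed order endpoint that repeats on the server every check the client is expected to perform (the output filter for script content, the price calculation, and the authorization behind an admin-only control), so a client with that logic removed gains nothing. All names, prices and roles are assumptions made for the example.

```python
import html
from dataclasses import dataclass

# Server-owned price list in cents (constructed). The client never supplies prices.
CATALOG = {"sku-1": 1999, "sku-2": 500}


@dataclass(frozen=True)
class Session:
    user: str
    roles: frozenset  # e.g. frozenset({"admin"}); populated by server-side auth


class OrderRejected(Exception):
    """Raised when a request violates a check the client should also have enforced."""


def sanitize_note(note: str) -> str:
    # Duplicate the client's output filter: encode rather than trust that scripts were stripped.
    return html.escape(note)


def server_total(items: dict) -> int:
    # Recompute the total from the catalog; any client-computed total is ignored.
    try:
        return sum(CATALOG[sku] * qty for sku, qty in items.items())
    except KeyError as e:
        raise OrderRejected(f"unknown sku {e}") from None


def place_order(session: Session, payload: dict) -> dict:
    items = payload.get("items", {})
    if not items or any(not isinstance(q, int) or q <= 0 for q in items.values()):
        raise OrderRejected("empty order or bad quantity")
    total = server_total(items)
    # A client-supplied total is advisory only; a mismatch signals tampered client logic.
    if "total" in payload and payload["total"] != total:
        raise OrderRejected("client total mismatch")
    # Authorization is decided here, not by whether the client rendered the control.
    if payload.get("admin_discount"):
        if "admin" not in session.roles:
            raise OrderRejected("admin discount not permitted for this user")
        total //= 2
    return {"user": session.user, "total": total, "note": sanitize_note(payload.get("note", ""))}


def order_accepted(session: Session, payload: dict) -> bool:
    # Verdict-only wrapper for callers (and tests) that just need accept/reject.
    try:
        place_order(session, payload)
        return True
    except OrderRejected:
        return False
```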
+ Example Instances
Attacker reverse engineers a Java binary (by decompiling it) and identifies where license management code exists. Noticing that the license manager returns TRUE or FALSE as to whether or not the user is licensed, the Attacker simply overwrites both branch targets to return TRUE, recompiles, and finally redeploys the binary.
Attacker uses click-through exploration of a Servlet-based website to map out its functionality, taking note of its URL-naming conventions and Servlet mappings. Using this knowledge and guessing the Servlet name of functionality they're not authorized to use, the Attacker directly navigates to the privileged functionality around the authorizing single-front controller (implementing programmatic authorization checks).
+ References
[REF-75] Wikipedia. "Greasemonkey". The Wikimedia Foundation, Inc. <http://en.wikipedia.org/wiki/Greasemonkey>.
[REF-76] "Firebug". <http://getfirebug.com/>.
[REF-77] Mozilla Firefox Add-ons. "Greasemonkey". <https://addons.mozilla.org/en-US/firefox/addon/greasemonkey/>.
+ Content History
Submissions
Submission Date   Submitter            Organization
2014-06-23        CAPEC Content Team   The MITRE Corporation
Modifications
Modification Date   Modifier             Organization            Changes
2015-12-07          CAPEC Content Team   The MITRE Corporation   Updated Attacker_Skills_or_Knowledge_Required, Description Summary, Examples-Instances, References, Related_Vulnerabilities
2019-04-04          CAPEC Content Team   The MITRE Corporation   Updated Consequences, Related_Attack_Patterns
Previous Entry Names
Change Date   Previous Entry Name
2015-12-07    Removing Important Functionality from the Client
Page Last Updated or Reviewed: September 30, 2019