Home > CAPEC List > CAPEC-212: Functionality Misuse (Version 2.10)  

CAPEC-212: Functionality Misuse

Functionality Misuse
Definition in a New Window Definition in a New Window
Attack Pattern ID: 212
Abstraction: Meta
Status: Stable
Completeness: Complete
Presentation Filter:
+ Summary

An adversary leverages a legitimate capability of an application in such a way as to achieve a negative technical impact. The system functionality is not altered or modified but used in a way that was not intended. This is often accomplished through the overuse of a specific functionality or by leveraging functionality with design flaws that enables the adversary to gain access to unauthorized, sensitive data.

+ Attack Prerequisites
  • The adversary has the capability to interact with the application directly.

    The target system does not adequately implement safeguards to prevent misuse of authorized actions/processes.

+ Typical Severity


+ Typical Likelihood of Exploit

Likelihood: Medium

+ Attacker Skills or Knowledge Required

Skill or Knowledge Level: Low

+ Solutions and Mitigations

Perform comprehensive threat modeling, a process of identifying, evaluating, and mitigating potential threats to the application. This effort can help reveal potentially obscure application functionality that can be manipulated for malicious purposes.

When implementing security features, consider how they can be misused and compromised.

+ Attack Motivation-Consequences
ScopeTechnical ImpactNote
Gain privileges / assume identity
A successful attack of this kind can compromise the confidentiality of an authorized user's credentials.
"Varies by context"
Depending on the adversary's intended technical impact, a successful attack of this kind can compromise any or all elements of the security triad.
+ Content History
CAPEC Content TeamThe MITRE Corporation2014-06-23Internal_CAPEC_Team
CAPEC Content TeamThe MITRE Corporation2015-12-07Updated Description Summary, Typical_Likelihood_of_Exploit, Typical_SeverityInternal
CAPEC Content TeamThe MITRE Corporation2017-05-01Updated Attack_Motivation-Consequences, Attack_Prerequisites, Attacker_Skills_or_Knowledge_Required, Description Summary, Solutions_and_MitigationsInternal
More information is available — Please select a different filter.
Page Last Updated or Reviewed: May 01, 2017