CAPEC - CAPEC-389: Content Spoofing Via Application API Manipulation (Release 1.7.1)

Home > CAPEC List > CAPEC-389: Content Spoofing Via Application API Manipulation (Release 1.7.1)

CAPEC List
Full CAPEC Dictionary
Methods of Attack View
Reports

About CAPEC
Documents
Resources

Community
Related Activities
Collaboration List
T-Shirt

News & Events
Calendar
Free Newsletter

Compatibility
Program
Requirements
Make a Declaration
Contact Us
Search the Site

CAPEC-389: Content Spoofing Via Application API Manipulation

Content Spoofing Via Application API Manipulation

Attack Pattern ID: 389 (Standard Attack Pattern Completeness: Stub)

Typical Severity: Low

Status: Draft

Description

Summary

An attacker manipulates either egress or ingress data from a client within an application framework in order to change the content of messages. Performing this attack allows the attacker to manipulate content in such a way as to produce messages or content that look authentic but may contain deceptive links, spam-like content, or links to the attackers code. In general, content-spoofing within an application API can be employed to stage many different types of attacks varied based on the attacker's intent. The techniques require use of specialized software that allow the attacker to man-in-the-middle communications between the web browser and the remote system.

Target Attack Surface

Target Attack Surface Description

Targeted OSI Layers: Application Layer

Target Attack Surface Localities

Client-side

Target Attack Surface Types: Host

Target Functional Services

Target Functional Service 1: Any

Protocol 1: HTTP

Related Protocol: Internet Protocol
Relationship Type
Uses Protocol

Related Protocol: Transmission Control Protocol
Relationship Type
Uses Protocol

Attack Prerequisites

Targeted software is utilizing application framework APIs

Resources Required

A software program that allows a user to man-in-the-middle communications between the client and server, such as a man-in-the-middle proxy.

Related Weaknesses

CWE-ID	Weakness Name	Weakness Relationship Type
345	Insufficient Verification of Data Authenticity	Targeted
346	Origin Validation Error	Targeted
602	Client-Side Enforcement of Server-Side Security	Secondary
311	Missing Encryption of Sensitive Data	Secondary

Related Attack Patterns

Nature	Type	ID	Name	Description	View(s) this relationship pertains to
ChildOf	Attack Pattern	384	Application API Message Manipulation via Man-in-the-Middle		Mechanism of Attack (primary)1000

References

Tom Stracener and Sean Barnum. "So Many Ways [...]: Exploiting Facebook and YoVille". Defcon 18. 2010.

Content History

Submissions
Submitter	Organization	Date
Tom Stracener	MITRE	2010-10-27

Modifications
Modifier	Organization	Date	Comments
Sean Barnum	MITRE	2010-10-27	Review and revision of content

Page Last Updated: May 04, 2012


	CAPEC is co-sponsored by the National Cyber Security Division of the U.S. Department of Homeland Security. This Web site is sponsored and managed by The MITRE Corporation to enable stakeholder collaboration. Copyright © 2009 - 2012, The MITRE Corporation. CAPEC and the CAPEC logo are trademarks of The MITRE Corporation. Contact capec@mitre.org for more information.	Privacy policy Terms of use Contact us