Home > CAPEC List > CAPEC-510: SaaS User Request Forgery (Version 2.11)  

CAPEC-510: SaaS User Request Forgery

SaaS User Request Forgery
Definition in a New Window Definition in a New Window
Attack Pattern ID: 510
Abstraction: Standard
Status: Draft
Completeness: Stub
Presentation Filter:
+ Summary

An adversary, through a previously installed malicious application, performs malicious actions against a third-party Software as a Service (SaaS) application (also known as a cloud based application) by leveraging the persistent and implicit trust placed on a trusted user's session. This attack is executed after a trusted user is authenticated into a cloud service, "piggy-backing" on the authenticated session, and exploiting the fact that the cloud service believes it is only interacting with the trusted user. If successful, the actions embedded in the malicious application will be processed and accepted by the targeted SaaS application and executed at the trusted user's privilege level.

+ Attack Prerequisites
  • An adversary must be able install a purpose built malicious application onto the trusted user's system and convince the user to execute it while authenticated to the SaaS application.

+ Typical Severity


+ Typical Likelihood of Exploit

Likelihood: High

Cloud services are often accessed from unmanaged devices over untrusted networks. The likelihood of an adversary having a presence on these unmanaged devices is high. Several instances of this style of attack have been found.

+ Attacker Skills or Knowledge Required

Skill or Knowledge Level: Medium

This attack pattern often requires the technical ability to modify a malicious software package (e.g. Zeus) to spider a targeted site and a way to trick a user into a malicious software download.

+ Solutions and Mitigations

To limit one's exposure to this type of attack, tunnel communications through a secure proxy service.

Detection of this type of attack can be done through heuristic analysis of behavioral anomalies (a la credit card fraud detection) which can be used to identify inhuman behavioral patterns. (e.g., spidering)

+ References
[R.510.1] [REF-45] Ami Luttwak. "A new Zeus variant targeting Salesforce.com – Research and Analysis". Adallom, Inc.. 2014-02-19. <http://www.adallom.com/blog/a-new-zeus-variant-targeting-salesforce-com-accounts-research-and-analysis/>.
+ Other Notes

SaaS/Cloud applications are often accessed from unmanaged systems and devices, over untrusted networks that are outside corporate IT control. The likelihood of a cloud service being accessed by a trusted user though an untrusted device is high. Several instances of this style of attack have been found.

+ Content History
CAPEC Content TeamThe MITRE Corporation2014-06-23Internal_CAPEC_Team

More information is available — Please select a different filter.
Page Last Updated or Reviewed: August 04, 2017