In applications, particularly web applications, access to functionality is
mitigated by the authorization framework, whose job it is to map ACLs to
elements of the application's functionality; particularly URL's for web
apps. In the case that the application deployer failed to specify an ACL for
a particular element, an attacker may be able to access it with impunity. An
attacker with the ability to access functionality not properly constrained
by ACLs can obtain sensitive information and possibly compromise the entire
application. Such an attacker can access resources that must be available
only to users at a higher privilege level, can access management sections of
the application or can run queries for data that he is otherwise not
supposed to.
Attack Execution Flow
Explore
Survey:
The attacker surveys the target application,
possibly as a valid and authenticated user
Attack Step Techniques
ID
Attack Step Technique Description
Environments
1
Spidering web sites for all available
links
env-Web
2
Brute force guessing of resource
names
env-All
3
Brute force guessing of user names /
credentials
env-All
4
Brute force guessing of function names /
actions
env-All
Indicators
ID
type
Indicator Description
Environments
1
Positive
ACLs or other access control mechanisms are
present in the software
env-Web
env-ClientServer
2
Positive
User IDs or other credentials are present in
the software
env-Web
env-ClientServer
3
Positive
Operating modes with different privileges
are present in the software
env-ClientServer env-Local
env-Embedded
Identify
Functionality:
At each step, the attacker notes the resource or
functionality access mechanism invoked upon
performing specific actions
Attack Step Techniques
ID
Attack Step Technique Description
Environments
1
Use the web inventory of all forms and
inputs and apply attack data to those
inputs.
env-Web
2
Use a packet sniffer to capture and record
network traffic
env-CommProtocol
3
Execute the software in a debugger and
record API calls into the operating system or
important libraries. This might occur in an
environment other than a production environment,
in order to find weaknesses that can be exploited
in a production environment.
env-Local env-Embedded
Outcomes
ID
type
Outcome Description
1
Success
The attacker produces a list of
functionality or data that can be accessed through
the system.
Experiment
Iterate over access
capabilities:
Possibly as a valid user, the attacker then tries
to access each of the noted access mechanisms
directly in order to perform functions not
constrained by the ACLs.
Attack Step Techniques
ID
Attack Step Technique Description
Environments
1
Fuzzing of API parameters (URL parameters,
OS API parameters, protocol parameters)
env-Web env-Local env-Embedded
env-ClientServer
Indicators
ID
type
Indicator Description
Environments
1
Negative
Attempts to create a catalog of access
mechanisms and data have failed.
env-All
Outcomes
ID
type
Outcome Description
1
Success
Functionality is accessible to
unauthorized users.
Attack Prerequisites
The application must be navigable in a manner that associates elements
(subsections) of the application with ACLs.
The various resources, or individual URLs, must be somehow discoverable by
the attacker
The deployer must have forgotten to associate an ACL or has associated an
inappropriately permissive ACL with a particular navigable resource.
Typical Likelihood of Exploit
Likelihood: Very High
Methods of Attack
Analysis
Brute Force
Examples-Instances
Description
Implementing the Model-View-Controller (MVC) within Java EE's Servlet
paradigm using a "Single front controller" pattern that demands that
brokered HTTP requests be authenticated before hand-offs to other Action
Servlets.
If no security-constraint is placed on those Action Servlets, such
that positively no one can access them, the front controller can be
subverted.
Attacker Skills or Knowledge Required
Skill or Knowledge Level: Low
In order to discover unrestricted resources, the attacker does not
need special tools or skills. He only has to observe the resources or
access mechanisms invoked as each action is performed and then try and
access those access mechanisms directly.
Resources Required
No special resources are required for the exploit of this pattern.
Probing Techniques
In the case of web applications, use of a spider or other crawling
software can allow an attacker to search for accessible pages not beholden
to a security constraint.
More generally, noting the target resource accessed upon performing
specific actions drives an understanding of the resources accessible from
the current context.
Solutions and Mitigations
In a J2EE setting, deployers can associate a role that is impossible for
the authenticator to grant users, such as "NoAccess", with all Servlets to
which access is guarded by a limited number of servlets visible to, and
accessible by, the user.
Having done so, any direct access to those protected Servlets will be
prohibited by the web container.
In a more general setting, the deployer must mark every resource besides
the ones supposed to be exposed to the user as accessible by a role
impossible for the user to assume. The default security setting must be to
deny access and then grant access only to those resources intended by
business logic.
All resources must be constrained to be inaccessible by default followed
by selectively allowing access to resources as dictated by application and
business logic
In addition to a central controller, every resource must also restrict,
wherever possible, incoming accesses as dictated by the relevant ACL.
Related Security Principles
Failing Securely
Least Privilege
Reluctance To Trust
Complete Mediation
Related Guidelines
Use Authorization Mechanisms Correctly
Design Configuration Subsystems Correctly and Distribute Safe Default
Configurations
Purposes
Penetration
CIA Impact
Confidentiality Impact: High
Integrity Impact: Medium
Availability Impact: Low
Technical Context
Architectural Paradigms
All
Frameworks
All
Platforms
All
Languages
All
Content History
Submissions
Submitter
Organization
Date
Comments
John Steven
Cigital, Inc
2007-02-10
Initial core pattern content
Modifications
Modifier
Organization
Date
Comments
Chiradeep B. Chhaya
Cigital, Inc
2007-02-23
Fleshed out pattern with extra
content
Richard Struse
VOXEM, Inc
2007-03-26
Review and feedback leading to changes in Attack
Execution Flow, Attack Prerequisites, Examples and
Solutions
Sean Barnum
Cigital, Inc
2007-04-13
Modified pattern content according to review and
feedback
An attack of this type exploits a system's configuration that allows an
attacker to either directly access an executable file, for example through
shell access; or in a possible worst case allows an attacker to upload a
file and then execute it. Web servers, ftp servers, and message oriented
middleware systems which have many integration points are particularly
vulnerable, because both the programmers and the administrators must be in
synch regarding the interfaces and the correct privileges for each
interface.
Attack Prerequisites
System's configuration must allow an attacker to directly access
executable files or upload files to execute. This means that any access
control system that is supposed to mediate communications between the
subkect and the object is set incorrectly or assumes a benign
environment.
Typical Likelihood of Exploit
Likelihood: High
Methods of Attack
Modification of Resources
API Abuse
Examples-Instances
Description
Consider a directory on a web server with the following
permissions
drwxrwxrwx 5 admin public 170 Nov 17 01:08 webroot
This could allow an attacker to both execute and upload and execute
programs' on the web server. This one vulnerability can be exploited by
a threat to probe the system and identify additional vulnerabilities to
exploit.
Attacker Skills or Knowledge Required
Skill or Knowledge Level: Low
To identify and execute against an overprivileged system
interface
Resources Required
Ability to communicate synchronously or asynchronously with server that
publishes an overprivileged directory, program, or interface. Optionally,
ability to capture output directly through synchronous communication or other
method such as FTP.
Solutions and Mitigations
Design: Enforce principle of least privilege
Design: Run server interfaces with a non-root account and/or utilize
chroot jails or other configuration techniques to constrain privileges even
if attacker gains some limited access to commands.
Implementation: Perform testing such as pentesting and vulnerability
scanning to identify directories, programs, and interfaces that grant direct
access to executables.
Attack Motivation-Consequences
Run Arbitrary Code
Data Modification
Information Leakage
Privilege Escalation
Injection Vector
Payload delivered through standard communication protocols.
Payload
Command(s) executed directly on host
Activation Zone
Client machine and client network
Payload Activation Impact
Enables attacker to execute server side code with any commands that the
program owner has privileges to.
An attacker is able to disguise one action for another and therefore trick
a user into initiating one type of action when they intend to initiate a
different action. For example, a user might be led to believe that clicking
a button will submit a query, but in fact it downloads software. Attackers
may perform this attack through social means, such as by simply convincing a
victim to perform the action or relying on a user's natural inclination to
do so, or through technical means, such as a clickjacking attack where a
user sees one interface but is actually interacting with a second,
invisible, interface.
Attack Prerequisites
The victim must be convinced into performing the decoy action.
Resources Required
The attacker must have enough control over a user's interface to present them
with a decoy action as well as the actual malicious action. Simple versions of
this attack can be performed using web pages requiring only that the attacker be
able to host (or control) content that the user visits.
An attacker manipulates the processing of Application Programming
Interface (API) resulting in the API's function having an adverse impact
upon the security of the system or application implementing the API. This
can allow the attacker to execute functionality not intended by the API
implementation, possibly compromising the system or application which
integrates the API. API Abuse can take on a number of forms. For example,
the API may trust that the calling function properly validates its data and
thus it may be manipulated by supplying metacharacters or alternate
encodings as input, resulting in any number of injection flaws, including
SQL injection, cross-site scripting, or command execution. Another example
could be API methods that should be disabled in a production application but
were not, thus exposing dangerous functionality within a production
environment.
Attack Prerequisites
The target system must expose API functionality in a manner that can be
discovered and manipulated by an attacker. This may require reverse
engineering the API syntax or decrypting/de-obfuscating client-server
exchanges.
Resources Required
The requirements vary depending upon the nature of the API. For
application-layer APIs related to the processing of the HTTP protocol, one or
more of the following may be needed: a MITM (Man-In-The-Middle) proxy, a web
browser, or a programming/scripting language.
An attacker changes the behavior or state of a targeted application
through injecting data or command syntax through the targets use of
non-validated and non-filtered arguments of exposed services or
methods.
Attack Execution Flow
Explore
Discovery of potential injection
vectors:
Using an automated tool or manual discovery, the
attacker identifies services or methods with
arguments that could potentially be used as
injection vectors (OS, API, SQL procedures,
etc.).
Attack Step Techniques
ID
Attack Step Technique Description
Environments
1
Manually cover the application and record
the possible places where arguments could be
passed into external systems.
env-All
2
Use a spider, for web applications, to
create a list of URLs and associated
inputs.
env-All
Indicators
ID
type
Indicator Description
Environments
1
Positive
Arguments are used by the application in
exposed services or methods
env-All
2
Inconclusive
No parameters appear to be used.
env-All
3
Negative
Application does not use any inputs.
env-All
Outcomes
ID
type
Outcome Description
1
Success
A list of parameters, arguments
to modify is identified.
2
Success
A list of URLs, with their
corresponding parameters (POST, GET, COOKIE, etc.)
is created by the attacker.
Security Controls
ID
type
Security Control Description
1
Detective
Monitor velocity of
page fetching in web logs. Humans who view a page
and select a link from it will click far slower
and far less regularly than tools. Tools make
requests very quickly and the requests are
typically spaced apart regularly (e.g. 0.8 seconds
between them).
2
Detective
Create links on some
pages that are visually hidden from web browsers.
Using IFRAMES, images, or other HTML techniques,
the links can be hidden from web browsing humans,
but visible to spiders and programs. A request for
the page, then, becomes a good predictor of an
automated tool probing the
application.
3
Preventative
Use CAPTCHA to prevent
the use of the application by an automated
tool.
4
Preventative
Actively monitor the
application and either deny or redirect requests
from origins that appear to be
automated.
Experiment
1. Attempt variations on argument
content:
Possibly using an automated tool, the attacker
will perform injection variations of the
arguments.
Attack Step Techniques
ID
Attack Step Technique Description
Environments
1
Use a very large list of probe strings in
order to detect if there is a positive result,
and, what type of system has been targeted (if
obscure).
env-All
2
Use a proxy tool to record results, error
messages and/or log if accessible.
env-All
Indicators
ID
type
Indicator Description
Environments
1
Positive
The application behaves like the injection
has been a success.
env-All
2
Inconclusive
No result appears.
env-All
Outcomes
ID
type
Outcome Description
1
Failure
It is possible to monitor the
application and to see that the argument has been
validated.
Security Controls
ID
type
Security Control Description
1
Preventative
Actively monitor
malicious inputs.
2
Detective
Monitor the services
and/or methods uses of the
arguments.
Exploit
Abuse of the
application:
The attacker injects specific syntax into a
particular argument in order to generate a specific
malicious effect in the targeted application.
Attack Step Techniques
ID
Attack Step Technique Description
Environments
1
Manually inject specific payload into
targeted argument.
env-All
Outcomes
ID
type
Outcome Description
1
Success
The attacker observes desired
effect.
Security Controls
ID
type
Security Control Description
2
Preventative
Actively monitor
malicious inputs.
3
Detective
Monitor the services
and/or methods uses of the
arguments.
Attack Prerequisites
Target software fails to strip all user-supplied input of any content that
could cause the shell to perform unexpected actions.
Software must allow for unvalidated or unfiltered input to be executed on
operating system shell, and, optionally, the system configuration must allow
for output to be sent back to client.
Typical Likelihood of Exploit
Likelihood: High
Methods of Attack
Injection
Examples-Instances
Description
A recent example instance of argument injection occurred against Java
Web Start technology, which eases the client side deployment for Java
programs. The JNLP files that are used to describe the properties for
the program. The client side Java runtime used the arguments in the
property setting to define execution parameters, but if the attacker
appends commands to an otherwise legitimate property file, then these
commands are sent to the client command shell.
The attacker has to identify injection vector, identify the operating
system-specific commands, and optionally collect the output.
Resources Required
Ability to communicate synchronously or asynchronously with server.
Optionally, ability to capture output directly through synchronous communication
or other method such as FTP.
Solutions and Mitigations
Design: Do not program input values directly on command shell, instead
treat user input as guilty until proven innocent. Build a function that
takes user input and converts it to applications specific types and values,
stripping or filtering out all unauthorized commands and characters in the
process.
Design: Limit program privileges, so if metacharcters or other methods
circumvent program input validation routines and shell access is attained
then it is not running under a privileged account. chroot jails create a
sandbox for the application to execute in, making it more difficult for an
attacker to elevate privilege even in the case that a compromise has
occurred.
Implementation: Implement an audit log that is written to a separate host,
in the event of a compromise the audit log may be able to provide evidence
and details of the compromise.
Attack Motivation-Consequences
Privilege Escalation
Data Modification
Information Leakage
Injection Vector
Malicious input delivered through standard input, the attacker inserts
additional arguments on the application's standard interface
Payload
Varies with instantiation of attack pattern. Malicious payload either pass
commands through valid paramters or supply metacharacters that cause unexpected
termination that redirects to shell
Activation Zone
Client machine and client network (e..g Intranet)
Payload Activation Impact
Enables attacker to execute server side code with any commands that the
program owner has privileges to, this is particularly problematic when the
sprogram is run as a system or privileged account.
An attacker exploits a data structure shared between multiple applications
or an application pool to affect application behavior. Data may be shared
between multiple applications or between multiple threads of a single
application. Data sharing is usually accomplished through mutual access to a
single memory location. If an attacker can manipulate this shared data
(usually by co-opting one of the applications or threads) the other
applications or threads using the shared data will often continue to trust
the validity of the compromised shared data and use it in their
calculations. This can result in invalid trust assumptions, corruption of
additional data through the normal operations of the other users of the
shared data, or even cause a crash or compromise of the sharing
applications.
Attack Prerequisites
The target applications (or target application threads) must share data
between themselves.
The attacker must be able to manipulate some piece of the shared data
either directly or indirectly and the other users of the data must accept
the changed data as valid.
Resources Required
The attacker must be able to change the shared data. Usually this requires
that the attacker be able to compromise one of the sharing applications or
threads in order to manipulated the shared data.
An attacker obtains unauthorized access to an application, service or
device either through knowledge of the inherent weaknesses of an
authentication mechanism, or by exploiting a flaw in the authentication
scheme's implementation. In such an attack an authentication mechanism is
functioning but a carefully controlled sequence of events causes the
mechanism to grant access to the attacker. This attack may exploit
assumptions made by the target's authentication procedures, such as
assumptions regarding trust relationships or assumptions regarding the
generation of secret values. This attack differs from Authentication Bypass
attacks in that Authentication Abuse allows the attacker to be certified as
a valid user through illegitimate means, while Authentication Bypass allows
the user to access protected material without ever being certified as an
authenticated user. This attack does not rely on prior sessions established
by successfully authenticating users, as relied upon for the "Exploitation
of Session Variables, Resource IDs and other Trusted Credentials" attack
patterns.
Attack Prerequisites
An authentication mechanism or subsystem implementing some form of
authentication such as passwords, digest authentication, security
certificates, etc. which is flawed in some way.
Resources Required
A client application, command-line access to a binary, or scripting language
capable of interacting with the authentication mechanism.
An attacker gains access to application, service, or device with the
privileges of an authorized or privileged user by evading or circumventing
an authentication mechanism. The attacker is therefore able to access
protected data without authentication ever having taken place. This refers
to an attacker gaining access equivalent to an authenticated user without
ever going through an authentication procedure. This is usually the result
of the attacker using an unexpected access procedure that does not go
through the proper checkpoints where authentication should occur. For
example, a web site might assume that all users will click through a given
link in order to get to secure material and simply authenticate everyone
that clicks the link. However, an attacker might be able to reach secured
web content by explicitly entering the path to the content rather than
clicking through the authentication link, thereby avoiding the check
entirely. This attack pattern differs from other uthentication attacks in
that attacks of this pattern avoid authentication entirely, rather than
faking authentication by exploiting flaws or by stealing credentials from
legitimate users.
Attack Prerequisites
An authentication mechanism or subsystem impmenting some form of
authentication such as passwords, digest authentication, security
certificates, etc.
Resources Required
A client application, such as a web browser, or a scripting language capable
of interacting with the target.
An application typically makes calls to functions that are a part of
libraries external to the application. These libraries may be part of the
operating system or they may be third party libraries. It is possible that
the application does not handle situations properly where access to these
libraries has been blocked. Depending on the error handling within the
application, blocked access to libraries may leave the system in an insecure
state that could be leveraged by an attacker.
Attack Execution Flow
Determine what external libraries the application
accesses.
Block access to the external libraries accessed by
the application.
Monitor the behavior of the system to see if it
goes into an insecure/inconsistent state.
If the system does go into an
insecure/inconsistent state, leverage that to obtain
information about the system functionality or data,
elevate access control, etc. The rest of this attack
will depend on the context and the desired
goal.
Attack Prerequisites
An application requires access to external libraries.
An attacker has the priviliges to block application access to external
libraries.
Typical Likelihood of Exploit
Likelihood: Medium
Methods of Attack
API Abuse
Modification of Resources
Examples-Instances
Description
A web-based system uses a third party cryptographic random number
generation library that derives entropy from machine's hardware. This
library is used in generation of user session ids used by the
applicatoin. If the library is inaccessible, the application instead
uses a software based weak pseudo random number generation library. An
attacker of the system blocks access of the application to the third
party cryptographic random number generation library (by renaming it).
The application in turn uses the weak pseudo random number generation
library to generate session ids that are predictable. An attacker then
leverages this weakness to guess a session id of another user to perform
a horizontal elevation of privilege escalation and gain access to
another user's account.
Attacker Skills or Knowledge Required
Skill or Knowledge Level: Low
Solutions and Mitigations
Ensure that application handles situations where access to APIs in
external libraries is not available securely. If the application cannot
continue its execution safely it should fail in a consistent and secure
fashion.
In this attack, some asset (information, functionality, identity, etc.) is
protected by a finite secret value. The attacker attempts to gain access to
this asset by using trial-and-error to exhaustively explore all the possible
secret values in the hope of finding the secret (or a value that is
functionally equivalent) that will unlock the asset. Examples of secrets can
include, but are not limited to, passwords, encryption keys, database lookup
keys, and initial values to one-way functions.
The key factor in this attack is the attacker's ability to explore the
possible secret space rapidly. This, in turn, is a function of the size of
the secret space and the computational power the attacker is able to bring
to bear on the problem. If the attacker has modest resources and the secret
space is large, the challenge facing the attacker is intractable. While the
defender cannot control the resources available to an attacker, they can
control the size of the secret space. Creating a large secret space involves
selecting one's secret from as large a field of equally likely alternative
secrets as possible and ensuring that an attacker is unable to reduce the
size of this field using available clues or cryptoanalysis. Doing this is
more difficult than it sounds since elimination of patterns (which, in turn,
would provide an attacker clues that would help them reduce the space of
potential secrets) is difficult to do using deterministic machines, such as
computers. Assuming a finite secret space, a brute force attack will
eventually succeed. The defender must rely on making sure that the time and
resources necessary to do so will exceed the value of the information. For
example, a secret space that will likely take hundreds of years to explore
is likely safe from raw-brute force attacks.
Attack Execution Flow
Explore
Determine secret testing
procedure:
Determine how a potential guess of the secret may
be tested. This may be accomplished by comparing
some manipulation of the secret to a known value,
use of the secret to manipulate some known set of
data and determining if the result displays specific
characteristics (for example, turning cryptotext
into plaintext), or by submitting the secret to some
external authority and having the external authority
respond as to whether the value was the correct
secret. Ideally, the attacker will want to determine
the correctness of their guess independently since
involvement of an external authority is usually
slower and can provide an indication to the defender
that a brute-force attack is being attempted.
Attack Step Techniques
ID
Attack Step Technique Description
Environments
1
Determine if there is a way to parallelize
the attack. Most brute force attacks can take
advantage of parallel techniques by dividing the
search space among available resources, thus
dividing the average time to success by the number
of resources available. If there is a single choke
point, such as a need to check answers with an
external authority, the attacker's position is
significantly degraded.
env-All
Reduce search space:
Find ways to reduce the secret space. The smaller
the attacker can make the space they need to search
for the secret value, the greater their chances for
success. There are a great many ways in which the
search space may be reduced.
Attack Step Techniques
ID
Attack Step Technique Description
Environments
1
If possible, determine how the secret was
selected. If the secret was determined
algorithmically (such as by a random number
generator) the algorithm may have patterns or
dependencies that reduce the size of the secret
space. If the secret was created by a human,
behavioral factors may, if not completely reduce
the space, make some types of secrets more likely
than others. (For example, humans may use the same
secrets in multiple places or use secrets that
look or sound familiar for ease of recall.)
env-All
2
If the secret was chosen algorithmically,
cryptoanalysis can be applied to the algorithm to
discover patterns in this algorithm. (This is true
even if the secret is not used in cryptography.)
Periodicity, the need for seed values, or
weaknesses in the generator all can result in a
significantly smaller secret space.
env-All
3
If the secret was chosen by a person, social
engineering and simple espionage can indicate
patterns in their secret selection. If old secrets
can be learned (and a target may feel they have
little need to protect a secret that has been
replaced) hints as to their selection preferences
can be gleaned. These can include character
substitutions a target employs, patterns in
sources (dates, famous phrases, music lyrics,
family members, etc.). Once these patterns have
been determined, the initial efforts of a
brute-force attack can focus on these
areas.
env-All
4
Some algorithmic techniques for secret
selection may leave indicators that can be tested
for relatively easily and which could then be used
to eliminate large areas of the search space for
consideration. For example, it may be possible to
determine that a secret does or does not start
with a given character after a relatively small
number of tests. Alternatively, it might be
possible to discover the length of the secret
relatively easily. These discoveries would
significantly reduce the search space, thus
increasing speed with which the attacker discovers
the secret.
env-All
Expand victory
conditions:
It is sometimes possible to expand victory
conditions. For example, the attacker might not need
to know the exact secret but simply needs a value
that produces the same result using a one-way
function. While doing this does not reduce the size
of the search space, the presence of multiple
victory conditions does reduce the likely amount of
time that the attacker will need to explore the
space before finding a workable value.
Exploit
Gather information so attack can be
performed independently.:
If possible, gather the necessary information so a
successful search can be determined without
consultation of an external authority. This can be
accomplished by capturing cryptotext (if the goal is
decoding the text) or the encrypted password
dictionary (if the goal is learning
passwords).
Attack Prerequisites
The attacker must be able to determine when they have successfully
guessed the secret. As such, one-time pads are immune to this type of attack
since there is no way to determine when a guess is correct.
Methods of Attack
Brute Force
Attacker Skills or Knowledge Required
Skill or Knowledge Level: Low
The attack simply requires basic scripting ability to automate the
exploration of the search space. More sophisticated attackers may be
able to use more advanced methods to reduce the search space and
increase the speed with which the secret is located.
Resources Required
Ultimately, the speed with which an attacker discovers a secret is directly
proportional to the computational resources the attacker has at their disposal.
This attack method is resource expensive: having large amounts of computational
power do not guarantee timely success, but having only minimal resources makes
the problem intractable against all but the weakest secret selection
procedures.
Indicators-Warnings of Attack
Repeated submissions of incorrect secret values may indicate a brute force
attack. For example, repeated bad passwords when accessing user accounts or
repeated queries to databases using non-existent keys.
Attempts to download files protected by secrets (usually using encryption)
may be a precursor to an offline attack to break the file's encryption and
read its contents. This is especially significant if the file itself
contains other secret values, such as password files.
If the attacker is able to perform the checking offline then there will
likely be no indication that an attack is ongoing.
Obfuscation Techniques
The attack is impossible to detect if the attacker can test for successful
discovery of the secret value independently, without needing to consult an
external authority.
If an external authority must be consulted, the attacker can attempt to
space out their guesses to avoid a large number of failed guesses in a short
period of time, but doing so slows the attack to the point of making it
unworkable against all but the most trivial secret spaces. As such, if an
external authority must be consulted the attacked is unlikely to be able to
keep the attack secret.
Solutions and Mitigations
Select a provably large secret space for selection of the secret. Provably
large means that the procedure by which the secret is selected does not have
artifacts that significantly reduce the size of the total secret
space.
Do not provide the means for an attacker to determine success
independently. This forces the attacker to check their guesses against an
external authority, which can slow the attack and warn the defender. This
mitigation may not be possible if testing material must appear externally,
such as with a transmitted cryptotext.
Protect sensitive data, even when the data is encrypted. If an attacker
can gain access to encrypted data, they can mount a brute-force attack
independently. The defender will not be aware of this attack or be able to
do anything about it and at that point it is purely a function of the
attacker's available resources as to how long it takes them to learn the
secret.
Monitor activity logs for suspicious activity. An attacker that must use
an external authority to check their brute-force guesses is easy to detect,
but only if that external authority is monitoring activity and detects the
abnormally large number of failed guesses.
Related Guidelines
Do not assume secrets will protect sensitive data in the long-term
An attacker manipulates a data buffer to change the execution flow of a
process to a sequence of events the attacker controls. Data buffers in
software applications provide a storage-space for external input. Buffer
attacks provide input the buffer cannot correctly handle. Buffer attacks are
distinguished in that it is the buffer space itself that is the target of
the attack rather than any code responsible for interpreting the content of
the buffer. In virtually all buffer attacks the content that is placed in
the buffer by the user is immaterial. Instead, most buffer attacks involve
providing more input than the buffer can store, resulting in the overwriting
of other program memory or even the program stack with user supplied
input.
Attack Prerequisites
The target must accept input provided by the attacker and store it in a
buffer.
Resources Required
The attacker must posess a programmatic means for supplying data to a buffer,
such as a compiled C or scripted exploit in perl. Network buffer overflows rely
on connectivity of a protocol to deliver the payload.
Some web applications require users to submit information through an
ordered sequence of web forms. This is often done if there is a very large
amount of information being collected or if information on earlier forms is
used to pre-populate fields or determine which additional information the
application needs to collect. An attacker who knows the names of the various
forms in the sequence may be able to explicitly type in the name of a later
form and navigate to it without first going through the previous forms. This
can result in incomplete collection of information, incorrect assumptions
about the information submitted by the attacker, or other problems that can
impair the functioning of the application.
Attack Prerequisites
The target must collect information from the user in a series of forms
where each form has its own URL that the attacker can anticipate and the
application must fail to detect attempts to access intermediate forms
without first filling out the previous forms.
Resources Required
No special resources are required for this attack.
An attacker exploits the functionality of cache technologies to cause
specific data to be cached that aids the attackers objectives. This
describes any attack whereby an attacker places incorrect or harmful
material in cache . The targeted cache can be an application's cache (e.g. a
web browser cache) or a public cache (e.g. a DNS or ARP cache). Until the
cache is refreshed, most applications or clients will treat the corrupted
cache value as valid. This can lead to a wide range of exploits including
redirecting web browsers towards sites that install malware and repeatedly
incorrect calculations based on the incorrect value.
Attack Prerequisites
The attacker must be able to modify the value stored in a cache to match a
desired value.
The targeted application must not be able to detect the illicit
modification of the cache and must trust the cache value in its
calculations.
Resources Required
No special resources are required beyond the ability to modify the targeted
cache.
An attack of this type exploits a Web server's decision to take action
based on filename or file extension. Because different file types are
handled by different server processes, misclassification may force the Web
server to take unexpected action, or expected actions in an unexpected
sequence. This may cause the server to exhaust resources, supply debug or
system data to the attacker, or bind an attacker to a remote process.
This type of vulnerability has been found in many widely used servers
including IIS, Lotus Domino, and Orion. The attacker's job in this case is
straightforward, standard communication protocols and methods are used and
are generally appended with malicious information at the tail end of an
otherwise legitimate request. The attack payload varies, but it could be
special characters like a period or simply appending a tag that has a
special meaning for operations on the server side like .jsp for a java
application server. The essence of this attack is that the attacker deceives
the server into executing functionality based on the name of the request,
i.e. login.jsp, not the contents.
Attack Execution Flow
Explore
Footprint file input
vectors:
Manually or using an automated tool, an attacker
searches for all input locations where a user has
control over the filenames or MIME types of files
submitted to the web server.
Attack Step Techniques
ID
Attack Step Technique Description
Environments
1
Attacker manually crawls application to
identify file inputs
env-Web
2
Attacker uses an automated tool to crawl
application identify file inputs
env-Web
3
Attacker manually assesses strength of
access control protecting native application files
from user control
env-Web
4
Attacker explores potential for submitting
files directly to the web server via independently
constructed HTTP Requests
env-Web
Indicators
ID
type
Indicator Description
Environments
1
Positive
Application submits files under user control
to the web server
env-Web
2
Negative
Application does not submit files under user
control to the web server
env-Web
3
Negative
Application strictly protects all native
application files from user control
env-Web
Outcomes
ID
type
Outcome Description
1
Success
User-controllable files are
identified
Experiment
File misclassification
shotgunning:
An attacker makes changes to file extensions and
MIME types typically processed by web servers and
looks for abnormal behavior.
Attack Step Techniques
ID
Attack Step Technique Description
Environments
1
Attacker submits files with switched
extensions (e.g. .php on a .jsp file) to web
server.
env-Web
2
Attacker adds extra characters (e.g. adding
an extra . after the file extension) to filenames
of files submitted to web server.
env-Web
Indicators
ID
type
Indicator Description
Environments
1
Positive
The web server uses the wrong handler to
execute the file, as expected by the
attacker.
env-Web
2
Inconclusive
No result from the web server.
env-Web
3
Negative
The web server ignore the manipulation and
process the request has it should have
been.
env-Web
Outcomes
ID
type
Outcome Description
1
Success
Web server exhibits unexpected
behavior.
Security Controls
ID
type
Security Control Description
2
Detective
Monitor web server
logs for excessive file processing
errors
3
Preventative
Always validate that
file content structure matches implicitly or
explicitly declared file type as first step of
processing.
File misclassification
sniping:
Understanding how certain file types are processed
by web servers, an attacker crafts varying file
payloads and modifies their file extension or MIME
type to be that of the targeted type to see if the
web server is vulnerable to misclassification of
that type.
Attack Step Techniques
ID
Attack Step Technique Description
Environments
1
Craft a malicious file payload, modify file
extension to the targeted file type and submit it
to the web server.
env-Web
2
Craft a malicious file payload, modify its
associated MIME type to the targeted file type and
submit it to the web server.
env-Web
Indicators
ID
type
Indicator Description
Environments
1
Positive
The web server uses the wrong handler to
execute the file, as expected by the
attacker.
env-Web
2
Inconclusive
No result from the web server.
env-Web
3
Negative
The web server ignore the manipulation and
process the request has it should have
been.
env-Web
Outcomes
ID
type
Outcome Description
1
Success
Attacker's payload is acted on
by web server.
2
Failure
The attacker cannot get the web
server to misclassify a
file.
Security Controls
ID
type
Security Control Description
1
Detective
Monitor web server
logs for excessive file processing
errors
2
Preventative
Always validate that
file content structure matches implicitly or
explicitly declared file type as first step of
processing.
Exploit
Disclose information:
The attacker, by manipulating a file extension or
MIME type is able to make the web server return raw
information (not executed).
Attack Step Techniques
ID
Attack Step Technique Description
Environments
1
Manipulate the file names that are
explicitly sent to the server.
env-Web
2
Manipulate the MIME sent in order to confuse
the web server.
env-Web
Outcomes
ID
type
Outcome Description
1
Success
The attacker gets the
information from the server
Security Controls
ID
type
Security Control Description
1
Preventative
Always validate that
file content structure matches implicitly or
explicitly declared file type as first step of
processing.
Attack Prerequisites
Web server software must rely on file name or file extension for
processing.
Typical Likelihood of Exploit
Likelihood: Medium
Methods of Attack
Injection
Modification of Resources
Examples-Instances
Description
J2EE application servers are supposed to execute Java Server Pages
(JSP). There have been disclosure issues relating to Orion Application
Server, where an attacker that appends either a period (.) or space
characters to the end of a legitimate Http request, then the server
displays the full source code in the attacker's web browser.
http://victim.site/login.jsp.
Since remote data and directory access may be accessed directly from
the JSP, this is a potentially very serious issue.
To use misclassification to force the Web server to disclose
configuration information, source, or binary data
Resources Required
Ability to execute HTTP request to Web server
Solutions and Mitigations
Implementation: Server routines should be determined by content not
determined by filename or file extension.
Attack Motivation-Consequences
Information Leakage
Privilege Escalation
Injection Vector
Malicious input delivered through standard Web application calls, e.g. HTTP
Request.
Payload
Varies with instantiation of attack pattern. Malicious payload may alter or
append filename or extension to communicate with processes in unexpected
order.
Activation Zone
Client machine and client network
Payload Activation Impact
Enables attacker to force web server to disclose configuration, source, and
data
An attacker spoofs a checksum message for the purpose of making a payload
appear to have a valid corresponding checksum. Checksums are used to verify
message integrity. They consist of some value based on the value of the
message they are protecting. Hash codes are a common checksum mechanism.
Both the sender and recipient are able to compute the checksum based on the
contents of the message. If the message contents change between the sender
and recipient, the sender and recipient will compute different checksum
values. Since the sender's checksum value is transmitted with the message,
the recipient would know that a modification occurred. In checksum spoofing
an attacker modifies the message body and then modifies the corresponding
checksum so that the recipient's checksum calculation will match the
checksum (created by the attacker) in the message. This would prevent the
recipient from realizing that a change occurred.
Attack Prerequisites
The attacker must be able to intercept a message from the sender (keeping
the recipient from getting it), modify it, and send the modified message to
the recipient.
The sender and recipient must use a checksum to protect the integrity of
their message and transmit this checksum in a manner where the attacker can
intercept and modify it.
The checksum value must be computable using information known to the
attacker. A cryptographic checksum, which uses a key known only to the
sender and recipient, would thwart this attack.
Resources Required
The attacker must be able to intercept and modify messages between the sender
and recipient.
Attackers aware that more data is being fed into a multicast or public
information distribution means can 'select' information bound only for
another client, even if the distribution means itself forces users to
authenticate in order to connect initally.
Doing so allows the attacker to gain access to possibly privileged
information, possibly perpetrate other attacks through the distribution
means by impersonation.
If the channel/message being manipulated is an input rather than output
mechanism for the system, (such as a command bus), this style of attack
could change its identifier from a less privileged to more so privileged
channel or command.
Attack Execution Flow
Determine the nature of messages being transported
as well as the identifiers to be used as part of the
attack
If required, authenticate to the distribution
channel
If any particular client's information is
available through the transport means simply by
selecting a particular identifier, an attacker can
simply provide that particular identifier.
Attackers with client access connecting to output
channels could change their channel identifier and
see someone else's (perhaps more privileged)
data.
Attack Prerequisites
Information and client-sensitive (and client-specific) data must be
present through a distribution channel available to all users.
Distribution means must code (through channel, message identifiers, or
convention) message destination in a manner visible within the distribution
means itself (such as a control channel) or in the messages
themselves.
Typical Likelihood of Exploit
Likelihood: Very High
Examples-Instances
Description
A certain B2B interface on a large application codes for messages
passed over a MQSeries queue, on a single "Partners" channel. Messages
on that channel code for their client destination based on a partner_ID
field, held by each message. That field is a simple integer. Attackers
having access to that channel, perhaps a particularly nosey partner, can
simply choose to store messages of another parnter's ID and read them as
they desire. Note that authentication does not prevent a partner from
leveraging this attack on other partners. It simply disallows Attackers
without partner status from conducting this attack.
Attacker Skills or Knowledge Required
Skill or Knowledge Level: Low
All the attacker needs to discover is the format of the messages on
the channel/distribution means and the particular identifier used within
the messages.
Resources Required
The Attacker needs the ability to control source code or application
configuration responsible for selecting which message/channel id is absorbed
from the public distribution means.
Probing Techniques
Assisted protocol analysis: because the protocol under attack is a public
channel, or one in which the attacker likely has authorized access to, they
need simply to decode the aspect of channel or message interpretation that
codes for message identifiers.
Probing is as simple as changing this value and watching its
effect.
Solutions and Mitigations
Associate some ACL (in the form of a token) with an authenticated user
which they provide middleware. The middleware uses this token as part of its
channel/message selection for that client, or part of a discerning
authorization decision for privileged channels/messages.
The purpose is to architect the system in a way that associates proper
authentication/authorization with each channel/message.
Rearchitect system input/output channels as appropriate to distribute
self-protecting data. That is, encrypt (or otherwise protect)
channels/messages so that only authorized readers can see them.
Use Authentication Mechanisms, Where Appropriate, Correctly
Use Authorization Mechanisms Correctly: this refers to Ambiguity of
authentication. Many authorization systems use ambiguous symbols (i.e.,
principal names) to identify principals allowing circumvention of
authorization by using a different, though equivalent, principal name. For
example, there are many implementations for restricting remote host access
to local services that may allow many proper—but apparently different—names
for unique hosts (e.g., fully qualified domain names, shortened names,
CNAMEs, IPv4 addresses, IPv6 addresses).
Purposes
Penetration
CIA Impact
Confidentiality Impact: Medium
Integrity Impact: Low
Availability Impact: Low
Technical Context
Architectural Paradigms
Client-Server
n-Tier
SOA
Frameworks
All
Platforms
All
Languages
All
Content History
Submissions
Submitter
Organization
Date
Comments
John Steven
Cigital, Inc
2007-02-10
Initial core pattern content
Modifications
Modifier
Organization
Date
Comments
Chiradeep B. Chhaya
Cigital, Inc
2007-02-23
Fleshed out pattern with extra
content
Richard Struse
VOXEM, Inc
2007-03-26
Review and feedback leading to changes in Description
and Related Attack Patterns
Sean Barnum
Cigital, Inc
2007-04-13
Modified pattern content according to review and
feedback
In a clickjacking attack the victim is tricked into unknowingly initiating
some action in one system while interacting with the UI from seemingly
completely different system. While being logged in to some target system,
the victim visits the attacker's malicious site which displays a UI that the
victim wishes to interact with. In reality, the clickjacked page has a
transparent layer above the visible UI with action controls that the
attacker wishes the victim to execute. The victim clicks on buttons or other
UI elements they see on the page which actually triggers the action controls
in the transparent overlaying layer. Depending on what that action control
is, the attacker may have just tricked the victim into executing some
potentially privileged (and most certainly undesired) functionality in the
target system to which the victim is authenticated. The basic problem here
is that there is a dichotomy between what the victim thinks he's clicking on
versus what he or she is actually clicking on.
Attack Execution Flow
Experiment
Craft a clickjacking
page:
The attacker utilizes web page layering techniques
to try to craft a malicious clickjacking page
Attack Step Techniques
ID
Attack Step Technique Description
Environments
1
The attacker leveraged iFrame overlay
capabilities to craft a malicious clickjacking
page
env-Web
2
The attacker leveraged Flash file overlay
capabilities to craft a malicious clickjacking
page
env-Web
3
The attacker leveraged Silverlight overlay
capabilities to craft a malicious clickjacking
page
env-Web
4
The attacker leveraged cross-frame scripting
to craft a malicious clickjacking page
env-Web
Indicators
ID
type
Indicator Description
Environments
1
Positive
Overlay capabilities are enabled in the
browser
env-Web
Outcomes
ID
type
Outcome Description
1
Success
A page is created that performs
unseen actions when the user interacts with the
visible UI
Security Controls
ID
type
Security Control Description
1
Preventative
Disable overlay
functionality in the browser. This can have
obvious impact on the utility of the browser with
some sites and web
applications.
Exploit
Attacker lures victim to clickjacking
page:
Attacker utilizes some form of temptation,
misdirection or coercion to lure the victim to
loading and interacting with the clickjacking pagen
a way that increases the chances that the victim
will click in the right areas.
Attack Step Techniques
ID
Attack Step Technique Description
Environments
1
Lure the victim to the malicious site by
sending the victim an e-mail with a URL to the
site.
env-Web
2
Lure the victim to the malicious site by
manipulating URLs on a site trusted by the
victim.
env-Web
3
Lure the victim to the malicious site
through a cross-site scripting attack.
env-Web
Outcomes
ID
type
Outcome Description
1
Success
The victim loads the
clickjacking page.
Trick victim into interacting with the
clickjacking page in the desired
manner:
The attacker tricks the victim into clicking on
the areas of the UI which contain the hidden action
controls and thereby interacts with the target
system maliciously with the victim's level of
privilege.
Attack Step Techniques
ID
Attack Step Technique Description
Environments
1
Hide action controls over very commonly used
functionality.
env-Web
2
Hide action controls over very
psychologically tempting content.
env-Web
Attack Prerequisites
The victim is communicating with the target application via a web based UI
and not a thick client
The victim's browser security policies allow at least one of the following
JavaScript, Flash, iFrames, ActiveX, or CSS.
The victim uses a modern browser that supports UI elements like clickable
buttons (i.e. not using an old text only browser)
The victim has an active session with the target system.
The target system's interaction window is open in the victim's browser and
supports the ability for initiating sensitive actions on behalf of the user
in the target system
Typical Likelihood of Exploit
Likelihood: Medium
Methods of Attack
Spoofing
Social Engineering
Examples-Instances
Description
A victim has an authenticated session with a site that provides an
electronic payment service to transfer funds between subscribing
members. At the same time, the victim receives an e-mail that appears to
come from an online publication to which he or she subscribes with links
to today's news articles. The victim clicks on one of these links and is
taken to a page with the news story. There is a screen with an
advertisement that appears on top of the news article with the 'skip
this ad' button. Eager to read the news article, the user clicks on this
button. Nothing happens. The user clicks on the button one more time and
still nothing happens.
In reality, the victim activated a hidden action control located in a
transparent layer above the 'skip this ad' button. The ad screen
blocking the news article made it likely that the victim would click on
the 'skip this ad' button. Clicking on the button, actually initiated
the transfer of $1000 from the victim's account with an electronic
payment service to an attacker's account. Clicking on the 'skip this ad'
button the second time (after nothing seemingly happened the first time)
confirmed the transfer of funds to the elctronic payment service.
Attacker Skills or Knowledge Required
Skill or Knowledge Level: High
Crafting the proper malicious site and luring the victim to this site
are not trivial tasks.
Resources Required
Low: A computer connected to the internet.
Solutions and Mitigations
If using the Firefox browser, use the NoScript plug-in that will help
forbid iFrames.
Turn off JavaScript, Flash and disable CSS.
When maintaining an authenticated session with a privileged target system,
do not use the same browser to navigate to unfamiliar sites to perform other
activities. Finish working with the target system and logout first before
proceeding to other tasks.
Enforce maximum security restrictions in the browser: JavaScript disabled,
Flash disabled, CSS disabled, iFrames forbidden
Related Security Principles
Shed elevated privileges as soon as possible (i.e. log out of the target
application once finished with it and before doing other things in the
browser)
An attacker exploits a weakness in input validation on the target to force
arbitrary code to be retrieved from a remote location and executed. This
differs from script injection in that script injection involves the direct
inclusion of scripting code while code inclusion involves the addition or
replacement of a reference to a code file, which is subsequently loaded by
the target and used as part of the code of some application. One example of
this sort of attack is PHP file include attacks where the parameter of an
include() function is set by a variable that an attacker is able to control.
The result is that arbitrary code could be loaded into the PHP application
and executed.
Attack Prerequisites
The target application must include external code/libraries that are
executed when the application runs and the attacker must be able to
influence the specific files that get included.
The victim must run the targeted application, possibly using the crafted
parameters that the attacker uses to identify the code to include.
Resources Required
The attacker may need to be able to host code modules if they wish their own
code files to be included.
An attack of this type exploits a programs' vulnerabilities that allows an
attacker's commands to be concatenated onto a legitimate command with the
intent of targeting other resources such as the file system or database. The
system that uses a filter or a blacklist input validation, as opposed to
whitelist validation is vulnerable to an attacker who predicts delimiters
(or combinations of delimiters) not present in the filter or blacklist. As
with other injection attacks, the attacker uses the command delimiter
payload as an entry point to tunnel through the application and activate
additional attacks through SQL queries, shell commands, network scanning,
and so on.
Attack Execution Flow
Explore
Assess Target Runtime
Environment:
In situations where the runtime environment is not
implicitly known, the attacker makes connections to
the target system and tries to determine the
system's runtime environment. Knowing the
environment is vital to choosing the correct
delimiters.
Attack Step Techniques
ID
Attack Step Technique Description
Environments
1
Port mapping using network connection-based
software (e.g., nmap, nessus, etc.)
Operating environment
(operating system, language, and/or middleware) is
correctly identified.
2
Inconclusive
Multiple candidate operating
environments are suggested.
Security Controls
ID
type
Security Control Description
1
Preventative
Provide misleading
information on TCIP/IP fingerprints (some
operating systems can be configured to send
signatures that match other operating
systems).
2
Preventative
Provide misleading
information at the server level (e.g., Apache,
IIS, WebLogic, etc.) to announce a different
server software.
3
Detective
Some fingerprinting
techniques can be detected by operating systems or
by network IDS systems because they leave the
network connection half-open, or they do not
belong to a valid, open
connection.
Survey the
Application:
The attacker surveys the target application,
possibly as a valid and authenticated user
Attack Step Techniques
ID
Attack Step Technique Description
Environments
-1
Spidering web sites for all available
links
env-Web
-1
Inventory all application inputs
env-All
Indicators
ID
type
Indicator Description
Environments
-1
Positive
Attacker develops a list of valid
inputs
env-Web
env-ClientServer
Outcomes
ID
type
Outcome Description
0
Success
The attacker develops a list of
likely command delimiters.
Security Controls
ID
type
Security Control Description
0
Detective
Monitor velocity of
page fetching in web logs. Humans who view a page
and select a link from it will click far slower
and far less regularly than tools. Tools make
requests very quickly and the requests are
typically spaced apart regularly (e.g. 0.8 seconds
between them).
0
Detective
Create links on some
pages that are visually hidden from web browsers.
Using IFRAMES, images, or other HTML techniques,
the links can be hidden from web browsing humans,
but visible to spiders and programs. A request for
the page, then, becomes a good predictor of an
automated tool probing the
application.
0
Preventative
Actively monitor the
application and either deny or redirect requests
from origins that appear to be
automated.
0
Detective
Monitor velocity of
feature activations (non-web software). Humans who
activate features (click buttons, request actions,
invoke APIs, etc.) will do so far slower and far
less regularly than tools. Tools make requests
very quickly and the requests are typically spaced
apart regularly (e.g. 0.8 seconds between
them).
Experiment
Attempt delimiters in
inputs:
The attacker systematically attempts variations of
delimiters on known inputs, observing the
application's response each time.
Inject command delimiters using web test
frameworks (proxies, TamperData, custom programs,
etc.)
env-Web
3
Enter command delimiters directly in input
fields.
env-Embedded env-Local
env-ClientServer
Indicators
ID
type
Indicator Description
Environments
1
Positive
Attack step 2 is successful.
env-All
Outcomes
ID
type
Outcome Description
1
Success
One or more command delimiters
for the platform provokes an unexpected response
from the software, which can be varied by the
attacker based on the input.
Exploit
Use malicious command
delimiters:
The attacker uses combinations of payload and
carefully placed command delimiters to attack the
software.
Outcomes
ID
type
Outcome Description
1
Success
The software performs as
expected by the attacker.
Security Controls
ID
type
Security Control Description
1
Detective
Attack Prerequisites
Software's input validation or filtering must not detect and block
presence of additional malicious command.
Typical Likelihood of Exploit
Likelihood: High
Methods of Attack
Injection
Examples-Instances
Description
By appending special characters, such as a semicolon or other commands
that are executed by the target process, the attacker is able to execute
a wide variety of malicious commands in the target process space,
utilizing the target's inherited permissions, against any resource the
host has access to. The possibilities are vast including injection
attacks against RDBMS (SQL Injection), directory servers (LDAP
Injection), XML documents (XPath and XQuery Injection), and command line
shells. In many injection attacks, the results are converted back to
strings and displayed to the client process such as a web browser
without tripping any security alarms, so the network firewall does not
log any out of the ordinary behavior.
LDAP servers house critical identity assets such as user, profile,
password, and group information that is used to authenticate and
authorize users. An attacker that can query the directory at will and
execute custom commands against the directory server is literally
working with the keys to the kingdom in many enterprises. When user,
organizational units, and other directory objects are queried by
building the query string directly from user input with no validation,
or other conversion, then the attacker has the ability to use any LDAP
commands to query, filter, list, and crawl against the LDAP server
directly in the same manner as SQL injection gives the ability to the
attacker to run SQL commands on the database.
Attacker Skills or Knowledge Required
Skill or Knowledge Level: Medium
The attacker has to identify injection vector, identify the specific
commands, and optionally collect the output, i.e. from an interactive
session.
Resources Required
Ability to communicate synchronously or asynchronously with server.
Optionally, ability to capture output directly through synchronous communication
or other method such as FTP.
Solutions and Mitigations
Design: Perform whitelist validation against a positive specification for
command length, type, and parameters.
Design: Limit program privileges, so if commands circumvent program input
validation or filter routines then commands do not running under a
privileged account
Implementation: Perform input validation for all remote content.
Implementation: Use type conversions such as JDBC prepared
statements.
Attack Motivation-Consequences
Run Arbitrary Code
Information Leakage
Injection Vector
Malicious input delivered through appending delimiters to standard input
Payload
Command(s) appended to valid parameters to enable attacker to execute commands
on host
Activation Zone
Client machine and client network
Payload Activation Impact
Enables attacker to execute server side code with any commands that the
program owner has privileges to.
An attacker uses standard SQL injection methods to inject data into the
command line for execution. This could be done directly through misuse of
directives such as MSSQL_xp_cmdshell or indirectly through injection of data
into the database that would be interpreted as shell commands. Sometime
later, an unscrupulous backend application (or could be part of the
functionality of the same application) fetches the injected data stored in
the database and uses this data as command line arguments without performing
proper validation. The malicious data escapes that data plane by spawning
new commands to be executed on the host.
Attack Execution Flow
Explore
Probe for SQL Injection
vulernability:
The attacker injects SQL syntax into
user-controllable data inputs to search unfiltered
execution of the SQL syntax in a query.
At least one user-controllable
input susceptible to injection
found.
2
Failure
No user-controllable input
susceptible to injection
found.
Security Controls
ID
type
Security Control Description
1
Detective
Search for and alert
on unexpected SQL keywords in application logs
(e.g. SELECT, DROP,
etc.).
2
Preventative
Input validation of
user-controlled data before including it in a SQL
query
3
Preventative
Use parameterized
queries (e.g. PreparedStatement in Java, and
Command.Parameters.Add() to set query parameters
in .NET)
Exploit
Achieve arbitrary command execution
through SQL Injection with the MSSQL_xp_cmdshell
directive:
The attacker leverages a SQL Injection attack to
inject shell code to be executed by leveraging the
xp_cmdshell directive.
Outcomes
ID
type
Outcome Description
1
Success
Attacker's injected code is
executed.
Security Controls
ID
type
Security Control Description
1
Preventative
Disable xp_cmdshell
stored procedure on the
database.
2
Detective
Search for and alert
on unexpected SQL keywords in application logs
(e.g. SELECT, DROP,
etc.).
3
Preventative
Input validation of
user-controlled data before including it in a SQL
query
4
Preventative
Use parameterized
queries (e.g. PreparedStatement in Java, and
Command.Parameters.Add() to set query parameters
in .NET)
Inject malicious data in the
database:
Leverage SQL injection to inject data in the
database that could later be used to achieve command
injection if ever used as a command line
argument
Security Controls
ID
type
Security Control Description
1
Detective
Search for and alert
on unexpected SQL keywords in application logs
(e.g. SELECT, DROP,
etc.).
2
Preventative
Input validation of
user-controlled data before including it in a SQL
query
3
Preventative
Use parameterized
queries (e.g. PreparedStatement in Java, and
Command.Parameters.Add() to set query parameters
in .NET)
Trigger command line execution with
injected arguments:
The attacker causes execution of command line
functionality which leverages previously injected
database content as arguments.
Outcomes
ID
type
Outcome Description
1
Success
Attacker's injected code is
executed.
Attack Prerequisites
The application does not properly validate data before storing in the
database
Backend application implicitly trusts the data stored in the
database
Malicious data is used on the backend as a command line argument
Typical Likelihood of Exploit
Likelihood: Low
Methods of Attack
Analysis
Injection
Examples-Instances
Description
SQL injection vulnerability in Cacti 0.8.6i and earlier, when
register_argc_argv is enabled, allows remote attackers to execute
arbitrary SQL commands via the (1) second or (2) third arguments to
cmd.php. NOTE: this issue can be leveraged to execute arbitrary commands
since the SQL query results are later used in the polling_items array
and popen function (CVE-2006-6799).
The attacker most likely has to be familiar with the internal
functionality of the system to launch this attack. Without that
knowledge, there are not many feedback mechanisms to give an attacker
the indication of how to perform command injection or whether the attack
is succeeding.
Resources Required
No specialized resources are required
Solutions and Mitigations
Disable MSSQL xp_cmdshell directive on the database
Properly validate the data (syntactically and semantically) before writing
it to the database.
Do not implicitly trust the data stored in the database. Re-validate it
prior to usage to make sure that it is safe to use in a given context (e.g.
as a command line argument).
An attacker exploits well known locations for resources for the purposes
of undermining the security of the target. In many, if not most, systems,
files and resources are organized in the same tree structure. This can be
useful for attackers because they often know where to look for resources or
files that are necessary for attacks. Even when the precise location of a
targeted resource may know be known, naming conventions may indicate a small
area of the target machine's file tree where the resources are typically
located. For example, configuration files are normally stored in the /etc
director on Unix systems. Attackers can take advantage of this to commit
other types of attacks.
Attack Prerequisites
The targeted applications must either expect files to be located at a
specific location or, if the location of the files can be configured by the
user, the user either failed to move the files from the default location or
placed them in a conventional location for files of the given type.
Resources Required
No special resources are required for most variants of this attack. In some
cases, the attacker need not even have direct access to the locations on the
target computer where the targeted resources reside.
An attacker manipulates files or settings external to a target application
which affect the behavior of that application. For example, many
applications use external configuration files and libraries - modification
of these entities or otherwise affecting the application's ability to use
them would constitute a configuration/environment manipulation
attack.
Attack Prerequisites
The target application must consult external files or configuration
controls to control its execution. All but the very simplest applications
meet this requirement.
Resources Required
The attacker must have the access necessary to affect the files or other
environment items the targeted application uses for its operations.
An attacker modifies content to make it contain something other than what
the original content producer intended while keeping the apparent source of
the content unchanged. The term content spoofing is most often used to
describe modification of web pages hosted by a target to display the
attacker's content instead of the owner's content. However, any content can
be spoofed, including the content of email messages, file transfers, or the
content of other network communication protocols. Content can be modified at
the source (e.g. modifying the source file for a web page) or in transit
(e.g. intercepting and modifying a message between the sender and
recipient). Usually, the attacker will attempt to hide the fact that the
content has been modified, but in some cases, such as with web site
defacement, this is not necessary. Content Spoofing can lead to malware
exposure, financial fraud if the content governs financial transactions,
privacy violations, and other results.
Attack Prerequisites
The target must provide content but fail to adequately protect it against
modification.
Resources Required
No special resources are required by the client for most forms of the attack.
If the content is to be modified in transit, the attacker must be able to
intercept the targeted messages. In some variants, the targeted content is
altered so that all or some of it is redirected towards content published by the
attacker (for example, images and frames in the target's web site might be
modified to be loaded from a source controlled by the attacker). In these cases,
the attacker must be able to host the replacement content.
An attacker exploits file location algorithms in an operating system or
application by creating a file with the same name as a protected or
privileged file. The attacker could manipulate the system if the
attacker-created file is trusted by the operating system or an application
component that attempts to load the original file. Applications often load
or include external files, such as libraries or configuration files. These
files should be protected against malicious manipulation. However, if the
application only uses the name of the file when locating it, an attacker may
be able to create a file with the same name and place it in a directory that
the application will search before the directory with the legitimate file is
searched. Because the attacker's file is discovered first, it would be used
by the target application. This attack can be extremely destructive if the
referenced file is executable and/or is granted special privileges based
solely on having a particular name.
Attack Prerequisites
The target application must exclude external files. Most non-trivial
applications meet this criterion.
The target application does not verify that a located file is the one it
was looking for through means other than the name. Many applications fail to
perform checks of this type.
The directories the target application searches to find the included file
include directories writable by the attacker which are searched before the
protected directory containing the actual files. It is much less common for
applications to meet this criterion, but if an attacker can manipulate the
application's search path (possibly by controlling environmental variables)
then they can force this criterion to be met.
Resources Required
The attacker must have sufficient access to place an arbitrarily named file
somewhere early in the application's search path.
An attacker creates a client application to interface with a target
service where the client violates assumptions the service makes about
clients. Services that have designated client applications (as opposed to
services that use general client applications, such as IMAP or POP mail
servers which can interact with any IMAP or POP client) may assume that the
client will follow specific procedures. For example, servers may assume that
clients will accurately compute values (such as prices), will send correctly
structured messages, and will attempt to ensure efficient interactions with
the server. By reverse-engineering a client and creating their own version,
an attacker can take advantage of these assumptions to abuse service
functionality. For example, a purchasing service might send a unit price to
its client and expect the client to correctly compute the total cost of a
purchase. If the attacker uses a malicious client, however, the attacker
could ignore the server input and declare any total price. Likewise, an
attacker could configure the client to retain network or other server
resources for longer than legitimately necessary in order to degrade server
performance.
Even services with general clients can be susceptible to this attack if
they assume certain client behaviors. However, such services generally can
make fewer assumptions about the behavior of their clients in the first
place and, as such, are less likely to make assumptions that an attacker can
exploit.
This attack differs from most other forms of identity spoofing in that the
attacker is not attempting to impersonate a specific user or device.
Instead, the attacker attempts to impersonate a class of applications,
namely the client applications of a service. As such, the attacker is not
violating the service's trust in an identity, but its trust in expected
behavior.
Attack Prerequisites
The targeted service must make assumptions about the behavior of the
client application that interacts with it, which can be abused by an
attacker.
Resources Required
The attacker must be able to reverse engineer a client of the targeted
service. However, the attacker does not need to reverse engineer all client
functionality - they only need to recreate enough of the functionality to access
the desired server functionality.
An attacker crafts malicious web links and distributes them (via web
pages, email, etc.), typically in a targeted manner, hoping to induce users
to click on the link and execute the malicious action against some
third-party application. If successful, the action embedded in the malicious
link will be processed and accepted by the targeted application with the
users' privilege level.
This type of attack leverages the persistence and implicit trust placed in
user session cookies by many web applications today. In such an
architecture, once the user authenticates to an application and a session
cookie is created on the user's system, all following transactions for that
session are authenticated using that cookie including potential actions
initiated by an attacker and simply "riding" the existing session
cookie.
Attack Execution Flow
Explore
Explore target
website:
The attacker first explores the target website to
determine pieces of functionality that are of
interest to him (e.g. money transfers). The attacker
will need a legitimate user account on the target
website. It would help to have two accounts.
Attack Step Techniques
ID
Attack Step Technique Description
Environments
1
Use web application debugging tool such as
WebScarab, Tamper Data or TamperIE to analyze the
information exchanged between the client and the
server
env-Web
2
Use network sniffing tool such as Wireshark
to analyze the information exchanged between the
client and the server
env-Web
3
View HTML source of web pages that contain
links or buttons that perform actions of
interest.
env-Web
Outcomes
ID
type
Outcome Description
1
Success
Attacker identifies at least
one piece of interesting functionality that can be
executed by making a single HTTP GET or POST
request containing no session-specific
parameters.
1
Failure
Attacker cannot identify any
functionality that can be executed without sending
a session-specific parameter other than the cookie
in the HTTP request.
Experiment
Create a link that when clicked on, will
execute the interesting
functionality.:
The attacker needs to create a link that will
execute some interesting functionality such as
transfer money, change a password, etc.
Attack Step Techniques
ID
Attack Step Technique Description
Environments
1
Create a GET request containing all required
parameters (e.g.
https://www.somebank.com/members/transfer.asp?to=012345678901&amt=10000)
env-Web
2
Create a form that will submit a POST
request (e.g. <form method="POST"
action="https://www.somebank.com/members/transfer.asp"><input
type="hidden" Name="to"
value="012345678901"/><input
type="hidden" Name="amt"
value="10000"/><input type="submit"
src="clickhere.jpg"/></form>
env-Web
Indicators
ID
type
Indicator Description
Environments
1
Positive
Success outcome in previous step.
env-Web
2
Negative
Failure outcome in previous step.
env-Web
Outcomes
ID
type
Outcome Description
1
Success
A link that performs an
operation that the attacker desires when it is
clicked.
2
Failure
Creating a link that performs
an operation that the attacker desires when it is
clicked, is impossible, because the site has
implemented protections against
CSRF.
Security Controls
ID
type
Security Control Description
1
Preventative
Include a unique HTTP
parameter value in forms every time they are sent
to the client. Verify that the expected value is
in the response received from the client. In this
case, the attacker will not have access to the
correct parameter value for another user, and
thus, will not be able to create forged
requests.
2
Preventative
Check HTTP referrer
for each request to ensure that it is from the
expected site. Note that if the site is vulnerable
to XSS, then the attacker will be able to bypass
this.
Exploit
Convince user to click on
link:
Finally, the attacker needs to convince a user
that is logged into the target website to click on a
link to execute the CSRF attack.
Attack Step Techniques
ID
Attack Step Technique Description
Environments
1
Execute a phishing attack and send the user
an e-mail convincing him to click on a
link.
env-Web
2
Execute a stored XSS attack on a website to
permanently embed the malicious link into the
website.
env-Web
3
Execute a stored XSS attack on a website
where a XMLHTTPRequest object will automatically
execute the attack as soon as a user visits the
page. This removes the step of convincing a user
to click on a link.
env-Web
4
Include the malicious link on the attacker's
own website where the user may have to click on
the link, or where an XMLHTTPRequest object may
automatically execute the attack when a user
visits the site.
env-Web
Indicators
ID
type
Indicator Description
Environments
1
Positive
Success outcome in previous step.
env-Web
2
Negative
Failure outcome in previous step.
env-Web
Outcomes
ID
type
Outcome Description
1
Success
A user executes the malicious
link crafted by the
attacker.
2
Failure
Failure outcome in previous
step.
Security Controls
ID
type
Security Control Description
1
Detective
Monitor server logs
for referrers. If users are being tricked into
clicking CSRF links through forums or other web
postings, their web browsers will be providing
Referer headers most of the time. These can help
indicate that the actual request is
illegitimate.
2
Corrective
Deny requests and
invalidate session IDs for requests that contain
unexpected referrers. Note that this will not
protect against cases where the target website is
also vulnerable to cross site
scripting.
Typical Likelihood of Exploit
Likelihood: High
Methods of Attack
Spoofing
Analysis
Examples-Instances
Description
While a user is logged into his bank account, an attacker can send an
email with some potentially interesting content and require the user to
click on a link in the email.
The link points to or contains an attacker setup script, probably even
within an iFrame, that mimicks an actual user form submission to perform
a malicious activity, such as transferring funds from the victim's
account.
The attacker can have the script embedded in, or targeted by, the link
perform any arbitrary action as the authenticated user. When this script
is executed, the targeted application authenticates and accepts the
actions based on the victims existing session cookie.
Related Vulnerabilities
Cross-site request forgery (CSRF) vulnerability in util.pl in
@Mail WebMail 4.51 allows remote attackers to modify arbitrary
settings and perform unauthorized actions as an arbitrary user, as
demonstrated using a settings action in the SRC attribute of an IMG
element in an HTML e-mail.
Attacker Skills or Knowledge Required
Skill or Knowledge Level: Medium
The attacker needs to figure out the exact invocation of the targeted
malicious action and then craft a link that performs the said action.
Having the user click on such a link is often accomplished by sending an
email or posting such a link to a bulletin board or the likes.
Resources Required
All the attacker needs is the exact representation of requests to be made to
the application and to be able to get the malicious link across to a
victim.
Probing Techniques
The attacker can observe the way the application accepts requests for
actions. If the application uses a persistent cookie, a non-random
identifier or any such static identification token that does not change with
every request, the attack is fairly straightforward to accomplish
Obfuscation Techniques
In order to obfuscate the actual URL and its contents passed to the
victim, the attacker can employ a service such as TinyURL and optionally
redirect the request to the actual malicious script
Solutions and Mitigations
Use cryptographic tokens to associate a request with a specific action.
The token can be regenerated at every request so that if a request with an
invalid token is encountered, it can be reliably discarded. The token is
considered invalid if it arrived with a request other than the action it was
supposed to be associated with.
Although less reliable, the use of the optional HTTP Referer header can
also be used to determine whether an incoming request was actually one that
the user is authorized for, in the current context.
Additionally, the user can also be prompted to confirm an action every
time an action concerning potentially sensitive data is invoked. This way,
even if the attacker manages to get the user to click on a malicious link
and request the desired action, the user has a chance to recover by denying
confirmation. This solution is also implicitly tied to using a second factor
of authentication before performing such actions.
In general, every request must be checked for the appropriate
authentication token as well as authorization in the current session
context.
Use Authentication Mechanisms, Where Appropriate, Correctly
Purposes
Exploitation
CIA Impact
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: Low
Technical Context
Architectural Paradigms
Client-Server
Frameworks
J2EE
.NET
Platforms
All
Languages
All
References
"Session Riding: A Widespread Vulnerability in Today's Web
Applications", Thomas Schreiber, SecureNet GmbH, Dec 2004.
http://www.securenet.de/papers/Session_Riding.pdf
Content History
Submissions
Submitter
Organization
Date
Chiradeep B.Chhaya
Cigital, Inc
2007-02-27
Modifications
Modifier
Organization
Date
Comments
Richard Struse
VOXEM, Inc
2007-03-26
Review and feedback leading to changes in Description
and Related Attack Patterns
Sean Barnum
Cigital, Inc
2007-04-13
Modified pattern content according to review and
feedback
An attacker may leverage a system weakness where logs are susceptible to
log injection to insert scripts into the system's logs. If these logs are
later viewed by an administrator through a thin administrative interface and
the log data is not properly HTML encoded before being written to the page,
the attacker's scripts stored in the log will be executed in the
administrative interface with potentially serious consequences. This attack
pattern is really a combination of two other attack patterns: log injection
and stored cross site scripting.
Attack Execution Flow
Explore
Probe for log injection
vulnerability:
The attacker probes all user-controllable data
inputs to the system to probe for log injection
vulnerabilities. This may be difficult (unless the
attacker has a white box view of the system) because
there may not be a feedback event to indicate to the
attacker that certain information is being
logged.
Outcomes
ID
type
Outcome Description
1
Success
User injected input shows up in
the logs
Security Controls
ID
type
Security Control Description
1
Preventative
Apply appropriate
input validation and filtering of
user-controllable input before writing to
logs
Probe for cross-site scripting
vulnerability:
The attacker probes all user-controllable data
inputs to the system to probe for any cross-site
scripting vulnerabilities. Cross-site scripting
vulnerabilities identified anywhere in the
application indicate an increased potential that
such vulnerabilities may exist in the log management
portions of the application.
Outcomes
ID
type
Outcome Description
1
Success
Attacker-injected script is
executed in user's browser.
Security Controls
ID
type
Security Control Description
1
Preventative
HTML encode all log
contents before displaying in log management
interfaces.
Experiment
Confirm
exploitability:
Create a simple script and inject it into one of
the potentially vulnerable fields. This script
should take some action which will give an attacker
an indication that the attack vector exists.
Attack Step Techniques
ID
Attack Step Technique Description
Environments
1
The idea is to receive some sort of a
feedback event that confirms that an attack is
succeeding. That is done with a simple script
prior to crafting possibly a more complex script
to launch an actual attack.
env-Web
Outcomes
ID
type
Outcome Description
1
Success
Expected script execution
feedback event is observed.
Exploit
Inject System Logs with Malicious
Scripts:
Create a malicious script to run in the
administrator's web based interface and inject it in
the system's logs through one of the user controlled
fields that are being logged.
Attack Step Techniques
ID
Attack Step Technique Description
Environments
1
Inject the vulnerable fields by tampering
with their values to contain the malicious
scripts. Possibly trigger another event that makes
it more likely that injected logs are viewed in
the vulnerable UI as soon as possible.
env-Web
Attack Prerequisites
The system uses a web based interface
The system does not cleanse / validate user supplied data before writing
it to logs
Information from logs is displayed in a web based interface
The web based log interface does not HTML output encode the log data prior
to displaying it in the administrator console.
Typical Likelihood of Exploit
Likelihood: Medium
Methods of Attack
Injection
Examples-Instances
Description
An attacker determines that a particular system uses a web based
interface for administration. The attacker creates a new user record and
supplies a malicious script in the user name field. The script will
steal the administrator's authentication cookie and forward it to a site
controlled by the attacker. The user name field is not validated by the
system and is logged as is in the log. At some point later, an
administrator reviews the log activity in the administrative console.
When the administrator comes across the attacker's activity record, the
malicious script is executed in the context of the attacker's browser,
stealing the administrator's authentication cookie and forwarding it to
the attacker. An attacker then uses the received authentication cookie
to log in to the system as an administrator, assuming that the
administrator console can be accessed remotely.
Attacker Skills or Knowledge Required
Skill or Knowledge Level: Low
Requires to ability to write a simple scipt and try to inject it
through various user controlled fields in the system.
Resources Required
No specialized hardware is required
Probing Techniques
Locate system screens for operations that are likely to be logged and use
these as starting points for injection
Solutions and Mitigations
Cleanse all user supplied data before placing it in the logs. Reject all
bad data. Ensure that the data is in the expected form.
Use proper HTML output encoding techniques to strip the log data of
potentially dangerous scripting characters before displaying it in the
administrative console
If possible, disable script execution in the administrative
interface.
Cross Site Tracing (XST) enables an attacker to steal the victim's session
cookie and possibly other authentication credentials transmitted in the
header of the HTTP request when the victim's browser communicates to
destination system's web server. The attacker first gets a malicious script
to run in the victim's browser that induces the browser to initiate an HTTP
TRACE request to the web server. If the destination web server allows HTTP
TRACE requests, it will proceed to return a response to the victim's web
browser that contains the original HTTP request in its body. The function of
HTTP TRACE, as defined by the HTTP specification, is to echo the request
that the web server receives from the client back to the client. Since the
HTTP header of the original request had the victim's session cookie in it,
that session cookie can now be picked off the HTTP TRACE response and sent
to the attacker's malicious site. XST becomes relevant when direct access to
the session cookie via the "document.cookie" object is disabled with the use
of httpOnly attribute which ensures that the cookie can be transmitted in
HTTP requests but cannot be accessed in other ways. Using SSL does not
protect against XST.
If the system with which the victim is interacting is susceptible to XSS,
an attacker can exploit that weakness directly to get his or her malicious
script to issue an HTTP TRACE request to the destination system's web
server. In the absense of an XSS weakness on the site with which the victim
is interacting, an attacker can get the script to come from the site that he
controls and get it to execute in the victim's browser (if he can trick the
victim's into visiting his malicious website or clicking on the link that he
supplies). However, in that case, due to the single origin policy protection
mechanism in the browser, the attacker's malicious script cannot directly
issue an HTTP TRACE request to the destination system's web server because
the malicious script did not originate at that domain. An attacker will then
need to find a way to exploit another weakness that would enable him or her
to get around the single origin policy protection.
Attack Execution Flow
Explore
Determine if HTTP Trace is
enabled:
Determine if HTTP Trace is enabled at the web
server with which the victim has a an active
session
Attack Step Techniques
ID
Attack Step Technique Description
Environments
1
An attacker may issue an HTTP Trace request
to the target web server and observe if the
response arrives with the original request in the
body of the response.
env-Web
Indicators
ID
type
Indicator Description
Environments
1
Positive
HTTP Trace is enabled on the web
server
env-Web
Outcomes
ID
type
Outcome Description
1
Success
The original request is
returned after the HTTP Trace
request.
Experiment
Identify mechanism to launch HTTP Trace
request:
The attacker attempts to force the victim to issue
an HTTP Trace request to the targeted
application.
Attack Step Techniques
ID
Attack Step Technique Description
Environments
1
The attacker probes for cross-site scripting
vulnerabilities to force the victim into issuing
an HTTP Trace request.
env-Web
Outcomes
ID
type
Outcome Description
1
Success
Attacker's script is executed
within the browser context.
Exploit
Create a malicious script that pings the
web server with HTTP TRACE request:
Create a malicious script that will induce the
victim's browser to issue an HTTP TRACE request to
the destination system's web server. The script will
further intercept the response from the web server,
pick up sensitive information out of it, and forward
to the site controlled by the attacker.
Attack Step Techniques
ID
Attack Step Technique Description
Environments
1
The attacker's malicious script circumvents
the httpOnly cookie attribute that prevents from
hijacking the victim's session cookie directly
using document.cookie and instead leverages the
HTTP TRACE to catch this information from the
header of the HTTP request once it is echoed back
from the web server in the body of the HTTP TRACE
response.
env-Web
Execute malicious HTTP Trace launching
script:
The attacker leverages a vulnerability to force
the victim to execute the malicious HTTP Trace
launching script
Attack Prerequisites
HTTP TRACE is enabled on the web server
The destination system is susceptible to XSS or an attacker can leverage
some other weakness to bypass the single origin policy
Scripting is enabled in the client's browser
HTTP is used as the communication protocol between the server and the
client
Typical Likelihood of Exploit
Likelihood: Medium
Methods of Attack
Protocol Manipulation
Injection
Examples-Instances
Description
An attacker determines that a particular system is vulnerable to
reflected cross-site scripting (XSS) and endeavors to leverage this
weakness to steal the victim's authentication cookie. An attacker
realizes that since httpOnly attribute is set on the user's cookie, it
is not possible to steal it directly with his malicious script. Instead,
the attacker has his script use XMLHTTP ActiveX control in the victim's
IE browser to issue an HTTP TRACE to the target system's server which
has HTTP TRACE enabled. The original HTTP TRACE request contains the
session cookie and so does the echoed response. The attacker picks the
session cookie from the body of HTTP TRACE response and ships it to the
attacker. The attacker then uses the newly acquired victim's session
cookie to impersonate the victim in the target system.
Attacker Skills or Knowledge Required
Skill or Knowledge Level: Medium
Understanding of the HTTP protocol and an ability to craft a malicious
script
Resources Required
No specialized resources are needed
Probing Techniques
Send HTTP TRACE requests to the destination web server to see if it
responds
Solutions and Mitigations
Administrators should disable support for HTTP TRACE at the destination's
web server. Vendors should disable TRACE by default.
Patch web browser against known security origin policy bypass
exploits.
An attacker is able to cause a victim to load content into their
web-browser that bypasses security zone controls and gain access to
increased privileges to execute scripting code or other web objects such as
unsigned ActiveX controls or applets. This is a privilege elevation attack
targeted at zone-based web-browser security. In a zone-based model, pages
belong to one of a set of zones corresponding to the level of privilege
assigned to that page. Pages in an untrusted zone would have a lesser level
of access to the system and/or be restricted in the types of executable
content it was allowed to invoke. In a cross-zone scripting attack, a page
that should be assigned to a less privileged zone is granted the privileges
of a more trusted zone. This can be accomplished by exploiting bugs in the
browser, exploiting incorrect configuration in the zone controls, through a
cross-site scripting attack that causes the attacker's content to be treated
as coming from a more trusted page, or by leveraging some piece of system
functionality that is accessible from both the trusted and less trusted
zone. This attack differs from "Restful Privilege Escalation" in that the
latter correlates to the inadequate securing of RESTful access methods (such
as HTTP DELETE) on the server, while cross-zone scripting attacks the
concept of security zones as implemented by a browser.
Attack Execution Flow
Explore
Find systems susceptible to the
attack:
Find systems that contain functionality that is
accessed from both the internet zone and the local
zone. There needs to be a way to supply input to
that functionality from the internet zone and that
original input needs to be used later on a page from
a local zone.
Attack Step Techniques
ID
Attack Step Technique Description
Environments
1
Leverage knowledge of common local zone
functionality on targeted platforms to guide
attempted injection of code through relevant
internet zone mechanisms. In some cases this may
be due to standard system configurations enabling
shared functionality between internet and local
zones. The attacker can search for indicators that
these standard configurations are in place.
env-Web
Security Controls
ID
type
Security Control Description
1
Preventative
Ensure standard system
configurations do not enable shared functionality
between internet and local
zones
Experiment
Find the insertion point for the
payload:
The attacker first needs to find some system
functionality or possibly another weakness in the
system (e.g. susceptibility to cross site scripting)
that would provide the attacker with a mechanism to
deliver the payload (i.e.the code to be executed) to
the user. The location from which this code is
executed in the user's browser needs to be within
the local machine zone.
Attack Step Techniques
ID
Attack Step Technique Description
Environments
1
Finding weaknesses in functionality used by
both privileged and unprivileged users.
env-Web
Exploit
Craft and inject the
payload:
Develop the payload to be executed in the higher
privilged zone in the user's browser. Inject the
payload and attempt to lure the victim (if possible)
into executing the functionality which unleashes the
payload.
Attack Step Techniques
ID
Attack Step Technique Description
Environments
1
The attacker makes it as likely as possible
that the vulnerable functionality into which he
has injected the payload has a high likelihood of
being used by the victim.
env-Web
2
Leverage cross-site scripting vulnerability
to inject payload.
env-Web
Attack Prerequisites
The target must be using a zone-aware browser.
Typical Likelihood of Exploit
Likelihood: Medium
Methods of Attack
Analysis
Injection
Examples-Instances
Description
There was a cross zone scripting vulnerability discovered in Skype
that allowed one user to upload a video with a maliciously crafted title
that contains a script. Subsequently, when the victim attempts to use
the "add video to chat" feature on attacker's video, the script embedded
in the title of the video runs with local zone privileges. Skype is
using IE web controls to render internal and external HTML pages. "Add
video to chat" uses these web controls and they are running in the Local
Zone. Any user who searched for the video in Skype with the same
keywords as in the title field, would have the attacker's code executing
in their browser with local zone privileges to their host machine (e.g.
applications on the victim's host system could be executed).
Attacker Skills or Knowledge Required
Skill or Knowledge Level: Medium
Ability to craft malicious scripts or find them elsewhere and ability
to identify functionality that is running web controls in the local zone
and to find an injection vector into that functionality
Resources Required
No specialized equipment is needed
Solutions and Mitigations
Disable script execution.
Ensure that sufficient input validation is performed for any potentially
untrusted data before it is used in any privileged context or zone
Limit the flow of untrusted data into the privileged areas of the system
that run in the higher trust zone
Limit the sites that are being added to the local machine zone and
restrict the privileges of the code running in that zone to the bare
minimum
Ensure proper HTML output encoding before writing user supplied data to
the page
An attacker is able to trick the victim into executing a Flash document
that passes commands or calls to a Flash player browser plugin, allowing the
attacker to exploit native Flash functionality in the client browser. This
attack pattern occurs where an attacker can provide a crafted link to a
Flash document (SWF file) which, when followed, will cause additional
malicious instructions to be executed. The attacker does not need to serve
or control the Flash document. The attack takes advantage of the fact that
Flash files can reference external URLs. If variables that serve as URLs
that the Flash application references can be controlled by through
parameters, then by creating a link that includes values for those
parameters, an attacker can cause arbitrary content to be referenced and
possibly executed by the targeted Flash application.
Attack Prerequisites
The targeted Flash application must reference external URLs and the
locations thus referenced must be controllable through parameters. The Flash
application must fail to sanitize such parameters against malicious
manipulation.
The victim must follow a crafted link created by the attacker.
Resources Required
The attacker must convince the victim to follow a crafted link to a vulnerable
Flash application.
An attacker distributes a link (or possibly some other query structure)
with a request to a third party web server that is malformed and also
contains a block of exploit code in order to have the exploit become live
code in the resulting error page. When the third party web server receives
the crafted request and notes the error it then creates an error message
that echoes the malformed message, including the exploit. Doing this
converts the exploit portion of the message into to valid language elements
that are executed by the viewing browser. When a victim executes the query
provided by the attacker the infected error message error message is
returned including the exploit code which then runs in the victim's browser.
XSS can result in execution of code as well as data leakage (e.g. session
cookies can be sent to the attacker). This type of attack is especially
dangerous since the exploit appears to come from the third party web server,
who the victim may trust and hence be more vulnerable to deception.
Attack Prerequisites
A third party web server which fails to adequately sanitize messages sent
in error pages.
The victim must be made to execute a query crafted by the attacker which
results in the infected error report.
The attacker uses an alternate form of a key word or command that results
in the same action as the primary form but which may not be caught by
filters. For example, many keywords are processed in a case insensitive
manner. If the site's web filtering algorithm does not convert all tags into
a consistent case before the comparison with forbidden keywords it is
possible to bypass filters by using an alternate case structure. For
example, the "script" tag using the alternate forms of "Script" or "ScRiPt"
may bypass filters where "script" is the only form tested. Other variants
using different syntax representations are also possible. The attack can
result in the execution of otherwise prohibited functionality.
Attack Prerequisites
The target web site must not adequately filter alternate syntax in web
input.
Resources Required
The attacker must trick the victim into following a crafted link to a
vulnerable server or view a web post where the dangerous commands are executed.
MHonArc 2.5.2 and earlier does not properly filter Javascript from
archived e-mail messages, which could allow remote attackers to execute
script in web clients by (1) splitting the SCRIPT tag into smaller
pieces, (2) including the script in a SRC argument to an IMG tag, or (3)
using "&={script}" syntax.
An attacker creates a file with scripting content but where the specified
MIME type of the file is such that scripting is not expected. Some browsers
will detect that the specified MIME type of the file does not match the
actual type of the content and will automatically switch to using an
interpreter for the real content type. If the browser does not invoke script
filters before doing this, the attacker's script may run on the target
unsanitized. For example, the MIME type text/plain may be used where the
actual content is text/javascript or text/html. Since text does not contain
scripting instructions, the stated MIME type would indicate that filtering
is unnecessary. However, if the target application subsequently determines
the file's real type and invokes the appropriate interpreter, scripted
content could be invoked. In another example, img tags in HTML content could
reference a renderable type file instead of an expected image file. The file
extension and MIME type can describe an image file, but the file content can
be text/javascript or text/html resulting in script execution. If the
browser assumes all references in img tags are images, and therefore do not
need to be filtered for scripts, this would bypass content filters. In a
cross-site scripting attack, the attacker tricks the victim into accessing a
URL that uploads a script file with an incorrectly specified MIME type. If
the victim's browser switches to the appropriate interpreter without
filtering, the attack will execute as a standard XSS attack, possibly
revealing the victim's cookies or executing arbitrary script in their
browser.
Attack Prerequisites
The victim must follow a crafted link that references a scripting file
that is mis-typed as a non-executable file.
The victim's browser must detect the true type of a mis-labeled scripting
file and invoke the appropriate script interpreter without first performing
filtering on the content.
Resources Required
The attacker must have the ability to source the file of the incorrect MIME
type containing a script.
Reliance on File Name or Extension of Externally-Supplied File
Targeted
Related Vulnerabilities
Vulnerability ID
Relationship
Description
CVE-2001-0999
Outlook Express 6.00 allows remote attackers to execute arbitrary
script by embedding SCRIPT tags in a message whose MIME content type is
text/plain, contrary to the expected behavior that text/plain messages
will not run script.
Cryptanalysis is a process of finding weaknesses in cryptographic
algorithms and using these weaknesses to decipher the ciphertext without
knowing the secret key (instance deduction). Sometimes the weakness is not
in the cryptographic algorithm itself, but rather in how it is applied that
makes cryptanalysis successful. An attacker may have other goals as well,
such as:
1. Total Break - Finding the secret key
2. Gobal Deduction - Finding a functionally equivalent algorithm for
encryption and decryption that does not require knowledge of the secret
key.
3. Information Deduction - Gaining some information about plaintexts
or ciphertexts that was not previously known
4. Distinguishing Algorithm - The attacker has the ability to
distinguish the output of the encryption (ciphertext) from a random
permutation of bits
The goal of the attacker performing cryptanalysis will depend on the
specific needs of the attacker in a given attack context. In most cases, if
cryptanalysis is successful at all, an attacker will not be able to go past
being able to deduce some information about the plaintext (goal 3). However,
that may be sufficient for an attacker, depending on the context.
Attack Execution Flow
An attacker discovers a weakness in the
cryptographic algorithm or a weakness in how it was
applied to a particular chunk of plaintext.
An attacker leverages the discovered weakness to
decrypt, partially decrypt or infer some information
about the contents of the encrypted message. All of
that is done without knowing the secret key.
Attack Prerequisites
The target software utilizes some sort fo cryptographic algorithm.
An underlying weaknesses exists either in the cryptographic algorithm used
or in the way that it was applied to a particular chunk of plaintext.
The encryption algorithm is known to the attacker.
An attacker has access to the ciphertext.
Typical Likelihood of Exploit
Likelihood: Very Low
Methods of Attack
Analysis
Brute Force
Examples-Instances
Description
A very easy to understand (but totally inapplicable to modern
cryptographic ciphers) example is a cryptanalysis technique called
frequency analysis that can be successfully applied to the very basic
classic encryption algorithms that performed monoalphabetic substitution
replacing each letter in the plaintext with its predetermined mapping
letter from the same alphabet. This was considered an improvement over a
more basic technique that would simply shift all of the letters of the
plaintext by some constant number of positions and replace the original
letters with the new letter with the resultant alphabet position. While
monoalphabetic substitution ciphers are resilient to blind brute force,
they can be broken easily with nothing more than a pen and paper.
Frequency analysis cryptanalysis uses the fact that natural language is
not random and monoalphabetic substitution does not hide the statistical
properties of the natural language. So if the letter "E" in an English
language occurs with a certain known frequency (about 12.7%), whatever
"E" was substituted with to get to the ciphertext, will occur with the
similar frequency. Having this frequency information allows the
cryptanalyst to quickly determine the substitutions and decipher the
ciphertext. Frequency analysis techniques are not applicable to modern
ciphers as they are all resilient to it (unless this is a very bad case
of a homegrown encryption algorithm). This example is just here to
illustrate a rudimentary example of cryptanalysis.
Attacker Skills or Knowledge Required
Skill or Knowledge Level: High
Cryptanalysis generally requires a very significant level of
understanding of mathematics and computation.
Resources Required
Computing resource requirements will vary based on the complexity of a given
cryptanalysis technique. Access to the encryption/decryption routines of the
algorithm is also required.
Solutions and Mitigations
Use proven cryptographic algorithms with recommended key sizes.
Ensure that the algorithms are used properly. That means:
1. Not rolling out your own crypto; Use proven algorithms and
implementations.
2. Choosing initialization vectors with sufficiently random
numbers
3. Generating key material using good sources of randomness and
avoiding known weak keys
4. Using proven protocols and their implementations.
5. Picking the most appropriate cryptographic algorithm for your usage
context and data
An attacker probes the target in a manner that is designed to solicit
information relevant to system security. This is achieved by sending data
that is syntactically invalid or non-standard relative to a given service,
protocol, or expected-input, or by exploring the target via ordinary
interactions for the purpose of gathering intelligence about the target. As
a result the attacker is able to obtain information from the target that
aids the attacker in making inferences about its security, configuration, or
potential vulnerabilities. Some exchanges witht the target may trigger
unhandled exceptions or verbose error messages. When this happens error
messages may reveal information like stack traces, configuration
information, path information, or database messages. This type of attack
also includes manipulation of query strings in a URI, such as by attemtping
to produce invalid SQL queries or by trying alternative path values, in the
hope that the server will return useful information. This attack differs
from Data Interception and other data collection attacks in that the
attacker actively queries the target rather than simply watching for the
target to reveal information.
Attack Prerequisites
Verbose error handling routines or components that provide the user
feedback related to system or application properties.
Resources Required
A web browser or a client application capable of sending custom protocol
messages, such as a MITM Proxy or a fuzzer, or a similar scanner or packet
injection tool.
An attacker monitors data streams to or from a target in order to gather
information. This attack may be undertaken to gather information to support
a later attack or the data collected may be the end goal of the attack. This
attack usually involves sniffing network traffic, but may include observing
other types of data streams, such as radio. In most varieties of this
attack, the attacker is passive and simply observes regular communication,
however in some variants the attacker may attempt to initiate the
establishment of a data stream or influence the nature of the data
transmitted. However, in all variants of this attack, and distinguishing
this attack from other data collection methods, the attacker is not the
intended recipient of the data stream. Unlike some other data leakage
attacks, the attacker is observing explicit data channels (e.g. network
traffic) and reading the content. This differs from attacks that collect
more qualitative information, such as communication volume, or other
information not explicitly communicated via a data stream.
Attack Prerequisites
All targets that transmit information over a network is potentially
vulnerable to this attack.
Resources Required
The attacker must have the necessary technology to intercept information
passing between the nodes of a network. For TCP/IP, the capability to run
tcpdump, ethereal, etc. can be useful. Depending upon the data being targeted
the technological requirements will change.
An attacker searches a targeted web site for web pages that have not been
publicized. Generally this involves mapping the published web site by
spidering through all the published links and then attempt to access
well-known debugging or logging pages, or otherwise predictable pages within
the site tree. For example, if an attacker might be able to notice a pattern
in the naming of documents and extrapolate this pattern to discover
additional documents that have been created but are no longer externally
linked. Using this, the attacker may be able to gain access to information
that the targeted site did not intend to make public.
Attack Prerequisites
The targeted web site must include pages within its published tree that
are not connected to its tree of links. The sensitivity of the content of
these pages determines the severity of this attack.
Resources Required
Spidering tools to explore the target web site are extremely useful in this
attack especially when attacking large sites. Some tools might also be able to
automatically construct common page locations from known paths.
An attacker searches a targeted web site for web services that have not
been publicized. Generally this involves mapping the published web site by
spidering through all the published links and then attempt to access
well-known debugging or logging services, or otherwise predictable services
within the site tree. This attack can be especially dangerous since
unpublished but available services may not have adequate security controls
placed upon them given that an administrator may believe they are
unreachable.
Attack Prerequisites
The targeted web site must include unpublished services within its web
tree. The nature of these services determines the severity of this
attack.
Resources Required
Spidering tools to explore the target web site are extremely useful in this
attack especially when attacking large sites. Some tools might also be able to
automatically construct common service queries from known paths.
View Data
