New to CAPEC? Start Here
Home > CAPEC List > CAPEC-155: Screen Temporary Files for Sensitive Information (Version 3.9)  

CAPEC-155: Screen Temporary Files for Sensitive Information

Attack Pattern ID: 155
Abstraction: Detailed
View customized information:
+ Description
An adversary exploits the temporary, insecure storage of information by monitoring the content of files used to store temp data during an application's routine execution flow. Many applications use temporary files to accelerate processing or to provide records of state across multiple executions of the application. Sometimes, however, these temporary files may end up storing sensitive information. By screening an application's temporary files, an adversary might be able to discover such sensitive information. For example, web browsers often cache content to accelerate subsequent lookups. If the content contains sensitive information then the adversary could recover this from the web cache.
+ Likelihood Of Attack


+ Typical Severity


+ Relationships
Section HelpThis table shows the other attack patterns and high level categories that are related to this attack pattern. These relationships are defined as ChildOf and ParentOf, and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as CanFollow, PeerOf, and CanAlsoBe are defined to show similar attack patterns that the user may want to explore.
ChildOfStandard Attack PatternStandard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.150Collect Data from Common Resource Locations
CanFollowDetailed Attack PatternDetailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.149Explore for Predictable Temporary File Names
Section HelpThis table shows the views that this attack pattern belongs to and top level categories within that view.
+ Execution Flow
  1. Look for temporary files in target application: An adversary will try to discover temporary files in a target application. Knowledge of where the temporary files are being stored is important information.

  1. Attempt to read temporary files: An adversary will attempt to read any temporary files they may have discovered through normal means.

    Attempt to get the file by querying the file path to a web server
    Using a remote shell into an application, read temporary files and send out information remotely if necessary
    Recover temporary information from a user's browser cache
  1. Use function weaknesses to gain access to temporary files: If normal means to read temporary files did not work, an adversary will attempt to exploit weak temporary file functions to gain access to temporary files.

    Some C functions such as tmpnam(), tempnam(), and mktemp() will create a temporary file with a unique name, but do not stop an adversary from creating a file of the same name before it is opened by the application. Because these functions do not create file names that are sufficiently random, an adversary will try to make a file of the same name, causing a collision, and possibly altering file permissions for the temporary file so that it is able to be read.
    Similar to the last technique, an adversary might also create a file name collision using a linked file in a unix system such that the temporary file contents written out by the application write to a file of the adversaries choosing, allowing them to read the file contents.
+ Prerequisites
The target application must utilize temporary files and must fail to adequately secure them against other parties reading them.
+ Resources Required
Because some application may have a large number of temporary files and/or these temporary files may be very large, an adversary may need tools that help them quickly search these files for sensitive information. If the adversary can simply copy the files to another location and if the speed of the search is not important, the adversary can still perform the attack without any special resources.
+ Taxonomy Mappings
Section HelpCAPEC mappings to ATT&CK techniques leverage an inheritance model to streamline and minimize direct CAPEC/ATT&CK mappings. Inheritance of a mapping is indicated by text stating that the parent CAPEC has relevant ATT&CK mappings. Note that the ATT&CK Enterprise Framework does not use an inheritance model as part of the mapping to CAPEC.
Relevant to the ATT&CK taxonomy mapping (see parent )
+ Content History
Submission DateSubmitterOrganization
(Version 2.6)
CAPEC Content TeamThe MITRE Corporation
Modification DateModifierOrganization
(Version 2.9)
CAPEC Content TeamThe MITRE Corporation
Updated Related_Attack_Patterns
(Version 2.11)
CAPEC Content TeamThe MITRE Corporation
Updated Activation_Zone, Description Summary, Injection_Vector, Payload, Payload_Activation_Impact, Related_Vulnerabilities, Resources_Required, Typical_Likelihood_of_Exploit
(Version 3.1)
CAPEC Content TeamThe MITRE Corporation
Updated Related_Weaknesses
(Version 3.2)
CAPEC Content TeamThe MITRE Corporation
Updated Related_Attack_Patterns
(Version 3.3)
CAPEC Content TeamThe MITRE Corporation
Updated Related_Attack_Patterns
(Version 3.4)
CAPEC Content TeamThe MITRE Corporation
Updated Related_Attack_Patterns
(Version 3.6)
CAPEC Content TeamThe MITRE Corporation
Updated Execution_Flow
More information is available — Please select a different filter.
Page Last Updated or Reviewed: July 31, 2018