New to CAPEC? Start Here
Home > CAPEC List > CAPEC-204: Lifting Sensitive Data Embedded in Cache (Version 3.9)  

CAPEC-204: Lifting Sensitive Data Embedded in Cache

Attack Pattern ID: 204
Abstraction: Detailed
View customized information:
+ Description
An adversary examines a target application's cache, or a browser cache, for sensitive information. Many applications that communicate with remote entities or which perform intensive calculations utilize caches to improve efficiency. However, if the application computes or receives sensitive information and the cache is not appropriately protected, an attacker can browse the cache and retrieve this information. This can result in the disclosure of sensitive information.
+ Typical Severity


+ Relationships
Section HelpThis table shows the other attack patterns and high level categories that are related to this attack pattern. These relationships are defined as ChildOf and ParentOf, and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as CanFollow, PeerOf, and CanAlsoBe are defined to show similar attack patterns that the user may want to explore.
ChildOfStandard Attack PatternStandard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.167White Box Reverse Engineering
CanPrecedeMeta Attack PatternMeta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.560Use of Known Domain Credentials
Section HelpThis table shows the views that this attack pattern belongs to and top level categories within that view.
+ Execution Flow
  1. Identify Application Cache: An adversary first identifies an application that utilizes a cache. This could either be a web application storing data in a browser cache, or an application running on a separate machine. The adversary examines the cache to determine file permissions and possible encryption.

    Use probing tools to look for application cache files on a machine.
    Use a web application and determine if any sensitive information is stored in browser cache.
  1. Attempt to Access Cache: Once the cache has been discovered, the adversary attempts to access the cached data. This often requires previous access to a machine hosting the target application.

    Use priviledge escalation to access cache files that might have strict privileges.
    If the application cache is encrypted with weak encryption, attempt to understand the encryption technique and break the encryption.
  1. Lift Sensitive Data from Cache: After gaining access to cached data, an adversary looks for potentially sensitive information and stores it for malicious use. This sensitive data could possibly be used in follow-up attacks related to authentication or authorization.

    Using a public computer, or gaining access to a victim's computer, examine browser cache to look for sensitive data left over from previous sessions.
+ Prerequisites
The target application must store sensitive information in a cache.
The cache must be inadequately protected against attacker access.
+ Resources Required
The attacker must be able to reach the target application's cache. This may require prior access to the machine on which the target application runs. If the cache is encrypted, the attacker would need sufficient computational resources to crack the encryption. With strong encryption schemes, doing this could be intractable, but weaker encryption schemes could allow an attacker with sufficient resources to read the file.
+ Taxonomy Mappings
Section HelpCAPEC mappings to ATT&CK techniques leverage an inheritance model to streamline and minimize direct CAPEC/ATT&CK mappings. Inheritance of a mapping is indicated by text stating that the parent CAPEC has relevant ATT&CK mappings. Note that the ATT&CK Enterprise Framework does not use an inheritance model as part of the mapping to CAPEC.
Relevant to the ATT&CK taxonomy mapping
Entry IDEntry Name
1005Data from Local System
+ Content History
Submission DateSubmitterOrganization
(Version 2.6)
CAPEC Content TeamThe MITRE Corporation
Modification DateModifierOrganization
(Version 2.7)
CAPEC Content TeamThe MITRE Corporation
Updated Related_Attack_Patterns, Related_Weaknesses
(Version 3.3)
CAPEC Content TeamThe MITRE Corporation
Updated Related_Weaknesses
(Version 3.5)
CAPEC Content TeamThe MITRE Corporation
Updated Related_Attack_Patterns
(Version 3.7)
CAPEC Content TeamThe MITRE Corporation
Updated Description, Execution_Flow
(Version 3.8)
CAPEC Content TeamThe MITRE Corporation
Updated Taxonomy_Mappings
Previous Entry Names
Change DatePrevious Entry Name
(Version 2.7)
Lifting cached, sensitive data embedded in client distributions (thick or thin)
More information is available — Please select a different filter.
Page Last Updated or Reviewed: July 31, 2018