@2xyo
Created April 15, 2020 13:42
stix-capec-cut.json
{
"objects": [
{
"definition_type": "statement",
"definition": {
"statement": "CAPEC is sponsored by US-CERT in the office of Cybersecurity and Communications at the U.S. Department of Homeland Security. Copyright \u00a9 2007 - 2017, The MITRE Corporation. CAPEC and the CAPEC logo are trademarks of The MITRE Corporation."
},
"type": "marking-definition",
"id": "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d",
"created": "2019-10-11T00:37:51.719182Z"
},
{
"name": "The MITRE Corporation",
"identity_class": "organization",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"type": "identity",
"id": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2019-10-11T00:37:51.721Z",
"modified": "2019-10-11T00:37:51.721Z"
},
{
"name": "Accessing Functionality Not Properly Constrained by ACLs",
"description": "In applications, particularly web applications, access to functionality is mitigated by an authorization framework. This framework maps Access Control Lists (ACLs) to elements of the application's functionality; particularly URL's for web apps. In the case that the administrator failed to specify an ACL for a particular element, an attacker may be able to access it with impunity. An attacker with the ability to access functionality not properly constrained by ACLs can obtain sensitive information and possibly compromise the entire application. Such an attacker can access resources that must be available only to users at a higher privilege level, can access management sections of the application, or can run queries for data that they otherwise not supposed to.",
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"created": "2014-06-23T00:00:00.000Z",
"modified": "2017-08-04T00:00:00.000Z",
"external_references": [
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/1.html",
"external_id": "CAPEC-1"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/285.html",
"external_id": "CWE-285"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/732.html",
"external_id": "CWE-732"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/276.html",
"external_id": "CWE-276"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/693.html",
"external_id": "CWE-693"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/721.html",
"external_id": "CWE-721"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/434.html",
"external_id": "CWE-434"
}
],
"x_capec_likelihood_of_attack": "High",
"x_capec_typical_severity": "High",
"x_capec_prerequisites": [
"The application must be navigable in a manner that associates elements (subsections) of the application with ACLs.",
"The various resources, or individual URLs, must be somehow discoverable by the attacker",
"The administrator must have forgotten to associate an ACL or has associated an inappropriately permissive ACL with a particular navigable resource."
],
"x_capec_skills_required": {
"Low": "In order to discover unrestricted resources, the attacker does not need special tools or skills. He only has to observe the resources or access mechanisms invoked as each action is performed and then try and access those access mechanisms directly."
},
"x_capec_resources_required": [
"None: No specialized resources are required to execute this type of attack."
],
"x_capec_consequences": {
"Confidentiality": [
"Gain Privileges"
],
"Access_Control": [
"Gain Privileges"
],
"Authorization": [
"Gain Privileges"
]
},
"x_capec_abstraction": "Standard",
"x_capec_example_instances": [
"\n <xhtml:p>Implementing the Model-View-Controller (MVC) within Java EE's Servlet paradigm using a \"Single front controller\" pattern that demands that brokered HTTP requests be authenticated before hand-offs to other Action Servlets.</xhtml:p>\n <xhtml:p>If no security-constraint is placed on those Action Servlets, such that positively no one can access them, the front controller can be subverted.</xhtml:p>\n "
],
"x_capec_status": "Draft",
"x_capec_version": "3.2",
"type": "attack-pattern",
"id": "attack-pattern--92cdcd3d-d734-4442-afc3-4599f261498b"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2017-08-04T00:00:00.000Z",
"name": "coa-1-0",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"description": "\n <xhtml:p>In a J2EE setting, administrators can associate a role that is impossible for the authenticator to grant users, such as \"NoAccess\", with all Servlets to which access is guarded by a limited number of servlets visible to, and accessible by, the user.</xhtml:p>\n <xhtml:p>Having done so, any direct access to those protected Servlets will be prohibited by the web container.</xhtml:p>\n <xhtml:p>In a more general setting, the administrator must mark every resource besides the ones supposed to be exposed to the user as accessible by a role impossible for the user to assume. The default security setting must be to deny access and then grant access only to those resources intended by business logic.</xhtml:p>\n ",
"type": "course-of-action",
"id": "course-of-action--0d8de0b8-e9fd-44b2-8f1f-f8aae79949be"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2017-08-04T00:00:00.000Z",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"type": "relationship",
"id": "relationship--c796a053-8016-4098-9d01-e680e042cb24",
"source_ref": "course-of-action--0d8de0b8-e9fd-44b2-8f1f-f8aae79949be",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--92cdcd3d-d734-4442-afc3-4599f261498b"
},
{
"name": "Buffer Overflow via Environment Variables",
"description": "This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.",
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"created": "2014-06-23T00:00:00.000Z",
"modified": "2018-07-31T00:00:00.000Z",
"external_references": [
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/10.html",
"external_id": "CAPEC-10"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/120.html",
"external_id": "CWE-120"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/302.html",
"external_id": "CWE-302"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/118.html",
"external_id": "CWE-118"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/119.html",
"external_id": "CWE-119"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/74.html",
"external_id": "CWE-74"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/99.html",
"external_id": "CWE-99"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/20.html",
"external_id": "CWE-20"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/680.html",
"external_id": "CWE-680"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/733.html",
"external_id": "CWE-733"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/697.html",
"external_id": "CWE-697"
},
{
"source_name": "reference_from_CAPEC",
"description": "G. Hoglund, G. McGraw, Exploiting Software: How to Break Code, 2004--02, Addison-Wesley",
"external_id": "REF-1"
},
{
"source_name": "reference_from_CAPEC",
"description": "Sharefuzz",
"url": "http://sharefuzz.sourceforge.net",
"external_id": "REF-2"
}
],
"x_capec_likelihood_of_attack": "High",
"x_capec_typical_severity": "High",
"x_capec_prerequisites": [
"The application uses environment variables.",
"An environment variable exposed to the user is vulnerable to a buffer overflow.",
"The vulnerable environment variable uses untrusted data.",
"Tainted data used in the environment variables is not properly validated. For instance boundary checking is not done before copying the input data to a buffer."
],
"x_capec_skills_required": {
"Low": "An attacker can simply overflow a buffer by inserting a long string into an attacker-modifiable injection vector. The result can be a DoS.",
"High": "Exploiting a buffer overflow to inject malicious code into the stack of a software system or even the heap can require a higher skill level."
},
"x_capec_consequences": {
"Availability": [
"Unreliable Execution",
"Execute Unauthorized Commands (Run Arbitrary Code)"
],
"Confidentiality": [
"Execute Unauthorized Commands (Run Arbitrary Code)",
"Read Data",
"Gain Privileges"
],
"Integrity": [
"Execute Unauthorized Commands (Run Arbitrary Code)",
"Modify Data"
],
"Access_Control": [
"Gain Privileges"
],
"Authorization": [
"Gain Privileges"
]
},
"x_capec_abstraction": "Detailed",
"x_capec_example_instances": [
"\n <xhtml:div style=\"color:#32498D; font-weight:bold;\">Attack Example: Buffer Overflow in $HOME</xhtml:div>\n <xhtml:p>A buffer overflow in sccw allows local users to gain root access via the $HOME environmental variable.</xhtml:p>See also: CVE-1999-0906",
"\n <xhtml:div style=\"color:#32498D; font-weight:bold;\">Attack Example: Buffer Overflow in TERM</xhtml:div>\n <xhtml:p>A buffer overflow in the rlogin program involves its consumption of the TERM environmental variable.</xhtml:p>See also: CVE-1999-0046"
],
"x_capec_status": "Draft",
"x_capec_version": "3.2",
"type": "attack-pattern",
"id": "attack-pattern--4a29d66d-8617-4382-b456-578ecdb1609e"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2018-07-31T00:00:00.000Z",
"name": "coa-10-0",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"description": "Do not expose environment variable to the user.",
"type": "course-of-action",
"id": "course-of-action--0dfd5de3-6691-47d2-abfd-21299e9f040b"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2018-07-31T00:00:00.000Z",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"type": "relationship",
"id": "relationship--6afe60c3-f515-4128-a724-0989e27e5bb0",
"source_ref": "course-of-action--0dfd5de3-6691-47d2-abfd-21299e9f040b",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--4a29d66d-8617-4382-b456-578ecdb1609e"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2018-07-31T00:00:00.000Z",
"name": "coa-10-1",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"description": "Do not use untrusted data in your environment variables.",
"type": "course-of-action",
"id": "course-of-action--76f448da-5586-4aae-b516-46ff7c52ba87"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2018-07-31T00:00:00.000Z",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"type": "relationship",
"id": "relationship--371669b4-ddf9-41df-b755-093aa08a1c2d",
"source_ref": "course-of-action--76f448da-5586-4aae-b516-46ff7c52ba87",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--4a29d66d-8617-4382-b456-578ecdb1609e"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2018-07-31T00:00:00.000Z",
"name": "coa-10-2",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"description": "Use a language or compiler that performs automatic bounds checking",
"type": "course-of-action",
"id": "course-of-action--950e1236-9a75-40d0-a5f7-1c1777109da5"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2018-07-31T00:00:00.000Z",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"type": "relationship",
"id": "relationship--5981e722-08a7-4513-8c85-f487b377ebfb",
"source_ref": "course-of-action--950e1236-9a75-40d0-a5f7-1c1777109da5",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--4a29d66d-8617-4382-b456-578ecdb1609e"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2018-07-31T00:00:00.000Z",
"name": "coa-10-3",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"description": "There are tools such as Sharefuzz [R.10.3] which is an environment variable fuzzer for Unix that support loading a shared library. You can use Sharefuzz to determine if you are exposing an environment variable vulnerable to buffer overflow.",
"type": "course-of-action",
"id": "course-of-action--526697ed-fd20-4c98-9fd0-c49c461c58b4"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2018-07-31T00:00:00.000Z",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"type": "relationship",
"id": "relationship--6202ba3b-958f-43a0-9523-dce46698f31f",
"source_ref": "course-of-action--526697ed-fd20-4c98-9fd0-c49c461c58b4",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--4a29d66d-8617-4382-b456-578ecdb1609e"
},
{
"name": "Overflow Buffers",
"description": "Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an adversary. As a consequence, an adversary is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the adversaries' choice.",
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"created": "2014-06-23T00:00:00.000Z",
"modified": "2017-08-04T00:00:00.000Z",
"external_references": [
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/100.html",
"external_id": "CAPEC-100"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/120.html",
"external_id": "CWE-120"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/119.html",
"external_id": "CWE-119"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/131.html",
"external_id": "CWE-131"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/129.html",
"external_id": "CWE-129"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/805.html",
"external_id": "CWE-805"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/19.html",
"external_id": "CWE-19"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/680.html",
"external_id": "CWE-680"
}
],
"x_capec_likelihood_of_attack": "High",
"x_capec_typical_severity": "Very High",
"x_capec_prerequisites": [
"Targeted software performs buffer operations.",
"Targeted software inadequately performs bounds-checking on buffer operations.",
"Adversary has the capability to influence the input to buffer operations."
],
"x_capec_skills_required": {
"Low": "In most cases, overflowing a buffer does not require advanced skills beyond the ability to notice an overflow and stuff an input variable with content.",
"High": "In cases of directed overflows, where the motive is to divert the flow of the program or application as per the adversaries' bidding, high level skills are required. This may involve detailed knowledge of the target system architecture and kernel."
},
"x_capec_resources_required": [
"None: No specialized resources are required to execute this type of attack. Detecting and exploiting a buffer overflow does not require any resources beyond knowledge of and access to the target system."
],
"x_capec_consequences": {
"Availability": [
"Unreliable Execution",
"Execute Unauthorized Commands (Run Arbitrary Code)"
],
"Confidentiality": [
"Execute Unauthorized Commands (Run Arbitrary Code)",
"Gain Privileges"
],
"Integrity": [
"Execute Unauthorized Commands (Run Arbitrary Code)"
],
"Access_Control": [
"Gain Privileges"
],
"Authorization": [
"Gain Privileges"
]
},
"x_capec_abstraction": "Standard",
"x_capec_example_instances": [
"The most straightforward example is an application that reads in input from the user and stores it in an internal buffer but does not check that the size of the input data is less than or equal to the size of the buffer. If the user enters excessive length data, the buffer may overflow leading to the application crashing, or worse, enabling the user to cause execution of injected code.",
"Many web servers enforce security in web applications through the use of filter plugins. An example is the SiteMinder plugin used for authentication. An overflow in such a plugin, possibly through a long URL or redirect parameter, can allow an adversary not only to bypass the security checks but also execute arbitrary code on the target web server in the context of the user that runs the web server process."
],
"x_capec_status": "Draft",
"x_capec_version": "3.2",
"type": "attack-pattern",
"id": "attack-pattern--77e51461-7843-411c-a90e-852498957f76"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2017-08-04T00:00:00.000Z",
"name": "coa-100-0",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"description": "Use a language or compiler that performs automatic bounds checking.",
"type": "course-of-action",
"id": "course-of-action--a253c485-f225-4dd3-b0ba-dbe4b29fa134"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2017-08-04T00:00:00.000Z",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"type": "relationship",
"id": "relationship--cedea035-6835-4307-a59b-acd58ec23ecd",
"source_ref": "course-of-action--a253c485-f225-4dd3-b0ba-dbe4b29fa134",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--77e51461-7843-411c-a90e-852498957f76"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2017-08-04T00:00:00.000Z",
"name": "coa-100-1",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"description": "Use secure functions not vulnerable to buffer overflow.",
"type": "course-of-action",
"id": "course-of-action--5549f741-7e5e-4f04-86bd-90dceb9c0de9"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2017-08-04T00:00:00.000Z",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"type": "relationship",
"id": "relationship--394fe1bb-8b4d-4638-b4e8-2a5719efe438",
"source_ref": "course-of-action--5549f741-7e5e-4f04-86bd-90dceb9c0de9",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--77e51461-7843-411c-a90e-852498957f76"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2017-08-04T00:00:00.000Z",
"name": "coa-100-2",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"description": "If you have to use dangerous functions, make sure that you do boundary checking.",
"type": "course-of-action",
"id": "course-of-action--07b3e24d-8000-4c35-881d-2eaae3f2411e"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2017-08-04T00:00:00.000Z",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"type": "relationship",
"id": "relationship--774c708f-2480-4cee-8e04-c42d603760e8",
"source_ref": "course-of-action--07b3e24d-8000-4c35-881d-2eaae3f2411e",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--77e51461-7843-411c-a90e-852498957f76"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2017-08-04T00:00:00.000Z",
"name": "coa-100-3",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"description": "Compiler-based canary mechanisms such as StackGuard, ProPolice and the Microsoft Visual Studio /GS flag. Unless this provides automatic bounds checking, it is not a complete solution.",
"type": "course-of-action",
"id": "course-of-action--115171ef-9f32-43b6-bb8a-49f0a78286e9"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2017-08-04T00:00:00.000Z",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"type": "relationship",
"id": "relationship--d04362e0-439c-40a1-bfa2-cbddb7b33bbd",
"source_ref": "course-of-action--115171ef-9f32-43b6-bb8a-49f0a78286e9",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--77e51461-7843-411c-a90e-852498957f76"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2017-08-04T00:00:00.000Z",
"name": "coa-100-4",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"description": "Use OS-level preventative functionality. Not a complete solution.",
"type": "course-of-action",
"id": "course-of-action--b8955156-d3d6-4db5-bc3b-595bda29964b"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2017-08-04T00:00:00.000Z",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"type": "relationship",
"id": "relationship--7aae34f4-823f-43ac-90e9-fa33251c4236",
"source_ref": "course-of-action--b8955156-d3d6-4db5-bc3b-595bda29964b",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--77e51461-7843-411c-a90e-852498957f76"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2017-08-04T00:00:00.000Z",
"name": "coa-100-5",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"description": "Utilize static source code analysis tools to identify potential buffer overflow weaknesses in the software.",
"type": "course-of-action",
"id": "course-of-action--61ed4ed4-15a0-4d2a-b38c-482bf5e682a5"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2017-08-04T00:00:00.000Z",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"type": "relationship",
"id": "relationship--7f190864-e6a8-45f8-af58-75124f4f4914",
"source_ref": "course-of-action--61ed4ed4-15a0-4d2a-b38c-482bf5e682a5",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--77e51461-7843-411c-a90e-852498957f76"
},
{
"name": "Server Side Include (SSI) Injection",
"description": "An attacker can use Server Side Include (SSI) Injection to send code to a web application that then gets executed by the web server. Doing so enables the attacker to achieve similar results to Cross Site Scripting, viz., arbitrary code execution and information disclosure, albeit on a more limited scale, since the SSI directives are nowhere near as powerful as a full-fledged scripting language. Nonetheless, the attacker can conveniently gain access to sensitive files, such as password files, and execute shell commands.",
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"created": "2014-06-23T00:00:00.000Z",
"modified": "2018-07-31T00:00:00.000Z",
"external_references": [
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/101.html",
"external_id": "CAPEC-101"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/97.html",
"external_id": "CWE-97"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/74.html",
"external_id": "CWE-74"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/20.html",
"external_id": "CWE-20"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/713.html",
"external_id": "CWE-713"
}
],
"x_capec_likelihood_of_attack": "High",
"x_capec_typical_severity": "High",
"x_capec_prerequisites": [
"A web server that supports server side includes and has them enabled",
"User controllable input that can carry include directives to the web server"
],
"x_capec_skills_required": {
"Medium": "The attacker needs to be aware of SSI technology, determine the nature of injection and be able to craft input that results in the SSI directives being executed."
},
"x_capec_resources_required": [
"None: No specialized resources are required to execute this type of attack. Determining whether the server supports SSI does not require special tools, and nor does injecting directives that get executed. Spidering tools can make the task of finding and following links easier."
],
"x_capec_consequences": {
"Confidentiality": [
"Read Data",
"Execute Unauthorized Commands (Run Arbitrary Code)"
],
"Integrity": [
"Execute Unauthorized Commands (Run Arbitrary Code)"
],
"Availability": [
"Execute Unauthorized Commands (Run Arbitrary Code)"
]
},
"x_capec_abstraction": "Detailed",
"x_capec_example_instances": [
"\n <xhtml:p>Consider a website hosted on a server that permits Server Side Includes (SSI), such as Apache with the \"Options Includes\" directive enabled.</xhtml:p>\n <xhtml:p>Whenever an error occurs, the HTTP Headers along with the entire request are logged, which can then be displayed on a page that allows review of such errors. A malicious user can inject SSI directives in the HTTP Headers of a request designed to create an error.</xhtml:p>\n <xhtml:p>When these logs are eventually reviewed, the server parses the SSI directives and executes them.</xhtml:p>\n "
],
"x_capec_status": "Draft",
"x_capec_version": "3.2",
"type": "attack-pattern",
"id": "attack-pattern--4e7abad3-5853-4e4b-a64e-7f23f10f8656"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2018-07-31T00:00:00.000Z",
"name": "coa-101-0",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"description": "Set the OPTIONS IncludesNOEXEC in the global access.conf file or local .htaccess (Apache) file to deny SSI execution in directories that do not need them",
"type": "course-of-action",
"id": "course-of-action--64214f54-8438-43c3-8052-8927af7d98bc"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2018-07-31T00:00:00.000Z",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"type": "relationship",
"id": "relationship--3428ab3f-34a5-436a-98f2-9be0a5397f94",
"source_ref": "course-of-action--64214f54-8438-43c3-8052-8927af7d98bc",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--4e7abad3-5853-4e4b-a64e-7f23f10f8656"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2018-07-31T00:00:00.000Z",
"name": "coa-101-1",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"description": "All user controllable input must be appropriately sanitized before use in the application. This includes omitting, or encoding, certain characters or strings that have the potential of being interpreted as part of an SSI directive",
"type": "course-of-action",
"id": "course-of-action--8dc4376f-e920-42a2-9578-575c37c7c146"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2018-07-31T00:00:00.000Z",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"type": "relationship",
"id": "relationship--6c9bb040-3574-49f1-bec3-723afe52faa1",
"source_ref": "course-of-action--8dc4376f-e920-42a2-9578-575c37c7c146",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--4e7abad3-5853-4e4b-a64e-7f23f10f8656"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2018-07-31T00:00:00.000Z",
"name": "coa-101-2",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"description": "Server Side Includes must be enabled only if there is a strong business reason to do so. Every additional component enabled on the web server increases the attack surface as well as administrative overhead",
"type": "course-of-action",
"id": "course-of-action--c52aed3b-1355-42cd-a2a4-3c570d0f5c35"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2018-07-31T00:00:00.000Z",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"type": "relationship",
"id": "relationship--c92c5203-00ee-424c-a58b-d36d36695f03",
"source_ref": "course-of-action--c52aed3b-1355-42cd-a2a4-3c570d0f5c35",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--4e7abad3-5853-4e4b-a64e-7f23f10f8656"
},
{
"name": "Session Sidejacking",
"description": "Session sidejacking takes advantage of an unencrypted communication channel between a victim and target system. The attacker sniffs traffic on a network looking for session tokens in unencrypted traffic. Once a session token is captured, the attacker performs malicious actions by using the stolen token with the targeted application to impersonate the victim. This attack is a specific method of session hijacking, which is exploiting a valid session token to gain unauthorized access to a target system or information. Other methods to perform a session hijacking are session fixation, cross-site scripting, or compromising a user or server machine and stealing the session token.",
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"created": "2014-06-23T00:00:00.000Z",
"modified": "2017-08-04T00:00:00.000Z",
"external_references": [
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/102.html",
"external_id": "CAPEC-102"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/294.html",
"external_id": "CWE-294"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/522.html",
"external_id": "CWE-522"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/523.html",
"external_id": "CWE-523"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/319.html",
"external_id": "CWE-319"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/614.html",
"external_id": "CWE-614"
}
],
"x_capec_likelihood_of_attack": "High",
"x_capec_typical_severity": "High",
"x_capec_prerequisites": [
"An attacker and the victim are both using the same WiFi network.",
"The victim has an active session with a target system.",
"The victim is not using a secure channel to communicate with the target system (e.g. SSL, VPN, etc.)",
"The victim initiated communication with a target system that requires transfer of the session token or the target application uses AJAX and thereby periodically \"rings home\" asynchronously using the session token"
],
"x_capec_skills_required": {
"Low": "Easy to use tools exist to automate this attack."
},
"x_capec_resources_required": [
"A packet sniffing tool, such as wireshark, can be used to capture session information."
],
"x_capec_consequences": {
"Confidentiality": [
"Gain Privileges",
"Read Data"
],
"Access_Control": [
"Gain Privileges"
],
"Authorization": [
"Gain Privileges"
],
"Integrity": [
"Modify Data"
],
"Availability": [
"Unreliable Execution"
]
},
"x_capec_abstraction": "Detailed",
"x_capec_example_instances": [
"The attacker and the victim are using the same WiFi public hotspot. When the victim connects to the hotspot, he has a hosted e-mail account open. This e-mail account uses AJAX on the client side which periodically asynchronously connects to the server side and transfers, amongst other things, the user's session token to the server. The communication is supposed to happen over HTTPS. However, the configuration in the public hotspot initially disallows the HTTPS connection (or any other connection) between the victim and the hosted e-mail servers because the victim first needs to register with the hotspot. The victim does so, but his e-mail client already defaulted to using a connection without HTTPS, since it was denied access the first time. The victim's session token is now flowing unencrypted between the victim's browser and the hosted e-mail servers. The attacker leverages this opportunity to capture the session token and gain access to the victim's hosted e-mail account."
],
"x_capec_status": "Draft",
"x_capec_version": "3.2",
"type": "attack-pattern",
"id": "attack-pattern--6a99b39b-b14a-4617-8aeb-bce85979f520"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2017-08-04T00:00:00.000Z",
"name": "coa-102-0",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"description": "Make sure that HTTPS is used to communicate with the target system. Alternatively, use VPN if possible. It is important to ensure that all communication between the client and the server happens via an encrypted secure channel.",
"type": "course-of-action",
"id": "course-of-action--0002fa37-9334-41e2-971a-cc8cab6c00c4"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2017-08-04T00:00:00.000Z",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"type": "relationship",
"id": "relationship--5b42f764-6aa4-4c32-a752-c814178db08c",
"source_ref": "course-of-action--0002fa37-9334-41e2-971a-cc8cab6c00c4",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--6a99b39b-b14a-4617-8aeb-bce85979f520"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2017-08-04T00:00:00.000Z",
"name": "coa-102-1",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"description": "Modify the session token with each transmission and protect it with cryptography. Add the idea of request sequencing that gives the server an ability to detect replay attacks.",
"type": "course-of-action",
"id": "course-of-action--c2fe43b4-eb82-4bf6-b874-c2d9018c94fe"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2017-08-04T00:00:00.000Z",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"type": "relationship",
"id": "relationship--66376c3d-cedd-4a2e-9fd6-1737edda9a5e",
"source_ref": "course-of-action--c2fe43b4-eb82-4bf6-b874-c2d9018c94fe",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--6a99b39b-b14a-4617-8aeb-bce85979f520"
},
{
"name": "Clickjacking",
"description": "In a clickjacking attack the victim is tricked into unknowingly initiating some action in one system while interacting with the UI from a seemingly completely different system. While being logged in to some target system, the victim visits the adversary's malicious site which displays a UI that the victim wishes to interact with. In reality, the clickjacked page has a transparent layer above the visible UI with action controls that the adversary wishes the victim to execute. The victim clicks on buttons or other UI elements they see on the page which actually triggers the action controls in the transparent overlaying layer. Depending on what that action control is, the adversary may have just tricked the victim into executing some potentially privileged (and most certainly undesired) functionality in the target system to which the victim is authenticated. The basic problem here is that there is a dichotomy between what the victim thinks they are clicking on versus what they are actually clicking on.",
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"created": "2014-06-23T00:00:00.000Z",
"modified": "2017-08-04T00:00:00.000Z",
"external_references": [
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/103.html",
"external_id": "CAPEC-103"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/1021.html",
"external_id": "CWE-1021"
}
],
"x_capec_likelihood_of_attack": "Medium",
"x_capec_typical_severity": "High",
"x_capec_prerequisites": [
"The victim is communicating with the target application via a web based UI and not a thick client",
"The victim's browser security policies allow at least one of the following JavaScript, Flash, iFrames, ActiveX, or CSS.",
"The victim uses a modern browser that supports UI elements like clickable buttons (i.e. not using an old text only browser)",
"The victim has an active session with the target system.",
"The target system's interaction window is open in the victim's browser and supports the ability for initiating sensitive actions on behalf of the user in the target system"
],
"x_capec_skills_required": {
"High": "Crafting the proper malicious site and luring the victim to this site are not trivial tasks."
},
"x_capec_resources_required": [
"None: No specialized resources are required to execute this type of attack."
],
"x_capec_consequences": {
"Confidentiality": [
"Gain Privileges",
"Read Data"
],
"Access_Control": [
"Gain Privileges"
],
"Authorization": [
"Gain Privileges"
],
"Integrity": [
"Modify Data"
],
"Availability": [
"Unreliable Execution"
]
},
"x_capec_abstraction": "Standard",
"x_capec_example_instances": [
"\n <xhtml:p>A victim has an authenticated session with a site that provides an electronic payment service to transfer funds between subscribing members. At the same time, the victim receives an e-mail that appears to come from an online publication to which he or she subscribes with links to today's news articles. The victim clicks on one of these links and is taken to a page with the news story. There is a screen with an advertisement that appears on top of the news article with the 'skip this ad' button. Eager to read the news article, the user clicks on this button. Nothing happens. The user clicks on the button one more time and still nothing happens.</xhtml:p>\n <xhtml:p>In reality, the victim activated a hidden action control located in a transparent layer above the 'skip this ad' button. The ad screen blocking the news article made it likely that the victim would click on the 'skip this ad' button. Clicking on the button, actually initiated the transfer of $1000 from the victim's account with an electronic payment service to an adversary's account. Clicking on the 'skip this ad' button the second time (after nothing seemingly happened the first time) confirmed the transfer of funds to the electronic payment service.</xhtml:p>\n "
],
"x_capec_status": "Draft",
"x_capec_version": "3.2",
"type": "attack-pattern",
"id": "attack-pattern--ec41b2b3-a3b6-4af0-be65-69e82907dfef"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2017-08-04T00:00:00.000Z",
"name": "coa-103-0",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"description": "If using the Firefox browser, use the NoScript plug-in that will help forbid iFrames.",
"type": "course-of-action",
"id": "course-of-action--80867248-4826-45e5-84e9-99e4d1bc07c4"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2017-08-04T00:00:00.000Z",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"type": "relationship",
"id": "relationship--0e9b7917-b0c4-4461-93c3-7c9623a1eca8",
"source_ref": "course-of-action--80867248-4826-45e5-84e9-99e4d1bc07c4",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--ec41b2b3-a3b6-4af0-be65-69e82907dfef"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2017-08-04T00:00:00.000Z",
"name": "coa-103-1",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"description": "Turn off JavaScript, Flash and disable CSS.",
"type": "course-of-action",
"id": "course-of-action--a7b45eac-7a77-4462-81b6-3ae5d81528e1"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2017-08-04T00:00:00.000Z",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"type": "relationship",
"id": "relationship--2c711dc9-c190-43bc-a5e0-02855f1b48e5",
"source_ref": "course-of-action--a7b45eac-7a77-4462-81b6-3ae5d81528e1",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--ec41b2b3-a3b6-4af0-be65-69e82907dfef"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2017-08-04T00:00:00.000Z",
"name": "coa-103-2",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"description": "When maintaining an authenticated session with a privileged target system, do not use the same browser to navigate to unfamiliar sites to perform other activities. Finish working with the target system and logout first before proceeding to other tasks.",
"type": "course-of-action",
"id": "course-of-action--fb383db0-5a1f-42bb-ba04-6b7434508fdb"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2017-08-04T00:00:00.000Z",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"type": "relationship",
"id": "relationship--591f6f0b-24c7-4594-9450-5a3ca2a41ad7",
"source_ref": "course-of-action--fb383db0-5a1f-42bb-ba04-6b7434508fdb",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--ec41b2b3-a3b6-4af0-be65-69e82907dfef"
},
{
"name": "Cross Zone Scripting",
"description": "An attacker is able to cause a victim to load content into their web-browser that bypasses security zone controls and gain access to increased privileges to execute scripting code or other web objects such as unsigned ActiveX controls or applets. This is a privilege elevation attack targeted at zone-based web-browser security. In a zone-based model, pages belong to one of a set of zones corresponding to the level of privilege assigned to that page. Pages in an untrusted zone would have a lesser level of access to the system and/or be restricted in the types of executable content they are allowed to invoke. In a cross-zone scripting attack, a page that should be assigned to a less privileged zone is granted the privileges of a more trusted zone. This can be accomplished by exploiting bugs in the browser, exploiting incorrect configuration in the zone controls, through a cross-site scripting attack that causes the attackers' content to be treated as coming from a more trusted page, or by leveraging some piece of system functionality that is accessible from both the trusted and less trusted zone. This attack differs from \"Restful Privilege Escalation\" in that the latter correlates to the inadequate securing of RESTful access methods (such as HTTP DELETE) on the server, while cross-zone scripting attacks the concept of security zones as implemented by a browser.",
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"created": "2014-06-23T00:00:00.000Z",
"modified": "2017-08-04T00:00:00.000Z",
"external_references": [
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/104.html",
"external_id": "CAPEC-104"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/250.html",
"external_id": "CWE-250"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/638.html",
"external_id": "CWE-638"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/285.html",
"external_id": "CWE-285"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/116.html",
"external_id": "CWE-116"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/20.html",
"external_id": "CWE-20"
}
],
"x_capec_likelihood_of_attack": "Medium",
"x_capec_typical_severity": "High",
"x_capec_prerequisites": [
"The target must be using a zone-aware browser."
],
"x_capec_skills_required": {
"Medium": "Ability to craft malicious scripts or find them elsewhere and ability to identify functionality that is running web controls in the local zone and to find an injection vector into that functionality"
},
"x_capec_resources_required": [
"None: No specialized resources are required to execute this type of attack."
],
"x_capec_consequences": {
"Integrity": [
"Modify Data",
"Execute Unauthorized Commands (Run Arbitrary Code)"
],
"Confidentiality": [
"Read Data",
"Gain Privileges",
"Execute Unauthorized Commands (Run Arbitrary Code)"
],
"Access_Control": [
"Gain Privileges"
],
"Authorization": [
"Gain Privileges"
],
"Availability": [
"Execute Unauthorized Commands (Run Arbitrary Code)"
]
},
"x_capec_abstraction": "Standard",
"x_capec_example_instances": [
"There was a cross zone scripting vulnerability discovered in Skype that allowed one user to upload a video with a maliciously crafted title that contains a script. Subsequently, when the victim attempts to use the \"add video to chat\" feature on the attacker's video, the script embedded in the title of the video runs with local zone privileges. Skype is using IE web controls to render internal and external HTML pages. \"Add video to chat\" uses these web controls and they are running in the Local Zone. Any user who searched for the video in Skype with the same keywords as in the title field, would have the attacker's code executing in their browser with local zone privileges to their host machine (e.g. applications on the victim's host system could be executed)."
],
"x_capec_status": "Draft",
"x_capec_version": "3.2",
"type": "attack-pattern",
"id": "attack-pattern--ebf5cbfb-36d8-4983-9267-9d17bff3817f"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2017-08-04T00:00:00.000Z",
"name": "coa-104-0",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"description": "Disable script execution.",
"type": "course-of-action",
"id": "course-of-action--9d62b228-ecb8-4238-bc64-ef63f9d03bd5"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2017-08-04T00:00:00.000Z",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"type": "relationship",
"id": "relationship--d53f8236-31b6-44ef-9829-434ecc01751b",
"source_ref": "course-of-action--9d62b228-ecb8-4238-bc64-ef63f9d03bd5",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--ebf5cbfb-36d8-4983-9267-9d17bff3817f"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2017-08-04T00:00:00.000Z",
"name": "coa-104-1",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"description": "Ensure that sufficient input validation is performed for any potentially untrusted data before it is used in any privileged context or zone",
"type": "course-of-action",
"id": "course-of-action--ec174eec-0e8f-4c98-bfba-3ea29348c294"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2017-08-04T00:00:00.000Z",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"type": "relationship",
"id": "relationship--9a5924dc-2691-401b-b498-a96e19330e3f",
"source_ref": "course-of-action--ec174eec-0e8f-4c98-bfba-3ea29348c294",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--ebf5cbfb-36d8-4983-9267-9d17bff3817f"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2017-08-04T00:00:00.000Z",
"name": "coa-104-2",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"description": "Limit the flow of untrusted data into the privileged areas of the system that run in the higher trust zone",
"type": "course-of-action",
"id": "course-of-action--ebaa0190-21bc-40aa-835b-534ee9459aba"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2017-08-04T00:00:00.000Z",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"type": "relationship",
"id": "relationship--ddbbaa85-70d2-430f-b63f-f76eff819192",
"source_ref": "course-of-action--ebaa0190-21bc-40aa-835b-534ee9459aba",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--ebf5cbfb-36d8-4983-9267-9d17bff3817f"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2017-08-04T00:00:00.000Z",
"name": "coa-104-3",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"description": "Limit the sites that are being added to the local machine zone and restrict the privileges of the code running in that zone to the bare minimum",
"type": "course-of-action",
"id": "course-of-action--abf207ec-5477-490e-a258-3be7ce5376f4"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2017-08-04T00:00:00.000Z",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"type": "relationship",
"id": "relationship--aa57cebd-a942-48ea-8782-ade74acdbddb",
"source_ref": "course-of-action--abf207ec-5477-490e-a258-3be7ce5376f4",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--ebf5cbfb-36d8-4983-9267-9d17bff3817f"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2017-08-04T00:00:00.000Z",
"name": "coa-104-4",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"description": "Ensure proper HTML output encoding before writing user supplied data to the page",
"type": "course-of-action",
"id": "course-of-action--d46c76e7-68c6-4e46-a3a2-d7dd40b98d75"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2017-08-04T00:00:00.000Z",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"type": "relationship",
"id": "relationship--a223d161-4991-4c87-8118-ea0ee66f9f31",
"source_ref": "course-of-action--d46c76e7-68c6-4e46-a3a2-d7dd40b98d75",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--ebf5cbfb-36d8-4983-9267-9d17bff3817f"
},
{
"name": "HTTP Request Splitting",
"description": "HTTP Request Splitting (also known as HTTP Request Smuggling) is an attack pattern where an attacker attempts to insert additional HTTP requests in the body of the original (enveloping) HTTP request in such a way that the browser interprets it as one request but the web server interprets it as two. There are several ways to perform HTTP request splitting attacks. One way is to include double Content-Length headers in the request to exploit the fact that the devices parsing the request may each use a different header. Another way is to submit an HTTP request with a \"Transfer Encoding: chunked\" in the request header set with setRequestHeader to allow a payload in the HTTP Request that can be considered as another HTTP Request by a subsequent parsing entity. A third way is to use the \"Double CR in an HTTP header\" technique. There are also a few less general techniques targeting specific parsing vulnerabilities in certain web servers.",
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"created": "2014-06-23T00:00:00.000Z",
"modified": "2019-04-04T00:00:00.000Z",
"external_references": [
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/105.html",
"external_id": "CAPEC-105"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/436.html",
"external_id": "CWE-436"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/444.html",
"external_id": "CWE-444"
}
],
"x_capec_likelihood_of_attack": "Medium",
"x_capec_typical_severity": "High",
"x_capec_prerequisites": [
"User-manipulable HTTP Request headers are processed by the web server"
],
"x_capec_skills_required": {
"Medium": "Good understanding of the HTTP protocol and the parsing mechanisms employed by various web servers"
},
"x_capec_resources_required": [
"A tool that allows for the sending of customized HTTP requests is required."
],
"x_capec_consequences": {
"Confidentiality": [
"Execute Unauthorized Commands (Run Arbitrary Code)",
"Gain Privileges",
"Read Data"
],
"Integrity": [
"Execute Unauthorized Commands (Run Arbitrary Code)",
"Modify Data"
],
"Availability": [
"Execute Unauthorized Commands (Run Arbitrary Code)"
],
"Access_Control": [
"Gain Privileges"
],
"Authorization": [
"Gain Privileges"
]
},
"x_capec_abstraction": "Standard",
"x_capec_example_instances": [
"\n <xhtml:p>Microsoft Internet Explorer versions 5.01 SP4 and prior, 6.0 SP2 and prior, and 7.0 contain a vulnerability that could allow an unauthenticated, remote attacker to conduct HTTP request splitting and smuggling attacks.</xhtml:p>\n <xhtml:p>The vulnerability is due to an input validation error in the browser that allows attackers to manipulate certain headers to expose the browser to HTTP request splitting and smuggling attacks. Attacks may include cross-site scripting, proxy cache poisoning, and session fixation. In certain instances, an exploit could allow the attacker to bypass web application firewalls or other filtering devices.</xhtml:p>\n <xhtml:p>Microsoft has confirmed the vulnerability and released software updates</xhtml:p>\n "
],
"x_capec_status": "Draft",
"x_capec_version": "3.2",
"type": "attack-pattern",
"id": "attack-pattern--b89511b6-f0fb-4c1d-a884-a0d5a0d82b4e"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2019-04-04T00:00:00.000Z",
"name": "coa-105-0",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"description": "Make sure to install the latest vendor security patches available for the web server.",
"type": "course-of-action",
"id": "course-of-action--99f2a8e7-ce13-4a20-90e8-bd150addaad1"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2019-04-04T00:00:00.000Z",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"type": "relationship",
"id": "relationship--dabed13d-56ed-49cc-9f46-1cc36ad02bd9",
"source_ref": "course-of-action--99f2a8e7-ce13-4a20-90e8-bd150addaad1",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--b89511b6-f0fb-4c1d-a884-a0d5a0d82b4e"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2019-04-04T00:00:00.000Z",
"name": "coa-105-1",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"description": "If possible, make use of SSL.",
"type": "course-of-action",
"id": "course-of-action--ebe78a82-c97a-4982-bd59-9b046e1667e8"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2019-04-04T00:00:00.000Z",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"type": "relationship",
"id": "relationship--ac48e32e-668e-4b33-bb44-bcda677a930a",
"source_ref": "course-of-action--ebe78a82-c97a-4982-bd59-9b046e1667e8",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--b89511b6-f0fb-4c1d-a884-a0d5a0d82b4e"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2019-04-04T00:00:00.000Z",
"name": "coa-105-2",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"description": "Install a web application firewall that has been secured against HTTP Request Splitting",
"type": "course-of-action",
"id": "course-of-action--e121a786-d40c-4584-9cb6-321d37b5744d"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2019-04-04T00:00:00.000Z",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"type": "relationship",
"id": "relationship--a4412394-bce0-4a6b-8dd1-7d943d1aa391",
"source_ref": "course-of-action--e121a786-d40c-4584-9cb6-321d37b5744d",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--b89511b6-f0fb-4c1d-a884-a0d5a0d82b4e"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2019-04-04T00:00:00.000Z",
"name": "coa-105-3",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"description": "Use web servers that employ a tight HTTP parsing process",
"type": "course-of-action",
"id": "course-of-action--d2c5ef6f-e750-43e7-81a1-cf8e5cd4d0a5"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2019-04-04T00:00:00.000Z",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"type": "relationship",
"id": "relationship--ad3c7f04-99ab-4e38-ab1f-26c519b14a20",
"source_ref": "course-of-action--d2c5ef6f-e750-43e7-81a1-cf8e5cd4d0a5",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--b89511b6-f0fb-4c1d-a884-a0d5a0d82b4e"
},
{
"name": "DEPRECATED: XSS through Log Files",
"description": "This attack pattern has been deprecated as it refers to an existing chain relationship between \"CAPEC-93 : Log Injection-Tampering-Forging\" and \"CAPEC-63 : Cross-Site Scripting\". Please refer to these CAPECs going forward.",
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"created": "2014-06-23T00:00:00.000Z",
"modified": "2017-05-01T00:00:00.000Z",
"external_references": [
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/106.html",
"external_id": "CAPEC-106"
}
],
"x_capec_abstraction": "Detailed",
"x_capec_status": "Deprecated",
"x_capec_version": "3.2",
"type": "attack-pattern",
"id": "attack-pattern--87829d14-eece-4fa3-b36f-54cc3b2262ae"
},
{
"name": "Cross Site Tracing",
"description": "Cross Site Tracing (XST) enables an adversary to steal the victim's session cookie and possibly other authentication credentials transmitted in the header of the HTTP request when the victim's browser communicates to destination system's web server. The adversary first gets a malicious script to run in the victim's browser that induces the browser to initiate an HTTP TRACE request to the web server. If the destination web server allows HTTP TRACE requests, it will proceed to return a response to the victim's web browser that contains the original HTTP request in its body. The function of HTTP TRACE, as defined by the HTTP specification, is to echo the request that the web server receives from the client back to the client. Since the HTTP header of the original request had the victim's session cookie in it, that session cookie can now be picked off the HTTP TRACE response and sent to the adversary's malicious site. XST becomes relevant when direct access to the session cookie via the \"document.cookie\" object is disabled with the use of httpOnly attribute which ensures that the cookie can be transmitted in HTTP requests but cannot be accessed in other ways. Using SSL does not protect against XST. If the system with which the victim is interacting is susceptible to XSS, an adversary can exploit that weakness directly to get his or her malicious script to issue an HTTP TRACE request to the destination system's web server. In the absence of an XSS weakness on the site with which the victim is interacting, an adversary can get the script to come from the site that he controls and get it to execute in the victim's browser (if he can trick the victim into visiting his malicious website or clicking on the link that he supplies). However, in that case, due to the same origin policy protection mechanism in the browser, the adversary's malicious script cannot directly issue an HTTP TRACE request to the destination system's web server because the malicious script did not originate at that domain. An adversary will then need to find a way to exploit another weakness that would enable him or her to get around the same origin policy protection.",
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"created": "2014-06-23T00:00:00.000Z",
"modified": "2017-08-04T00:00:00.000Z",
"external_references": [
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/107.html",
"external_id": "CAPEC-107"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/693.html",
"external_id": "CWE-693"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/648.html",
"external_id": "CWE-648"
},
{
"source_name": "reference_from_CAPEC",
"description": "Jeremiah Grossman, Cross-Site Tracing (XST), 2003, WhiteHat Security",
"url": "http://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf",
"external_id": "REF-3"
}
],
"x_capec_likelihood_of_attack": "Medium",
"x_capec_typical_severity": "Very High",
"x_capec_prerequisites": [
"HTTP TRACE is enabled on the web server",
"The destination system is susceptible to XSS or an adversary can leverage some other weakness to bypass the same origin policy",
"Scripting is enabled in the client's browser",
"HTTP is used as the communication protocol between the server and the client"
],
"x_capec_skills_required": {
"Medium": "Understanding of the HTTP protocol and an ability to craft a malicious script"
},
"x_capec_resources_required": [
"None: No specialized resources are required to execute this type of attack."
],
"x_capec_consequences": {
"Confidentiality": [
"Read Data",
"Gain Privileges"
],
"Access_Control": [
"Gain Privileges"
],
"Authorization": [
"Gain Privileges"
],
"Integrity": [
"Modify Data"
]
},
"x_capec_abstraction": "Detailed",
"x_capec_example_instances": [
"An adversary determines that a particular system is vulnerable to reflected cross-site scripting (XSS) and endeavors to leverage this weakness to steal the victim's authentication cookie. An adversary realizes that since the httpOnly attribute is set on the user's cookie, it is not possible to steal it directly with his malicious script. Instead, the adversary has their script use the XMLHTTP ActiveX control in the victim's IE browser to issue an HTTP TRACE to the target system's server, which has HTTP TRACE enabled. The original HTTP TRACE request contains the session cookie and so does the echoed response. The adversary's script picks the session cookie from the body of the HTTP TRACE response and ships it to the adversary. The adversary then uses the newly acquired victim's session cookie to impersonate the victim in the target system."
],
"x_capec_status": "Draft",
"x_capec_version": "3.2",
"type": "attack-pattern",
"id": "attack-pattern--f14acee3-770c-4154-a9b2-9eda908c6a9f"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2017-08-04T00:00:00.000Z",
"name": "coa-107-0",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"description": "Administrators should disable support for HTTP TRACE at the destination's web server. Vendors should disable TRACE by default.",
"type": "course-of-action",
"id": "course-of-action--16cc4cf6-75a8-41a1-bbc7-eff92929bc02"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2017-08-04T00:00:00.000Z",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"type": "relationship",
"id": "relationship--92929267-6931-47a1-b4dd-3fd1d012b7cf",
"source_ref": "course-of-action--16cc4cf6-75a8-41a1-bbc7-eff92929bc02",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--f14acee3-770c-4154-a9b2-9eda908c6a9f"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2017-08-04T00:00:00.000Z",
"name": "coa-107-1",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"description": "Patch web browser against known security origin policy bypass exploits.",
"type": "course-of-action",
"id": "course-of-action--db00ffba-8edb-4b26-be69-98de08e8b45c"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2017-08-04T00:00:00.000Z",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"type": "relationship",
"id": "relationship--eb4b5528-6e2e-4670-bfd3-983606f61020",
"source_ref": "course-of-action--db00ffba-8edb-4b26-be69-98de08e8b45c",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--f14acee3-770c-4154-a9b2-9eda908c6a9f"
},
{
"name": "Command Line Execution through SQL Injection",
"description": "An attacker uses standard SQL injection methods to inject data into the command line for execution. This could be done directly through misuse of directives such as MSSQL_xp_cmdshell or indirectly through injection of data into the database that would be interpreted as shell commands. Sometime later, an unscrupulous backend application (or a component of the same application) fetches the injected data stored in the database and uses this data as command line arguments without performing proper validation. The malicious data escapes the data plane by spawning new commands to be executed on the host.",
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"created": "2014-06-23T00:00:00.000Z",
"modified": "2017-08-04T00:00:00.000Z",
"external_references": [
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/108.html",
"external_id": "CAPEC-108"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/89.html",
"external_id": "CWE-89"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/74.html",
"external_id": "CWE-74"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/20.html",
"external_id": "CWE-20"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/78.html",
"external_id": "CWE-78"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/114.html",
"external_id": "CWE-114"
}
],
"x_capec_likelihood_of_attack": "Low",
"x_capec_typical_severity": "Very High",
"x_capec_prerequisites": [
"The application does not properly validate data before storing in the database",
"Backend application implicitly trusts the data stored in the database",
"Malicious data is used on the backend as a command line argument"
],
"x_capec_skills_required": {
"High": "The attacker most likely has to be familiar with the internal functionality of the system to launch this attack. Without that knowledge, there are not many feedback mechanisms to give an attacker the indication of how to perform command injection or whether the attack is succeeding."
},
"x_capec_resources_required": [
"None: No specialized resources are required to execute this type of attack."
],
"x_capec_consequences": {
"Integrity": [
"Modify Data",
"Execute Unauthorized Commands (Run Arbitrary Code)"
],
"Confidentiality": [
"Read Data",
"Gain Privileges",
"Execute Unauthorized Commands (Run Arbitrary Code)"
],
"Availability": [
"Unreliable Execution",
"Execute Unauthorized Commands (Run Arbitrary Code)"
],
"Access_Control": [
"Gain Privileges"
],
"Authorization": [
"Gain Privileges"
]
},
"x_capec_abstraction": "Detailed",
"x_capec_example_instances": [
"\n <xhtml:p>SQL injection vulnerability in Cacti 0.8.6i and earlier, when register_argc_argv is enabled, allows remote attackers to execute arbitrary SQL commands via the (1) second or (2) third arguments to cmd.php. NOTE: this issue can be leveraged to execute arbitrary commands since the SQL query results are later used in the polling_items array and popen function (CVE-2006-6799).</xhtml:p>\n <xhtml:p>Reference: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6799</xhtml:p>\n "
],
"x_capec_status": "Draft",
"x_capec_version": "3.2",
"type": "attack-pattern",
"id": "attack-pattern--89acf77d-723b-43b4-b66d-6eaafed52369"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2017-08-04T00:00:00.000Z",
"name": "coa-108-0",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"description": "Disable MSSQL xp_cmdshell directive on the database",
"type": "course-of-action",
"id": "course-of-action--d1918081-1fdb-428c-b1e3-8116e054620e"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2017-08-04T00:00:00.000Z",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"type": "relationship",
"id": "relationship--bb697224-7fb5-464b-bb81-e9cc28732c2d",
"source_ref": "course-of-action--d1918081-1fdb-428c-b1e3-8116e054620e",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--89acf77d-723b-43b4-b66d-6eaafed52369"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2017-08-04T00:00:00.000Z",
"name": "coa-108-1",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"description": "Properly validate the data (syntactically and semantically) before writing it to the database.",
"type": "course-of-action",
"id": "course-of-action--dad09427-e3ef-43e9-8424-cfb6594bedb2"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2017-08-04T00:00:00.000Z",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"type": "relationship",
"id": "relationship--06fffa19-8a09-4715-bf01-f67ec647d4fc",
"source_ref": "course-of-action--dad09427-e3ef-43e9-8424-cfb6594bedb2",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--89acf77d-723b-43b4-b66d-6eaafed52369"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2017-08-04T00:00:00.000Z",
"name": "coa-108-2",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"description": "Do not implicitly trust the data stored in the database. Re-validate it prior to usage to make sure that it is safe to use in a given context (e.g. as a command line argument).",
"type": "course-of-action",
"id": "course-of-action--901ac737-5a15-4ef1-be33-b2e36a8c50da"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2017-08-04T00:00:00.000Z",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"type": "relationship",
"id": "relationship--74092c9d-86c1-49c6-82cc-08e4da29ea92",
"source_ref": "course-of-action--901ac737-5a15-4ef1-be33-b2e36a8c50da",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--89acf77d-723b-43b4-b66d-6eaafed52369"
},
{
"name": "Object Relational Mapping Injection",
"description": "An attacker leverages a weakness present in the database access layer code generated with an Object Relational Mapping (ORM) tool or a weakness in the way that a developer used a persistence framework to inject his or her own SQL commands to be executed against the underlying database. The attack here is similar to plain SQL injection, except that the application does not use JDBC to directly talk to the database, but instead it uses a data access layer generated by an ORM tool or framework (e.g. Hibernate). While most of the time code generated by an ORM tool contains safe access methods that are immune to SQL injection, sometimes either due to some weakness in the generated code or due to the fact that the developer failed to use the generated access methods properly, SQL injection is still possible.",
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"created": "2014-06-23T00:00:00.000Z",
"modified": "2017-08-04T00:00:00.000Z",
"external_references": [
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/109.html",
"external_id": "CAPEC-109"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/20.html",
"external_id": "CWE-20"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/100.html",
"external_id": "CWE-100"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/89.html",
"external_id": "CWE-89"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/564.html",
"external_id": "CWE-564"
},
{
"source_name": "reference_from_CAPEC",
"description": "OWASP Testing Guide (v4 [DRAFT]), The Open Web Application Security Project (OWASP)",
"url": "http://www.owasp.org/index.php/Testing_for_ORM_Injection",
"external_id": "REF-4"
}
],
"x_capec_likelihood_of_attack": "Low",
"x_capec_typical_severity": "High",
"x_capec_prerequisites": [
"An application uses data access layer generated by an ORM tool or framework",
"An application uses user supplied data in queries executed against the database",
"The separation between data plane and control plane is not ensured, through either developer error or an underlying weakness in the data access layer code generation framework"
],
"x_capec_skills_required": {
"Medium": "Knowledge of general SQL injection techniques and subtleties of the ORM framework is needed"
},
"x_capec_resources_required": [
"None: No specialized resources are required to execute this type of attack."
],
"x_capec_consequences": {
"Integrity": [
"Modify Data",
"Execute Unauthorized Commands (Run Arbitrary Code)"
],
"Availability": [
"Unreliable Execution",
"Execute Unauthorized Commands (Run Arbitrary Code)"
],
"Confidentiality": [
"Read Data",
"Gain Privileges",
"Execute Unauthorized Commands (Run Arbitrary Code)"
],
"Access_Control": [
"Gain Privileges"
],
"Authorization": [
"Gain Privileges"
]
},
"x_capec_abstraction": "Detailed",
"x_capec_example_instances": [
"When using Hibernate, it is possible to use the session.find() method to run queries against the database. This is an overloaded method that provides facilities to perform binding between the supplied user data and place holders in the statically defined query. However, it is also possible to use the session.find() method without using any of these query binding overloads, hence effectively concatenating the user supplied data with rest of the SQL query, resulting in a possibility for SQL injection. While the framework may provide mechanisms to use methods immune to SQL injections, it may also contain ways that are not immune that may be chosen by the developer."
],
"x_capec_status": "Draft",
"x_capec_version": "3.2",
"type": "attack-pattern",
"id": "attack-pattern--f0e32d0e-9580-4b79-95e0-6e3b99bf6e45"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2017-08-04T00:00:00.000Z",
"name": "coa-109-0",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"description": "Understand how to use the data access methods generated by the ORM tool / framework properly, in a way that leverages the built-in security mechanisms of the framework.",
"type": "course-of-action",
"id": "course-of-action--fc27d692-9337-4434-bf26-3b58ffd7ab42"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2017-08-04T00:00:00.000Z",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"type": "relationship",
"id": "relationship--44a7c013-8531-4a05-b8fc-d49a59a09123",
"source_ref": "course-of-action--fc27d692-9337-4434-bf26-3b58ffd7ab42",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--f0e32d0e-9580-4b79-95e0-6e3b99bf6e45"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2017-08-04T00:00:00.000Z",
"name": "coa-109-1",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"description": "Keep up to date with security-relevant updates to the persistence framework used within your application.",
"type": "course-of-action",
"id": "course-of-action--d19890d1-f3ad-4940-851c-62729cd33bf5"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2017-08-04T00:00:00.000Z",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"type": "relationship",
"id": "relationship--d021b9f3-7bd8-4d7c-8e30-933d2cff35f6",
"source_ref": "course-of-action--d19890d1-f3ad-4940-851c-62729cd33bf5",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--f0e32d0e-9580-4b79-95e0-6e3b99bf6e45"
},
{
"name": "Cause Web Server Misclassification",
"description": "An attack of this type exploits a Web server's decision to take action based on filename or file extension. Because different file types are handled by different server processes, misclassification may force the Web server to take unexpected action, or expected actions in an unexpected sequence. This may cause the server to exhaust resources, supply debug or system data to the attacker, or bind an attacker to a remote process. This type of vulnerability has been found in many widely used servers including IIS, Lotus Domino, and Orion. The attacker's job in this case is straightforward: standard communication protocols and methods are used, and malicious information is generally appended at the tail end of an otherwise legitimate request. The attack payload varies, but it could be special characters like a period or simply appending a tag that has a special meaning for operations on the server side, like .jsp for a Java application server. The essence of this attack is that the attacker deceives the server into executing functionality based on the name of the request, i.e. login.jsp, not the contents.",
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"created": "2014-06-23T00:00:00.000Z",
"modified": "2019-04-04T00:00:00.000Z",
"external_references": [
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/11.html",
"external_id": "CAPEC-11"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/430.html",
"external_id": "CWE-430"
},
{
"source_name": "reference_from_CAPEC",
"description": "G. Hoglund, G. McGraw, Exploiting Software: How to Break Code, 2004--02, Addison-Wesley",
"external_id": "REF-1"
},
{
"source_name": "reference_from_CAPEC",
"description": "Orion Application Server JSP Source Disclosure Vulnerability (Bugtraq ID: 17204), SecurityFocus",
"url": "http://www.securityfocus.com/bid/17204/info",
"external_id": "REF-6"
}
],
"x_capec_likelihood_of_attack": "Medium",
"x_capec_typical_severity": "High",
"x_capec_prerequisites": [
"Web server software must rely on file name or file extension for processing.",
"The attacker must be able to make HTTP requests to the web server."
],
"x_capec_skills_required": {
"Low": "To modify file name or file extension",
"Medium": "To use misclassification to force the Web server to disclose configuration information, source, or binary data"
},
"x_capec_resources_required": [
"None: No specialized resources are required to execute this type of attack."
],
"x_capec_consequences": {
"Confidentiality": [
"Read Data",
"Gain Privileges"
],
"Access_Control": [
"Gain Privileges"
],
"Authorization": [
"Gain Privileges"
]
},
"x_capec_abstraction": "Detailed",
"x_capec_example_instances": [
"\n <xhtml:p>J2EE application servers are supposed to execute Java Server Pages (JSP). There have been disclosure issues relating to Orion Application Server, where an attacker that appends either a period (.) or space characters to the end of a legitimate Http request, then the server displays the full source code in the attackers' web browser.</xhtml:p>\n <xhtml:div style=\"margin-left:10px;\" class=\"attack\">http://victim.site/login.jsp.</xhtml:div>\n <xhtml:p>Since remote data and directory access may be accessed directly from the JSP, this is a potentially very serious issue.</xhtml:p>\n <xhtml:p>[R.11.2]</xhtml:p>\n "
],
"x_capec_status": "Draft",
"x_capec_version": "3.2",
"type": "attack-pattern",
"id": "attack-pattern--74a4fb36-83cb-4851-b09c-370f1a408523"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2019-04-04T00:00:00.000Z",
"name": "coa-11-0",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"description": "Implementation: Server routines should be determined by content, not by filename or file extension.",
"type": "course-of-action",
"id": "course-of-action--a2f0dd07-332e-41f6-951c-fa0994e302de"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2019-04-04T00:00:00.000Z",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"type": "relationship",
"id": "relationship--22b26b12-1eff-40ab-95ab-8de26f22b487",
"source_ref": "course-of-action--a2f0dd07-332e-41f6-951c-fa0994e302de",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--74a4fb36-83cb-4851-b09c-370f1a408523"
},
{
"name": "SQL Injection through SOAP Parameter Tampering",
"description": "An attacker modifies the parameters of the SOAP message that is sent from the service consumer to the service provider to initiate a SQL injection attack. On the service provider side, the SOAP message is parsed and parameters are not properly validated before being used to access a database in a way that does not use parameter binding, thus enabling the attacker to control the structure of the executed SQL query. This pattern describes a SQL injection attack with the delivery mechanism being a SOAP message.",
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"created": "2014-06-23T00:00:00.000Z",
"modified": "2017-08-04T00:00:00.000Z",
"external_references": [
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/110.html",
"external_id": "CAPEC-110"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/89.html",
"external_id": "CWE-89"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/20.html",
"external_id": "CWE-20"
}
],
"x_capec_likelihood_of_attack": "High",
"x_capec_typical_severity": "Very High",
"x_capec_prerequisites": [
"SOAP messages are used as a communication mechanism in the system",
"SOAP parameters are not properly validated at the service provider",
"The service provider does not properly utilize parameter binding when building SQL queries"
],
"x_capec_skills_required": {
"Medium": "If the attacker is able to gain good understanding of the system's database schema",
"High": "If the attacker has to perform SQL injection blindly"
},
"x_capec_resources_required": [
"None: No specialized resources are required to execute this type of attack."
],
"x_capec_consequences": {
"Integrity": [
"Modify Data",
"Execute Unauthorized Commands (Run Arbitrary Code)"
],
"Availability": [
"Unreliable Execution",
"Execute Unauthorized Commands (Run Arbitrary Code)"
],
"Confidentiality": [
"Read Data",
"Gain Privileges",
"Execute Unauthorized Commands (Run Arbitrary Code)"
],
"Access_Control": [
"Gain Privileges"
],
"Authorization": [
"Gain Privileges"
]
},
"x_capec_abstraction": "Detailed",
"x_capec_example_instances": [
"An attacker uses a travel booking system that leverages SOAP communication between the client and the travel booking service. An attacker begins to tamper with the outgoing SOAP messages by modifying their parameters to include characters that would break a dynamically constructed SQL query. He notices that the system fails to respond when these malicious inputs are injected in certain parameters transferred in a SOAP message. The attacker crafts a SQL query that modifies his payment amount in the travel system's database and passes it as one of the parameters. A backend batch payment system later fetches the payment amount from the database (the modified payment amount) and sends it to the credit card processor, enabling the attacker to purchase the airfare at a lower price. An attacker needs to have some knowledge of the system's database, perhaps by exploiting another weakness that results in information disclosure."
],
"x_capec_status": "Draft",
"x_capec_version": "3.2",
"type": "attack-pattern",
"id": "attack-pattern--7c90bef7-530c-427b-8fb7-f9d3eda9c26a"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2017-08-04T00:00:00.000Z",
"name": "coa-110-0",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"description": "Properly validate and sanitize/reject user input at the service provider.",
"type": "course-of-action",
"id": "course-of-action--b95cd192-7218-4771-85a6-6d6359c63b34"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2017-08-04T00:00:00.000Z",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"type": "relationship",
"id": "relationship--a3a9b355-487c-4cfd-904c-055007648f78",
"source_ref": "course-of-action--b95cd192-7218-4771-85a6-6d6359c63b34",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--7c90bef7-530c-427b-8fb7-f9d3eda9c26a"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2017-08-04T00:00:00.000Z",
"name": "coa-110-1",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"description": "Ensure that prepared statements or another mechanism that enables parameter binding are used when accessing the database, in a way that prevents the attacker's supplied data from controlling the structure of the executed query.",
"type": "course-of-action",
"id": "course-of-action--b4508bd0-d52b-4b82-b35c-ba342a6d024b"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2017-08-04T00:00:00.000Z",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"type": "relationship",
"id": "relationship--ecba2a2e-f73d-4937-9f4e-d8650932e41a",
"source_ref": "course-of-action--b4508bd0-d52b-4b82-b35c-ba342a6d024b",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--7c90bef7-530c-427b-8fb7-f9d3eda9c26a"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2017-08-04T00:00:00.000Z",
"name": "coa-110-2",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"description": "At the database level, ensure that the database user used by the application in a particular context has the minimum database privileges needed to perform the operation. When possible, run queries against pre-generated views rather than the tables directly.",
"type": "course-of-action",
"id": "course-of-action--58d0cbaa-2fda-4d1c-bbe1-8405dc79acbb"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2017-08-04T00:00:00.000Z",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"type": "relationship",
"id": "relationship--c0ab5963-a4b2-4dab-aeee-924ec742c54a",
"source_ref": "course-of-action--58d0cbaa-2fda-4d1c-bbe1-8405dc79acbb",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--7c90bef7-530c-427b-8fb7-f9d3eda9c26a"
},
{
"name": "JSON Hijacking (aka JavaScript Hijacking)",
"description": "An attacker targets a system that uses JavaScript Object Notation (JSON) as a transport mechanism between the client and the server (common in Web 2.0 systems using AJAX) to steal possibly confidential information transmitted from the server back to the client inside the JSON object, by taking advantage of the loophole in the browser's Same Origin Policy that does not prohibit JavaScript from one website from being included and executed in the context of another website. An attacker gets the victim to visit his or her malicious page that contains a script tag whose source points to the vulnerable system with a URL that requests a response from the server containing a JSON object with possibly confidential information. The malicious page also contains malicious code to capture the JSON object returned by the server before any other processing on it can take place, typically by overriding the JavaScript function used to create new objects. This hook allows the malicious code to get access to the creation of each object and transmit the possibly sensitive contents of the captured JSON object to the attacker's server. There is nothing in the browser's security model to prevent the attacker's malicious JavaScript code (originating from the attacker's domain) from setting up an environment (as described above) to intercept a JSON object response (coming from the vulnerable target system's domain), read its contents and transmit them to the attacker-controlled site. The same origin policy protects the document object model (DOM), but not the JSON.",
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"created": "2014-06-23T00:00:00.000Z",
"modified": "2019-09-30T00:00:00.000Z",
"external_references": [
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/111.html",
"external_id": "CAPEC-111"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/345.html",
"external_id": "CWE-345"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/346.html",
"external_id": "CWE-346"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/352.html",
"external_id": "CWE-352"
}
],
"x_capec_likelihood_of_attack": "High",
"x_capec_typical_severity": "High",
"x_capec_prerequisites": [
"JSON is used as a transport mechanism between the client and the server",
"The target server cannot differentiate real requests from forged requests",
"The JSON object returned from the server can be accessed by the attackers' malicious code via a script tag"
],
"x_capec_skills_required": {
"Medium": "Once this attack pattern is developed and understood, creating an exploit is not very complex. The attacker needs to have knowledge of the URLs that need to be accessed on the target system to request the JSON objects."
},
"x_capec_resources_required": [
"None: No specialized resources are required to execute this type of attack."
],
"x_capec_consequences": {
"Confidentiality": [
"Read Data"
]
},
"x_capec_abstraction": "Standard",
"x_capec_example_instances": [
"\n <xhtml:p>Gmail service was found to be vulnerable to a JSON Hijacking attack that enabled an attacker to get the contents of the victim's address book. An attacker could send an e-mail to the victim's Gmail account (which ensures that the victim is logged in to Gmail when he or she receives it) with a link to the attackers' malicious site. If the victim clicked on the link, a request (containing the victim's authenticated session cookie) would be sent to the Gmail servers to fetch the victim's address book. This functionality is typically used by the Gmail service to get this data on the fly so that the user can be provided a list of contacts from which to choose the recipient of the e-mail.</xhtml:p>\n <xhtml:p>When the JSON object with the contacts came back, it was loaded into the JavaScript space via a script tag on the attackers' malicious page. Since the JSON object was never assigned to a local variable (which would have prevented a script from a different domain accessing it due to the browser's same origin policy), another mechanism was needed to access the data that it contained. That mechanism was overwriting the internal array constructor with the attackers' own constructor in order to gain access to the JSON object's contents. These contents could then be transferred to the site controlled by the attacker.</xhtml:p>\n "
],
"x_capec_status": "Draft",
"x_capec_version": "3.2",
"type": "attack-pattern",
"id": "attack-pattern--5b2d7149-c0f3-4b42-9c10-febe7dfd3ea5"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2019-09-30T00:00:00.000Z",
"name": "coa-111-0",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"description": "Ensure that server side code can differentiate between legitimate requests and forged requests. The solution is similar to protection against Cross Site Request Forgery (CSRF), which is to use a hard to guess random nonce (that is unique to the victim's session with the server) that the attacker has no way of knowing (at least in the absence of other weaknesses). Each request from the client to the server should contain this nonce and the server should reject all requests that do not contain the nonce.",
"type": "course-of-action",
"id": "course-of-action--f87b1daf-edf4-4fb0-bc8e-a042d0c2d43e"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2019-09-30T00:00:00.000Z",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"type": "relationship",
"id": "relationship--739ac6c9-0bf4-4b2b-80c8-407013b2e9fa",
"source_ref": "course-of-action--f87b1daf-edf4-4fb0-bc8e-a042d0c2d43e",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--5b2d7149-c0f3-4b42-9c10-febe7dfd3ea5"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2019-09-30T00:00:00.000Z",
"name": "coa-111-1",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"description": "On the client side, the system's design could make it difficult to get access to the JSON object content via the script tag. Since the JSON object is never assigned locally to a variable, it cannot be readily modified by the attacker before being used by a script tag. For instance, if while(1) was added to the beginning of the JavaScript returned by the server, trying to access it with a script tag would result in an infinite loop. On the other hand, legitimate client side code can remove the while(1) statement after which the JavaScript can be evaluated. A similar result can be achieved by surrounding the returned JavaScript with comment tags, or using other similar techniques (e.g. wrapping the JavaScript with HTML tags).",
"type": "course-of-action",
"id": "course-of-action--00b17d50-1313-4019-81d7-ac8cfda42439"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2019-09-30T00:00:00.000Z",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"type": "relationship",
"id": "relationship--0b7db0b5-d1c4-48fa-aef5-d966935fecc5",
"source_ref": "course-of-action--00b17d50-1313-4019-81d7-ac8cfda42439",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--5b2d7149-c0f3-4b42-9c10-febe7dfd3ea5"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2019-09-30T00:00:00.000Z",
"name": "coa-111-2",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"description": "Make the URLs in the system used to retrieve JSON objects unpredictable and unique for each user session.",
"type": "course-of-action",
"id": "course-of-action--9085eee9-2f7e-4b3b-bbea-dbc4f0d0044f"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2019-09-30T00:00:00.000Z",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"type": "relationship",
"id": "relationship--ce344fe2-2f03-491f-a465-a5e7578ca3aa",
"source_ref": "course-of-action--9085eee9-2f7e-4b3b-bbea-dbc4f0d0044f",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--5b2d7149-c0f3-4b42-9c10-febe7dfd3ea5"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2019-09-30T00:00:00.000Z",
"name": "coa-111-3",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"description": "Ensure that to the extent possible, no sensitive data is passed from the server to the client via JSON objects. JavaScript was never intended to play that role, hence the same origin policy does not adequately address this scenario.",
"type": "course-of-action",
"id": "course-of-action--ec731c48-7174-45e1-85e5-b82150c25e2f"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2019-09-30T00:00:00.000Z",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"type": "relationship",
"id": "relationship--ccdf4c19-dc2a-46b4-b444-b78da5d0300f",
"source_ref": "course-of-action--ec731c48-7174-45e1-85e5-b82150c25e2f",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--5b2d7149-c0f3-4b42-9c10-febe7dfd3ea5"
},
{
"name": "Brute Force",
"description": "In this attack, some asset (information, functionality, identity, etc.) is protected by a finite secret value. The attacker attempts to gain access to this asset by using trial-and-error to exhaustively explore all the possible secret values in the hope of finding the secret (or a value that is functionally equivalent) that will unlock the asset. Examples of secrets can include, but are not limited to, passwords, encryption keys, database lookup keys, and initial values to one-way functions. The key factor in this attack is the attackers' ability to explore the possible secret space rapidly. This, in turn, is a function of the size of the secret space and the computational power the attacker is able to bring to bear on the problem. If the attacker has modest resources and the secret space is large, the challenge facing the attacker is intractable. While the defender cannot control the resources available to an attacker, they can control the size of the secret space. Creating a large secret space involves selecting one's secret from as large a field of equally likely alternative secrets as possible and ensuring that an attacker is unable to reduce the size of this field using available clues or cryptanalysis. Doing this is more difficult than it sounds since elimination of patterns (which, in turn, would provide an attacker clues that would help them reduce the space of potential secrets) is difficult to do using deterministic machines, such as computers. Assuming a finite secret space, a brute force attack will eventually succeed. The defender must rely on making sure that the time and resources necessary to do so will exceed the value of the information. For example, a secret space that will likely take hundreds of years to explore is likely safe from raw brute force attacks.",
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"created": "2014-06-23T00:00:00.000Z",
"modified": "2017-08-04T00:00:00.000Z",
"external_references": [
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/112.html",
"external_id": "CAPEC-112"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/330.html",
"external_id": "CWE-330"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/326.html",
"external_id": "CWE-326"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/521.html",
"external_id": "CWE-521"
}
],
"x_capec_typical_severity": "High",
"x_capec_prerequisites": [
"The attacker must be able to determine when they have successfully guessed the secret. As such, one-time pads are immune to this type of attack since there is no way to determine when a guess is correct."
],
"x_capec_skills_required": {
"Low": "The attack simply requires basic scripting ability to automate the exploration of the search space. More sophisticated attackers may be able to use more advanced methods to reduce the search space and increase the speed with which the secret is located."
},
"x_capec_resources_required": [
"None: No specialized resources are required to execute this type of attack. Ultimately, the speed with which an attacker discovers a secret is directly proportional to the computational resources the attacker has at their disposal. This attack method is resource expensive: having large amounts of computational power does not guarantee timely success, but having only minimal resources makes the problem intractable against all but the weakest secret selection procedures."
],
"x_capec_consequences": {
"Confidentiality": [
"Read Data",
"Gain Privileges"
],
"Access_Control": [
"Gain Privileges"
],
"Authorization": [
"Gain Privileges"
]
},
"x_capec_abstraction": "Meta",
"x_capec_status": "Draft",
"x_capec_version": "3.2",
"type": "attack-pattern",
"id": "attack-pattern--7b423196-9de6-400f-91de-a1f26b3f19f1"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2017-08-04T00:00:00.000Z",
"name": "coa-112-0",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"description": "Select a provably large secret space for selection of the secret. Provably large means that the procedure by which the secret is selected does not have artifacts that significantly reduce the size of the total secret space.",
"type": "course-of-action",
"id": "course-of-action--6863b358-1e48-48e0-b084-56c5cc603fb4"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2017-08-04T00:00:00.000Z",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"type": "relationship",
"id": "relationship--cc237ef1-9283-4680-b8d0-9ef4a0cf8147",
"source_ref": "course-of-action--6863b358-1e48-48e0-b084-56c5cc603fb4",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--7b423196-9de6-400f-91de-a1f26b3f19f1"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2017-08-04T00:00:00.000Z",
"name": "coa-112-1",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"description": "Do not provide the means for an attacker to determine success independently. This forces the attacker to check their guesses against an external authority, which can slow the attack and warn the defender. This mitigation may not be possible if testing material must appear externally, such as with a transmitted cryptotext.",
"type": "course-of-action",
"id": "course-of-action--4cce5adb-bd38-46a1-b756-9c85290ad8e7"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2017-08-04T00:00:00.000Z",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"type": "relationship",
"id": "relationship--720b2d97-9125-482c-b7b3-c17acce30c06",
"source_ref": "course-of-action--4cce5adb-bd38-46a1-b756-9c85290ad8e7",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--7b423196-9de6-400f-91de-a1f26b3f19f1"
},
{
"name": "API Manipulation",
"description": "An adversary manipulates the use or processing of an Application Programming Interface (API) resulting in an adverse impact upon the security of the system implementing the API. This can allow the adversary to execute functionality not intended by the API implementation, possibly compromising the system which integrates the API. API manipulation can take on a number of forms including forcing the unexpected use of an API, or the use of an API in an unintended way. For example, an adversary may make a request to an application that leverages a non-standard API that is known to incorrectly validate its data and thus it may be manipulated by supplying metacharacters or alternate encodings as input, resulting in any number of injection flaws, including SQL injection, cross-site scripting, or command execution. Another example could be API methods that should be disabled in a production application but were not, thus exposing dangerous functionality within a production environment.",
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"created": "2014-06-23T00:00:00.000Z",
"modified": "2017-05-01T00:00:00.000Z",
"external_references": [
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/113.html",
"external_id": "CAPEC-113"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/227.html",
"external_id": "CWE-227"
}
],
"x_capec_likelihood_of_attack": "Medium",
"x_capec_typical_severity": "Medium",
"x_capec_prerequisites": [
"The target system must expose API functionality in a manner that can be discovered and manipulated by an adversary. This may require reverse engineering the API syntax or decrypting/de-obfuscating client-server exchanges."
],
"x_capec_resources_required": [
"The requirements vary depending upon the nature of the API. For application-layer APIs related to the processing of the HTTP protocol, one or more of the following may be needed: a MITM (Man-In-The-Middle) proxy, a web browser, or a programming/scripting language."
],
"x_capec_abstraction": "Meta",
"x_capec_status": "Stable",
"x_capec_version": "3.2",
"type": "attack-pattern",
"id": "attack-pattern--f4186110-0c20-42fa-bc6f-d0ff9f700f91"
},
{
"name": "Authentication Abuse",
"description": "An attacker obtains unauthorized access to an application, service or device either through knowledge of the inherent weaknesses of an authentication mechanism, or by exploiting a flaw in the authentication scheme's implementation. In such an attack an authentication mechanism is functioning but a carefully controlled sequence of events causes the mechanism to grant access to the attacker. This attack may exploit assumptions made by the target's authentication procedures, such as assumptions regarding trust relationships or assumptions regarding the generation of secret values. This attack differs from Authentication Bypass attacks in that Authentication Abuse allows the attacker to be certified as a valid user through illegitimate means, while Authentication Bypass allows the user to access protected material without ever being certified as an authenticated user. This attack does not rely on prior sessions established by successfully authenticating users, as relied upon for the \"Exploitation of Session Variables, Resource IDs and other Trusted Credentials\" attack patterns.",
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"created": "2014-06-23T00:00:00.000Z",
"modified": "2015-11-09T00:00:00.000Z",
"external_references": [
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/114.html",
"external_id": "CAPEC-114"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/287.html",
"external_id": "CWE-287"
}
],
"x_capec_typical_severity": "Medium",
"x_capec_prerequisites": [
"An authentication mechanism or subsystem implementing some form of authentication such as passwords, digest authentication, security certificates, etc. which is flawed in some way."
],
"x_capec_resources_required": [
"A client application, command-line access to a binary, or scripting language capable of interacting with the authentication mechanism."
],
"x_capec_abstraction": "Meta",
"x_capec_status": "Draft",
"x_capec_version": "3.2",
"type": "attack-pattern",
"id": "attack-pattern--2e2ed1f8-f736-4fc9-83bc-308595fc6e03"
},
{
"name": "Authentication Bypass",
"description": "An attacker gains access to an application, service, or device with the privileges of an authorized or privileged user by evading or circumventing an authentication mechanism. The attacker is therefore able to access protected data without authentication ever having taken place. This refers to an attacker gaining access equivalent to an authenticated user without ever going through an authentication procedure. This is usually the result of the attacker using an unexpected access procedure that does not go through the proper checkpoints where authentication should occur. For example, a web site might assume that all users will click through a given link in order to get to secure material and simply authenticate everyone that clicks the link. However, an attacker might be able to reach secured web content by explicitly entering the path to the content rather than clicking through the authentication link, thereby avoiding the check entirely. This attack pattern differs from other authentication attacks in that attacks of this pattern avoid authentication entirely, rather than faking authentication by exploiting flaws or by stealing credentials from legitimate users.",
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"created": "2014-06-23T00:00:00.000Z",
"modified": "2017-08-04T00:00:00.000Z",
"external_references": [
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/115.html",
"external_id": "CAPEC-115"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/287.html",
"external_id": "CWE-287"
}
],
"x_capec_typical_severity": "Medium",
"x_capec_prerequisites": [
"An authentication mechanism or subsystem implementing some form of authentication such as passwords, digest authentication, security certificates, etc."
],
"x_capec_resources_required": [
"A client application, such as a web browser, or a scripting language capable of interacting with the target."
],
"x_capec_abstraction": "Meta",
"x_capec_status": "Draft",
"x_capec_version": "3.2",
"type": "attack-pattern",
"id": "attack-pattern--8f665166-dfd1-40cb-91e8-b78bee1ceb6a"
},
{
"name": "Excavation",
"description": "An adversary actively probes the target in a manner that is designed to solicit information that could be leveraged for malicious purposes. This is achieved by exploring the target via ordinary interactions for the purpose of gathering intelligence about the target, or by sending data that is syntactically invalid or non-standard in an attempt to produce a response that contains the desired data. As a result of these interactions, the adversary is able to obtain information from the target that aids the attacker in making inferences about its security, configuration, or potential vulnerabilities. Exemplar exchanges with the target may trigger unhandled exceptions or verbose error messages that reveal information like stack traces, configuration information, path information, or database design. This type of attack also includes the manipulation of query strings in a URI to produce invalid SQL queries, or by trying alternative path values in the hope that the server will return useful information.",
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"created": "2014-06-23T00:00:00.000Z",
"modified": "2017-05-01T00:00:00.000Z",
"external_references": [
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/116.html",
"external_id": "CAPEC-116"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/200.html",
"external_id": "CWE-200"
}
],
"x_capec_likelihood_of_attack": "High",
"x_capec_typical_severity": "Medium",
"x_capec_prerequisites": [
"An adversary requires some way of interacting with the system."
],
"x_capec_resources_required": [
"A tool, such as a MITM Proxy or a fuzzer, that is capable of generating and injecting custom inputs to be used in the attack."
],
"x_capec_consequences": {
"Confidentiality": [
"Read Data"
]
},
"x_capec_abstraction": "Meta",
"x_capec_status": "Stable",
"x_capec_version": "3.2",
"type": "attack-pattern",
"id": "attack-pattern--913426fa-ea1f-43b0-8492-1d363ea109d6"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2017-05-01T00:00:00.000Z",
"name": "coa-116-0",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"description": "Minimize error/response output to only what is necessary for functional use or corrective language.",
"type": "course-of-action",
"id": "course-of-action--b173381f-e049-4ddb-b252-3cd3e9860f04"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2017-05-01T00:00:00.000Z",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"type": "relationship",
"id": "relationship--fd9e7627-0b39-4948-90a3-d4d2f54da8d8",
"source_ref": "course-of-action--b173381f-e049-4ddb-b252-3cd3e9860f04",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--913426fa-ea1f-43b0-8492-1d363ea109d6"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2017-05-01T00:00:00.000Z",
"name": "coa-116-1",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"description": "Remove potentially sensitive information that is not necessary for the application's functionality.",
"type": "course-of-action",
"id": "course-of-action--f79678b2-0a62-418a-907b-5e73dd03e3bc"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2017-05-01T00:00:00.000Z",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"type": "relationship",
"id": "relationship--1a976d5b-38ec-4508-8329-3a6a82d44d97",
"source_ref": "course-of-action--f79678b2-0a62-418a-907b-5e73dd03e3bc",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--913426fa-ea1f-43b0-8492-1d363ea109d6"
},
{
"name": "Interception",
"description": "An adversary monitors data streams to or from the target for information gathering purposes. This attack may be undertaken to solely gather sensitive information or to support a further attack against the target. This attack pattern can involve sniffing network traffic as well as other types of data streams (e.g. radio). The adversary can attempt to initiate the establishment of a data stream or passively observe the communications as they unfold. In all variants of this attack, the adversary is not the intended recipient of the data stream. In contrast to other means of gathering information (e.g., targeting data leaks), the adversary must actively position himself so as to observe explicit data channels (e.g. network traffic) and read the content. However, this attack differs from a Man-In-the-Middle (MITM) attack, as the adversary does not alter the content of the communications nor forward data to the intended recipient.",
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"created": "2014-06-23T00:00:00.000Z",
"modified": "2019-09-30T00:00:00.000Z",
"external_references": [
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/117.html",
"external_id": "CAPEC-117"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/319.html",
"external_id": "CWE-319"
}
],
"x_capec_likelihood_of_attack": "Low",
"x_capec_typical_severity": "Medium",
"x_capec_prerequisites": [
"The target must transmit data over a medium that is accessible to the adversary."
],
"x_capec_resources_required": [
"The adversary must have the necessary technology to intercept information passing between the nodes of a network. For TCP/IP, the capability to run tcpdump, ethereal, etc. can be useful. Depending upon the data being targeted the technological requirements will change."
],
"x_capec_consequences": {
"Confidentiality": [
"Read Data"
]
},
"x_capec_abstraction": "Meta",
"x_capec_status": "Stable",
"x_capec_version": "3.2",
"type": "attack-pattern",
"id": "attack-pattern--bdc2219a-ebe0-4372-90b8-841dd7bd4c8e"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2019-09-30T00:00:00.000Z",
"name": "coa-117-0",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"description": "Leverage encryption to encode the transmission of data thus making it accessible only to authorized parties.",
"type": "course-of-action",
"id": "course-of-action--2e4a2bce-d5ab-429d-91d4-b26c22f7f02b"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2019-09-30T00:00:00.000Z",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"type": "relationship",
"id": "relationship--859073fb-487f-4a31-b50e-4cceb762f731",
"source_ref": "course-of-action--2e4a2bce-d5ab-429d-91d4-b26c22f7f02b",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--bdc2219a-ebe0-4372-90b8-841dd7bd4c8e"
},
{
"name": "Choosing Message Identifier",
"description": "This pattern of attack is defined by the selection of messages distributed via multicast or public information channels that are intended for another client by determining the parameter value assigned to that client. This attack allows the adversary to gain access to potentially privileged information, and to possibly perpetrate other attacks through the distribution means by impersonation. If the channel/message being manipulated is an input rather than output mechanism for the system (such as a command bus), this style of attack could be used to change the adversary's identifier to a more privileged one.",
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"created": "2014-06-23T00:00:00.000Z",
"modified": "2015-12-07T00:00:00.000Z",
"external_references": [
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/12.html",
"external_id": "CAPEC-12"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/201.html",
"external_id": "CWE-201"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/306.html",
"external_id": "CWE-306"
}
],
"x_capec_likelihood_of_attack": "High",
"x_capec_typical_severity": "High",
"x_capec_prerequisites": [
"Information and client-sensitive (and client-specific) data must be present through a distribution channel available to all users.",
"Distribution means must code (through channel, message identifiers, or convention) message destination in a manner visible within the distribution means itself (such as a control channel) or in the messages themselves."
],
"x_capec_skills_required": {
"Low": "All the attacker needs to discover is the format of the messages on the channel/distribution means and the particular identifier used within the messages."
},
"x_capec_resources_required": [
"The Attacker needs the ability to control source code or application configuration responsible for selecting which message/channel id is absorbed from the public distribution means."
],
"x_capec_consequences": {
"Confidentiality": [
"Read Data",
"Gain Privileges"
],
"Access_Control": [
"Gain Privileges"
],
"Authorization": [
"Gain Privileges"
]
},
"x_capec_abstraction": "Standard",
"x_capec_example_instances": [
"A certain B2B interface on a large application codes for messages passed over an MQSeries queue, on a single \"Partners\" channel. Messages on that channel code for their client destination based on a partner_ID field, held by each message. That field is a simple integer. Attackers having access to that channel, perhaps a particularly nosey partner, can simply choose to store messages of another partner's ID and read them as they desire. Note that authentication does not prevent a partner from leveraging this attack on other partners. It simply disallows Attackers without partner status from conducting this attack."
],
"x_capec_status": "Draft",
"x_capec_version": "3.2",
"type": "attack-pattern",
"id": "attack-pattern--d9904019-98fa-4beb-ae5a-f667e516269e"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2015-12-07T00:00:00.000Z",
"name": "coa-12-0",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"description": "\n <xhtml:p>Associate some ACL (in the form of a token) with an authenticated user which they provide to middleware. The middleware uses this token as part of its channel/message selection for that client, or part of a discerning authorization decision for privileged channels/messages.</xhtml:p>\n <xhtml:p>The purpose is to architect the system in a way that associates proper authentication/authorization with each channel/message.</xhtml:p>\n ",
"type": "course-of-action",
"id": "course-of-action--a9ab8b72-4e44-4c81-bf44-e366ff5503d4"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2015-12-07T00:00:00.000Z",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"type": "relationship",
"id": "relationship--3057788f-a10c-42ba-86f8-673bdaa92ba0",
"source_ref": "course-of-action--a9ab8b72-4e44-4c81-bf44-e366ff5503d4",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--d9904019-98fa-4beb-ae5a-f667e516269e"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2015-12-07T00:00:00.000Z",
"name": "coa-12-1",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"description": "Re-architect system input/output channels as appropriate to distribute self-protecting data. That is, encrypt (or otherwise protect) channels/messages so that only authorized readers can see them.",
"type": "course-of-action",
"id": "course-of-action--dcc7f9fa-ae3e-4b43-ae71-e3c7a72ea187"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2015-12-07T00:00:00.000Z",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"type": "relationship",
"id": "relationship--8d1d83e8-400f-438d-a941-c0692758395f",
"source_ref": "course-of-action--dcc7f9fa-ae3e-4b43-ae71-e3c7a72ea187",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--d9904019-98fa-4beb-ae5a-f667e516269e"
},
{
"name": "Double Encoding",
"description": "The adversary utilizes a repeating of the encoding process for a set of characters (that is, character encoding a character encoding of a character) to obfuscate the payload of a particular request. This may allow the adversary to bypass filters that attempt to detect illegal characters or strings, such as those that might be used in traversal or injection attacks. Filters may be able to catch illegal encoded strings, but may not catch doubly encoded strings. For example, a dot (.), often used in path traversal attacks and therefore often blocked by filters, could be URL encoded as %2E. However, many filters recognize this encoding and would still block the request. In a double encoding, the % in the above URL encoding would be encoded again as %25, resulting in %252E which some filters might not catch, but which could still be interpreted as a dot (.) by interpreters on the target.",
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"created": "2014-06-23T00:00:00.000Z",
"modified": "2018-07-31T00:00:00.000Z",
"external_references": [
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/120.html",
"external_id": "CAPEC-120"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/173.html",
"external_id": "CWE-173"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/172.html",
"external_id": "CWE-172"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/177.html",
"external_id": "CWE-177"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/181.html",
"external_id": "CWE-181"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/171.html",
"external_id": "CWE-171"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/183.html",
"external_id": "CWE-183"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/184.html",
"external_id": "CWE-184"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/21.html",
"external_id": "CWE-21"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/74.html",
"external_id": "CWE-74"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/20.html",
"external_id": "CWE-20"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/697.html",
"external_id": "CWE-697"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/692.html",
"external_id": "CWE-692"
}
],
"x_capec_likelihood_of_attack": "Low",
"x_capec_typical_severity": "Medium",
"x_capec_prerequisites": [
"The target's filters must fail to detect that a character has been doubly encoded but its interpreting engine must still be able to convert a doubly encoded character to an un-encoded character.",
"The application accepts and decodes URL string requests.",
"The application performs insufficient filtering/canonicalization on the URLs."
],
"x_capec_resources_required": [
"Tools that automate encoding of data can assist the adversary in generating encoded strings."
],
"x_capec_abstraction": "Detailed",
"x_capec_example_instances": [
"\n <xhtml:p>Double Encoding attacks can often be used to bypass Cross Site Scripting (XSS) detection and execute XSS attacks:</xhtml:p>\n <xhtml:div style=\"margin-left:10px;\" class=\"attack\">%253Cscript%253Ealert('This is an XSS Attack')%253C%252Fscript%253E</xhtml:div>\n <xhtml:p>Since <, >, and / are often used to perform web attacks, these may be captured by XSS filters. The use of double encoding prevents the filter from working as intended and allows the XSS to bypass detection. This can allow an adversary to execute malicious code.</xhtml:p>\n "
],
"x_capec_status": "Draft",
"x_capec_version": "3.2",
"type": "attack-pattern",
"id": "attack-pattern--fb506d15-6cda-4669-8fc2-fb41061099d9"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2018-07-31T00:00:00.000Z",
"name": "coa-120-0",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"description": "Assume all input is malicious. Create a white list that defines all valid input to the software system based on the requirements specifications. Input that does not match against the white list should not be permitted to enter into the system. Test your decoding process against malicious input.",
"type": "course-of-action",
"id": "course-of-action--c78bca10-c532-42ea-a5b0-cf7e8d7b5979"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2018-07-31T00:00:00.000Z",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"type": "relationship",
"id": "relationship--29d639c4-120e-4e3b-95df-39fa37910a0d",
"source_ref": "course-of-action--c78bca10-c532-42ea-a5b0-cf7e8d7b5979",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--fb506d15-6cda-4669-8fc2-fb41061099d9"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2018-07-31T00:00:00.000Z",
"name": "coa-120-1",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"description": "Be aware of the threat of alternative methods of data encoding and obfuscation techniques such as IP address encoding.",
"type": "course-of-action",
"id": "course-of-action--1b63d492-1270-4630-97ef-521ac9d05eec"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2018-07-31T00:00:00.000Z",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"type": "relationship",
"id": "relationship--cfa73c3f-86a6-476f-aab5-335c5f41f2ac",
"source_ref": "course-of-action--1b63d492-1270-4630-97ef-521ac9d05eec",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--fb506d15-6cda-4669-8fc2-fb41061099d9"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2018-07-31T00:00:00.000Z",
"name": "coa-120-2",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"description": "When client input is required from web-based forms, avoid using the \"GET\" method to submit data, as the method causes the form data to be appended to the URL and is easily manipulated. Instead, use the \"POST\" method whenever possible.",
"type": "course-of-action",
"id": "course-of-action--95ef6587-c787-4051-b664-b5e8ca753c20"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2018-07-31T00:00:00.000Z",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"type": "relationship",
"id": "relationship--6e482c72-7993-4ddf-8fca-22de8312c642",
"source_ref": "course-of-action--95ef6587-c787-4051-b664-b5e8ca753c20",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--fb506d15-6cda-4669-8fc2-fb41061099d9"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2018-07-31T00:00:00.000Z",
"name": "coa-120-3",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"description": "Any security checks should occur after the data has been decoded and validated as the correct data format. Do not repeat the decoding process; if bad characters are left after the decoding process, treat the data as suspicious and fail the validation process.",
"type": "course-of-action",
"id": "course-of-action--3833d761-4a54-4ed3-994b-c7c76c465ae0"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2018-07-31T00:00:00.000Z",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"type": "relationship",
"id": "relationship--ba444e1f-3d84-4501-b9c6-09b06a824f96",
"source_ref": "course-of-action--3833d761-4a54-4ed3-994b-c7c76c465ae0",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--fb506d15-6cda-4669-8fc2-fb41061099d9"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2018-07-31T00:00:00.000Z",
"name": "coa-120-4",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"description": "Refer to the RFCs to safely decode URLs.",
"type": "course-of-action",
"id": "course-of-action--1f048925-3094-483c-abf2-c5efe689193a"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2018-07-31T00:00:00.000Z",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"type": "relationship",
"id": "relationship--11ad9490-5c2d-4430-8ecc-b0740ebc3c54",
"source_ref": "course-of-action--1f048925-3094-483c-abf2-c5efe689193a",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--fb506d15-6cda-4669-8fc2-fb41061099d9"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2018-07-31T00:00:00.000Z",
"name": "coa-120-5",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"description": "Regular expressions can be used to match safe URL patterns. However, that may discard valid URL requests if the regular expression is too restrictive.",
"type": "course-of-action",
"id": "course-of-action--1890182c-6989-4e34-bfb2-92b223bcae0c"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2018-07-31T00:00:00.000Z",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"type": "relationship",
"id": "relationship--0f1b0725-8a4f-49f1-9954-eb67b0182990",
"source_ref": "course-of-action--1890182c-6989-4e34-bfb2-92b223bcae0c",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--fb506d15-6cda-4669-8fc2-fb41061099d9"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2018-07-31T00:00:00.000Z",
"name": "coa-120-6",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"description": "There are tools to scan HTTP requests to the server for valid URL such as URLScan from Microsoft (http://www.microsoft.com/technet/security/tools/urlscan.mspx).",
"type": "course-of-action",
"id": "course-of-action--24852297-758a-489f-b2c9-a27cbfbb938e"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2018-07-31T00:00:00.000Z",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"type": "relationship",
"id": "relationship--be25410a-e03c-4307-88da-60d4e71e7f4d",
"source_ref": "course-of-action--24852297-758a-489f-b2c9-a27cbfbb938e",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--fb506d15-6cda-4669-8fc2-fb41061099d9"
},
{
"name": "Exploit Test APIs",
"description": "An attacker exploits a sample, demonstration, or test API that is insecure by default and should not be resident on production systems. Some applications include APIs that are intended to allow an administrator to test and refine their domain. These APIs should usually be disabled once a system enters a production environment. Testing APIs may expose a great deal of diagnostic information intended to aid an administrator, but which can also be used by an attacker to further refine their attack. Moreover, testing APIs may not have adequate security controls or may not have undergone rigorous testing since they were not intended for use in production environments. As such, they may have many flaws and vulnerabilities that would allow an attacker to severely disrupt a target.",
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"created": "2014-06-23T00:00:00.000Z",
"modified": "2019-04-04T00:00:00.000Z",
"external_references": [
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/121.html",
"external_id": "CAPEC-121"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/489.html",
"external_id": "CWE-489"
}
],
"x_capec_likelihood_of_attack": "Low",
"x_capec_typical_severity": "High",
"x_capec_prerequisites": [
"The target must have installed test APIs and failed to secure or remove them when brought into a production environment."
],
"x_capec_resources_required": [
"For some APIs, the attacker will need the appropriate client application that interfaces with the API. Other APIs can be executed using simple tools, such as web browsers or console windows. In some cases, an attacker may need to be able to authenticate to the target before they can access the vulnerable APIs."
],
"x_capec_abstraction": "Standard",
"x_capec_status": "Draft",
"x_capec_version": "3.2",
"type": "attack-pattern",
"id": "attack-pattern--b289975f-c5e0-4d27-bf50-5937bfd02cfd"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2019-04-04T00:00:00.000Z",
"name": "coa-121-0",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"description": "Ensure that production systems do not contain sample or test APIs and that these APIs are only used in development environments.",
"type": "course-of-action",
"id": "course-of-action--1c68f1f0-fb2a-40e8-b16b-af29bab8ed16"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2019-04-04T00:00:00.000Z",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"type": "relationship",
"id": "relationship--45c65d29-ef85-4224-b58d-e3c7ba80fa6a",
"source_ref": "course-of-action--1c68f1f0-fb2a-40e8-b16b-af29bab8ed16",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--b289975f-c5e0-4d27-bf50-5937bfd02cfd"
},
{
"name": "Privilege Abuse",
"description": "An adversary is able to exploit features of the target that should be reserved for privileged users or administrators but are exposed to use by lower or non-privileged accounts. Access to sensitive information and functionality must be controlled to ensure that only authorized users are able to access these resources. If access control mechanisms are absent or misconfigured, a user may be able to access resources that are intended only for higher level users. An adversary may be able to exploit this to utilize a less trusted account to gain information and perform activities reserved for more trusted accounts. This attack differs from privilege escalation and other privilege stealing attacks in that the adversary never actually escalates their privileges but instead is able to use a lesser degree of privilege to access resources that should be (but are not) reserved for higher privilege accounts. Likewise, the adversary does not exploit trust or subvert systems - all control functionality is working as configured but the configuration does not adequately protect sensitive resources at an appropriate level.",
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"created": "2014-06-23T00:00:00.000Z",
"modified": "2019-04-04T00:00:00.000Z",
"external_references": [
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/122.html",
"external_id": "CAPEC-122"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/732.html",
"external_id": "CWE-732"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/269.html",
"external_id": "CWE-269"
}
],
"x_capec_typical_severity": "Medium",
"x_capec_prerequisites": [
"The target must have misconfigured their access control mechanisms such that sensitive information, which should only be accessible to more trusted users, remains accessible to less trusted users.",
"The adversary must have access to the target, albeit with an account that is less privileged than would be appropriate for the targeted resources."
],
"x_capec_resources_required": [
"None: No specialized resources are required to execute this type of attack. The ability to access the target is required."
],
"x_capec_abstraction": "Meta",
"x_capec_status": "Draft",
"x_capec_version": "3.2",
"type": "attack-pattern",
"id": "attack-pattern--fd669b7d-0e79-473c-9808-a860dfb0c871"
},
{
"name": "Buffer Manipulation",
"description": "An adversary manipulates an application's interaction with a buffer in an attempt to read or modify data they shouldn't have access to. Buffer attacks are distinguished in that it is the buffer space itself that is the target of the attack rather than any code responsible for interpreting the content of the buffer. In virtually all buffer attacks the content that is placed in the buffer is immaterial. Instead, most buffer attacks involve retrieving or providing more input than can be stored in the allocated buffer, resulting in the reading or overwriting of other unintended program memory.",
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"created": "2014-06-23T00:00:00.000Z",
"modified": "2019-04-04T00:00:00.000Z",
"external_references": [
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/123.html",
"external_id": "CAPEC-123"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/119.html",
"external_id": "CWE-119"
}
],
"x_capec_likelihood_of_attack": "High",
"x_capec_typical_severity": "Very High",
"x_capec_prerequisites": [
"The adversary must identify a programmatic means for interacting with a buffer, such as vulnerable C code, and be able to provide input to this interaction."
],
"x_capec_consequences": {
"Availability": [
"Unreliable Execution (A buffer manipulation attack often results in a crash of the application due to the corruption of memory.)"
],
"Confidentiality": [
"Execute Unauthorized Commands (If constructed properly, a buffer manipulation attack can be used to control the execution of the application, leading to any number of negative consequences.)",
"Modify Data (If constructed properly, a buffer manipulation attack can be used to control the execution of the application, leading to any number of negative consequences.)",
"Read Data (If constructed properly, a buffer manipulation attack can be used to control the execution of the application, leading to any number of negative consequences.)"
]
},
"x_capec_abstraction": "Meta",
"x_capec_status": "Draft",
"x_capec_version": "3.2",
"type": "attack-pattern",
"id": "attack-pattern--476ca631-2695-43f8-82f6-83c06a07ae36"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2019-04-04T00:00:00.000Z",
"name": "coa-123-0",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"description": "To help protect an application from buffer manipulation attacks, a number of potential mitigations can be leveraged. Before starting the development of the application, consider using a code language (e.g., Java) or compiler that limits the ability of developers to act beyond the bounds of a buffer. If the chosen language is susceptible to buffer related issues (e.g., C) then consider using secure functions instead of those vulnerable to buffer manipulations. If a potentially dangerous function must be used, make sure that proper boundary checking is performed. Additionally, there are often a number of compiler-based mechanisms (e.g., StackGuard, ProPolice and the Microsoft Visual Studio /GS flag) that can help identify and protect against potential buffer issues. Finally, there may be operating system level preventative functionality that can be applied.",
"type": "course-of-action",
"id": "course-of-action--69611262-87d4-4bba-8db4-068c40577c4c"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2019-04-04T00:00:00.000Z",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"type": "relationship",
"id": "relationship--b2e47286-34b7-484e-a95b-67f1b21ae24b",
"source_ref": "course-of-action--69611262-87d4-4bba-8db4-068c40577c4c",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--476ca631-2695-43f8-82f6-83c06a07ae36"
},
{
"name": "Shared Data Manipulation",
"description": "An adversary exploits a data structure shared between multiple applications or an application pool to affect application behavior. Data may be shared between multiple applications or between multiple threads of a single application. Data sharing is usually accomplished through mutual access to a single memory location. If an adversary can manipulate this shared data (usually by co-opting one of the applications or threads) the other applications or threads using the shared data will often continue to trust the validity of the compromised shared data and use it in their calculations. This can result in invalid trust assumptions, corruption of additional data through the normal operations of the other users of the shared data, or even cause a crash or compromise of the sharing applications.",
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"created": "2014-06-23T00:00:00.000Z",
"modified": "2019-04-04T00:00:00.000Z",
"external_references": [
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/124.html",
"external_id": "CAPEC-124"
}
],
"x_capec_typical_severity": "Medium",
"x_capec_prerequisites": [
"The target applications (or target application threads) must share data between themselves.",
"The adversary must be able to manipulate some piece of the shared data either directly or indirectly and the other users of the data must accept the changed data as valid. Usually this requires that the adversary be able to compromise one of the sharing applications or threads in order to manipulate the shared data."
],
"x_capec_resources_required": [
"None: No specialized resources are required to execute this type of attack."
],
"x_capec_abstraction": "Meta",
"x_capec_status": "Draft",
"x_capec_version": "3.2",
"type": "attack-pattern",
"id": "attack-pattern--d5e0c12f-6086-491d-86e5-e10a14d1f947"
},
{
"name": "Flooding",
"description": "An adversary consumes the resources of a target by rapidly engaging in a large number of interactions with the target. This type of attack generally exposes a weakness in rate limiting or flow control. When successful this attack prevents legitimate users from accessing the service and can cause the target to crash. This attack differs from resource depletion through leaks or allocations in that the latter attacks do not rely on the volume of requests made to the target but instead focus on manipulation of the target's operations. The key factor in a flooding attack is the number of requests the adversary can make in a given period of time. The greater this number, the more likely an attack is to succeed against a given target.",
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"created": "2014-06-23T00:00:00.000Z",
"modified": "2017-05-01T00:00:00.000Z",
"external_references": [
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/125.html",
"external_id": "CAPEC-125"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/404.html",
"external_id": "CWE-404"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/770.html",
"external_id": "CWE-770"
}
],
"x_capec_likelihood_of_attack": "High",
"x_capec_typical_severity": "Medium",
"x_capec_prerequisites": [
"Any target that services requests is vulnerable to this attack on some level of scale."
],
"x_capec_resources_required": [
"A script or program capable of generating more requests than the target can handle, or a network or cluster of objects all capable of making simultaneous requests."
],
"x_capec_consequences": {
"Availability": [
"Unreliable Execution (A successful flooding attack compromises the availability of the target system's service by exhausting its available resources.)",
"Resource Consumption (A successful flooding attack compromises the availability of the target system's service by exhausting its available resources.)"
]
},
"x_capec_abstraction": "Meta",
"x_capec_status": "Stable",
"x_capec_version": "3.2",
"type": "attack-pattern",
"id": "attack-pattern--6854fe89-0829-429f-a95c-89e77ab6c8ed"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2017-05-01T00:00:00.000Z",
"name": "coa-125-0",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"description": "Ensure that protocols have specific limits of scale configured.",
"type": "course-of-action",
"id": "course-of-action--55bca578-149c-4129-a003-3c2d5bd54b5b"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2017-05-01T00:00:00.000Z",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"type": "relationship",
"id": "relationship--22178117-f064-4303-8985-7fd9ee2fe9d8",
"source_ref": "course-of-action--55bca578-149c-4129-a003-3c2d5bd54b5b",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--6854fe89-0829-429f-a95c-89e77ab6c8ed"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2017-05-01T00:00:00.000Z",
"name": "coa-125-1",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"description": "Specify expectations for capabilities and dictate which behaviors are acceptable when resource allocation reaches limits.",
"type": "course-of-action",
"id": "course-of-action--c8dd811c-2eb5-418e-aeda-80170abad702"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2017-05-01T00:00:00.000Z",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"type": "relationship",
"id": "relationship--f0a57d15-98a3-44ab-9dee-7451762bc00b",
"source_ref": "course-of-action--c8dd811c-2eb5-418e-aeda-80170abad702",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--6854fe89-0829-429f-a95c-89e77ab6c8ed"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2017-05-01T00:00:00.000Z",
"name": "coa-125-2",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"description": "Uniformly throttle all requests in order to make it more difficult to consume resources more quickly than they can again be freed.",
"type": "course-of-action",
"id": "course-of-action--6c5ef0e0-77e5-40d3-85bf-7c50693c211d"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2017-05-01T00:00:00.000Z",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"type": "relationship",
"id": "relationship--22e10e44-9d16-4de8-9376-289ccde29247",
"source_ref": "course-of-action--6c5ef0e0-77e5-40d3-85bf-7c50693c211d",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--6854fe89-0829-429f-a95c-89e77ab6c8ed"
},
{
"name": "Path Traversal",
"description": "An adversary uses path manipulation methods to exploit insufficient input validation of a target to obtain access to data that should not be retrievable by ordinary well-formed requests. A typical variety of this attack involves specifying a path to a desired file together with dot-dot-slash characters, resulting in the file access API or function traversing out of the intended directory structure and into the root file system. By replacing or modifying the expected path information the access function or API retrieves the file desired by the attacker. These attacks either involve the attacker providing a complete path to a targeted file or using control characters (e.g. path separators (/ or \\) and/or dots (.)) to reach desired directories or files.",
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"created": "2014-06-23T00:00:00.000Z",
"modified": "2017-01-09T00:00:00.000Z",
"external_references": [
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/126.html",
"external_id": "CAPEC-126"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/22.html",
"external_id": "CWE-22"
},
{
"source_name": "reference_from_CAPEC",
"description": "G. Hoglund, G. McGraw, Exploiting Software: How to Break Code, 2004--02, Addison-Wesley",
"external_id": "REF-1"
},
{
"source_name": "reference_from_CAPEC",
"description": "The OWASP Application Security Desk Reference, 2009, The Open Web Application Security Project (OWASP)",
"url": "https://www.owasp.org/index.php/Path_Traversal",
"external_id": "REF-8"
},
{
"source_name": "reference_from_CAPEC",
"description": "OWASP Testing Guide (v3), 2010, The Open Web Application Security Project (OWASP)",
"url": "https://www.owasp.org/index.php/Testing_for_Path_Traversal_(OWASP-AZ-001)",
"external_id": "REF-9"
},
{
"source_name": "reference_from_CAPEC",
"description": "WASC Threat Classification 2.0, 2010, The Web Application Security Consortium (WASC)",
"url": "http://projects.webappsec.org/w/page/13246952/Path-Traversal",
"external_id": "REF-10"
}
],
"x_capec_alternate_terms": [
"Directory Traversal"
],
"x_capec_likelihood_of_attack": "High",
"x_capec_typical_severity": "Very High",
"x_capec_prerequisites": [
"The attacker must be able to control the path that is requested of the target.",
"The target must fail to adequately sanitize incoming paths."
],
"x_capec_skills_required": {
"Low": "Simple command line attacks or injecting the malicious payload in a web page.",
"Medium": "Customizing attacks to bypass non trivial filters in the application."
},
"x_capec_resources_required": [
"The ability to manually manipulate path information either directly through a client application relative to the service or application or via a proxy application."
],
"x_capec_consequences": {
"Integrity": [
"Execute Unauthorized Commands (The attacker may be able to create or overwrite critical files that are used to execute code, such as programs or libraries.)",
"Modify Data (The attacker may be able to overwrite or create critical files, such as programs, libraries, or important data. If the targeted file is used for a security mechanism, then the attacker may be able to bypass that mechanism. For example, appending a new account at the end of a password file may allow an attacker to bypass authentication.)"
],
"Confidentiality": [
"Execute Unauthorized Commands (The attacker may be able to create or overwrite critical files that are used to execute code, such as programs or libraries.)",
"Read Data (The attacker may be able to read the contents of unexpected files and expose sensitive data. If the targeted file is used for a security mechanism, then the attacker may be able to bypass that mechanism. For example, by reading a password file, the attacker could conduct brute force password guessing attacks in order to break into an account on the system.)"
],
"Availability": [
"Execute Unauthorized Commands (The attacker may be able to create or overwrite critical files that are used to execute code, such as programs or libraries.)",
"Unreliable Execution (The attacker may be able to overwrite, delete, or corrupt unexpected critical files such as programs, libraries, or important data. This may prevent the software from working at all and, in the case of a protection mechanism such as authentication, it has the potential to lock out every user of the software.)"
]
},
"x_capec_abstraction": "Standard",
"x_capec_example_instances": [
"\n <xhtml:p>An example of using path traversal to attack some set of resources on a web server is to use a standard HTTP request</xhtml:p>\n <xhtml:div style=\"margin-left:10px;\" class=\"informative\">http://example/../../../../../etc/passwd</xhtml:div>\n <xhtml:p>From an attacker point of view, this may be sufficient to gain access to the password file on a poorly protected system. If the attacker can list directories of critical resources then read only access is not sufficient to protect the system.</xhtml:p>\n "
],
"x_capec_status": "Draft",
"x_capec_version": "3.2",
"type": "attack-pattern",
"id": "attack-pattern--faf0ec21-da60-4efc-8c8e-7a6b63bea170"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2017-01-09T00:00:00.000Z",
"name": "coa-126-0",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"description": "Design: Configure the access control correctly.",
"type": "course-of-action",
"id": "course-of-action--49faa4e3-77fa-4b56-8186-be9d4302e09a"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2017-01-09T00:00:00.000Z",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"type": "relationship",
"id": "relationship--990d82cc-54c9-4536-8db1-9e1e4d3c1162",
"source_ref": "course-of-action--49faa4e3-77fa-4b56-8186-be9d4302e09a",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--faf0ec21-da60-4efc-8c8e-7a6b63bea170"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2017-01-09T00:00:00.000Z",
"name": "coa-126-1",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"description": "Design: Enforce principle of least privilege.",
"type": "course-of-action",
"id": "course-of-action--10e0bdfb-cc84-4788-8d10-225b6e61f135"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2017-01-09T00:00:00.000Z",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"type": "relationship",
"id": "relationship--fc0b9ea2-577b-4cae-a52b-606ae9ea8f84",
"source_ref": "course-of-action--10e0bdfb-cc84-4788-8d10-225b6e61f135",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--faf0ec21-da60-4efc-8c8e-7a6b63bea170"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2017-01-09T00:00:00.000Z",
"name": "coa-126-2",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"description": "Design: Execute programs with constrained privileges, so that the parent process does not open up further vulnerabilities. Ensure that all directories, temporary directories and files, and memory are executing with limited privileges to protect against remote execution.",
"type": "course-of-action",
"id": "course-of-action--59bcc683-a1e5-4b88-9821-ddb734003114"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2017-01-09T00:00:00.000Z",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"type": "relationship",
"id": "relationship--594c4c5a-1764-41b8-91aa-dc032c6ae92a",
"source_ref": "course-of-action--59bcc683-a1e5-4b88-9821-ddb734003114",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--faf0ec21-da60-4efc-8c8e-7a6b63bea170"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2017-01-09T00:00:00.000Z",
"name": "coa-126-3",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"description": "Design: Input validation. Assume that user inputs are malicious. Utilize strict type, character, and encoding enforcement.",
"type": "course-of-action",
"id": "course-of-action--6a928417-72f9-4429-951c-8dcaca5edc6d"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2017-01-09T00:00:00.000Z",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"type": "relationship",
"id": "relationship--f114c5f3-cfbd-4300-b255-e4bfeb5672be",
"source_ref": "course-of-action--6a928417-72f9-4429-951c-8dcaca5edc6d",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--faf0ec21-da60-4efc-8c8e-7a6b63bea170"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2017-01-09T00:00:00.000Z",
"name": "coa-126-4",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"description": "Design: Proxy communication to host, so that communications are terminated at the proxy, sanitizing the requests before forwarding to server host.",
"type": "course-of-action",
"id": "course-of-action--da440d05-dc0e-4bfa-8490-7178ae419336"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2017-01-09T00:00:00.000Z",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"type": "relationship",
"id": "relationship--9efb30cd-a0e5-4666-998f-c9119096f678",
"source_ref": "course-of-action--da440d05-dc0e-4bfa-8490-7178ae419336",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--faf0ec21-da60-4efc-8c8e-7a6b63bea170"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2017-01-09T00:00:00.000Z",
"name": "coa-126-5",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"description": "Design: Run server interfaces with a non-root account and/or utilize chroot jails or other configuration techniques to constrain privileges even if an attacker gains some limited access to commands.",
"type": "course-of-action",
"id": "course-of-action--16c78c78-dace-4fe3-ac4a-aaf188d14af5"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2017-01-09T00:00:00.000Z",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"type": "relationship",
"id": "relationship--2aeb9107-ab93-4c87-b9c5-a7eabd78976b",
"source_ref": "course-of-action--16c78c78-dace-4fe3-ac4a-aaf188d14af5",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--faf0ec21-da60-4efc-8c8e-7a6b63bea170"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2017-01-09T00:00:00.000Z",
"name": "coa-126-6",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"description": "Implementation: Host integrity monitoring for critical files, directories, and processes. The goal of host integrity monitoring is to be aware when a security issue has occurred so that incident response and other forensic activities can begin.",
"type": "course-of-action",
"id": "course-of-action--3c433a52-7784-4abd-b404-41fc8a423886"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2017-01-09T00:00:00.000Z",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"type": "relationship",
"id": "relationship--f7a2a574-4587-4e1f-83a1-69fa413c6fbb",
"source_ref": "course-of-action--3c433a52-7784-4abd-b404-41fc8a423886",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--faf0ec21-da60-4efc-8c8e-7a6b63bea170"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2017-01-09T00:00:00.000Z",
"name": "coa-126-7",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"description": "Implementation: Perform input validation for all remote content, including remote and user-generated content.",
"type": "course-of-action",
"id": "course-of-action--b3379e8f-995d-4df7-be15-7861c104b55c"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2017-01-09T00:00:00.000Z",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"type": "relationship",
"id": "relationship--a6a7d0d3-2377-4fba-ba62-ba4c605a8206",
"source_ref": "course-of-action--b3379e8f-995d-4df7-be15-7861c104b55c",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--faf0ec21-da60-4efc-8c8e-7a6b63bea170"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2017-01-09T00:00:00.000Z",
"name": "coa-126-8",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"description": "Implementation: Perform testing such as pen-testing and vulnerability scanning to identify directories, programs, and interfaces that grant direct access to executables.",
"type": "course-of-action",
"id": "course-of-action--8fb32cf0-80fd-4e8b-91c6-0908041d5b6e"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2017-01-09T00:00:00.000Z",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"type": "relationship",
"id": "relationship--99e79d18-12bf-4362-a63b-bbc4e4c958a5",
"source_ref": "course-of-action--8fb32cf0-80fd-4e8b-91c6-0908041d5b6e",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--faf0ec21-da60-4efc-8c8e-7a6b63bea170"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2017-01-09T00:00:00.000Z",
"name": "coa-126-9",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"description": "Implementation: Use indirect references rather than actual file names.",
"type": "course-of-action",
"id": "course-of-action--f972cf8f-5c89-4e6c-87ad-8eb40c32883b"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2017-01-09T00:00:00.000Z",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"type": "relationship",
"id": "relationship--233f668e-d39a-47dd-8b8e-51d1e88576f6",
"source_ref": "course-of-action--f972cf8f-5c89-4e6c-87ad-8eb40c32883b",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--faf0ec21-da60-4efc-8c8e-7a6b63bea170"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2017-01-09T00:00:00.000Z",
"name": "coa-126-10",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"description": "Implementation: Use the most restrictive file access permissions possible when developing and deploying web applications.",
"type": "course-of-action",
"id": "course-of-action--4dc38767-be73-424a-b909-90eb4773dfa3"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2017-01-09T00:00:00.000Z",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"type": "relationship",
"id": "relationship--048fb2e5-4985-4092-ab1f-ecb8bb25b6c2",
"source_ref": "course-of-action--4dc38767-be73-424a-b909-90eb4773dfa3",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--faf0ec21-da60-4efc-8c8e-7a6b63bea170"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2017-01-09T00:00:00.000Z",
"name": "coa-126-11",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"description": "Implementation: Validate user input by only accepting known good. Ensure all content that is delivered to client is sanitized against an acceptable content specification -- whitelisting approach.",
"type": "course-of-action",
"id": "course-of-action--34712533-4c5c-45f0-bd17-87400d79a1a9"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2017-01-09T00:00:00.000Z",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"type": "relationship",
"id": "relationship--e3ee5696-edb3-4ec9-a141-395f16e9f36d",
"source_ref": "course-of-action--34712533-4c5c-45f0-bd17-87400d79a1a9",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--faf0ec21-da60-4efc-8c8e-7a6b63bea170"
},
{
"name": "Directory Indexing",
"description": "An adversary crafts a request to a target that results in the target listing/indexing the content of a directory as output. One common method of triggering directory contents as output is to construct a request containing a path that terminates in a directory name rather than a file name since many applications are configured to provide a list of the directory's contents when such a request is received. An adversary can use this to explore the directory tree on a target as well as learn the names of files. This can often end up revealing test files, backup files, temporary files, hidden files, configuration files, user accounts, script contents, as well as naming conventions, all of which can be used by an attacker to mount additional attacks.",
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"created": "2014-06-23T00:00:00.000Z",
"modified": "2018-07-31T00:00:00.000Z",
"external_references": [
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/127.html",
"external_id": "CAPEC-127"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/424.html",
"external_id": "CWE-424"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/425.html",
"external_id": "CWE-425"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/288.html",
"external_id": "CWE-288"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/285.html",
"external_id": "CWE-285"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/732.html",
"external_id": "CWE-732"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/276.html",
"external_id": "CWE-276"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/693.html",
"external_id": "CWE-693"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/721.html",
"external_id": "CWE-721"
},
{
"source_name": "reference_from_CAPEC",
"description": "WASC Threat Classification 2.0, 2010, The Web Application Security Consortium (WASC)",
"url": "http://projects.webappsec.org/Directory-Indexing",
"external_id": "REF-11"
}
],
"x_capec_likelihood_of_attack": "High",
"x_capec_typical_severity": "Medium",
"x_capec_prerequisites": [
"The target must be misconfigured to return a list of a directory's content when it receives a request that ends in a directory name rather than a file name.",
"The adversary must be able to control the path that is requested of the target.",
"The administrator must have failed to properly configure an ACL or has associated an overly permissive ACL with a particular directory.",
"The server version or patch level must not inherently prevent known directory listing attacks from working."
],
"x_capec_skills_required": {
"Low": "To issue a request to a URL without giving a specific file name",
"High": "To bypass the access control on directory listings"
},
"x_capec_resources_required": [
"Ability to send HTTP requests to a web application."
],
"x_capec_consequences": {
"Confidentiality": [
"Read Data (Information Leakage)"
]
},
"x_capec_abstraction": "Detailed",
"x_capec_example_instances": [
"\n <xhtml:p>The adversary uses directory listing to view sensitive files in the application. This is an example of accessing the backup file. The attacker issues a request for http://www.example.com/admin/ and receives the following dynamic directory indexing content in the response: Index of /admin Name Last Modified Size Description backup/ 31-May-2007 08:18 - Apache/ 2.0.55 Server at www.example.com Port 80</xhtml:p>\n <xhtml:p>The target application does not have a direct hyperlink to the \"backup\" directory in the normal HTML web page; however, the attacker has learned of this directory from the indexed content. The client then requests the backup directory URL and receives output which lists a \"db_dump.php\" file. This sensitive data should not be disclosed publicly.</xhtml:p>\n "
],
"x_capec_status": "Draft",
"x_capec_version": "3.2",
"type": "attack-pattern",
"id": "attack-pattern--62c46d1c-f091-467e-a4b0-61927db31f38"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2018-07-31T00:00:00.000Z",
"name": "coa-127-0",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"description": "1. Using a blank index.html: placing a blank index.html in a directory simply prevents directory listings from being displayed to site visitors.",
"type": "course-of-action",
"id": "course-of-action--e159a65a-59f4-41fb-82a5-0f5cf069b10f"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2018-07-31T00:00:00.000Z",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"type": "relationship",
"id": "relationship--1d386aba-01fb-4a86-8b95-a4778cf497ab",
"source_ref": "course-of-action--e159a65a-59f4-41fb-82a5-0f5cf069b10f",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--62c46d1c-f091-467e-a4b0-61927db31f38"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2018-07-31T00:00:00.000Z",
"name": "coa-127-1",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"description": "2. Preventing with .htaccess in the Apache web server: in .htaccess, write \"Options -Indexes\".",
"type": "course-of-action",
"id": "course-of-action--7c00c5ac-d08c-4abb-8ce7-7000072c9d15"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2018-07-31T00:00:00.000Z",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"type": "relationship",
"id": "relationship--665bc535-a6b1-48ea-9fd2-4cda3661f872",
"source_ref": "course-of-action--7c00c5ac-d08c-4abb-8ce7-7000072c9d15",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--62c46d1c-f091-467e-a4b0-61927db31f38"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2018-07-31T00:00:00.000Z",
"name": "coa-127-2",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"description": "3. Suppressing error messages: return the 403 \"Forbidden\" error message exactly like the 404 \"Not Found\" error message.",
"type": "course-of-action",
"id": "course-of-action--778c2c99-3964-42e2-9e8a-33e9adf9201b"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2018-07-31T00:00:00.000Z",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"type": "relationship",
"id": "relationship--c93af142-fad4-470f-ab94-e6b35f993234",
"source_ref": "course-of-action--778c2c99-3964-42e2-9e8a-33e9adf9201b",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--62c46d1c-f091-467e-a4b0-61927db31f38"
},
{
"name": "Integer Attacks",
"description": "An attacker takes advantage of the structure of integer variables to cause these variables to assume values that are not expected by an application. For example, adding one to the largest positive integer in a signed integer variable results in a negative number. Negative numbers may be illegal in an application and the application may prevent an attacker from providing them directly, but the application may not consider that adding two positive numbers can create a negative number due to the structure of integer storage formats.",
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"created": "2014-06-23T00:00:00.000Z",
"modified": "2017-08-04T00:00:00.000Z",
"external_references": [
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/128.html",
"external_id": "CAPEC-128"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/682.html",
"external_id": "CWE-682"
}
],
"x_capec_typical_severity": "Medium",
"x_capec_prerequisites": [
"The target application must have an integer variable for which only some of the possible integer values are expected by the application and where there are no checks on the value of the variable before use.",
"The attacker must be able to manipulate the targeted integer variable such that normal operations result in non-standard values due to the storage structure of integers."
],
"x_capec_resources_required": [
"None: No specialized resources are required to execute this type of attack."
],
"x_capec_abstraction": "Standard",
"x_capec_status": "Draft",
"x_capec_version": "3.2",
"type": "attack-pattern",
"id": "attack-pattern--1f3b920a-a706-494c-9486-69531a514912"
},
{
"name": "Pointer Manipulation",
"description": "This attack pattern involves an adversary manipulating a pointer within a target application resulting in the application accessing an unintended memory location. This can result in the crashing of the application or, for certain pointer values, access to data that would not normally be possible or the execution of arbitrary code. Since pointers are simply integer variables, Integer Attacks may often be used in Pointer Attacks.",
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"created": "2014-06-23T00:00:00.000Z",
"modified": "2019-04-04T00:00:00.000Z",
"external_references": [
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/129.html",
"external_id": "CAPEC-129"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/682.html",
"external_id": "CWE-682"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/822.html",
"external_id": "CWE-822"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/823.html",
"external_id": "CWE-823"
}
],
"x_capec_typical_severity": "Medium",
"x_capec_prerequisites": [
"The target application must have a pointer variable that the attacker can influence to hold an arbitrary value."
],
"x_capec_resources_required": [
"None: No specialized resources are required to execute this type of attack."
],
"x_capec_abstraction": "Meta",
"x_capec_status": "Draft",
"x_capec_version": "3.2",
"type": "attack-pattern",
"id": "attack-pattern--6295b7e2-98e9-4fc8-acbf-99769cb3cdf0"
},
{
"name": "Subverting Environment Variable Values",
"description": "The attacker directly or indirectly modifies environment variables used by or controlling the target software. The attacker's goal is to cause the target software to deviate from its expected operation in a manner that benefits the attacker.",
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"created": "2014-06-23T00:00:00.000Z",
"modified": "2019-09-30T00:00:00.000Z",
"external_references": [
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/13.html",
"external_id": "CAPEC-13"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/353.html",
"external_id": "CWE-353"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/285.html",
"external_id": "CWE-285"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/302.html",
"external_id": "CWE-302"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/74.html",
"external_id": "CWE-74"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/15.html",
"external_id": "CWE-15"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/73.html",
"external_id": "CWE-73"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/20.html",
"external_id": "CWE-20"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/200.html",
"external_id": "CWE-200"
},
{
"source_name": "reference_from_CAPEC",
"description": "G. Hoglund, G. McGraw, Exploiting Software: How to Break Code, 2004--02, Addison-Wesley",
"external_id": "REF-1"
}
],
"x_capec_likelihood_of_attack": "High",
"x_capec_typical_severity": "Very High",
"x_capec_prerequisites": [
"An environment variable is accessible to the user.",
"An environment variable used by the application can be tainted with user supplied data.",
"Input data used in an environment variable is not validated properly.",
"The variable's encapsulation is not done properly. For instance, setting a variable as public in a class makes it visible, and an attacker may attempt to manipulate that variable."
],
"x_capec_skills_required": {
"Low": "In a web-based scenario, the client controls the data that it submits to the server. So anybody can try to send malicious data and try to bypass the authentication mechanism.",
"High": "Some more advanced attacks may require knowledge about protocols and probing techniques that help control a variable. The malicious user may try to understand the authentication mechanism in order to defeat it."
},
"x_capec_consequences": {
"Confidentiality": [
"Execute Unauthorized Commands (Run Arbitrary Code)",
"Bypass Protection Mechanism",
"Read Data"
],
"Integrity": [
"Execute Unauthorized Commands (Run Arbitrary Code)"
],
"Availability": [
"Execute Unauthorized Commands (Run Arbitrary Code)",
"Unreliable Execution"
],
"Access_Control": [
"Bypass Protection Mechanism"
],
"Authorization": [
"Bypass Protection Mechanism"
]
},
"x_capec_abstraction": "Detailed",
"x_capec_example_instances": [
"Changing the LD_LIBRARY_PATH environment variable in TELNET will cause TELNET to use an alternate (possibly Trojan) version of a function library. The Trojan library must be accessible using the target file system and should include Trojan code that will allow the user to log in with a bad password. This requires that the attacker upload the Trojan library to a specific location on the target. As an alternative to uploading a Trojan file, some file systems support file paths that include remote addresses, such as \\\\172.16.2.100\\shared_files\\trojan_dll.dll. See also: Path Manipulation (CVE-1999-0073)",
"The HISTCONTROL environment variable keeps track of what should be saved by the history command and eventually into the ~/.bash_history file when a user logs out. This setting can be configured to ignore commands that start with a space by simply setting it to \"ignorespace\". HISTCONTROL can also be set to ignore duplicate commands by setting it to \"ignoredups\". In some Linux systems, this is set by default to \"ignoreboth\" which covers both of the previous examples. This means that \" ls\" will not be saved, but \"ls\" would be saved by history. HISTCONTROL does not exist by default on macOS, but can be set by the user and will be respected. Adversaries can use this to operate without leaving traces by simply prepending a space to all of their terminal commands."
],
"x_capec_status": "Stable",
"x_capec_version": "3.2",
"type": "attack-pattern",
"id": "attack-pattern--f190e1b3-e8d6-4aef-817c-b3e7782e2aed"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2019-09-30T00:00:00.000Z",
"name": "coa-13-0",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"description": "Protect environment variables against unauthorized read and write access.",
"type": "course-of-action",
"id": "course-of-action--60c73cc1-5718-4246-a2a6-da180705e463"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2019-09-30T00:00:00.000Z",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"type": "relationship",
"id": "relationship--e351819c-a8ce-4628-bc2d-fe25172f524f",
"source_ref": "course-of-action--60c73cc1-5718-4246-a2a6-da180705e463",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--f190e1b3-e8d6-4aef-817c-b3e7782e2aed"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2019-09-30T00:00:00.000Z",
"name": "coa-13-1",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"description": "Protect the configuration files which contain environment variables against illegitimate read and write access.",
"type": "course-of-action",
"id": "course-of-action--88742f57-22ea-48b4-a8a8-aa72de425e08"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2019-09-30T00:00:00.000Z",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"type": "relationship",
"id": "relationship--f927e9e7-a3c2-4e14-8da4-37711f2f0161",
"source_ref": "course-of-action--88742f57-22ea-48b4-a8a8-aa72de425e08",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--f190e1b3-e8d6-4aef-817c-b3e7782e2aed"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2019-09-30T00:00:00.000Z",
"name": "coa-13-2",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"description": "Assume all input is malicious. Create a white list that defines all valid input to the software system based on the requirements specifications. Input that does not match against the white list should not be permitted to enter into the system.",
"type": "course-of-action",
"id": "course-of-action--6e1f571f-420f-43a6-aaf3-cc53394f7b97"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2019-09-30T00:00:00.000Z",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"type": "relationship",
"id": "relationship--314c2112-f10b-48fd-b1d8-b85dbdfd5439",
"source_ref": "course-of-action--6e1f571f-420f-43a6-aaf3-cc53394f7b97",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--f190e1b3-e8d6-4aef-817c-b3e7782e2aed"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2019-09-30T00:00:00.000Z",
"name": "coa-13-3",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"description": "Apply the least privilege principles. If a process has no legitimate reason to read an environment variable do not give that privilege.",
"type": "course-of-action",
"id": "course-of-action--5ea96ff9-d08f-4da5-b893-17f63f09b83e"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2019-09-30T00:00:00.000Z",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"type": "relationship",
"id": "relationship--36c8f1a2-fc68-4417-ba38-adaa3e68a90d",
"source_ref": "course-of-action--5ea96ff9-d08f-4da5-b893-17f63f09b83e",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--f190e1b3-e8d6-4aef-817c-b3e7782e2aed"
},
{
"name": "Excessive Allocation",
"description": "An adversary causes the target to allocate excessive resources to servicing the attacker's request, thereby reducing the resources available for legitimate services and degrading or denying services. Usually, this attack focuses on memory allocation, but any finite resource on the target could be attacked, including bandwidth, processing cycles, or other resources. This attack does not attempt to force this allocation through a large number of requests (that would be Resource Depletion through Flooding) but instead uses one or a small number of requests that are carefully formatted to force the target to allocate excessive resources to service the request(s). Often this attack takes advantage of a bug in the target to cause the target to allocate resources vastly beyond what would be needed for a normal request.",
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"created": "2014-06-23T00:00:00.000Z",
"modified": "2017-08-04T00:00:00.000Z",
"external_references": [
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/130.html",
"external_id": "CAPEC-130"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/770.html",
"external_id": "CWE-770"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/404.html",
"external_id": "CWE-404"
}
],
"x_capec_likelihood_of_attack": "Medium",
"x_capec_typical_severity": "Medium",
"x_capec_prerequisites": [
"The target must accept service requests from the attacker and the adversary must be able to control the resource allocation associated with this request to be in excess of the normal allocation. The latter is usually accomplished through the presence of a bug on the target that allows the adversary to manipulate variables used in the allocation."
],
"x_capec_resources_required": [
"None: No specialized resources are required to execute this type of attack."
],
"x_capec_consequences": {
"Availability": [
"Resource Consumption (A successful excessive allocation attack forces the target system to exhaust its resources, thereby compromising the availability of its service.)"
]
},
"x_capec_abstraction": "Meta",
"x_capec_example_instances": [
"In an Integer Attack, the adversary could cause a variable that controls allocation for a request to hold an excessively large value. Excessive allocation of resources can render a service degraded or unavailable to legitimate users and can even lead to crashing of the target."
],
"x_capec_status": "Stable",
"x_capec_version": "3.2",
"type": "attack-pattern",
"id": "attack-pattern--e171fd74-3ea6-4ad5-b0ff-71bb311c8024"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2017-08-04T00:00:00.000Z",
"name": "coa-130-0",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"description": "Limit the amount of resources that are accessible to unprivileged users.",
"type": "course-of-action",
"id": "course-of-action--e2401986-f0a6-4a28-bff4-59db19c2000c"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2017-08-04T00:00:00.000Z",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"type": "relationship",
"id": "relationship--008a8e1b-0ad9-49c8-8c07-6d960df810f6",
"source_ref": "course-of-action--e2401986-f0a6-4a28-bff4-59db19c2000c",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--e171fd74-3ea6-4ad5-b0ff-71bb311c8024"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2017-08-04T00:00:00.000Z",
"name": "coa-130-1",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"description": "Assume all input is malicious. Consider all potentially relevant properties when validating input.",
"type": "course-of-action",
"id": "course-of-action--98557606-654b-48be-90f9-47ef76f7034b"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2017-08-04T00:00:00.000Z",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"type": "relationship",
"id": "relationship--282aa96a-4a57-42b1-826a-e6e4abbd87db",
"source_ref": "course-of-action--98557606-654b-48be-90f9-47ef76f7034b",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--e171fd74-3ea6-4ad5-b0ff-71bb311c8024"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2017-08-04T00:00:00.000Z",
"name": "coa-130-2",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"description": "Consider uniformly throttling all requests in order to make it more difficult to consume resources more quickly than they can again be freed.",
"type": "course-of-action",
"id": "course-of-action--74868224-146c-41a0-afd2-66580f01aa44"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2017-08-04T00:00:00.000Z",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"type": "relationship",
"id": "relationship--51e066b9-7488-4231-91fa-099bbb87c489",
"source_ref": "course-of-action--74868224-146c-41a0-afd2-66580f01aa44",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--e171fd74-3ea6-4ad5-b0ff-71bb311c8024"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2017-08-04T00:00:00.000Z",
"name": "coa-130-3",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"description": "Use resource-limiting settings, if possible.",
"type": "course-of-action",
"id": "course-of-action--e9d23f7b-bee1-4e7e-9621-9a0cb59e8bd4"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2017-08-04T00:00:00.000Z",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"type": "relationship",
"id": "relationship--98433369-590b-48b9-a19e-d159dde960e1",
"source_ref": "course-of-action--e9d23f7b-bee1-4e7e-9621-9a0cb59e8bd4",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--e171fd74-3ea6-4ad5-b0ff-71bb311c8024"
},
{
"name": "Resource Leak Exposure",
"description": "An adversary utilizes a resource leak on the target to deplete the quantity of the resource available to service legitimate requests. Resource leaks most often come in the form of memory leaks, where memory is allocated but never released after it has served its purpose; however, theoretically, any other resource that can be reserved can be targeted if the target fails to release the reservation when the reserved resource block is no longer needed. In this attack, the adversary determines what activity results in leaked resources and then triggers that activity on the target. Since some leaks may be small, this may require a large number of requests by the adversary. However, this attack differs from a flooding attack in that the rate of requests is generally not significant. This is because the resources lost to the leak accumulate until the target is reset, usually by restarting it. Thus, a resource-poor adversary who would be unable to flood the target can still utilize this attack. Resource depletion through leak differs from resource depletion through allocation in that, in the former, the adversary may not be able to control the size of each leaked allocation, but instead allows the leak to accumulate until it is large enough to affect the target's performance. When depleting resources through allocation, the allocated resource may eventually be released by the target, so the attack relies on making sure that the allocation size itself is prohibitive of normal operations by the target.",
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"created": "2014-06-23T00:00:00.000Z",
"modified": "2017-08-04T00:00:00.000Z",
"external_references": [
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/131.html",
"external_id": "CAPEC-131"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/404.html",
"external_id": "CWE-404"
}
],
"x_capec_likelihood_of_attack": "Medium",
"x_capec_typical_severity": "Medium",
"x_capec_prerequisites": [
"The target must have a resource leak that the adversary can repeatedly trigger."
],
"x_capec_resources_required": [
"None: No specialized resources are required to execute this type of attack."
],
"x_capec_consequences": {
"Availability": [
"Unreliable Execution (A successful resource leak exposure attack compromises the availability of the target system's services.)",
"Resource Consumption (A successful resource leak exposure attack compromises the availability of the target system's services.)"
]
},
"x_capec_abstraction": "Meta",
"x_capec_status": "Stable",
"x_capec_version": "3.2",
"type": "attack-pattern",
"id": "attack-pattern--01d5c7e7-1c74-4b20-9e43-548c5f4de113"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2017-08-04T00:00:00.000Z",
"name": "coa-131-0",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"description": "If possible, leverage coding language(s) that do not allow this weakness to occur (e.g., Java, Ruby, and Python all perform automatic garbage collection that releases memory for objects that have been deallocated).",
"type": "course-of-action",
"id": "course-of-action--cf45c4fb-cc58-4502-876c-56d851cd73f9"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2017-08-04T00:00:00.000Z",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"type": "relationship",
"id": "relationship--adc4413e-bddd-423e-ba63-df78f79cc02f",
"source_ref": "course-of-action--cf45c4fb-cc58-4502-876c-56d851cd73f9",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--01d5c7e7-1c74-4b20-9e43-548c5f4de113"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2017-08-04T00:00:00.000Z",
"name": "coa-131-1",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"description": "Memory should always be allocated/freed using matching functions (e.g., malloc/free, new/delete, etc.).",
"type": "course-of-action",
"id": "course-of-action--d3e6855e-8bae-4987-bb3d-398e16bb2502"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2017-08-04T00:00:00.000Z",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"type": "relationship",
"id": "relationship--05481c8c-ea7e-42e4-a012-87f4ecdeb7b8",
"source_ref": "course-of-action--d3e6855e-8bae-4987-bb3d-398e16bb2502",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--01d5c7e7-1c74-4b20-9e43-548c5f4de113"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2017-08-04T00:00:00.000Z",
"name": "coa-131-2",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"description": "Implement best practices with respect to memory management, including the freeing of all allocated resources at all exit points and ensuring consistency with how and where memory is freed in a function.",
"type": "course-of-action",
"id": "course-of-action--e848e916-876c-4616-85ac-a44e4e90b63b"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2017-08-04T00:00:00.000Z",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"type": "relationship",
"id": "relationship--dbe99895-80e2-48af-966a-55f26aadd3d5",
"source_ref": "course-of-action--e848e916-876c-4616-85ac-a44e4e90b63b",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--01d5c7e7-1c74-4b20-9e43-548c5f4de113"
},
{
"name": "Symlink Attack",
"description": "An attacker positions a symbolic link in such a manner that the targeted user or application accesses the link's endpoint, assuming that it is accessing a file with the link's name. The endpoint file may be either output or input. If the file is output, the result is that the endpoint is modified, instead of a file at the intended location. Modifications to the endpoint file may include appending, overwriting, corrupting, changing permissions, or other modifications. In some variants of this attack the attacker may be able to control the change to a file while in other cases they cannot. The former is especially damaging since the attacker may be able to grant themselves increased privileges or insert false information, but the latter can also be damaging as it can expose sensitive information or corrupt or destroy vital system or application files. Alternatively, the endpoint file may serve as input to the targeted application. This can be used to feed malformed input into the target or to cause the target to process different information, possibly allowing the attacker to control the actions of the target or to cause the target to expose information to the attacker. Moreover, the actions taken on the endpoint file are undertaken with the permissions of the targeted user or application, which may exceed the permissions that the attacker would normally have.",
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"created": "2014-06-23T00:00:00.000Z",
"modified": "2019-04-04T00:00:00.000Z",
"external_references": [
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/132.html",
"external_id": "CAPEC-132"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/59.html",
"external_id": "CWE-59"
},
{
"source_name": "reference_from_CAPEC",
"description": "Shaun Colley, Crafting Symlinks for Fun and Profit",
"url": "http://www.infosecwriters.com/texts.php?op=display&id=159",
"external_id": "REF-13"
}
],
"x_capec_likelihood_of_attack": "Low",
"x_capec_typical_severity": "High",
"x_capec_prerequisites": [
"The targeted application must perform the desired activities on a file without checking whether the file is a symbolic link or not. The attacker must be able to predict the name of the file the target application is modifying and be able to create a new symbolic link where that file would appear."
],
"x_capec_skills_required": {
"Low": "To create symlinks",
"High": "To identify the files and create the symlinks during the file operation time window"
},
"x_capec_resources_required": [
"None: No specialized resources are required to execute this type of attack. The only requirement is the ability to create the necessary symbolic link."
],
"x_capec_consequences": {
"Confidentiality": [
"Other (Information Leakage)",
"Read Data"
],
"Integrity": [
"Modify Data",
"Modify Data"
],
"Authorization": [
"Execute Unauthorized Commands (Run Arbitrary Code)",
"Gain Privileges",
"Bypass Protection Mechanism"
],
"Accountability": [
"Gain Privileges"
],
"Authentication": [
"Gain Privileges"
],
"Non-Repudiation": [
"Gain Privileges"
],
"Access_Control": [
"Bypass Protection Mechanism"
],
"Availability": [
"Unreliable Execution"
]
},
"x_capec_abstraction": "Detailed",
"x_capec_example_instances": [
"\n <xhtml:p>The attacker creates a symlink with the \"same\" name as the file which the application is intending to write to. The application will write to the file, \"causing the data to be written where the symlink is pointing\". An attack like this can be demonstrated as follows:</xhtml:p>\n <xhtml:div style=\"margin-left:10px;\" class=\"informative\">root# vulprog myFile<xhtml:div>\n <xhtml:i>[...program does some processing...]</xhtml:i>\n </xhtml:div>\n attacker# ln -s /etc/nologin myFile<xhtml:div>\n <xhtml:i>[...program writes to 'myFile', which points to /etc/nologin...]</xhtml:i>\n </xhtml:div>\n </xhtml:div>\n <xhtml:p>In the above example, the root user ran a program with poorly written file handling routines, providing the filename \"myFile\" to vulprog for the relevant data to be written to. However, the attacker happened to be looking over the shoulder of \"root\" at the time, and created a link from myFile to /etc/nologin. The attack would prevent any user from logging in.</xhtml:p>\n "
],
"x_capec_status": "Draft",
"x_capec_version": "3.2",
"type": "attack-pattern",
"id": "attack-pattern--7cb5458d-b646-4a25-ad0a-4c3fabd70a65"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2019-04-04T00:00:00.000Z",
"name": "coa-132-0",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"description": "Design: Check for the existence of files to be created, if in existence verify they are neither symlinks nor hard links before opening them.",
"type": "course-of-action",
"id": "course-of-action--f5210720-4324-4516-a229-f892a14476e3"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2019-04-04T00:00:00.000Z",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"type": "relationship",
"id": "relationship--a8e73cf8-4cb5-4ae9-9a70-c2ebefdf62fc",
"source_ref": "course-of-action--f5210720-4324-4516-a229-f892a14476e3",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--7cb5458d-b646-4a25-ad0a-4c3fabd70a65"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2019-04-04T00:00:00.000Z",
"name": "coa-132-1",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"description": "Implementation: Use randomly generated file names for temporary files. Give the files restrictive permissions.",
"type": "course-of-action",
"id": "course-of-action--a30baed8-dcc2-47af-93ca-38ef0fe2e8e2"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2019-04-04T00:00:00.000Z",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"type": "relationship",
"id": "relationship--9cf8f1cf-51b6-4745-843d-2b4655e99ce6",
"source_ref": "course-of-action--a30baed8-dcc2-47af-93ca-38ef0fe2e8e2",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--7cb5458d-b646-4a25-ad0a-4c3fabd70a65"
},
{
"name": "Try All Common Switches",
"description": "An attacker attempts to invoke all common switches and options in the target application for the purpose of discovering weaknesses in the target. For example, in some applications, adding a --debug switch causes debugging information to be displayed, which can sometimes reveal sensitive processing or configuration information to an attacker. This attack differs from other forms of API abuse in that the attacker is blindly attempting to invoke options in the hope that one of them will work rather than specifically targeting a known option. Nonetheless, even if the attacker is familiar with the published options of a targeted application this attack method may still be fruitful as it might discover unpublicized functionality.",
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"created": "2014-06-23T00:00:00.000Z",
"modified": "2019-04-04T00:00:00.000Z",
"external_references": [
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/133.html",
"external_id": "CAPEC-133"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/912.html",
"external_id": "CWE-912"
}
],
"x_capec_typical_severity": "Medium",
"x_capec_prerequisites": [
"The attacker must be able to control the options or switches sent to the target."
],
"x_capec_resources_required": [
"None: No specialized resources are required to execute this type of attack. The only requirement is the ability to send requests to the target."
],
"x_capec_abstraction": "Standard",
"x_capec_status": "Draft",
"x_capec_version": "3.2",
"type": "attack-pattern",
"id": "attack-pattern--a0fc32ad-ef32-44d5-9937-5968f5e7b78c"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2019-04-04T00:00:00.000Z",
"name": "coa-133-0",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"description": "Design: Minimize switch and option functionality to only that necessary for correct function of the command.",
"type": "course-of-action",
"id": "course-of-action--98da757a-6fb3-4a86-b0b3-c7731ca1325b"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2019-04-04T00:00:00.000Z",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"type": "relationship",
"id": "relationship--9849d6f7-11c6-49c0-a3b7-a87ba59d92c3",
"source_ref": "course-of-action--98da757a-6fb3-4a86-b0b3-c7731ca1325b",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--a0fc32ad-ef32-44d5-9937-5968f5e7b78c"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2019-04-04T00:00:00.000Z",
"name": "coa-133-1",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"description": "Implementation: Remove all debug and testing options from production code.",
"type": "course-of-action",
"id": "course-of-action--86466080-30aa-42b1-a6cc-f8103cf49498"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2019-04-04T00:00:00.000Z",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"type": "relationship",
"id": "relationship--007dc896-33a1-418f-8400-a4ae48f79658",
"source_ref": "course-of-action--86466080-30aa-42b1-a6cc-f8103cf49498",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--a0fc32ad-ef32-44d5-9937-5968f5e7b78c"
},
{
"name": "Email Injection",
"description": "An attacker manipulates the headers and content of an email message by injecting data via the use of delimiter characters native to the protocol. Many applications allow users to send email messages by filling in fields. For example, a web site may have a link to \"share this site with a friend\" where the user provides the recipient's email address and the web application fills out all the other fields, such as the subject and body. In this pattern, an attacker adds header and body information to an email message by injecting additional content in an input field used to construct a header of the mail message. This attack takes advantage of the fact that RFC 822 requires that headers in a mail message be separated by a carriage return. As a result, an attacker can inject new headers or content simply by adding a delimiting carriage return and then supplying the new heading and body information. This attack will not work if the user can only supply the message body since a carriage return in the body is treated as a normal character.",
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"created": "2014-06-23T00:00:00.000Z",
"modified": "2019-09-30T00:00:00.000Z",
"external_references": [
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/134.html",
"external_id": "CAPEC-134"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/150.html",
"external_id": "CWE-150"
}
],
"x_capec_typical_severity": "Medium",
"x_capec_prerequisites": [
"The target application must allow the user to send email to some recipient, must let the user specify the content of at least one header field in the message, and must fail to sanitize against the injection of command separators.",
"The adversary must have the ability to access the target mail application."
],
"x_capec_resources_required": [
"None: No specialized resources are required to execute this type of attack."
],
"x_capec_abstraction": "Standard",
"x_capec_status": "Draft",
"x_capec_version": "3.2",
"type": "attack-pattern",
"id": "attack-pattern--3e3f4570-827b-4e0e-859b-00a4b13a1a65"
},
{
"name": "Format String Injection",
"description": "An adversary includes formatting characters in a string input field on the target application. Most applications assume that users will provide static text and may respond unpredictably to the presence of formatting characters. For example, in certain functions of the C programming language such as printf, the formatting character %s will print the contents of a memory location, expecting this location to identify a string, and the formatting character %n writes the number of DWORDs written so far into memory. An adversary can use this to read or write to memory locations or files, or simply to manipulate the value of the resulting text in unexpected ways. Reading or writing memory may result in program crashes, and writing memory could result in the execution of arbitrary code if the adversary can write to the program stack.",
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"created": "2014-06-23T00:00:00.000Z",
"modified": "2019-09-30T00:00:00.000Z",
"external_references": [
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/135.html",
"external_id": "CAPEC-135"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/134.html",
"external_id": "CWE-134"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/20.html",
"external_id": "CWE-20"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/74.html",
"external_id": "CWE-74"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/133.html",
"external_id": "CWE-133"
},
{
"source_name": "reference_from_CAPEC",
"description": "Hal Burch, Brendan Saulsbury, FIO30-C. Exclude user input from format strings, 2011--05, CERT",
"url": "https://www.securecoding.cert.org/confluence/display/seccode/FIO30-C.+Exclude+user+input+from+format+strings",
"external_id": "REF-14"
},
{
"source_name": "reference_from_CAPEC",
"description": "Robert Auger, WASC Threat Classification 2.0, The Web Application Security Consortium (WASC)",
"url": "http://projects.webappsec.org/Format-String",
"external_id": "REF-15"
},
{
"source_name": "reference_from_CAPEC",
"description": "Fortify, The OWASP Application Security Desk Reference, 2010, The Open Web Application Security Project (OWASP)",
"url": "https://www.owasp.org/index.php/Format_String",
"external_id": "REF-16"
}
],
"x_capec_likelihood_of_attack": "High",
"x_capec_typical_severity": "High",
"x_capec_prerequisites": [
"The target application must accept a string as user input, fail to sanitize string formatting characters in the user input, and process this string using functions that interpret string formatting characters."
],
"x_capec_skills_required": {
"High": "Discovering format string vulnerabilities takes only low skill; however, converting this discovery into a working exploit requires advanced knowledge on the part of the adversary."
},
"x_capec_resources_required": [
"None: No specialized resources are required to execute this type of attack."
],
"x_capec_consequences": {
"Integrity": [
"Modify Data",
"Execute Unauthorized Commands (Run Arbitrary Code)"
],
"Confidentiality": [
"Read Data"
],
"Access_Control": [
"Bypass Protection Mechanism"
]
},
"x_capec_abstraction": "Standard",
"x_capec_example_instances": [
"Untrusted search path vulnerability in the add_filename_to_string function in intl/gettext/loadmsgcat.c for Elinks 0.11.1 allows local users to cause Elinks to use an untrusted gettext message catalog (.po file) in a \"../po\" directory, which can be leveraged to conduct format string attacks. See also: CVE-2007-2027"
],
"x_capec_status": "Draft",
"x_capec_version": "3.2",
"type": "attack-pattern",
"id": "attack-pattern--cbabea0a-39ed-4a6f-b752-238fe8c730af"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2019-09-30T00:00:00.000Z",
"name": "coa-135-0",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"description": "Limit the usage of formatting string functions.",
"type": "course-of-action",
"id": "course-of-action--2fed494b-5a78-425c-acaa-11d9ffec4342"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2019-09-30T00:00:00.000Z",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"type": "relationship",
"id": "relationship--d7b9dd8b-8e73-4e2b-ba24-d8b7c5a033ec",
"source_ref": "course-of-action--2fed494b-5a78-425c-acaa-11d9ffec4342",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--cbabea0a-39ed-4a6f-b752-238fe8c730af"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2019-09-30T00:00:00.000Z",
"name": "coa-135-1",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"description": "Strong input validation - All user-controllable input must be validated and filtered for illegal formatting characters.",
"type": "course-of-action",
"id": "course-of-action--132cab4e-0189-4458-80c6-5fce45bee5b1"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2019-09-30T00:00:00.000Z",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"type": "relationship",
"id": "relationship--dcb94cfe-e24f-4a9f-90fe-c4f2388067b2",
"source_ref": "course-of-action--132cab4e-0189-4458-80c6-5fce45bee5b1",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--cbabea0a-39ed-4a6f-b752-238fe8c730af"
},
{
"name": "LDAP Injection",
"description": "An attacker manipulates or crafts an LDAP query for the purpose of undermining the security of the target. Some applications use user input to create LDAP queries that are processed by an LDAP server. For example, a user might provide their username during authentication and the username might be inserted in an LDAP query during the authentication process. An attacker could use this input to inject additional commands into an LDAP query that could disclose sensitive information. For example, entering a * in the aforementioned query might return information about all users on the system. This attack is very similar to an SQL injection attack in that it manipulates a query to gather additional information or coerce a particular return value.",
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"created": "2014-06-23T00:00:00.000Z",
"modified": "2019-04-04T00:00:00.000Z",
"external_references": [
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/136.html",
"external_id": "CAPEC-136"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/77.html",
"external_id": "CWE-77"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/90.html",
"external_id": "CWE-90"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/20.html",
"external_id": "CWE-20"
},
{
"source_name": "reference_from_CAPEC",
"description": "WASC Threat Classification 2.0, 2010, The Web Application Security Consortium (WASC)",
"url": "http://projects.webappsec.org/LDAP-Injection",
"external_id": "REF-17"
}
],
"x_capec_likelihood_of_attack": "High",
"x_capec_typical_severity": "High",
"x_capec_prerequisites": [
"The target application must accept a string as user input, fail to sanitize characters that have a special meaning in LDAP queries in the user input, and insert the user-supplied string in an LDAP query which is then processed."
],
"x_capec_skills_required": {
"Medium": "The attacker needs to have knowledge of LDAP, especially its query syntax."
},
"x_capec_consequences": {
"Availability": [
"Unreliable Execution"
],
"Integrity": [
"Modify Data"
],
"Confidentiality": [
"Read Data"
],
"Authorization": [
"Execute Unauthorized Commands (Run Arbitrary Code)",
"Gain Privileges",
"Bypass Protection Mechanism"
],
"Accountability": [
"Gain Privileges"
],
"Authentication": [
"Gain Privileges"
],
"Non-Repudiation": [
"Gain Privileges"
],
"Access_Control": [
"Bypass Protection Mechanism"
]
},
"x_capec_abstraction": "Standard",
"x_capec_example_instances": [
"PowerDNS before 2.9.18, when running with an LDAP backend, does not properly escape LDAP queries, which allows remote attackers to cause a denial of service (failure to answer ldap questions) and possibly conduct an LDAP injection attack. See also: CVE-2005-2301"
],
"x_capec_status": "Draft",
"x_capec_version": "3.2",
"type": "attack-pattern",
"id": "attack-pattern--4b435e98-08cb-4464-bf08-32f95e011d05"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2019-04-04T00:00:00.000Z",
"name": "coa-136-0",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"description": "Strong input validation - All user-controllable input must be validated and filtered for illegal characters as well as LDAP content.",
"type": "course-of-action",
"id": "course-of-action--e5e6818b-d525-4ade-8d2e-11e4664731e6"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2019-04-04T00:00:00.000Z",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"type": "relationship",
"id": "relationship--9f1eb213-9854-4530-b7ae-cb3659bd69ac",
"source_ref": "course-of-action--e5e6818b-d525-4ade-8d2e-11e4664731e6",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--4b435e98-08cb-4464-bf08-32f95e011d05"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2019-04-04T00:00:00.000Z",
"name": "coa-136-1",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"description": "Use of custom error pages - Attackers can glean information about the nature of queries from descriptive error messages. Input validation must be coupled with customized error pages that inform about an error without disclosing information about the LDAP or application.",
"type": "course-of-action",
"id": "course-of-action--b1261793-b0f9-4ad7-90fb-d3f6a464ccfe"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2019-04-04T00:00:00.000Z",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"type": "relationship",
"id": "relationship--674db528-648e-458e-81fc-e9ef0a61222e",
"source_ref": "course-of-action--b1261793-b0f9-4ad7-90fb-d3f6a464ccfe",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--4b435e98-08cb-4464-bf08-32f95e011d05"
},
{
"name": "Parameter Injection",
"description": "An adversary manipulates the content of request parameters for the purpose of undermining the security of the target. Some parameter encodings use text characters as separators. For example, parameters in a HTTP GET message are encoded as name-value pairs separated by an ampersand (&). If an attacker can supply text strings that are used to fill in these parameters, then they can inject special characters used in the encoding scheme to add or modify parameters. For example, if user input is fed directly into an HTTP GET request and the user provides the value \"myInput&new_param=myValue\", then the input parameter is set to myInput, but a new parameter (new_param) is also added with a value of myValue. This can significantly change the meaning of the query that is processed by the server. Any encoding scheme where parameters are identified and separated by text characters is potentially vulnerable to this attack - the HTTP GET encoding used above is just one example.",
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"created": "2014-06-23T00:00:00.000Z",
"modified": "2019-04-04T00:00:00.000Z",
"external_references": [
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/137.html",
"external_id": "CAPEC-137"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/88.html",
"external_id": "CWE-88"
}
],
"x_capec_likelihood_of_attack": "Medium",
"x_capec_typical_severity": "Medium",
"x_capec_prerequisites": [
"The target application must use a parameter encoding where separators and parameter identifiers are expressed in regular text.",
"The target application must accept a string as user input, fail to sanitize characters that have a special meaning in the parameter encoding, and insert the user-supplied string in an encoding which is then processed."
],
"x_capec_resources_required": [
"None: No specialized resources are required to execute this type of attack. The only requirement is the ability to provide string input to the target."
],
"x_capec_consequences": {
"Integrity": [
"Modify Data (Successful parameter injection attacks mean a compromise to integrity of the application.)"
]
},
"x_capec_abstraction": "Meta",
"x_capec_status": "Stable",
"x_capec_version": "3.2",
"type": "attack-pattern",
"id": "attack-pattern--cde07b71-23e6-418d-93e9-665f5f83b032"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2019-04-04T00:00:00.000Z",
"name": "coa-137-0",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"description": "Implement an audit log written to a separate host. In the event of a compromise, the audit log may be able to provide evidence and details of the compromise.",
"type": "course-of-action",
"id": "course-of-action--1b38336c-de87-49c0-9183-cdb80f9fb73b"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2019-04-04T00:00:00.000Z",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"type": "relationship",
"id": "relationship--87d764be-a2f1-4a91-b9fb-61093b531c50",
"source_ref": "course-of-action--1b38336c-de87-49c0-9183-cdb80f9fb73b",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--cde07b71-23e6-418d-93e9-665f5f83b032"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2019-04-04T00:00:00.000Z",
"name": "coa-137-1",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"description": "Treat all user input as untrusted data that must be validated before use.",
"type": "course-of-action",
"id": "course-of-action--96f190f9-bfce-4fbd-b4fd-9d07e68f3681"
},
{
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2019-04-04T00:00:00.000Z",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"type": "relationship",
"id": "relationship--f667d453-e763-41ac-ad05-bcda477818fd",
"source_ref": "course-of-action--96f190f9-bfce-4fbd-b4fd-9d07e68f3681",
"relationship_type": "mitigates",
"target_ref": "attack-pattern--cde07b71-23e6-418d-93e9-665f5f83b032"
},
{
"name": "Reflection Injection",
"description": "An adversary supplies a value to the target application which is then used by reflection methods to identify a class, method, or field. For example, in the Java programming language the reflection libraries permit an application to inspect, load, and invoke classes and their components by name. If an adversary can control the input into these methods including the name of the class/method/field or the parameters passed to methods, they can cause the targeted application to invoke incorrect methods, read random fields, or even to load and utilize malicious classes that the adversary created. This can lead to the application revealing sensitive information, returning incorrect results, or even having the adversary take control of the targeted application.",
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"created": "2014-06-23T00:00:00.000Z",
"modified": "2019-09-30T00:00:00.000Z",
"external_references": [
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/138.html",
"external_id": "CAPEC-138"
}
],
"x_capec_typical_severity": "Very High",
"x_capec_prerequisites": [
"The target application must utilize reflection libraries and allow users to directly control the parameters to these methods. If the adversary can host classes where the target can invoke them, more powerful variants of this attack are possible.",
"The target application must accept a string as user input, fail to sanitize characters that have a special meaning in the parameter encoding, and insert the user-supplied string in an encoding which is then processed."
],
"x_capec_resources_required": [
"None: No specialized resources are required to execute this type of attack."
],
"x_capec_abstraction": "Standard",
"x_capec_status": "Draft",
"x_capec_version": "3.2",
"type": "attack-pattern",
"id": "attack-pattern--e3a32913-a4a6-4a3c-8f3b-a8a6dc16df53"
}
],
"type": "bundle",
"id": "bundle--efb39476-f294-441d-ba2d-2da25ed46d74",
"spec_version": "2.0"
}