CAPEC-207

Removing Important Client Functionality
Likelihood of Attack: MEDIUM
Typical Severity: HIGH
Status: Draft
Submitted: 2014-06-23 00:00 +00:00
Last modified: 2023-01-24 00:00 +00:00


Description

An adversary removes or disables functionality on the client that the server assumes to be present and trustworthy.

Information

Execution Flow

1) Explore

[Probing] The adversary probes, through brute-forcing, reverse engineering or other similar means, the functionality on the client that the server assumes to be present and trustworthy.

Technique
  • The adversary probes by exploring an application's functionality and its underlying mapping to server-side components.
  • The adversary reverse engineers client-side code to identify the functionality that the server relies on for the proper or secure operation.

2) Experiment

[Determine which functionality to disable or remove] From the list of functionality identified in the Explore phase, the adversary determines, typically by reverse engineering the client, which pieces the server depends on and can therefore be disabled or removed to advantage.

Technique
  • The adversary reverse engineers the client-side code to determine which functionality to disable or remove.

3) Exploit

[Disable or remove the critical functionality from the client code] Once the functionality has been determined, the adversary disables or removes the critical functionality from the client code to perform malicious actions that the server believes are prohibited.

Technique
  • The adversary disables or removes the functionality from the client-side code in order to perform malicious actions, such as sending dangerous content (for example, scripts) to the server that the intact client would have filtered out.

Prerequisites

The targeted server must assume the client performs important actions to protect the server or the server functionality. For example, the server may assume the client filters outbound traffic or that the client performs all price calculations correctly. Moreover, the server must fail to detect when these assumptions are violated by a client.

Skills Required

The ability to reverse engineer the client-side code and disable or remove the functionality on the client that the server relies on.
The adversary installs a web tool that allows scripts or the DOM of a web-based application to be modified before they are executed in the browser. GreaseMonkey and Firebug are two examples of such tools (Firebug has since been discontinued; the same capability is built into the developer tools shipped with current browsers).

Resources Required

The adversary must have access to a client and be able to modify the client behavior, often through reverse engineering. If the server is assuming specific client functionality, this usually means the server only recognizes a specific client application, rather than a broad class of client applications. Reverse engineering tools would likely be necessary.

Mitigations

Design: For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side.
Design: Ship client-side application with integrity checks (code signing) when possible.
Design: Use obfuscation and other techniques to make reverse engineering of the client code more costly. Note that obfuscation only raises the effort required; it does not prevent a determined adversary from modifying the client, so it is no substitute for the server-side checks above.
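The following is an added example, not part of the CAPEC entry, that ties the Execution Flow and Prerequisites above to the first mitigation. It models the two assumptions the Prerequisites name (the client filters dangerous content out of a note, and the client computes the order total), a modified client that has had both pieces of functionality removed, a server that trusts the client, and a hardened server that re-derives the total from its own catalog and re-validates the input. The catalog, the order shape and the simple angle-bracket filter are assumptions made for the example; the prices are in integer cents to avoid floating-point rounding.

```javascript
// Added example (not from CAPEC-207): server that trusts client-side
// enforcement versus server that duplicates the checks. All names and
// data below are constructed for illustration.

// Assumed server-side price list, in integer cents.
const CATALOG = { widget: 1999, gadget: 450 };

// "Important client functionality" the server assumes is present:
// an outbound content filter and the price calculation.
function clientSideFilter(text) {
  return text.replace(/[<>]/g, "");
}
function clientSideTotal(items) {
  return items.reduce((sum, i) => sum + CATALOG[i.sku] * i.qty, 0);
}

// An intact client runs both functions before submitting.
function buildOrderIntact(items, note) {
  return { items, total: clientSideTotal(items), note: clientSideFilter(note) };
}

// A client modified per CAPEC-207: the filter and the calculation have
// been removed, so the adversary supplies any total and any note.
function buildOrderModified(items, note, total) {
  return { items, total, note };
}

// Vulnerable server (CWE-602): charges the client-supplied total and
// stores the note as received, assuming the client filtered it.
function vulnerableCheckout(order) {
  return { charged: order.total, storedNote: order.note };
}

// Hardened server: recomputes the total from its own catalog, rejects
// a mismatch, and re-applies the content check the client was supposed
// to perform. Every error below is something the vulnerable server
// silently accepts.
function hardenedCheckout(order) {
  if (!Array.isArray(order.items) || order.items.length === 0) {
    throw new Error("bad items");
  }
  let total = 0;
  for (const item of order.items) {
    if (!(item.sku in CATALOG)) throw new Error("unknown sku");
    if (!Number.isInteger(item.qty) || item.qty <= 0) throw new Error("bad qty");
    total += CATALOG[item.sku] * item.qty;
  }
  if (order.total !== total) throw new Error("total mismatch");
  if (typeof order.note !== "string" || /[<>]/.test(order.note)) {
    throw new Error("unfiltered note");
  }
  return { charged: total, storedNote: order.note };
}

// Stand-alone run: shows the modified client succeeding against the
// vulnerable server and being rejected by the hardened one.
function demo() {
  const items = [{ sku: "widget", qty: 2 }, { sku: "gadget", qty: 1 }];
  const intact = buildOrderIntact(items, "thanks <b>");
  const tampered = buildOrderModified(items, "<script>x()</script>", 1);
  const result = {
    intactCharged: hardenedCheckout(intact).charged,
    vulnerableChargedTampered: vulnerableCheckout(tampered).charged,
    hardenedRejectsTampered: null,
  };
  try {
    hardenedCheckout(tampered);
  } catch (e) {
    result.hardenedRejectsTampered = e.message;
  }
  return result;
}

console.log(demo());
```

The hardened handler treats the client-supplied total purely as a claim to be checked against a server-side recomputation; dropping the client's filter or calculation then changes nothing the server accepts, which is exactly the condition the Prerequisites section says must hold for the attack to succeed.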

Related Weaknesses

CWE-ID Weakness Name
CWE-602 Client-Side Enforcement of Server-Side Security
The product is composed of a server that relies on the client to implement a mechanism that is intended to protect the server.

References

REF-75

Wikipedia
http://en.wikipedia.org/wiki/Greasemonkey

REF-76

Firebug
http://getfirebug.com/

REF-77

Mozilla Firefox Add-ons
https://addons.mozilla.org/en-US/firefox/addon/greasemonkey/

Submission

Name Organization Date Date Release
CAPEC Content Team The MITRE Corporation 2014-06-23 +00:00

Modifications

Name Organization Date Comment
CAPEC Content Team The MITRE Corporation 2015-12-07 +00:00 Updated Attacker_Skills_or_Knowledge_Required, Description Summary, Examples-Instances, References, Related_Vulnerabilities
CAPEC Content Team The MITRE Corporation 2019-04-04 +00:00 Updated Consequences, Related_Attack_Patterns
CAPEC Content Team The MITRE Corporation 2022-09-29 +00:00 Updated Description, Example_Instances, Execution_Flow, Extended_Description, Resources_Required, Skills_Required
CAPEC Content Team The MITRE Corporation 2023-01-24 +00:00 Updated Example_Instances