English
Français
Light
Dark
System

Alert System

Stay informed at all times
Create an account Open a free account Login Manage your alerts

CAPEC-22

Exploiting Trust in Client
HIGH
HIGH
Draft
2014-06-23 00:00 +00:00
2019-09-30 00:00 +00:00
CAPEC Mitre.org

Alerte pour un CAPEC

Stay informed of any changes for a specific CAPEC.
Alert management

Description

An attack of this type exploits vulnerabilities in client/server communication channel authentication and data integrity. It leverages the implicit trust a server places in the client, or more importantly, that which the server believes is the client. An attacker executes this type of attack by communicating directly with the server where the server believes it is communicating only with a valid client. There are numerous variations of this type of attack.

Informations

Prerequisites

Server software must rely on client side formatted and validated values, and not reinforce these checks on the server side.

Skills Required

The attacker must have fairly detailed knowledge of the syntax and semantics of client/server communications protocols and grammars

Resources Required

Ability to communicate synchronously or asynchronously with server

Mitigations

Design: Ensure that client process and/or message is authenticated so that anonymous communications and/or messages are not accepted by the system.
Design: Do not rely on client validation or encoding for security purposes.
Design: Utilize digital signatures to increase authentication assurance.
Design: Utilize two factor authentication to increase authentication assurance.
Implementation: Perform input validation for all remote content.

Related Weaknesses

CWE-ID Weakness Name
CWE-290 Authentication Bypass by Spoofing
This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks.
CWE-287 Improper Authentication
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
CWE-20 Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
CWE-693 Protection Mechanism Failure
The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product.

References

REF-1

Exploiting Software: How to Break Code
G. Hoglund, G. McGraw.

Submission

Name Organization Date Date Release
CAPEC Content Team The MITRE Corporation 2014-06-23 +00:00

Modifications

Name Organization Date Comment
CAPEC Content Team The MITRE Corporation 2015-12-07 +00:00 Updated Description Summary, Related_Attack_Patterns
CAPEC Content Team The MITRE Corporation 2019-09-30 +00:00 Updated Description

More information
Click on the button to the left (OFF), to authorize the inscription of cookie improving the functionalities of the site. Click on the button to the left (Accept all), to unauthorize the inscription of cookie improving the functionalities of the site.