Scope | Impact | Likelihood |
---|---|---|
Confidentiality Integrity Availability Access Control Other | Bypass Protection Mechanism, Read Application Data, Gain Privileges or Assume Identity, Varies by Context Note: The severity of the exposed debug application will depend on the particular instance. At the least, it will give an attacker sensitive information about the settings and mechanics of web applications on the server. At worst, as is often the case, the debug application will allow an attacker complete control over the web application and server, as well as confidential information that either of these access. |
CAPEC-ID | Attack Pattern Name |
---|---|
CAPEC-121 | Exploit Non-Production Interfaces An adversary exploits a sample, demonstration, test, or debug interface that is unintentionally enabled on a production system, with the goal of gleaning information or leveraging functionality that would otherwise be unavailable. |
CAPEC-661 | Root/Jailbreak Detection Evasion via Debugging An adversary inserts a debugger into the program entry point of a mobile application to modify the application binary, with the goal of evading Root/Jailbreak detection. Mobile device users often Root/Jailbreak their devices in order to gain administrative control over the mobile operating system and/or to install third-party mobile applications that are not provided by authorized application stores (e.g. Google Play Store and Apple App Store). Rooting/Jailbreaking a mobile device also provides users with access to system debuggers and disassemblers, which can be leveraged to exploit applications by dumping the application's memory at runtime in order to remove or bypass signature verification methods. This further allows the adversary to evade Root/Jailbreak detection mechanisms, which can result in execution of administrative commands, obtaining confidential data, impersonating legitimate users of the application, and more. |
Name | Organization | Date | Date release | Version |
---|---|---|---|---|
7 Pernicious Kingdoms | Draft 3 |
Name | Organization | Date | Comment |
---|---|---|---|
Eric Dalci | Cigital | updated Potential_Mitigations, Time_of_Introduction | |
KDM Analytics | added/updated white box definitions | ||
CWE Content Team | MITRE | updated Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings | |
CWE Content Team | MITRE | updated Demonstrative_Examples | |
CWE Content Team | MITRE | updated Common_Consequences | |
CWE Content Team | MITRE | updated Common_Consequences | |
CWE Content Team | MITRE | updated Common_Consequences | |
CWE Content Team | MITRE | updated Relationships | |
CWE Content Team | MITRE | updated Potential_Mitigations | |
CWE Content Team | MITRE | updated Description, Modes_of_Introduction, Other_Notes, Time_of_Introduction | |
CWE Content Team | MITRE | updated Relationships, Taxonomy_Mappings | |
CWE Content Team | MITRE | updated Applicable_Platforms, Relationships, White_Box_Definitions | |
CWE Content Team | MITRE | updated Weakness_Ordinalities | |
CWE Content Team | MITRE | updated Related_Attack_Patterns | |
CWE Content Team | MITRE | updated Description, Name, References, Relationships | |
CWE Content Team | MITRE | updated Related_Attack_Patterns | |
CWE Content Team | MITRE | updated Alternate_Terms | |
CWE Content Team | MITRE | updated Applicable_Platforms, Description, Relationships | |
CWE Content Team | MITRE | updated Detection_Factors, Relationships | |
CWE Content Team | MITRE | updated Mapping_Notes |