CAPEC-383
Harvesting Information via API Event Monitoring
Bas
Draft
2014-06-23
00h00 +00:00
00h00 +00:00
2022-09-29
00h00 +00:00
00h00 +00:00
Alerte pour un CAPEC
Restez informé de toutes modifications pour un CAPEC spécifique.
Descriptions du CAPEC
An adversary hosts an event within an application framework and then monitors the data exchanged during the course of the event for the purpose of harvesting any important data leaked during the transactions. One example could be harvesting lists of usernames or userIDs for the purpose of sending spam messages to those users. One example of this type of attack involves the adversary creating an event within the sub-application. Assume the adversary hosts a "virtual sale" of rare items. As other users enter the event, the attacker records via AiTM (CAPEC-94) proxy the user_ids and usernames of everyone who attends. The adversary would then be able to spam those users within the application using an automated script.
Informations du CAPEC
Conditions préalables
The target software is utilizing application framework APIsAtténuations
Leverage encryption techniques during information transactions so as to protect them from attack patterns of this kind.Faiblesses connexes
| Nom de la faiblesse | |
|---|---|
CWE-311 |
Missing Encryption of Sensitive Data The product does not encrypt sensitive or critical information before storage or transmission. |
CWE-319 |
Cleartext Transmission of Sensitive Information The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors. |
CWE-419 |
Unprotected Primary Channel The product uses a primary channel for administration or restricted functionality, but it does not properly protect the channel. |
CWE-602 |
Client-Side Enforcement of Server-Side Security The product is composed of a server that relies on the client to implement a mechanism that is intended to protect the server. |
Références
REF-327
So Many Ways [...]: Exploiting Facebook and YoVilleTom Stracener, Sean Barnum.
Soumission
| Nom | Organisation | Date | Date de publication |
|---|---|---|---|
| CAPEC Content Team | The MITRE Corporation |
Modifications
| Nom | Organisation | Date | Commentaire |
|---|---|---|---|
| CAPEC Content Team | The MITRE Corporation | Updated Attack_Motivation-Consequences, Attack_Prerequisites, Description Summary, Related_Attack_Patterns, Resources_Required, Solutions_and_Mitigations | |
| CAPEC Content Team | The MITRE Corporation | Updated Related_Attack_Patterns | |
| CAPEC Content Team | The MITRE Corporation | Updated Resources_Required | |
| CAPEC Content Team | The MITRE Corporation | Updated Description | |
| CAPEC Content Team | The MITRE Corporation | Updated Related_Attack_Patterns, Taxonomy_Mappings |
Les informations affichées sur CVE Find proviennent de plusieurs sources de référence rigoureusement sélectionnées. Les données CVE sont fournies par MITRE Corporation et la National Vulnerability Database (NVD). Le catalogue des vulnérabilités activement exploitées (KEV) provient de la Cybersecurity and Infrastructure Security Agency (CISA), tandis que les scores EPSS sont issus de FIRST.org. Enfin, les données relatives aux faiblesses logicielles (CWE) et aux schémas d'attaque courants (CAPEC)
sont maintenues par MITRE Corporation, et les informations sur les configurations
logicielles et matérielles (CPE) proviennent du NVD.