CAPEC-467 Détail

CAPEC-467

Nom

Cross Site Identification

Gravité typique

Bas

Statut

Draft

Publié

2014-06-23
00h00 +00:00

Modifié

2022-02-22
00h00 +00:00

Liens officiels

CAPEC Mitre.org

Alerte pour un CAPEC

Restez informé de toutes modifications pour un CAPEC spécifique.

Gestion des notifications

Liste des Notifications

Alerte pour un CAPEC

Restez informé de toutes modifications pour un CAPEC spécifique.

Paramètres

Vous pouvez spécifier un titre qui sera récupéré dans les alertes qui seront envoyées.

Spécifiez le CAPEC ID que vous désirez surveiller.

Planifications

Mois

Prochaine exécution calculée

Jour

Jour de la semaine

Heure

Minute

Date de création

Dernière exécution

Prochaine exécution

Fonctionnalité nécessitant une connexion

Cette fonctionnalité qui vous permet de recevoir des alertes, n'est active que lorsque vous êtes connecté à votre compte.

Descriptions du CAPEC

An attacker harvests identifying information about a victim via an active session that the victim's browser has with a social networking site. A victim may have the social networking site open in one tab or perhaps is simply using the "remember me" feature to keep their session with the social networking site active. An attacker induces a payload to execute in the victim's browser that transparently to the victim initiates a request to the social networking site (e.g., via available social network site APIs) to retrieve identifying information about a victim. While some of this information may be public, the attacker is able to harvest this information in context and may use it for further attacks on the user (e.g., spear phishing).

Informations du CAPEC

Conditions préalables

The victim has an active session with the social networking site.

Compétences requises

An attacker should be able to create a payload and deliver it to the victim's browser.
An attacker needs to know how to interact with various social networking sites (e.g., via available APIs) to request information and how to send the harvested data back to the attacker.

Atténuations

Usage: Users should always explicitly log out from the social networking sites when done using them.
Usage: Users should not open other tabs in the browser when using a social networking site.

Faiblesses connexes

CWE-ID	Nom de la faiblesse
CWE-352	Cross-Site Request Forgery (CSRF) The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.
CWE-359	Exposure of Private Personal Information to an Unauthorized Actor The product does not properly prevent a person's private, personal information from being accessed by actors who either (1) are not explicitly authorized to access the information or (2) do not have the implicit consent of the person about whom the information is collected.

Références

REF-404

Cross Site Identification - or - How your social network might expose you when you least expect it
Ronen.
http://blog.quaji.com/2009/12/out-of-context-information-disclosure.html

Soumission

Nom	Organisation	Date	Date de publication
CAPEC Content Team	The MITRE Corporation	2014-06-23 +00:00

Modifications

Nom	Organisation	Date	Commentaire
CAPEC Content Team	The MITRE Corporation	2020-07-30 +00:00	Updated Description, Related_Attack_Patterns
CAPEC Content Team	The MITRE Corporation	2020-12-17 +00:00	Updated Description, Example_Instances, Mitigations
CAPEC Content Team	The MITRE Corporation	2022-02-22 +00:00	Updated Description, Extended_Description

Détail du CAPEC-467