{
"type": "bundle",
"id": "bundle--1a447255-6d94-4441-87d7-80bf4872fb88",
"spec_version": "2.0",
"objects": [
{
"x_mitre_platforms": [
"Android",
"iOS"
],
"x_mitre_domains": [
"mobile-attack"
],
"x_mitre_contributors": [
"Leo Zhang, Trend Micro",
"Steven Du, Trend Micro"
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"type": "attack-pattern",
"id": "attack-pattern--789ef15a-34d9-4b32-a779-8cbbc9eb32f5",
"created": "2022-04-01T15:15:35.640Z",
"x_mitre_version": "1.0",
"external_references": [
{
"source_name": "mitre-attack",
"external_id": "T1635.001",
"url": "https://attack.mitre.org/techniques/T1635/001"
},
{
"source_name": "Android-AppLinks",
"url": "https://developer.android.com/training/app-links/index.html",
"description": "Android. (n.d.). Handling App Links. Retrieved December 21, 2016."
},
{
"source_name": "Trend Micro iOS URL Hijacking",
"url": "https://blog.trendmicro.com/trendlabs-security-intelligence/ios-url-scheme-susceptible-to-hijacking/",
"description": "L. Wu, Y. Zhou, M. Li. (2019, July 12). iOS URL Scheme Susceptible to Hijacking. Retrieved September 11, 2020."
},
{
"source_name": "IETF-PKCE",
"url": "https://tools.ietf.org/html/rfc7636",
"description": "N. Sakimura, J. Bradley, and N. Agarwal. (2015, September). IETF RFC 7636: Proof Key for Code Exchange by OAuth Public Clients. Retrieved December 21, 2016."
},
{
"source_name": "IETF-OAuthNativeApps",
"url": "https://tools.ietf.org/html/rfc8252",
"description": "W. Denniss and J. Bradley. (2017, October). IETF RFC 8252: OAuth 2.0 for Native Apps. Retrieved November 30, 2018."
}
],
"x_mitre_deprecated": false,
"revoked": false,
"description": "Adversaries may register Uniform Resource Identifiers (URIs) to intercept sensitive data. \n\nApplications regularly register URIs with the operating system to act as a response handler for various actions, such as logging into an app using an external account via single sign-on. This allows redirections to that specific URI to be intercepted by the application. If an adversary were to register a URI that was already in use by a genuine application, the adversary may be able to intercept data intended for the genuine application or perform a phishing attack against the genuine application. Intercepted data may include OAuth authorization codes or tokens that could be used by the adversary to gain access to protected resources.(Citation: Trend Micro iOS URL Hijacking)(Citation: IETF-PKCE) ",
"modified": "2022-04-06T12:44:03.799Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"name": "URI Hijacking",
"x_mitre_detection": "On Android, users may be presented with a popup to select the appropriate application to open the URI in. If the user sees an application they do not recognize, they can remove it. When vetting applications for potential security weaknesses, the vetting process could look for insecure use of Intents. Developers should be encouraged to use techniques to ensure that the intent can only be sent to an appropriate destination (e.g., use explicit rather than implicit intents, permission checking, checking of the destination app's signing certificate, or utilizing the App Links feature). For mobile applications using OAuth, encourage use of the best practices in RFC 8252, including PKCE (RFC 7636), so that an intercepted authorization code alone cannot be exchanged for tokens. (Citation: IETF-OAuthNativeApps)(Citation: Android-AppLinks)",
"kill_chain_phases": [
{
"phase_name": "credential-access",
"kill_chain_name": "mitre-mobile-attack"
}
],
"x_mitre_is_subtechnique": true,
"x_mitre_tactic_type": [
"Post-Adversary Device Access"
],
"x_mitre_attack_spec_version": "2.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
}
]
} |