An adversary targets the communication between two components (typically client and server), in order to alter or obtain data from transactions. A general approach entails the adversary placing themself within the communication channel between the two components.
[Determine Communication Mechanism] The adversary determines the nature and mechanism of communication between two components, looking for opportunities to exploit.
[Position In Between Targets] The adversary inserts themself into the communication channel initially acting as a routing proxy between the two targeted components.
[Use Intercepted Data Maliciously] The adversary observes, filters, or alters passed data of its choosing to gain access to sensitive information or to manipulate the actions of the two target components for their own purposes.
Weakness Name | |
---|---|
Channel Accessible by Non-Endpoint The product does not adequately verify the identity of actors at both ends of a communication channel, or does not adequately ensure the integrity of the channel, in a way that allows the channel to be accessed or influenced by an actor that is not an endpoint. |
|
Authentication Bypass by Spoofing This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks. |
|
Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are Created The product modifies the SSL context after connection creation has begun. |
|
Improper Authentication When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct. |
|
Authentication Bypass by Capture-replay A capture-replay flaw exists when the design of the product makes it possible for a malicious user to sniff network traffic and bypass authentication by replaying it to the server in question to the same effect as the original message (or with minor changes). |
Name | Organization | Date | Date Release |
---|---|---|---|
CAPEC Content Team | The MITRE Corporation |
Name | Organization | Date | Comment |
---|---|---|---|
CAPEC Content Team | The MITRE Corporation | Updated Examples-Instances, Related_Vulnerabilities | |
CAPEC Content Team | The MITRE Corporation | Updated References | |
CAPEC Content Team | The MITRE Corporation | Updated Example_Instances, Related_Attack_Patterns, Taxonomy_Mappings | |
CAPEC Content Team | The MITRE Corporation | Updated @Abstraction, Description, Related_Attack_Patterns | |
CAPEC Content Team | The MITRE Corporation | Updated Description, Example_Instances, Execution_Flow, Taxonomy_Mappings | |
CAPEC Content Team | The MITRE Corporation | Updated Related_Attack_Patterns, Taxonomy_Mappings | |
CAPEC Content Team | The MITRE Corporation | Updated @Name, @Status, Alternate_Terms, Description, Example_Instances, Execution_Flow, Mitigations, References, Related_Attack_Patterns, Related_Weaknesses, Taxonomy_Mappings | |
CAPEC Content Team | The MITRE Corporation | Updated Description, Execution_Flow, Extended_Description | |
CAPEC Content Team | The MITRE Corporation | Updated Taxonomy_Mappings |