CAPEC-278

Web Services Protocol Manipulation
Draft
2014-06-23
00h00 +00:00
2019-04-04
00h00 +00:00
CAPEC Mitre.org
Alerta para un CAPEC
Manténgase informado sobre cualquier cambio en un CAPEC específico.
Gestionar notificaciones

Descripciones CAPEC

An adversary manipulates a web service related protocol to cause a web application or service to react differently than intended. This can either be performed through the manipulation of call parameters to include unexpected values, or by changing the called function to one that should normally be restricted or limited. By leveraging this pattern of attack, the adversary is able to gain access to data or resources normally restricted, or to cause the application or service to crash.

Informaciones CAPEC

Prerrequisitos

The targeted application or service must rely on web service protocols in such a way that malicious manipulation of them can alter functionality.

Recursos requeridos

The attacker must be able to manipulate the communications to the targeted application or service.

Mitigaciones

Design: Range, size and value and consistency verification for any arguments supplied to applications and services from external sources and devise appropriate error response.
Design: Ensure that function calls that should not be called by an unprivileged user are not accessible to them.

Debilidades relacionadas

CWE-ID Nombre de la debilidad

CWE-707

 Improper Neutralization
The product does not ensure or incorrectly ensures that structured messages or data are well-formed and that certain security properties are met before being read from an upstream component or sent to a downstream component.

Envío

Nombre Organización Fecha Fecha de lanzamiento
CAPEC Content Team The MITRE Corporation 2014-06-23 +00:00

Modificaciones

Nombre Organización Fecha Comentario
CAPEC Content Team The MITRE Corporation 2018-07-31 +00:00 Updated Attack_Prerequisites, Description Summary, Resources_Required, Solutions_and_Mitigations
CAPEC Content Team The MITRE Corporation 2019-04-04 +00:00 Updated Related_Weaknesses
La información presentada en CVE Find proviene de varias fuentes de referencia cuidadosamente seleccionadas. Los datos CVE son proporcionados por MITRE Corporation y la Base de Datos Nacional de Vulnerabilidades (NVD). El catálogo de Vulnerabilidades Explotadas Conocidas (KEV) proviene de la Agencia de Seguridad de Infraestructura y Ciberseguridad (CISA), mientras que las puntuaciones EPSS provienen de FIRST.org. Además, los datos sobre debilidades de software (CWE) y patrones de ataque comunes (CAPEC) son mantenidos por MITRE Corporation, y la información sobre configuraciones de hardware y software (CPE) es proporcionada por la NVD.