Dettaglio CAPEC-22

CAPEC-22

Exploiting Trust in Client
Alto
Alto
Draft
2014-06-23
00h00 +00:00
2019-09-30
00h00 +00:00
CAPEC Mitre.org
Avviso per un CAPEC specifico
Rimani informato su qualsiasi modifica relativa a un CAPEC specifico.
Gestione notifiche

Descrizioni CAPEC

An attack of this type exploits vulnerabilities in client/server communication channel authentication and data integrity. It leverages the implicit trust a server places in the client, or more importantly, that which the server believes is the client. An attacker executes this type of attack by communicating directly with the server where the server believes it is communicating only with a valid client. There are numerous variations of this type of attack.

Informazioni CAPEC

Prerequisiti

Server software must rely on client side formatted and validated values, and not reinforce these checks on the server side.

Competenze richieste

The attacker must have fairly detailed knowledge of the syntax and semantics of client/server communications protocols and grammars

Risorse richieste

Ability to communicate synchronously or asynchronously with server

Mitigazioni

Design: Ensure that client process and/or message is authenticated so that anonymous communications and/or messages are not accepted by the system.
Design: Do not rely on client validation or encoding for security purposes.
Design: Utilize digital signatures to increase authentication assurance.
Design: Utilize two factor authentication to increase authentication assurance.
Implementation: Perform input validation for all remote content.

Vulnerabilità correlate

CWE-ID Nome della vulnerabilità

CWE-290

 Authentication Bypass by Spoofing
This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks.

CWE-287

 Improper Authentication
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

CWE-20

 Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

CWE-200

 Exposure of Sensitive Information to an Unauthorized Actor
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

CWE-693

 Protection Mechanism Failure
The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product.

Riferimenti

REF-1

Exploiting Software: How to Break Code
G. Hoglund, G. McGraw.

Invio

Nome Organizzazione Data Data di rilascio
CAPEC Content Team The MITRE Corporation 2014-06-23 +00:00

Modifiche

Nome Organizzazione Data Commento
CAPEC Content Team The MITRE Corporation 2015-12-07 +00:00 Updated Description Summary, Related_Attack_Patterns
CAPEC Content Team The MITRE Corporation 2019-09-30 +00:00 Updated Description
Le informazioni presentate su CVE Find provengono da diverse fonti di riferimento attentamente selezionate. I dati CVE sono forniti da MITRE Corporation e dal National Vulnerability Database (NVD). Il catalogo delle vulnerabilità sfruttate conosciute (KEV) proviene dalla Cybersecurity and Infrastructure Security Agency (CISA), mentre i punteggi EPSS provengono da FIRST.org. Inoltre, i dati relativi alle vulnerabilità software (CWE) e ai pattern di attacco comuni (CAPEC) sono mantenuti da MITRE Corporation, e le informazioni sulle configurazioni hardware e software (CPE) sono fornite da NVD.