CAPEC-208
Removing/short-circuiting 'Purse' logic: removing/mutating 'cash' decrements
Média
Draft
2014-06-23
00h00 +00:00
00h00 +00:00
2017-08-04
00h00 +00:00
00h00 +00:00
Alerta para um CAPEC
Fique informado sobre quaisquer alterações para um CAPEC específico.
Descrições CAPEC
An attacker removes or modifies the logic on a client associated with monetary calculations resulting in incorrect information being sent to the server. A server may rely on a client to correctly compute monetary information. For example, a server might supply a price for an item and then rely on the client to correctly compute the total cost of a purchase given the number of items the user is buying. If the attacker can remove or modify the logic that controls these calculations, they can return incorrect values to the server. The attacker can use this to make purchases for a fraction of the legitimate cost or otherwise avoid correct billing for activities.
Informações CAPEC
Pré-requisitos
The targeted server must rely on the client to correctly perform monetary calculations and must fail to detect errors in these calculations.Recursos Necessários
The attacker must have access to the client for the targeted service (this step is trivial for most web-based services). The attacker must also be able to reverse engineer the client in order to locate and modify the client's purse logic. Reverse engineering tools would be necessary for this.Fraquezas Relacionadas
| Nome da Fraqueza | |
|---|---|
CWE-602 |
Client-Side Enforcement of Server-Side Security The product is composed of a server that relies on the client to implement a mechanism that is intended to protect the server. |
Submissão
| Nome | Organização | Data | Data de lançamento |
|---|---|---|---|
| CAPEC Content Team | The MITRE Corporation |
Modificações
| Nome | Organização | Data | Comentário |
|---|---|---|---|
| CAPEC Content Team | The MITRE Corporation | Updated Related_Attack_Patterns | |
| CAPEC Content Team | The MITRE Corporation | Updated Resources_Required |
