CAPEC-113: API Manipulation

API Manipulation

状态:Stable

Typical_Severify: Medium

攻击可能性:Medium

描述

An adversary manipulates the use or processing of an Application Programming Interface (API) resulting in an adverse impact upon the security of the system implementing the API. This can allow the adversary to execute functionality not intended by the API implementation, possibly compromising the system which integrates the API. API manipulation can take on a number of forms including forcing the unexpected use of an API, or the use of an API in an unintended way. For example, an adversary may make a request to an application that leverages a non-standard API that is known to incorrectly validate its data and thus it may be manipulated by supplying metacharacters or alternate encodings as input, resulting in any number of injection flaws, including SQL injection, cross-site scripting, or command execution. Another example could be API methods that should be disabled in a production application but were not, thus exposing dangerous functionality within a production environment.

相关攻击模式

ParentOf: CAPEC-121 | Exploit Test APIs

ParentOf: CAPEC-133 | Try All Common Switches

ParentOf: CAPEC-160 | Exploit Script-Based APIs

ParentOf: CAPEC-36 | Using Unpublished APIs

前置条件

The target system must expose API functionality in a manner that can be discovered and manipulated by an adversary. This may require reverse engineering the API syntax or decrypting/de-obfuscating client-server exchanges.

所需资源

The requirements vary depending upon the nature of the API. For application-layer APIs related to the processing of the HTTP protocol, one or more of the following may be needed: a MITM (Man-In-The-Middle) proxy, a web browser, or a programming/scripting language.

实例

相关CWE

227 | 履行API合约不恰当(API滥用)

内容历史记录

提交

2014-06-23 | CAPEC Content Team | The MITRE Corporation

修改

2015-12-07 | CAPEC Content Team | The MITRE Corporation

Updated Attack_Prerequisites, Description Summary, Related_Attack_Patterns

2017-05-01 | CAPEC Content Team | The MITRE Corporation

Updated Activation_Zone, Injection_Vector, Payload, Payload_Activation_Impact, Related_Weaknesses, Typical_Likelihood_of_Exploit