CAPEC-114: Authentication Abuse

Authentication Abuse

状态:Draft

Typical_Severify: Medium

攻击可能性:None

描述

An attacker obtains unauthorized access to an application, service or device either through knowledge of the inherent weaknesses of an authentication mechanism, or by exploiting a flaw in the authentication scheme's implementation. In such an attack an authentication mechanism is functioning but a carefully controlled sequence of events causes the mechanism to grant access to the attacker. This attack may exploit assumptions made by the target's authentication procedures, such as assumptions regarding trust relationships or assumptions regarding the generation of secret values. This attack differs from Authentication Bypass attacks in that Authentication Abuse allows the attacker to be certified as a valid user through illegitimate means, while Authentication Bypass allows the user to access protected material without ever being certified as an authenticated user. This attack does not rely on prior sessions established by successfully authenticating users, as relied upon for the "Exploitation of Session Variables, Resource IDs and other Trusted Credentials" attack patterns.

相关攻击模式

ParentOf: CAPEC-629 | Unauthorized Use of Device Resources

ParentOf: CAPEC-90 | Reflection Attack in Authentication Protocol

前置条件

An authentication mechanism or subsystem implementing some form of authentication such as passwords, digest authentication, security certificates, etc. which is flawed in some way.

所需资源

A client application, command-line access to a binary, or scripting language capable of interacting with the authentication mechanism.

实例

相关CWE

287 | 认证机制不恰当

内容历史记录

提交

2014-06-23 | CAPEC Content Team | The MITRE Corporation

修改

2015-11-09 | CAPEC Content Team | The MITRE Corporation

Updated Related_Attack_Patterns