CAPEC-121: Exploit Test APIs

Exploit Test APIs

状态:Draft

Typical_Severify: High

攻击可能性:Low

描述

An attacker exploits a sample, demonstration, or test API that is insecure by default and should not be resident on production systems. Some applications include APIs that are intended to allow an administrator to test and refine their domain. These APIs should usually be disabled once a system enters a production environment. Testing APIs may expose a great deal of diagnostic information intended to aid an administrator, but which can also be used by an attacker to further refine their attack. Moreover, testing APIs may not have adequate security controls or may not have undergone rigorous testing since they were not intended for use in production environments. As such, they may have many flaws and vulnerabilities that would allow an attacker to severely disrupt a target.

相关攻击模式

ChildOf: CAPEC-113 |API Manipulation

Execution Flow Attack Setp

Setp 1 Explore

[Determine Vulnerable API] An adversary explores a target system for sample or test APIs that have not been disabled by a system administrator and which may be exploitable by the adversary.

Setp 2 Exploit

[Leverage Test API to Execute Attacks] Once an adversary has discovered a system with a sample or test API, the API is leveraged to exploit the system and/or conduct various attacks.

前置条件

The target must have installed test APIs and failed to secure or remove them when brought into a production environment.

所需资源

For some APIs, the attacker will need that appropriate client application that interfaces with the API. Other APIs can be executed using simple tools, such as web browsers or console windows. In some cases, an attacker may need to be able to authenticate to the target before it can access the vulnerable APIs.

缓解措施

Ensure that production systems to not contain sample or test APIs and that these APIs are only used in development environments.

实例

相关CWE

489 | 遗留的调试代码

内容历史记录

提交

2014-06-23 | CAPEC Content Team | The MITRE Corporation

修改

2018-07-31 | CAPEC Content Team | The MITRE Corporation

Updated Activation_Zone, Attack_Phases, Description, Description Summary, Injection_Vector, Payload, Payload_Activation_Impact, Solutions_and_Mitigations, Typical_Likelihood_of_Exploit

2019-04-04 | CAPEC Content Team | The MITRE Corporation

Updated Related_Weaknesses