CAPEC-1: Accessing Functionality Not Properly Constrained by ACLs

Standard Draft 严重程度: High 攻击可能性: High

CAPEC版本: 3.9

更新日期: 2023-01-24

攻击模式描述

In applications, particularly web applications, access to functionality is mitigated by an authorization framework. This framework maps Access Control Lists (ACLs) to elements of the application's functionality; particularly URL's for web apps. In the case that the administrator failed to specify an ACL for a particular element, an attacker may be able to access it with impunity. An attacker with the ability to access functionality not properly constrained by ACLs can obtain sensitive information and possibly compromise the entire application. Such an attacker can access resources that must be available only to users at a higher privilege level, can access management sections of the application, or can run queries for data that they otherwise not supposed to.

执行流程

步骤 1 Explore

[Survey] The attacker surveys the target application, possibly as a valid and authenticated user

技术:
  • Spidering web sites for all available links
  • Brute force guessing of resource names
  • Brute force guessing of user names / credentials
  • Brute force guessing of function names / actions
步骤 2 Explore

[Identify Functionality] At each step, the attacker notes the resource or functionality access mechanism invoked upon performing specific actions

技术:
  • Use the web inventory of all forms and inputs and apply attack data to those inputs.
  • Use a packet sniffer to capture and record network traffic
  • Execute the software in a debugger and record API calls into the operating system or important libraries. This might occur in an environment other than a production environment, in order to find weaknesses that can be exploited in a production environment.
步骤 3 Experiment

[Iterate over access capabilities] Possibly as a valid user, the attacker then tries to access each of the noted access mechanisms directly in order to perform functions not constrained by the ACLs.

技术:
  • Fuzzing of API parameters (URL parameters, OS API parameters, protocol parameters)

前提条件

  • The application must be navigable in a manner that associates elements (subsections) of the application with ACLs.
  • The various resources, or individual URLs, must be somehow discoverable by the attacker
  • The administrator must have forgotten to associate an ACL or has associated an inappropriately permissive ACL with a particular navigable resource.

所需技能

Low In order to discover unrestricted resources, the attacker does not need special tools or skills. They only have to observe the resources or access mechanisms invoked as each action is performed and then try and access those access mechanisms directly.

所需资源

  • None: No specialized resources are required to execute this type of attack.

后果影响

影响范围: Confidentiality Access Control Authorization

技术影响: Gain Privileges

分类映射

分类名称 条目ID 条目名称
ATTACK 1574.010 Hijack Execution Flow: ServicesFile Permissions Weakness
关键信息

CAPEC ID: CAPEC-1

抽象级别: Standard

状态: Draft

典型严重程度: High

攻击可能性: High

相关攻击模式
ChildOf CAPEC-122

Privilege Abuse

Meta
CanPrecede CAPEC-17

Using Malicious Files

Standard
相关CWE弱点
CWE-276 CWE-285 CWE-434 CWE-693 CWE-732 CWE-1191 CWE-1193 CWE-1220 CWE-1297 CWE-1311 CWE-1314 CWE-1315 CWE-1318 CWE-1320 CWE-1321 CWE-1327
返回列表