CAPEC Details
Name Web Services Protocol Manipulation
Likelyhood of attack Typical severity
High Very High
Summary An adversary manipulates a web service related protocol to cause a web application or service to react differently than intended. This can either be performed through the manipulation of call parameters to include unexpected values, or by changing the called function to one that should normally be restricted or limited. By leveraging this pattern of attack, the adversary is able to gain access to data or resources normally restricted, or to cause the application or service to crash.
Prerequisites The targeted application or service must rely on web service protocols in such a way that malicious manipulation of them can alter functionality.
Solutions Design: Range, size and value and consistency verification for any arguments supplied to applications and services from external sources and devise appropriate error response. Design: Ensure that function calls that should not be called by an unprivileged user are not accessible to them.
Related Weaknesses
CWE ID Description
CWE-707 Improper Neutralization
Related CAPECS
CAPEC ID Description
CAPEC-272 An adversary subverts a communications protocol to perform an attack. This type of attack can allow an adversary to impersonate others, discover sensitive information, control the outcome of a session, or perform other attacks. This type of attack targets invalid assumptions that may be inherent in implementers of the protocol, incorrect implementations of the protocol, or vulnerabilities in the protocol itself.