CAPEC Details
Name Retrieve Embedded Sensitive Data
Likelyhood of attack Typical severity
High Very High
Summary An attacker examines a target system to find sensitive data that has been embedded within it. This information can reveal confidential contents, such as account numbers or individual keys/credentials that can be used as an intermediate step in a larger attack.
Prerequisites In order to feasibly execute this type of attack, some valuable data must be present in client software. Additionally, this information must be unprotected, or protected in a flawed fashion, or through a mechanism that fails to resist reverse engineering, statistical, or other attack.
Execution Flow
Step Phase Description Techniques
1 Explore [Identify Target] Attacker identifies client components to extract information from. These may be binary executables, class files, shared libraries (e.g., DLLs), configuration files, or other system files.
  • Binary file extraction. The attacker extracts binary files from zips, jars, wars, PDFs or other composite formats.
  • Package listing. The attacker uses a package manifest provided with the software installer, or the filesystem itself, to identify component files suitable for attack.
2 Experiment [Apply mining techniques] The attacker then uses a variety of techniques, such as sniffing, reverse-engineering, and cryptanalysis to extract the information of interest.
  • API Profiling. The attacker monitors the software's use of registry keys or other operating system-provided storage locations that can contain sensitive information.
  • Execution in simulator. The attacker physically removes mass storage from the system and explores it using a simulator, external system, or other debugging harness.
  • Common decoding methods. The attacker applies methods to decode such encodings and compressions as Base64, unzip, unrar, RLE decoding, gzip decompression and so on.
  • Common data typing. The attacker looks for common file signatures for well-known file types (JPEG, TIFF, ASN.1, LDIF, etc.). If the signatures match, they attempt decoding in that format.
Related Weaknesses
CWE ID Description
CWE-226 Sensitive Information in Resource Not Removed Before Reuse
CWE-311 Missing Encryption of Sensitive Data
CWE-312 Cleartext Storage of Sensitive Information
CWE-314 Cleartext Storage in the Registry
CWE-315 Cleartext Storage of Sensitive Information in a Cookie
CWE-318 Cleartext Storage of Sensitive Information in Executable
CWE-525 Use of Web Browser Cache Containing Sensitive Information
CWE-1239 Improper Zeroization of Hardware Register
CWE-1258 Exposure of Sensitive System Information Due to Uncleared Debug Information
CWE-1266 Improper Scrubbing of Sensitive Data from Decommissioned Device
CWE-1272 Sensitive Information Uncleared Before Debug/Power State Transition
CWE-1278 Missing Protection Against Hardware Reverse Engineering Using Integrated Circuit (IC) Imaging Techniques
CWE-1330 Remanent Data Readable after Memory Erase
Related CAPECS
CAPEC ID Description
CAPEC-167 An attacker discovers the structure, function, and composition of a type of computer software through white box analysis techniques. White box techniques involve methods which can be applied to a piece of software when an executable or some other compiled object can be directly subjected to analysis, revealing at least a portion of its machine instructions that can be observed upon execution.
Taxonomy: ATTACK
Entry ID Entry Name
1552.004 Unsecured Credentials:Private Keys