Name | Harvesting Information via API Event Monitoring
Likelihood of attack | High
Typical severity | Low
Summary | An adversary hosts an event within an application framework and then monitors the data exchanged during the course of the event, harvesting any sensitive data leaked in those transactions. One example is harvesting lists of usernames or user IDs in order to send spam messages to those users. In that scenario the adversary creates an event within the sub-application, say a "virtual sale" of rare items. As other users join the event, the adversary records, via an intercepting (MITM) proxy, the user_ids and usernames of everyone who attends, and can then spam those users within the application using an automated script.
Prerequisites | The target software is utilizing application framework APIs.
Solutions | Encrypt the data exchanged in these transactions so that it is protected from attack patterns of this kind.
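As an added example (not part of the CAPEC entry), the "virtual sale" scenario above in Python: the join broadcast a framework might push to every participant, in its leaky form beside a minimal form, and the harvesting step an adversary's proxy script would run over the captured messages. The attendee records, EVENT_ID, EVENT_KEY and the function names (leaky_join_message, minimal_join_message, event_alias, harvest) are all constructed for this illustration. Transport encryption, the listed solution, stops a third party from reading the feed, but the event host's own client still receives whatever the server sends it (the CWE-602 angle), so the hardened form also stops sending stable identifiers at all and hands out an event-scoped alias instead.

```python
import hashlib
import hmac
import json

# Constructed sample data for this example: three attendees of a hosted "virtual sale".
ATTENDEES = [
    {"user_id": "u1001", "username": "alice", "email": "alice@example.com", "display_name": "Alice"},
    {"user_id": "u1002", "username": "bob", "email": "bob@example.com", "display_name": "Bob"},
    {"user_id": "u1003", "username": "carol", "email": "carol@example.com", "display_name": "Carol"},
]
EVENT_ID = "rare-item-sale-42"
# Hypothetical per-event server secret: generated when the event is created, never sent to clients.
EVENT_KEY = b"per-event-server-secret"


def leaky_join_message(attendee):
    """Vulnerable shape (CWE-602): the server pushes the whole attendee record to every
    client in the room and relies on the client UI to show only display_name."""
    return json.dumps({"type": "join", "event": EVENT_ID, "attendee": attendee})


def event_alias(event_key, user_id):
    """Event-scoped pseudonym: stable inside one event (so clients can address each other),
    but not derivable from, or linkable to, the account or the same user's alias elsewhere."""
    return hmac.new(event_key, user_id.encode(), hashlib.sha256).hexdigest()[:16]


def minimal_join_message(attendee):
    """Hardened shape: only what a participant is authorised to see leaves the server."""
    return json.dumps({
        "type": "join",
        "event": EVENT_ID,
        "attendee": {
            "alias": event_alias(EVENT_KEY, attendee["user_id"]),
            "display_name": attendee["display_name"],
        },
    })


def leaky_feed():
    """What the adversary's proxy sees when the leaky server hosts the event."""
    return [leaky_join_message(a) for a in ATTENDEES]


def hardened_feed():
    """What the adversary's proxy sees when the minimal server hosts the event."""
    return [minimal_join_message(a) for a in ATTENDEES]


# Field names the adversary's script is looking for, wherever the framework nests them.
IDENTIFIER_KEYS = {"user_id", "username", "email"}


def _collect(obj, hits):
    """Recursively record every identifier-named scalar field in a decoded message."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            if key in IDENTIFIER_KEYS and isinstance(value, (str, int)):
                hits[key] = value
            _collect(value, hits)
    elif isinstance(obj, list):
        for item in obj:
            _collect(item, hits)


def harvest(feed):
    """The adversary's side: one dict of harvested identifiers per message that leaked any."""
    harvested = []
    for line in feed:
        hits = {}
        _collect(json.loads(line), hits)
        if hits:
            harvested.append(hits)
    return harvested


if __name__ == "__main__":
    print("leaky feed    ->", harvest(leaky_feed()))
    print("hardened feed ->", harvest(hardened_feed()))
```

Running the module prints three harvested records for the leaky feed and an empty list for the hardened one. The alias is an HMAC over the user_id under a per-event key, so a participant can be addressed within the event while an attendee list captured from one sale cannot be joined to account identifiers or to the same people's aliases in another event.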
Related Weaknesses
CWE ID | Description
CWE-311 | Missing Encryption of Sensitive Data
CWE-319 | Cleartext Transmission of Sensitive Information
CWE-419 | Unprotected Primary Channel
CWE-602 | Client-Side Enforcement of Server-Side Security
Related CAPECs
CAPEC ID | Description
CAPEC-407 | An adversary engages in pretexting behavior to solicit information from target persons, or to manipulate the target into performing some action that serves the adversary's interests. During a pretexting attack, the adversary creates an invented scenario, assuming an identity or role to persuade a targeted victim to release information or perform some action. It is more than just telling a lie; in some cases it means creating a whole new identity and then using that identity to manipulate the release of information. Pretexting can also be used to impersonate people in jobs and roles the adversary has never held. In its simple form, these attacks can be leveraged to learn information about a target. More complicated iterations may seek to get a target to perform some action that assists the adversary in exploiting organizational weaknesses or obtaining access to secure facilities or systems. Pretexting is not a one-size-fits-all solution. Good information gathering techniques can make or break a pretext. A solid pretext is an essential part of building trust. If an adversary's alias, story, or identity has holes or lacks credibility, or even the perception of credibility, the target will most likely catch on.