CAPEC-150: Collect Data from Common Resource Locations

Description

An adversary exploits well-known locations for resources for the purposes of undermining the security of the target. In many, if not most systems, files and resources are organized in a default tree structure. This can be useful for adversaries because they often know where to look for resources or files that are necessary for attacks. Even when the precise location of a targeted resource may not be known, naming conventions may indicate a small area of the target machine's file tree where the resources are typically located. For example, configuration files are normally stored in the /etc director on Unix systems. Adversaries can take advantage of this to commit other types of attacks.

Extended Description

Many applications allow users to send email messages by filling in fields. For example, a web site may have a link to "share this site with a friend" where the user provides the recipient's email address and the web application fills out all the other fields, such as the subject and body. In this pattern, an adversary adds header and body information to an email message by injecting additional content in an input field used to construct a header of the mail message. This attack takes advantage of the fact that RFC 822 requires that headers in a mail message be separated by a carriage return. As a result, an adversary can inject new headers or content simply by adding a delimiting carriage return and then supplying the new heading and body information. This attack will not work if the user can only supply the message body since a carriage return in the body is treated as a normal character.

Severity :

Medium

Possibility :

Type :

Standard

Relationships with other CAPECs

This table shows the other attack patterns and high level categories that are related to this attack pattern.

CAPEC-116: Excavation Excavation CAPEC-143: Detect Unpublicized Web Pages Detect Unpublicized Web Pages CAPEC-144: Detect Unpublicized Web Services Detect Unpublicized Web Services CAPEC-155: Screen Temporary Files for Sensitive Information Screen Temporary Files for Sensitive Information CAPEC-406: Dumpster Diving Dumpster Diving CAPEC-637: Collect Data from Clipboard Collect Data from Clipboard CAPEC-647: Collect Data from Registries Collect Data from Registries CAPEC-648: Collect Data from Screen Capture Collect Data from Screen Capture

Prerequisites

This table shows the other attack patterns and high level categories that are related to this attack pattern.

The targeted applications must either expect files to be located at a specific location or, if the location of the files can be configured by the user, the user either failed to move the files from the default location or placed them in a conventional location for files of the given type.

Skills required

This table shows the other attack patterns and high level categories that are related to this attack pattern.

Taxonomy mappings

Mappings to ATT&CK, OWASP and other frameworks.

Resources required

None: No specialized resources are required to execute this type of attack. In some cases, the attacker need not even have direct access to the locations on the target computer where the targeted resources reside.

Related CWE

A Related Weakness relationship associates a weakness with this attack pattern. Each association implies a weakness that must exist for a given attack to be successful.

CWE-552: Files or Directories Accessible to External Parties

CWE-1239: Improper Zeroization of Hardware Register

CWE-1258: Exposure of Sensitive System Information Due to Uncleared Debug Information

CWE-1266: Improper Scrubbing of Sensitive Data from Decommissioned Device

CWE-1272: Sensitive Information Uncleared Before Debug/Power State Transition

CWE-1323: Improper Management of Sensitive Trace Data

CWE-1330: Remanent Data Readable after Memory Erase

Visit http://capec.mitre.org/ for more details.