CAPEC-176: Configuration/Environment Manipulation

Description
An attacker manipulates files or settings external to a target application which affect the behavior of that application. For example, many applications use external configuration files and libraries - modification of these entities or otherwise affecting the application's ability to use them would constitute a configuration/environment manipulation attack.
Extended Description

These 'FlashVars' are most often passed to the Flash file via URL arguments or from the Object or Embed tag within the embedding HTML document. If these FlashVars are not properly sanitized, an adversary may be able to embed malicious content (such as scripts) into the HTML document.

The injected parameters can also provide the adversary control over other objects within the Flash file as well as full control over the parent document's DOM model. As such, this is a form of HTTP parameter injection, but the abilities granted to the Flash document (such as access to a page's document model, including associated cookies) make this attack more flexible. Flash Parameter Injection attacks can also preface further attacks such as various forms of Cross-Site Scripting (XSS) attacks in addition to Session Hijacking attacks.

Severity :

Medium

Possibility :

Type :

Meta
Prerequisites

This table shows the other attack patterns and high level categories that are related to this attack pattern.

  • The target application must consult external files or configuration controls to control its execution. All but the very simplest applications meet this requirement.
Skills required

This table shows the other attack patterns and high level categories that are related to this attack pattern.

Taxonomy mappings

Mappings to ATT&CK, OWASP and other frameworks.

Resources required

The attacker must have the access necessary to affect the files or other environment items the targeted application uses for its operations.

Visit http://capec.mitre.org/ for more details.

© cvefeed.io
Latest DB Update: Dec. 23, 2024 16:41