CAPEC-176: Configuration/Environment Manipulation

Description

An attacker manipulates files or settings external to a target application which affect the behavior of that application. For example, many applications use external configuration files and libraries - modification of these entities or otherwise affecting the application's ability to use them would constitute a configuration/environment manipulation attack.

Extended Description

These 'FlashVars' are most often passed to the Flash file via URL arguments or from the Object or Embed tag within the embedding HTML document. If these FlashVars are not properly sanitized, an adversary may be able to embed malicious content (such as scripts) into the HTML document.

The injected parameters can also provide the adversary control over other objects within the Flash file as well as full control over the parent document's DOM model. As such, this is a form of HTTP parameter injection, but the abilities granted to the Flash document (such as access to a page's document model, including associated cookies) make this attack more flexible. Flash Parameter Injection attacks can also preface further attacks such as various forms of Cross-Site Scripting (XSS) attacks in addition to Session Hijacking attacks.

Severity :

Medium

Possibility :

Type :

Relationships with other CAPECs

This table shows the other attack patterns and high level categories that are related to this attack pattern.

CAPEC-75: Manipulating Writeable Configuration Files Manipulating Writeable Configuration Files CAPEC-203: Manipulate Registry Information Manipulate Registry Information CAPEC-271: Schema Poisoning Schema Poisoning CAPEC-536: Data Injected During Configuration Data Injected During Configuration CAPEC-578: Disable Security Software Disable Security Software

Prerequisites

This table shows the other attack patterns and high level categories that are related to this attack pattern.

The target application must consult external files or configuration controls to control its execution. All but the very simplest applications meet this requirement.

Skills required

This table shows the other attack patterns and high level categories that are related to this attack pattern.

Taxonomy mappings

Mappings to ATT&CK, OWASP and other frameworks.

OWASP Attacks | Setting Manipulation

Resources required

The attacker must have the access necessary to affect the files or other environment items the targeted application uses for its operations.

Related CWE

A Related Weakness relationship associates a weakness with this attack pattern. Each association implies a weakness that must exist for a given attack to be successful.

CWE-15: External Control of System or Configuration Setting

CWE-1233: Security-Sensitive Hardware Controls with Missing Lock Bit Protection

CWE-1234: Hardware Internal or Debug Modes Allow Override of Locks

CWE-1304: Improperly Preserved Integrity of Hardware Configuration State During a Power Save/Restore Operation

CWE-1328: Security Version Number Mutable to Older Versions

Visit http://capec.mitre.org/ for more details.