CAPEC-182: Flash Injection
Description
Extended Description
Most commonly, attackers would take advantage of controls that provided too little protection for sensitive activities in order to perform actions that should be denied to them. In some circumstances, an attacker may be able to take advantage of overly restrictive access control policies, initiating denial of services (if an application locks because it unexpectedly failed to be granted access) or causing other legitimate actions to fail due to security. The latter class of attacks, however, is usually less severe and easier to detect than attacks based on inadequate security restrictions. This attack pattern differs from CAPEC 1, "Accessing Functionality Not Properly Constrained by ACLs" in that the latter describes attacks where sensitive functionality lacks access controls, where, in this pattern, the access control is present, but incorrectly configured.
Severity :
Medium
Possibility :
High
Type :
Standard
Relationships with other CAPECs
This table shows the other attack patterns and high level categories that are related to this attack pattern.
Prerequisites
This table shows the other attack patterns and high level categories that are related to this attack pattern.
- The target must be capable of running Flash applications. In some cases, the victim must follow an attacker-supplied link.
Skills required
This table shows the other attack patterns and high level categories that are related to this attack pattern.
- Medium The attacker needs to have knowledge of Flash, especially how to insert content the executes commands.
Taxonomy mappings
Mappings to ATT&CK, OWASP and other frameworks.
Resources required
None: No specialized resources are required to execute this type of attack. The attacker may need to be able to serve the injected Flash content.
Related CWE
A Related Weakness relationship associates a weakness with this attack pattern. Each association implies a weakness that must exist for a given attack to be successful.
Visit http://capec.mitre.org/ for more details.