CAPEC-22: Exploiting Trust in Client

Description
An attack of this type exploits vulnerabilities in client/server communication channel authentication and data integrity. It leverages the implicit trust a server places in the client, or more importantly, that which the server believes is the client. An attacker executes this type of attack by communicating directly with the server where the server believes it is communicating only with a valid client. There are numerous variations of this type of attack.
Extended Description

By observing logs and error messages, the attacker can learn details about the configuration of the target application and might be able to cause the target to disclose sensitive information. In applications that return a stack trace along with the error, this can enumerate the chain of methods that led up to the point where the error was encountered. This can not only reveal the names of the methods (some of which may have known weaknesses) but possibly also the location of class files and libraries as well as parameter values. In some cases, the stack trace might even disclose sensitive configuration or user information.

Severity :

High

Possibility :

High

Type :

Meta
Prerequisites

This table shows the other attack patterns and high level categories that are related to this attack pattern.

  • Server software must rely on client side formatted and validated values, and not reinforce these checks on the server side.
Skills required

This table shows the other attack patterns and high level categories that are related to this attack pattern.

  • Medium The attacker must have fairly detailed knowledge of the syntax and semantics of client/server communications protocols and grammars
Taxonomy mappings

Mappings to ATT&CK, OWASP and other frameworks.

Resources required

Ability to communicate synchronously or asynchronously with server

Related CWE

Visit http://capec.mitre.org/ for more details.