CAPEC-268: Audit Log Manipulation

Description
The attacker injects, manipulates, deletes, or forges malicious log entries into the log file, in an attempt to mislead an audit of the log file or cover tracks of an attack. Due to either insufficient access controls of the log files or the logging mechanism, the attacker is able to perform such actions.
Extended Description

Many client applications use specific query templates when interacting with a server and often automatically fill in specific fields or attributes. If the server does not verify that the query matches one of the expected templates, an adversary who is allowed to send normal queries could modify their query to try to return additional information. The adversary may not know the names of fields to request or how other modifications will affect the server response, but by attempting multiple plausible variants, they might eventually trigger a server response that divulges sensitive information. Other possible outcomes include server crashes and resource consumption if the unexpected queries cause the server to enter an unstable state or perform excessive computation.

Severity :

Possibility :

Type :

Standard
Relationships with other CAPECs

This table shows the other attack patterns and high level categories that are related to this attack pattern.

CAPEC-81: Web Server Logs Tampering Web Server Logs Tampering CAPEC-93: Log Injection-Tampering-Forging Log Injection-Tampering-Forging CAPEC-161: Infrastructure Manipulation Infrastructure Manipulation
Prerequisites

This table shows the other attack patterns and high level categories that are related to this attack pattern.

  • The target host is logging the action and data of the user.
  • The target host insufficiently protects access to the logs or logging mechanisms.
Skills required

This table shows the other attack patterns and high level categories that are related to this attack pattern.

Taxonomy mappings

Mappings to ATT&CK, OWASP and other frameworks.

ATTACK | Indicator Removal on Host ATTACK | Impair Defenses: Disable Windows Event Logging ATTACK | Impair Defenses: Impair Command History Logging ATTACK | Impair Defenses: Disable Cloud Logs OWASP Attacks | Log Injection
Resources required

Related CWE

A Related Weakness relationship associates a weakness with this attack pattern. Each association implies a weakness that must exist for a given attack to be successful.

CWE-117: Improper Output Neutralization for Logs

Visit http://capec.mitre.org/ for more details.