CAPEC-37: Retrieve Embedded Sensitive Data

Description

An attacker examines a target system to find sensitive data that has been embedded within it. This information can reveal confidential contents, such as account numbers or individual keys/credentials that can be used as an intermediate step in a larger attack.

Extended Description

Malicious user input is injected into various standard and/or user defined HTTP headers within a HTTP Response through use of Carriage Return (CR), Line Feed (LF), Horizontal Tab (HT), Space (SP) characters as well as other valid/RFC compliant special characters, and unique character encoding.

A single HTTP response ends up being split as two or more HTTP responses by the targeted client HTTP agent parsing the original maliciously manipulated HTTP response. This allows malicious HTTP responses to bypass security controls in order to implement malicious actions and provide malicious content that allows access to sensitive data and to compromise applications and users. This is performed by the abuse of interpretation and parsing discrepancies in different intermediary HTTP agents (load balancer, reverse proxy, web caching proxies, application firewalls, etc.) or client HTTP agents (e.g., web browser) in the path of the malicious HTTP responses.

This attack is usually the result of the usage of outdated or incompatible HTTP protocol versions as well as lack of syntax checking and filtering of user input in the HTTP agents receiving HTTP messages in the path.

This differs from CAPEC-105 HTTP Request Splitting, which is usually an attempt to compromise a back-end HTTP agent via HTTP Request messages. HTTP Response Splitting is an attempt to compromise aclient agent (e.g., web browser)by sending malicious content in HTTP responses from back-end HTTP infrastructure.

HTTP Smuggling (CAPEC-33 and CAPEC-273) is different from HTTP Splitting due to the fact it relies upon discrepancies in the interpretation of various HTTP Headers and message sizes and not solely user input of special characters and character encoding. HTTP Smuggling was established to circumvent mitigations against HTTP Request Splitting techniques.

Severity :

Very High

Possibility :

High

Type :

Detailed

Relationships with other CAPECs

This table shows the other attack patterns and high level categories that are related to this attack pattern.

CAPEC-65: Sniff Application Code Sniff Application Code CAPEC-167: White Box Reverse Engineering White Box Reverse Engineering CAPEC-675: Retrieve Data from Decommissioned Devices Retrieve Data from Decommissioned Devices

Prerequisites

This table shows the other attack patterns and high level categories that are related to this attack pattern.

In order to feasibly execute this type of attack, some valuable data must be present in client software.

Additionally, this information must be unprotected, or protected in a flawed fashion, or through a mechanism that fails to resist reverse engineering, statistical, or other attack.

Skills required

This table shows the other attack patterns and high level categories that are related to this attack pattern.

Medium The attacker must possess knowledge of client code structure as well as ability to reverse-engineer or decompile it or probe it in other ways. This knowledge is specific to the technology and language used for the client distribution

Taxonomy mappings

Mappings to ATT&CK, OWASP and other frameworks.

ATTACK | Data from Local System ATTACK | Unsecured Credentials: Private Keys

Resources required

The attacker must possess access to the system or code being exploited. Such access, for this set of attacks, will likely be physical. The attacker will make use of reverse engineering technologies, perhaps for data or to extract functionality from the binary. Such tool use may be as simple as "Strings" or a hex editor. Removing functionality may require the use of only a hex editor, or may require aspects of the toolchain used to construct the application: for instance the Adobe Flash development environment. Attacks of this nature do not require network access or undue CPU, memory, or other hardware-based resources.

Related CWE

A Related Weakness relationship associates a weakness with this attack pattern. Each association implies a weakness that must exist for a given attack to be successful.

CWE-226: Sensitive Information in Resource Not Removed Before Reuse

CWE-311: Missing Encryption of Sensitive Data

CWE-312: Cleartext Storage of Sensitive Information

CWE-314: Cleartext Storage in the Registry

CWE-315: Cleartext Storage of Sensitive Information in a Cookie

CWE-318: Cleartext Storage of Sensitive Information in Executable

CWE-525: Use of Web Browser Cache Containing Sensitive Information

CWE-1239: Improper Zeroization of Hardware Register

CWE-1258: Exposure of Sensitive System Information Due to Uncleared Debug Information

CWE-1266: Improper Scrubbing of Sensitive Data from Decommissioned Device

CWE-1272: Sensitive Information Uncleared Before Debug/Power State Transition

CWE-1278: Missing Protection Against Hardware Reverse Engineering Using Integrated Circuit (IC) Imaging Techniques

CWE-1301: Insufficient or Incomplete Data Removal within Hardware Component

CWE-1330: Remanent Data Readable after Memory Erase

Visit http://capec.mitre.org/ for more details.