CAPEC-554: Functionality Bypass

Description
An adversary attacks a system by bypassing some or all functionality intended to protect it. Often, a system user will think that protection is in place, but the functionality behind those protections has been disabled by the adversary.
Extended Description

A password rainbow table stores hash chains for various passwords. A password chain is computed, starting from the original password, P, via a reduce(compression) function R and a hash function H. A recurrence relation exists where Xi+1 = R(H(Xi)), X0 = P. Then the hash chain of length n for the original password P can be formed: X1, X2, X3, ... , Xn-2, Xn-1, Xn, H(Xn). P and H(Xn) are then stored together in the rainbow table. Constructing the rainbow tables takes a very long time and is computationally expensive. A separate table needs to be constructed for the various hash algorithms (e.g. SHA1, MD5, etc.). However, once a rainbow table is computed, it can be very effective in cracking the passwords that have been hashed without the use of salt.

Severity :

High

Possibility :

Medium

Type :

Meta
Relationships with other CAPECs

This table shows the other attack patterns and high level categories that are related to this attack pattern.

CAPEC-179: Calling Micro-Services Directly Calling Micro-Services Directly CAPEC-464: Evercookie Evercookie CAPEC-465: Transparent Proxy Abuse Transparent Proxy Abuse
Skills required

This table shows the other attack patterns and high level categories that are related to this attack pattern.

Taxonomy mappings

Mappings to ATT&CK, OWASP and other frameworks.

Related CWE

A Related Weakness relationship associates a weakness with this attack pattern. Each association implies a weakness that must exist for a given attack to be successful.

CWE-424: Improper Protection of Alternate Path

CWE-1299: Missing Protection Mechanism for Alternate Hardware Interface

Visit http://capec.mitre.org/ for more details.