CAPEC-122: Privilege Abuse
CAPEC version: 3.9
Updated: 2023-01-24
Attack Pattern Description
An adversary is able to exploit features of the target that should be reserved for privileged users or administrators but are exposed to use by lower or non-privileged accounts. Access to sensitive information and functionality must be controlled to ensure that only authorized users are able to access these resources.
Prerequisites
- The target must have misconfigured their access control mechanisms such that sensitive information, which should only be accessible to more trusted users, remains accessible to less trusted users.
- The adversary must have access to the target, albeit with an account that is less privileged than would be appropriate for the targeted resources.
Required Skills
Required Resources
- None: No specialized resources are required to execute this type of attack. The ability to access the target is required.
Consequences
Scope: Integrity
Technical Impact: Modify Data
Scope: Confidentiality
Technical Impact: Read Data
Scope: Authorization
Technical Impact: Execute Unauthorized Commands
Note: Run Arbitrary Code
Scope: Authorization
Technical Impact: Gain Privileges
Scope: Access Control, Authorization
Technical Impact: Bypass Protection Mechanism
Mitigations
Configure account privileges such that privileged/administrator functionality is not exposed to non-privileged/lower accounts.
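The following is an added example, not part of the CAPEC entry, showing the misconfiguration this pattern relies on beside the mitigation above. A request dispatcher that routes purely by path lets any authenticated caller reach administrator functionality; the hardened dispatcher checks the caller's role against a per-endpoint minimum role and denies by default. The endpoint names, roles and handlers are constructed for illustration, and `audit_exposure` is an assumed helper that a defender can run against a dispatcher to list privileged endpoints reachable from a low-privilege session.

```python
"""Added example (not CAPEC's own): an access-control gap of the CAPEC-122 kind
beside its hardened form, plus an audit helper that detects the gap."""
from dataclasses import dataclass
from enum import IntEnum


class Role(IntEnum):
    """Constructed privilege levels; ordering is used for comparison."""
    GUEST = 0
    USER = 1
    ADMIN = 2


@dataclass(frozen=True)
class Session:
    username: str
    role: Role


class Forbidden(Exception):
    """Raised when the caller lacks the privilege an endpoint requires."""


# Constructed sample functionality. Each endpoint maps to the minimum role that
# should be allowed to call it and to the handler that implements it.
def _view_profile(session: Session) -> str:
    return f"profile of {session.username}"


def _list_users(session: Session) -> list:
    return ["alice", "bob"]


def _delete_user(session: Session) -> str:
    return f"deleted by {session.username}"


ENDPOINTS = {
    "/profile": (Role.USER, _view_profile),
    "/admin/users": (Role.ADMIN, _list_users),
    "/admin/delete_user": (Role.ADMIN, _delete_user),
}


def handle_request_misconfigured(session: Session, path: str):
    """Weak form: routes by path only, so the required role is never enforced
    and a USER session reaches administrator handlers (the CAPEC-122 gap)."""
    if path not in ENDPOINTS:
        raise KeyError(path)
    _required, handler = ENDPOINTS[path]  # required role is looked up but ignored
    return handler(session)


def handle_request(session: Session, path: str):
    """Hardened form: deny-by-default, then compare the caller's role with the
    endpoint's minimum role before dispatching."""
    entry = ENDPOINTS.get(path)
    if entry is None:
        raise Forbidden(f"unknown endpoint {path}")
    required, handler = entry
    if session.role < required:
        raise Forbidden(
            f"{session.username} ({session.role.name}) may not call {path}"
        )
    return handler(session)


def audit_exposure(dispatch, session: Session) -> list:
    """Assumed audit helper: return every endpoint whose required role exceeds
    the session's role but which `dispatch` nevertheless executes. An empty
    list means the dispatcher enforces the mitigation for this session."""
    exposed = []
    for path, (required, _handler) in ENDPOINTS.items():
        if session.role >= required:
            continue  # session is entitled to this endpoint; not a finding
        try:
            dispatch(session, path)
        except Forbidden:
            continue  # correctly refused
        exposed.append(path)
    return exposed


if __name__ == "__main__":
    low = Session("bob", Role.USER)
    print("misconfigured:", audit_exposure(handle_request_misconfigured, low))
    print("hardened:", audit_exposure(handle_request, low))
```

Running the audit against both dispatchers with a USER session shows the two `/admin/...` endpoints as exposed in the misconfigured form and nothing exposed in the hardened one, which is the check to repeat whenever roles or endpoints change.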
Taxonomy Mappings
| Taxonomy Name | Entry ID | Entry Name |
|---|---|---|
| ATTACK | 1548 | Abuse Elevation Control Mechanism |