CAPEC-212: Functionality Misuse
CAPEC version: 3.9
Last updated: 2023-01-24
Attack Pattern Description
An adversary leverages a legitimate capability of an application in such a way as to achieve a negative technical impact. The system functionality is not altered or modified but used in a way that was not intended. This is often accomplished through the overuse of a specific functionality or by leveraging functionality with design flaws that enables the adversary to gain access to unauthorized, sensitive data.
Prerequisites
- The adversary has the capability to interact with the application directly.
- The target system does not adequately implement safeguards to prevent misuse of authorized actions/processes.
Skills Required
Consequences
Scope: Confidentiality
Technical Impact: Gain Privileges
Note: A successful attack of this kind can compromise the confidentiality of an authorized user's credentials.
Scope: Confidentiality, Integrity, Availability
Technical Impact: Other
Note: Depending on the adversary's intended technical impact, a successful attack of this kind can compromise any or all elements of the security triad.
Mitigations
Perform comprehensive threat modeling, a process of identifying, evaluating, and mitigating potential threats to the application. This effort can help reveal potentially obscure application functionality that can be manipulated for malicious purposes.
When implementing security features, consider how they can be misused and compromised.