CAPEC-466: Leveraging Active Adversary in the Middle Attacks to Bypass Same Origin Policy

Standard Draft 严重程度: Medium

CAPEC版本: 3.9

更新日期: 2023-01-24

攻击模式描述

An attacker leverages an adversary in the middle attack (CAPEC-94) in order to bypass the same origin policy protection in the victim's browser. This active adversary in the middle attack could be launched, for instance, when the victim is connected to a public WIFI hot spot. An attacker is able to intercept requests and responses between the victim's browser and some non-sensitive website that does not use TLS.

前提条件

The victim and the attacker are both in an environment where an active adversary in the middle attack is possible (e.g., public WIFI hot spot)The victim visits at least one website that does not use TLS / SSL

所需技能

Low Ability to intercept and modify requests / responses

Medium Ability to create iFrame and JavaScript code that would initiate unauthorized requests to sensitive sites from the victim's browser

Medium Solid understanding of the HTTP protocol

后果影响

影响范围: Confidentiality

技术影响: Read Data

影响范围: Authorization

技术影响: Execute Unauthorized Commands

缓解措施

Design: Tunnel communications through a secure proxy

Design: Trust level separation for privileged / non privileged interactions (e.g., two different browsers, two different users, two different operating systems, two different virtual machines)

关键信息

CAPEC ID: CAPEC-466

抽象级别: Standard

状态: Draft

典型严重程度: Medium

CAPEC-466: Leveraging Active Adversary in the Middle Attacks to Bypass Same Origin Policy

攻击模式描述

前提条件

所需技能

后果影响

缓解措施

关键信息

相关攻击模式

相关CWE弱点

CAPEC-466: Leveraging Active Adversary in the Middle Attacks to Bypass Same Origin Policy

攻击模式描述

前提条件

所需技能

后果影响

缓解措施

关键信息

相关攻击模式

ChildOf CAPEC-94

相关CWE弱点