CAPEC-57: Utilizing REST's Trust in the System Resource to Obtain Sensitive Data
CAPEC版本: 3.9
更新日期: 2023-01-24
攻击模式描述
This attack utilizes a REST(REpresentational State Transfer)-style applications' trust in the system resources and environment to obtain sensitive data once SSL is terminated.
执行流程
步骤 1 Explore
[Find a REST-style application that uses SSL] The adversary must first find a REST-style application that uses SSL to target. Because this attack is easier to carry out from inside of a server network, it is likely that an adversary could have inside knowledge of how services operate.
步骤 2 Experiment
[Insert a listener to sniff client-server communication] The adversary inserts a listener that must exist beyond the point where SSL is terminated. This can be placed on the client side if it is believed that sensitive information is being sent to the client as a response, although most often the listener will be placed on the server side to listen for client authentication information.
- Run wireshark or tcpdump on a device that is on the inside of a firewall, load balancer, or router of a network and capture traffic after SSL has been terminated
步骤 3 Exploit
[Gather information passed in the clear] If developers have not hashed or encrypted data sent in the sniffed request, the adversary will be able to read this data in the clear. Most commonly, they will now have a username or password that they can use to submit requests to the web service just as an authorized user
前提条件
- Opportunity to intercept must exist beyond the point where SSL is terminated.
- The adversary must be able to insert a listener actively (proxying the communication) or passively (sniffing the communication) in the client-server communication path.
所需技能
后果影响
影响范围: Confidentiality Access Control Authorization
技术影响: Gain Privileges
缓解措施
Implementation: Implement message level security such as HMAC in the HTTP communication
Design: Utilize defense in depth, do not rely on a single security mechanism like SSL
Design: Enforce principle of least privilege
示例实例
The Rest service provider uses SSL to protect the communications between the service requester (client) to the service provider. In the instance where SSL is terminated before the communications reach the web server, it is very common in enterprise data centers to terminate SSL at a router, firewall, load balancer, proxy or other device, then the adversary can insert a sniffer into the communication stream and gather all the authentication tokens (such as session credentials, username/passwords combinations, and so on). The Rest service requester and service provider do not have any way to detect this attack.
分类映射
| 分类名称 | 条目ID | 条目名称 |
|---|---|---|
| ATTACK | 1040 | Network Sniffing |