CAPEC Details
Name: Utilizing REST's Trust in the System Resource to Obtain Sensitive Data
Likelihood of attack: Medium
Typical severity: Very High
Summary: This attack utilizes a REST (REpresentational State Transfer)-style application's trust in the system resources and environment to obtain sensitive data once SSL is terminated.
Prerequisites: An opportunity to intercept must exist beyond the point where SSL is terminated. The adversary must be able to insert a listener actively (proxying the communication) or passively (sniffing the communication) in the client-server communication path.
Execution Flow
Step 1 (Explore): [Find a REST-style application that uses SSL] The adversary must first find a REST-style application that uses SSL to target. Because this attack is easier to carry out from inside of a server network, it is likely that an adversary could have inside knowledge of how services operate.
Step 2 (Experiment): [Insert a listener to sniff client-server communication] The adversary inserts a listener that must exist beyond the point where SSL is terminated. This can be placed on the client side if it is believed that sensitive information is being sent to the client as a response, although most often the listener will be placed on the server side to listen for client authentication information.
  Techniques:
  • Run Wireshark or tcpdump on a device that is on the inside of a firewall, load balancer, or router of a network and capture traffic after SSL has been terminated.
Step 3 (Exploit): [Gather information passed in the clear] If developers have not hashed or encrypted data sent in the sniffed request, the adversary will be able to read this data in the clear. Most commonly, they will now have a username or password that they can use to submit requests to the web service just as an authorized user.
Solutions
Implementation: Implement message-level security such as HMAC in the HTTP communication.
Design: Utilize defense in depth; do not rely on a single security mechanism like SSL.
Design: Enforce the principle of least privilege.
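The first solution, message-level security with HMAC, is the one that directly removes the value of a listener placed after SSL termination: the client signs each request with a shared secret that never crosses the wire, and the service verifies the signature instead of trusting whatever arrives on the internal segment. The following is an added example written for this page, not code from CAPEC or from any product; the header names (X-Key-Id, X-Timestamp, X-Nonce, X-Signature), the canonical-string layout, the 300-second freshness window and the in-memory nonce store are all assumptions of this example. The secret is a constructed placeholder.

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed example: shared secrets indexed by a non-secret key id.
# A real service would load these from a secret store, never from source.
CLIENT_SECRETS = {
    "client-42": b"constructed-shared-secret-not-for-production",
}

# Assumed freshness window in seconds. It bounds how long a captured
# request could be resubmitted even if the nonce store were lost.
MAX_CLOCK_SKEW = 300


def canonical_string(method, path, timestamp, nonce, body):
    """Bind every part of the request that matters into one string to sign."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, str(timestamp), nonce, body_hash])


def sign_request(key_id, method, path, body, timestamp=None, nonce=None):
    """Client side: build the headers that authenticate one request.

    Only key_id, timestamp, nonce and the HMAC tag travel over the wire;
    a listener beyond the SSL terminator never sees the shared secret.
    """
    secret = CLIENT_SECRETS[key_id]
    timestamp = int(time.time()) if timestamp is None else timestamp
    nonce = secrets.token_hex(16) if nonce is None else nonce
    msg = canonical_string(method, path, timestamp, nonce, body).encode()
    tag = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return {
        "X-Key-Id": key_id,
        "X-Timestamp": str(timestamp),
        "X-Nonce": nonce,
        "X-Signature": tag,
    }


class Verifier:
    """Server side, behind the SSL terminator: verify rather than trust."""

    def __init__(self, now=time.time):
        self._now = now
        self._seen_nonces = {}  # nonce -> timestamp at which it was accepted

    def _forget_expired(self):
        cutoff = self._now() - MAX_CLOCK_SKEW
        self._seen_nonces = {n: t for n, t in self._seen_nonces.items() if t >= cutoff}

    def verify(self, method, path, headers, body):
        """Return (ok, reason) for one incoming request."""
        try:
            key_id = headers["X-Key-Id"]
            timestamp = int(headers["X-Timestamp"])
            nonce = headers["X-Nonce"]
            presented = headers["X-Signature"]
        except (KeyError, ValueError):
            return False, "missing or malformed auth headers"
        secret = CLIENT_SECRETS.get(key_id)
        if secret is None:
            return False, "unknown key id"
        # Freshness: requests signed outside the window are refused outright.
        if abs(self._now() - timestamp) > MAX_CLOCK_SKEW:
            return False, "timestamp outside allowed window"
        # Signature is checked before the nonce store is touched, so an
        # unauthenticated sender cannot fill the store with junk nonces.
        msg = canonical_string(method, path, timestamp, nonce, body).encode()
        expected = hmac.new(secret, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, presented):  # constant-time compare
            return False, "bad signature"
        # Replay: a nonce is honoured at most once inside the window.
        self._forget_expired()
        if nonce in self._seen_nonces:
            return False, "nonce already used (replay)"
        self._seen_nonces[nonce] = timestamp
        return True, "ok"


def demo():
    """Exercise a legitimate request, a verbatim replay, a tampered copy and a stale one."""
    body = json.dumps({"account": "1234", "amount": 50}).encode()  # constructed
    headers = sign_request("client-42", "POST", "/transfer", body)
    verifier = Verifier()
    results = {"first": verifier.verify("POST", "/transfer", headers, body)[1]}
    # The captured request resubmitted unchanged from the internal segment.
    results["replay"] = verifier.verify("POST", "/transfer", headers, body)[1]
    # The captured headers reused with an altered body.
    tampered = json.dumps({"account": "1234", "amount": 5000}).encode()
    results["tampered"] = verifier.verify("POST", "/transfer", headers, tampered)[1]
    # A request whose timestamp lies an hour outside the window.
    old = sign_request("client-42", "POST", "/transfer", body,
                       timestamp=int(time.time()) - 3600)
    results["stale"] = verifier.verify("POST", "/transfer", old, body)[1]
    return results


if __name__ == "__main__":
    for case, reason in demo().items():
        print(f"{case:>9}: {reason}")
```

The signature covers method, path, timestamp, nonce and a hash of the body, so a listener that captures a request learns nothing it can forge a new request with, and resubmitting the captured request is refused by the nonce check. This does not hide the body from a sniffer; that still needs encryption at the message level, which is why the page lists it alongside defense in depth rather than as a replacement for SSL.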
Related Weaknesses
CWE ID Description
CWE-287 Improper Authentication
CWE-300 Channel Accessible by Non-Endpoint
CWE-693 Protection Mechanism Failure
Related CAPECs
CAPEC ID Description
CAPEC-157 In this attack pattern, the adversary intercepts information transmitted between two third parties. The adversary must be able to observe, read, and/or hear the communication traffic, but not necessarily block the communication or change its content. Any transmission medium can theoretically be sniffed if the adversary can examine the contents between the sender and recipient. Sniffing Attacks are similar to Adversary-In-The-Middle attacks (CAPEC-94), but are entirely passive. AiTM attacks are predominantly active and often alter the content of the communications themselves.