Survey: The attacker surveys the target application, possibly as a valid and authenticated user
| Techniques |
|---|
| Spidering web sites for all available links |
| Brute force guessing of resource names |
| Brute force guessing of user names / credentials |
| Brute force guessing of function names / actions |
Identify Functionality: At each step, the attacker notes the resource or functionality access mechanism invoked upon performing specific actions
| Techniques |
|---|
| Use the web inventory of all forms and inputs and apply attack data to those inputs. |
| Use a packet sniffer to capture and record network traffic |
| Execute the software in a debugger and record API calls into the operating system or important libraries. This might occur in an environment other than a production environment, in order to find weaknesses that can be exploited in a production environment. |
Iterate over access capabilities: Possibly as a valid user, the attacker then tries to access each of the noted access mechanisms directly in order to perform functions not constrained by the ACLs.
| Techniques |
|---|
| Fuzzing of API parameters (URL parameters, OS API parameters, protocol parameters) |
Identify target application: The adversary identifies a target application or program to perform the buffer overflow on. In this attack the adversary looks for an application that loads the content of an environment variable into a buffer.
Find injection vector: The adversary identifies an injection vector to deliver the excessive content to the targeted application's buffer.
| Techniques |
|---|
| Change the values of environment variables thought to be used by the application to contain excessive data. If the program is loading the value of the environment variable into a buffer, this could cause a crash and an attack vector will be found. |
Craft overflow content: The adversary crafts the content to be injected. If the intent is to simply cause the software to crash, the content need only consist of an excessive quantity of random data. If the intent is to leverage the overflow for execution of arbitrary code, the adversary crafts the payload in such a way that the overwritten return address is replaced with one of the adversary's choosing.
| Techniques |
|---|
| Create malicious shellcode that will execute when the program execution is returned to it. |
| Use a NOP-sled in the overflow content to more easily \"slide\" into the malicious code. This is done so that the exact return address need not be correct, only in the range of all of the NOPs |
Overflow the buffer: Using the injection vector, the adversary injects the crafted overflow content into the buffer.
Identify target application: The adversary identifies a target application or program to perform the buffer overflow on. Adversaries often look for applications that accept user input and that perform manual memory management.
Find injection vector: The adversary identifies an injection vector to deliver the excessive content to the targeted application's buffer.
| Techniques |
|---|
| Provide large input to a program or application and observe the behavior. If there is a crash, this means that a buffer overflow attack is possible. |
Craft overflow content: The adversary crafts the content to be injected. If the intent is to simply cause the software to crash, the content need only consist of an excessive quantity of random data. If the intent is to leverage the overflow for execution of arbitrary code, the adversary crafts the payload in such a way that the overwritten return address is replaced with one of the adversary's choosing.
| Techniques |
|---|
| Create malicious shellcode that will execute when the program execution is returned to it. |
| Use a NOP-sled in the overflow content to more easily \"slide\" into the malicious code. This is done so that the exact return address need not be correct, only in the range of all of the NOPs |
Overflow the buffer: Using the injection vector, the adversary injects the crafted overflow content into the buffer.
Determine applicability: The adversary determines whether server side includes are enabled on the target web server.
| Techniques |
|---|
| Look for popular page file names. The attacker will look for .shtml, .shtm, .asp, .aspx, and other well-known strings in URLs to help determine whether SSI functionality is enabled. |
| Fetch .htaccess file. In Apache web server installations, the .htaccess file may enable server side includes in specific locations. In those cases, the .htaccess file lives inside the directory where SSI is enabled, and is theoretically fetchable from the web server. Although most web servers deny fetching the .htaccess file, a misconfigured server will allow it. Thus, an attacker will frequently try it. |
Find Injection Point: Look for user controllable input, including HTTP headers, that can carry server side include directives to the web server.
| Techniques |
|---|
| Use a spidering tool to follow and record all links. Make special note of any links that include parameters in the URL. |
| Use a proxy tool to record all links visited during a manual traversal of the web application. Make special note of any links that include parameters in the URL. Manual traversal of this type is frequently necessary to identify forms that are GET method forms rather than POST forms. |
Inject SSI: Using the found injection point, the adversary sends arbitrary code to be inlcuded by the application on the server side. They may then need to view a particular page in order to have the server execute the include directive and run a command or open a file on behalf of the adversary.
Detect Unprotected Session Token Transfer: The attacker sniffs on the wireless network to detect unencrypted traffic that contains session tokens.
| Techniques |
|---|
| The attacker uses a network sniffer tool like ferret or hamster to monitor the wireless traffic at a WiFi hotspot while examining it for evidence of transmittal of session tokens in unencrypted or recognizably encrypted form. An attacker applies their knowledge of the manner by which session tokens are generated and transmitted by various target systems to identify the session tokens. |
Capture session token: The attacker uses sniffing tools to capture a session token from traffic.
Insert captured session token: The attacker attempts to insert a captured session token into communication with the targeted application to confirm viability for exploitation.
Session Token Exploitation: The attacker leverages the captured session token to interact with the targeted application in a malicious fashion, impersonating the victim.
Craft a clickjacking page: The adversary utilizes web page layering techniques to try to craft a malicious clickjacking page
| Techniques |
|---|
| The adversary leveraged iframe overlay capabilities to craft a malicious clickjacking page |
| The adversary leveraged Flash file overlay capabilities to craft a malicious clickjacking page |
| The adversary leveraged Silverlight overlay capabilities to craft a malicious clickjacking page |
| The adversary leveraged cross-frame scripting to craft a malicious clickjacking page |
Adversary lures victim to clickjacking page: Adversary utilizes some form of temptation, misdirection or coercion to lure the victim to loading and interacting with the clickjacking page in a way that increases the chances that the victim will click in the right areas.
| Techniques |
|---|
| Lure the victim to the malicious site by sending the victim an e-mail with a URL to the site. |
| Lure the victim to the malicious site by manipulating URLs on a site trusted by the victim. |
| Lure the victim to the malicious site through a cross-site scripting attack. |
Trick victim into interacting with the clickjacking page in the desired manner: The adversary tricks the victim into clicking on the areas of the UI which contain the hidden action controls and thereby interacts with the target system maliciously with the victim's level of privilege.
| Techniques |
|---|
| Hide action controls over very commonly used functionality. |
| Hide action controls over very psychologically tempting content. |
Find systems susceptible to the attack: Find systems that contain functionality that is accessed from both the internet zone and the local zone. There needs to be a way to supply input to that functionality from the internet zone and that original input needs to be used later on a page from a local zone.
| Techniques |
|---|
| Leverage knowledge of common local zone functionality on targeted platforms to guide attempted injection of code through relevant internet zone mechanisms. In some cases this may be due to standard system configurations enabling shared functionality between internet and local zones. The attacker can search for indicators that these standard configurations are in place. |
Find the insertion point for the payload: The attacker first needs to find some system functionality or possibly another weakness in the system (e.g. susceptibility to cross site scripting) that would provide the attacker with a mechanism to deliver the payload (i.e. the code to be executed) to the user. The location from which this code is executed in the user's browser needs to be within the local machine zone.
| Techniques |
|---|
| Finding weaknesses in functionality used by both privileged and unprivileged users. |
Craft and inject the payload: Develop the payload to be executed in the higher privileged zone in the user's browser. Inject the payload and attempt to lure the victim (if possible) into executing the functionality which unleashes the payload.
| Techniques |
|---|
| The attacker makes it as likely as possible that the vulnerable functionality into which they have injected the payload has a high likelihood of being used by the victim. |
| Leverage cross-site scripting vulnerability to inject payload. |
Survey network to identify target: The adversary performs network reconnaissance by monitoring relevant traffic to identify the network path and parsing of the HTTP messages with the goal of identifying potential targets.
| Techniques |
|---|
| Scan networks to fingerprint HTTP infrastructure and monitor HTTP traffic to identify HTTP network path with a tool such as a Network Protocol Analyzer. |
Identify vulnerabilities in targeted HTTP infrastructure and technologies: The adversary sends a variety of benign/ambiguous HTTP requests to observe responses from HTTP infrastructure in order to identify differences/discrepancies in the interpretation and parsing of HTTP requests by examining supported HTTP protocol versions, HTTP headers, syntax checking and input filtering.
Cause differential HTTP responses by experimenting with identified HTTP Request vulnerabilities: The adversary sends maliciously crafted HTTP requests with custom strings and embedded web scripts and objects in HTTP headers to interfere with the parsing of intermediary and back-end HTTP infrastructure, followed by normal/benign HTTP request from the adversary or a random user. The intended consequences of the malicious HTTP requests will be observed in the HTTP infrastructure response to the normal/benign HTTP request to confirm applicability of identified vulnerabilities in the adversary's plan of attack.
| Techniques |
|---|
| Continue the monitoring of HTTP traffic. |
| \n |
| Follow an unrecognized (sometimes a RFC compliant) HTTP header with a subsequent HTTP request to potentially cause the HTTP request to be ignored and interpreted as part of the preceding HTTP request. |
Perform HTTP Request Splitting attack: Using knowledge discovered in the experiment section above, smuggle a message to cause one of the consequences.
| Techniques |
|---|
| Leverage techniques identified in the Experiment Phase. |
Determine if HTTP Trace is enabled: Determine if HTTP Trace is enabled at the web server with which the victim has an active session
| Techniques |
|---|
| An adversary may issue an HTTP Trace request to the target web server and observe if the response arrives with the original request in the body of the response. |
Identify mechanism to launch HTTP Trace request: The adversary attempts to force the victim to issue an HTTP Trace request to the targeted application.
| Techniques |
|---|
| The adversary probes for cross-site scripting vulnerabilities to force the victim into issuing an HTTP Trace request. |
Create a malicious script that pings the web server with HTTP TRACE request: The adversary creates a malicious script that will induce the victim's browser to issue an HTTP TRACE request to the destination system's web server. The script will further intercept the response from the web server, pick up sensitive information out of it, and forward to the site controlled by the adversary.
| Techniques |
|---|
| The adversary's malicious script circumvents the httpOnly cookie attribute that prevents from hijacking the victim's session cookie directly using document.cookie and instead leverages the HTTP TRACE to catch this information from the header of the HTTP request once it is echoed back from the web server in the body of the HTTP TRACE response. |
Execute malicious HTTP Trace launching script: The adversary leverages an XSS vulnerability to force the victim to execute the malicious HTTP Trace launching script
Intercept HTTP TRACE response: The adversary's script intercepts the HTTP TRACE response from teh web server, glance sensitive information from it, and forward that information to a server controlled by the adversary.
Probe for SQL Injection vulnerability: The attacker injects SQL syntax into user-controllable data inputs to search unfiltered execution of the SQL syntax in a query.
Achieve arbitrary command execution through SQL Injection with the MSSQL_xp_cmdshell directive: The attacker leverages a SQL Injection attack to inject shell code to be executed by leveraging the xp_cmdshell directive.
Inject malicious data in the database: Leverage SQL injection to inject data in the database that could later be used to achieve command injection if ever used as a command line argument
Trigger command line execution with injected arguments: The attacker causes execution of command line functionality which leverages previously injected database content as arguments.
Determine Persistence Framework Used: An attacker tries to determine what persistence framework is used by the application in order to leverage a weakness in the generated data access layer code or a weakness in a way that the data access layer may have been used by the developer.
| Techniques |
|---|
| An attacker provides input to the application in an attempt to induce an error screen that reveals a stack trace that gives an indication of the automated data access layer used. Or an attacker may simply make some educated guesses and assume, for instance, that Hibernate is used and try to craft an attack from there. |
Probe for ORM Injection vulnerabilities: The attacker injects ORM syntax into user-controllable data inputs of the application to determine if it is possible modify data query structure and content.
Perform SQL Injection through the generated data access layer: An attacker proceeds to exploit a weakness in the generated data access methods that does not properly separate control plane from the data plan, or potentially a particular way in which developer might have misused the generated code, to modify the structure of the executed SQL queries and/or inject entirely new SQL queries.
| Techniques |
|---|
| An attacker uses normal SQL injection techniques and adjusts them to reflect the type of data access layer generation framework used by the application. |
Footprint file input vectors: Manually or using an automated tool, an attacker searches for all input locations where a user has control over the filenames or MIME types of files submitted to the web server.
| Techniques |
|---|
| Attacker manually crawls application to identify file inputs |
| Attacker uses an automated tool to crawl application identify file inputs |
| Attacker manually assesses strength of access control protecting native application files from user control |
| Attacker explores potential for submitting files directly to the web server via independently constructed HTTP Requests |
File misclassification shotgunning: An attacker makes changes to file extensions and MIME types typically processed by web servers and looks for abnormal behavior.
| Techniques |
|---|
| Attacker submits files with switched extensions (e.g. .php on a .jsp file) to web server. |
| Attacker adds extra characters (e.g. adding an extra . after the file extension) to filenames of files submitted to web server. |
File misclassification sniping: Understanding how certain file types are processed by web servers, an attacker crafts varying file payloads and modifies their file extension or MIME type to be that of the targeted type to see if the web server is vulnerable to misclassification of that type.
| Techniques |
|---|
| Craft a malicious file payload, modify file extension to the targeted file type and submit it to the web server. |
| Craft a malicious file payload, modify its associated MIME type to the targeted file type and submit it to the web server. |
Disclose information: The attacker, by manipulating a file extension or MIME type is able to make the web server return raw information (not executed).
| Techniques |
|---|
| Manipulate the file names that are explicitly sent to the server. |
| Manipulate the MIME sent in order to confuse the web server. |
Detect Incorrect SOAP Parameter Handling: The attacker tampers with the SOAP message parameters and looks for indications that the tampering caused a change in behavior of the targeted application.
| Techniques |
|---|
| The attacker tampers with the SOAP message parameters by injecting some special characters such as single quotes, double quotes, semi columns, etc. The attacker observes system behavior. |
Probe for SQL Injection vulnerability: The attacker injects SQL syntax into vulnerable SOAP parameters identified during the Explore phase to search for unfiltered execution of the SQL syntax in a query.
Inject SQL via SOAP Parameters: The attacker injects SQL via SOAP parameters identified as vulnerable during Explore phase to launch a first or second order SQL injection attack.
| Techniques |
|---|
| An attacker performs a SQL injection attack via the usual methods leveraging SOAP parameters as the injection vector. An attacker has to be careful not to break the XML parser at the service provider which may prevent the payload getting through to the SQL query. The attacker may also look at the WSDL for the web service (if available) to better understand what is expected by the service provider. |
Understand How to Request JSON Responses from the Target System: An attacker first explores the target system to understand what URLs need to be provided to it in order to retrieve JSON objects that contain information of interest to the attacker.
| Techniques |
|---|
| An attacker creates an account with the target system and observes requests and the corresponding JSON responses from the server. Understanding how to properly elicit responses from the server is crucial to the attackers' ability to craft the exploit. |
[Craft a malicious website]
Launch JSON hijack: An attacker lures the victim to the malicious website or leverages other means to get their malicious code executing in the victim's browser. Once that happens, the malicious code makes a request to the victim target system to retrieve a JSON object with sensitive information. The request includes the victim's session cookie if the victim is logged in.
| Techniques |
|---|
| An attacker employs a myriad of standard techniques to get the victim to visit their malicious site or by some other means get the attackers' malicious code executing in the victim's browser. |
Determine secret testing procedure: Determine how a potential guess of the secret may be tested. This may be accomplished by comparing some manipulation of the secret to a known value, use of the secret to manipulate some known set of data and determining if the result displays specific characteristics (for example, turning cryptotext into plaintext), or by submitting the secret to some external authority and having the external authority respond as to whether the value was the correct secret. Ideally, the attacker will want to determine the correctness of their guess independently since involvement of an external authority is usually slower and can provide an indication to the defender that a brute-force attack is being attempted.
| Techniques |
|---|
| Determine if there is a way to parallelize the attack. Most brute force attacks can take advantage of parallel techniques by dividing the search space among available resources, thus dividing the average time to success by the number of resources available. If there is a single choke point, such as a need to check answers with an external authority, the attackers' position is significantly degraded. |
Reduce search space: Find ways to reduce the secret space. The smaller the attacker can make the space they need to search for the secret value, the greater their chances for success. There are a great many ways in which the search space may be reduced.
| Techniques |
|---|
| If possible, determine how the secret was selected. If the secret was determined algorithmically (such as by a random number generator) the algorithm may have patterns or dependencies that reduce the size of the secret space. If the secret was created by a human, behavioral factors may, if not completely reduce the space, make some types of secrets more likely than others. (For example, humans may use the same secrets in multiple places or use secrets that look or sound familiar for ease of recall.) |
| If the secret was chosen algorithmically, cryptanalysis can be applied to the algorithm to discover patterns in this algorithm. (This is true even if the secret is not used in cryptography.) Periodicity, the need for seed values, or weaknesses in the generator all can result in a significantly smaller secret space. |
| If the secret was chosen by a person, social engineering and simple espionage can indicate patterns in their secret selection. If old secrets can be learned (and a target may feel they have little need to protect a secret that has been replaced) hints as to their selection preferences can be gleaned. These can include character substitutions a target employs, patterns in sources (dates, famous phrases, music lyrics, family members, etc.). Once these patterns have been determined, the initial efforts of a brute-force attack can focus on these areas. |
| Some algorithmic techniques for secret selection may leave indicators that can be tested for relatively easily and which could then be used to eliminate large areas of the search space for consideration. For example, it may be possible to determine that a secret does or does not start with a given character after a relatively small number of tests. Alternatively, it might be possible to discover the length of the secret relatively easily. These discoveries would significantly reduce the search space, thus increasing speed with which the attacker discovers the secret. |
Expand victory conditions: It is sometimes possible to expand victory conditions. For example, the attacker might not need to know the exact secret but simply needs a value that produces the same result using a one-way function. While doing this does not reduce the size of the search space, the presence of multiple victory conditions does reduce the likely amount of time that the attacker will need to explore the space before finding a workable value.
Gather information so attack can be performed independently.: If possible, gather the necessary information so a successful search can be determined without consultation of an external authority. This can be accomplished by capturing cryptotext (if the goal is decoding the text) or the encrypted password dictionary (if the goal is learning passwords).
Determine Nature of Messages: Determine the nature of messages being transported as well as the identifiers to be used as part of the attack
Authenticate: If required, authenticate to the distribution channel
Identify Known Client Identifiers: If any particular client's information is available through a control channel available to all users, the adversary will discover particular identifiers for targeted clients by observing this channel, or requesting client information through this channel.
Change Message Identifier: Adversaries with client access connecting to output channels could change their channel identifier and see someone else's (perhaps more privileged) data.
Survey the application for user-controllable inputs: Using a browser, an automated tool or by inspecting the application, an attacker records all entry points to the application.
| Techniques |
|---|
| Use a spidering tool to follow and record all links and analyze the web pages to find entry points. Make special note of any links that include parameters in the URL. |
| Use a proxy tool to record all user input entry points visited during a manual traversal of the web application. |
| Use a browser to manually explore the website and analyze how it is constructed. Many browsers' plugins are available to facilitate the analysis or automate the discovery. |
| Manually inspect the application to find entry points. |
Probe entry points to locate vulnerabilities: Try double-encoding for parts of the input in order to try to get past the filters. For instance, by double encoding certain characters in the URL (e.g. dots and slashes) an adversary may try to get access to restricted resources on the web server or force browse to protected pages (thus subverting the authorization service). An adversary can also attempt other injection style attacks using this attack pattern: command injection, SQL injection, etc.
| Techniques |
|---|
| Try to use double-encoding to bypass validation routines. |
Determine Vulnerable Interface: An adversary explores a target system for sample or test interfaces that have not been disabled by a system administrator and which may be exploitable by the adversary.
| Techniques |
|---|
| If needed, the adversary explores an organization's network to determine if any specific systems of interest exist. |
Leverage Test Interface to Execute Attacks: Once an adversary has discovered a system with a non-production interface, the interface is leveraged to exploit the system and/or conduct various attacks.
| Techniques |
|---|
| The adversary can leverage the sample or test interface to conduct several types of attacks such as Adversary-in-the-Middle attacks (CAPEC-94), keylogging, Cross Site Scripting (XSS), hardware manipulation attacks, and more. |
Fingerprinting of the operating system: In order to perform a valid path traversal, the attacker needs to know what the underlying OS is so that the proper file seperator is used.
| Techniques |
|---|
| Port mapping. Identify ports that the system is listening on, and attempt to identify inputs and protocol types on those ports. |
| TCP/IP Fingerprinting. The attacker uses various software to make connections or partial connections and observe idiosyncratic responses from the operating system. Using those responses, they attempt to guess the actual operating system. |
| Induce errors to find informative error messages |
Survey the Application to Identify User-controllable Inputs: The attacker surveys the target application to identify all user-controllable file inputs
Vary inputs, looking for malicious results: Depending on whether the application being exploited is a remote or local one, the attacker crafts the appropriate malicious input containing the path of the targeted file or other file system control syntax to be passed to the application
Manipulate files accessible by the application: The attacker may steal information or directly manipulate files (delete, copy, flush, etc.)
Directory Discovery: Use a method, either manual, scripted, or automated to discover the directories on the server by making requests for directories that may possibly exist. During this phase the adversary is less concerned with whether a directory can be accessed or indexed and more focused on simply discovering what directories do exist on the target.
| Techniques |
|---|
| Send requests to the web server for common directory names |
| If directories are discovered that are native to a server type further refine the directory search to include directories usually present on those types of servers. |
| Search for uncommon or potentially user created directories that may be present. |
Iteratively explore directory/file structures: The adversary attempts to access the discovered directories that allow access and may attempt to bypass server or application level ACLs by using manual or automated methods
| Techniques |
|---|
| Use a scanner tool to dynamically add directories/files to include their scan based upon data obtained in initial probes. |
| Use a browser to manually explore the website by issuing a request ending the URL in a slash '/'. |
| Attempt to bypass ACLs on directories by using methods that known to work against some server types by appending data to the directory request. For instance, appending a Null byte to the end of the request which may cause an ACL to fail and allow access. |
| Sequentially request a list of common base files to each directory discovered. |
| Try multiple fuzzing techniques to list directory contents for directories that will not reveal their contents with a \"/\" request |
Read directories or files which are not intended for public viewing.: The adversary attempts to access the discovered directories that allow access and may attempt to bypass server or application level ACLs by using manual or automated methods
| Techniques |
|---|
| Try multiple exploit techniques to list directory contents for directories that will not reveal their contents with a \"/\" request |
| Try other known exploits to elevate privileges sufficient to bypass protected directories. |
| List the files in the directory by issuing a request with the URL ending in a \"/\" slash. |
| Access the files via direct URL and capture contents. |
| Attempt to bypass ACLs on directories by using methods that are known to work against some server types by appending data to the directory request. For instance, appending a Null byte to the end of the request which may cause an ACL to fail and allow access. |
| Sequentially request a list of common base files to each directory discovered. |
Probe target application: The adversary first probes the target application to determine important information about the target. This information could include types software used, software versions, what user input the application consumes, and so on. Most importantly, the adversary tries to determine what environment variables might be used by the underlying software, or even the application itself.
Find user-controlled environment variables: Using the information found by probing the application, the adversary attempts to manipulate any user-controlled environment variables they have found are being used by the application, or suspect are being used by the application, and observe the effects of these changes. If the adversary notices any significant changes to the application, they will know that a certain environment variable is important to the application behavior and indicates a possible attack vector.
| Techniques |
|---|
| Alter known environment variables such as \"$PATH\", \"$HOSTNAME\", or \"LD_LIBRARY_PATH\" and see if application behavior changes. |
Manipulate user-controlled environment variables: The adversary manipulates the found environment variable(s) to abuse the normal flow of processes or to gain access to privileged resources.
Identify Target: Adversary identifies the target application by determining whether there is sufficient check before writing data to a file and creating symlinks to files in different directories.
| Techniques |
|---|
| The adversary writes to files in different directories to check whether the application has sufficient checking before file operations. |
| The adversary creates symlinks to files in different directories. |
Try to create symlinks to different files: The adversary then uses a variety of techniques, such as monitoring or guessing to create symlinks to the files accessed by the target application in the directories which are identified in the explore phase.
| Techniques |
|---|
| The adversary monitors the file operations performed by the target application using a tool like dtrace or FileMon. And the adversary can delay the operations by using \"sleep(2)\" and \"usleep()\" to prepare the appropriate conditions for the attack, or make the application perform expansive tasks (large files parsing, etc.) depending on the purpose of the application. |
| The adversary may need a little guesswork on the filenames on which the target application would operate. |
| The adversary tries to create symlinks to the various filenames. |
Target application operates on created symlinks to sensitive files: The adversary is able to create symlinks to sensitive files while the target application is operating on the file.
| Techniques |
|---|
| Create the symlink to the sensitive file such as configuration files, etc. |
Identify application: Discover an application of interest by exploring service registry listings or by connecting on a known port or some similar means.
| Techniques |
|---|
| Search via internet for known, published applications that allow option switches. |
| Use automated tools to scan known ports to identify applications that might be accessible |
Authenticate to application: Authenticate to the application, if required, in order to explore it.
| Techniques |
|---|
| Use published credentials to access system. |
| Find unpublished credentails to access service. |
| Use other attack pattern or weakness to bypass authentication. |
Try all common switches: Using manual or automated means, attempt to run the application with many different known common switches. Observe the output to see if any switches seemed to put the application in a non production mode that might give more information.
| Techniques |
|---|
| Manually execute the application with switches such as --debug, --test, --development, --verbose, etc. |
| Use automated tools to run the application with common switches and observe the output |
Use sensitive processing or configuration information: Once extra information is observed from an application through the use of a common switch, this information is used to aid other attacks on the application
| Techniques |
|---|
| Using application information, formulate an attack on the application |
Survey application: The adversary takes an inventory of the entry points of the application.
| Techniques |
|---|
| Spider web sites for all available links |
| List parameters, external variables, configuration files variables, etc. that are possibly used by the application. |
Determine user-controllable input susceptible to format string injection: Determine the user-controllable input susceptible to format string injection. For each user-controllable input that the adversary suspects is vulnerable to format string injection, attempt to inject formatting characters such as %n, %s, etc.. The goal is to manipulate the string creation using these formatting characters.
| Techniques |
|---|
| Inject probe payload which contains formatting characters (%s, %d, %n, etc.) through input parameters. |
Try to exploit the Format String Injection vulnerability: After determining that a given input is vulnerable to format string injection, hypothesize what the underlying usage looks like and the associated constraints.
| Techniques |
|---|
| Insert various formatting characters to read or write the memory, e.g. overwrite return address, etc. |
Survey application: The attacker takes an inventory of the entry points of the application.
| Techniques |
|---|
| Spider web sites for all available links |
| Sniff network communications with application using a utility such as WireShark. |
Determine user-controllable input susceptible to LDAP injection: For each user-controllable input that the attacker suspects is vulnerable to LDAP injection, attempt to inject characters that have special meaning in LDAP (such as a single quote character, etc.). The goal is to create a LDAP query with an invalid syntax
| Techniques |
|---|
| Use web browser to inject input through text fields or through HTTP GET parameters |
| Use a web application debugging tool such as Tamper Data, TamperIE, WebScarab,etc. to modify HTTP POST parameters, hidden fields, non-freeform fields, or other HTTP header. |
| Use modified client (modified by reverse engineering) to inject input. |
Try to exploit the LDAP injection vulnerability: After determining that a given input is vulnerable to LDAP Injection, hypothesize what the underlying query looks like. Possibly using a tool, iteratively try to add logic to the query to extract information from the LDAP, or to modify or delete information in the LDAP.
| Techniques |
|---|
| Add logic to the LDAP query to change the meaning of that command. Automated tools could be used to generate the LDAP injection strings. |
| Use a web application debugging tool such as Tamper Data, TamperIE, WebScarab,etc. to modify HTTP POST parameters, hidden fields, non-freeform fields, or other HTTP header. |
Fingerprinting of the operating system: In order to perform a valid path traversal, the adversary needs to know what the underlying OS is so that the proper file seperator is used.
| Techniques |
|---|
| Port mapping. Identify ports that the system is listening on, and attempt to identify inputs and protocol types on those ports. |
| TCP/IP Fingerprinting. The adversary uses various software to make connections or partial connections and observe idiosyncratic responses from the operating system. Using those responses, they attempt to guess the actual operating system. |
| Induce errors to find informative error messages |
Survey application: Using manual or automated means, an adversary will survey the target application looking for all areas where user input is taken to specify a file name or path.
| Techniques |
|---|
| Use a spidering tool to follow and record all links on a web page. Make special note of any links that include parameters in the URL. |
| Use a proxy tool to record all links visited during a manual traversal of a web application. Make special note of any links that include parameters in the URL. Manual traversal of this type is frequently necessary to identify forms that are GET method forms rather than POST forms. |
| Use a browser to manually explore a website and analyze how it is constructed. Many browser plug-ins are available to facilitate the analysis or automate the URL discovery. |
Attempt variations on input parameters: Using manual or automated means, an adversary attempts varying relative file path combinations on all found user input locations and observes the responses.
| Techniques |
|---|
| Provide \"../\" or \"..\\\" at the beginning of any filename to traverse to the parent directory |
| Use a list of probe strings as path traversal payload. Different strings may be used for different platforms. Strings contain relative path sequences such as \"../\". |
| Use a proxy tool to record results of manual input of relative path traversal probes in known URLs. |
Access, modify, or execute arbitrary files.: An adversary injects path traversal syntax into identified vulnerable inputs to cause inappropriate reading, writing or execution of files. An adversary could be able to read directories or files which they are normally not allowed to read. The adversary could also access data outside the web document root, or include scripts, source code and other kinds of files from external websites. Once the adversary accesses arbitrary files, they could also modify files. In particular situations, the adversary could also execute arbitrary code or system commands.
| Techniques |
|---|
| Manipulate file and its path by injecting relative path sequences (e.g. \"../\"). |
| Download files, modify files, or try to execute shell commands (with binary files). |
Identify target client-side application: The adversary identifies a target client-side application to perform the buffer overflow on. The most common are browsers. If there is a known browser vulnerability an adversary could target that.
Find injection vector: The adversary identifies an injection vector to deliver the excessive content to the targeted application's buffer.
| Techniques |
|---|
| Many times client side applications will be open source, so an adversary can examine the source code to identify possible injection vectors. |
| Examine APIs of the client-side application and look for areas where a buffer overflow might be possible. |
Create hostile service: The adversary creates a hostile service that will deliver content to the client-side application. If the intent is to simply cause the software to crash, the content need only consist of an excessive quantity of random data. If the intent is to leverage the overflow for execution of arbitrary code, the adversary crafts the payload in such a way that the overwritten return address is replaced with one of the adversary's choosing.
| Techniques |
|---|
| If the client-side application is a browser, the adversary will create a service that delivers a malicious webpage to the browser. |
| Create malicious shellcode that will execute when the program execution is returned to it. |
| Use a NOP-sled in the overflow content to more easily \"slide\" into the malicious code. This is done so that the exact return address need not be correct, only in the range of all of the NOPs |
Overflow the buffer: Using the injection vector, the adversary delivers the content to the client-side application using the hostile service and overflows the buffer.
| Techniques |
|---|
| If the adversary is targeting a local client-side application, they just need to use the service themselves. |
| If the adversary is attempting to cause an overflow on an external user's client-side application, they must get the user to attach to their service by some other means. This could be getting a user to visit their hostile webpage to target a user's browser. |
Identify and explore caches: Use tools to sniff traffic and scan a network in order to locate application's cache (e.g. a web browser cache) or a public cache (e.g. a DNS or ARP cache) that may have vulnerabilities. Look for poisoning point in cache table entries.
| Techniques |
|---|
| Run tools that check available entries in the cache. |
Cause specific data to be cached: An attacker sends bogus request to the target, and then floods responses that trick a cache to remember malicious responses, which are wrong answers of queries.
| Techniques |
|---|
| Intercept or modify a query, or send a bogus query with known credentials (such as transaction ID). |
Redirect users to malicious website: As the attacker succeeds in exploiting the vulnerability, they are able to manipulate and interpose malicious response data to targeted victim queries.
| Techniques |
|---|
| Intercept or modify a query, or send a bogus query with known credentials (such as transaction ID). |
| Adversary-in-the-Middle attacks (CAPEC-94) intercept secure communication between two parties. |
Explore resolver caches: Check DNS caches on local DNS server and client's browser with DNS cache enabled.
| Techniques |
|---|
| Run tools that check the resolver cache in the memory to see if it contains a target DNS entry. |
| Figure out if the client's browser has DNS cache enabled. |
Attempt sending crafted records to DNS cache: A request is sent to the authoritative server for target website and wait for the iterative name resolver. An adversary sends bogus request to the DNS local server, and then floods responses that trick a DNS cache to remember malicious responses, which are wrong answers of DNS query.
| Techniques |
|---|
| Adversary must know the transaction ID by intercepting a DNS query, or sending a bogus query with known transaction ID. |
| If the transaction ID used to identify each query instance is randomized in some new DNS software, the attack must guess the transaction ID. Slow the response of the real DNS server by causing Denial-of-service. This gives adversaries enough time to guess transaction |
| Adversary crafts DNS response with the same transaction ID as in the request. The adversary sends out DNS responses before the authorized DNS server. This forces DNS local cache stores fake DNS response (wrong answer). The fake DNS responses usually include a malicious website's IP address. |
Redirect users to malicious website: As the adversary succeeds in exploiting the vulnerability, the victim connects to a malicious site using a good web site's domain name.
| Techniques |
|---|
| Redirecting Web traffic to a site that looks enough like the original so as to not raise any suspicion. |
| Adversary-in-the-Middle (CAPEC-94) intercepts secure communication between two parties. |
Find target web site: An adversary finds a target web site that they think may have unpublicized web pages
Map the published web site: The adversary will map the published web site either by using an automated tool or by manually accessing well-known debugging or logging pages, or otherwise predictable pages within the site tree
| Techniques |
|---|
| Use Dirbuster to brute force directories and file names to find unpublicized pages |
| Find a pattern in the naming of documents and extrapolate this pattern to discover additional documents that have been created but are no longer externally linked |
Try to find weaknesses or information: The adversary will try to find weaknesses or information on the unpublicized pages that the targeted site did not intend to be public
| Techniques |
|---|
| Manually analyze files or pages for information that could be useful in a further attack |
| Use a static analysis tool to find weaknesses in unpublished web pages |
Follow-up attack: Use any information or weaknesses found to carry out a follow-up attack
Find target web site: An adversary finds a target web site that they think may have unpublicized web services
Map the published web site: The adversary will map the published web site either by using an automated tool or by manually accessing well-known debugging or logging pages, or otherwise predictable pages within the site tree
| Techniques |
|---|
| Use Dirbuster to brute force directories and file names to find unpublicized web services |
| Find a pattern in the naming of documents and extrapolate this pattern to discover additional documents that have been created but are no longer externally linked |
Try to find weaknesses or information: The adversary will try to find weaknesses in the unpublicized services that the targeted site did not intend to be public
| Techniques |
|---|
| Use Nikto to look for web service vulnerabilities |
Follow-up attack: Use any information or weaknesses found to carry out a follow-up attack
Determine if XML schema is local or remote: Because this attack differs slightly if the target uses remote XML schemas versus local schemas, the adversary first needs to determine which of the two are used.
Gain access to XML schema: The adversary gains access to the XML schema so that they can modify the contents.
| Techniques |
|---|
| For a local scenario, the adversary needs access to the machine that the schema is located on and needs to gain permissions to alter the contents of the file. |
| For a remote scenario, the adversary needs to be able to sniff HTTP traffic that contains an XML schema. |
Poison XML schema: Once the adversary gains access to the XML schema, they will alter it to achieve a desired effect. Locally, they can simply modify the file. For remote schemas, the adversary will alter the schema in transit by performing an adversary in the middle attack.
| Techniques |
|---|
| Cause a denial of service by modifying the schema so that it does not contain required information for subsequent processing. For example, the unaltered schema may require a @name attribute in all submitted documents. If the adversary removes this attribute from the schema then documents created using the new grammar may lack this field, which may cause the processing application to enter an unexpected state or record incomplete data. |
| Manipulation of the data types described in the schema may affect the results of calculations. For example, a float field could be changed to an int field. |
| Change the encoding defined in the schema for certain fields allowing the contents to bypass filters that scan for dangerous strings. For example, the modified schema might use a URL encoding instead of ASCII, and a filter that catches a semicolon (;) might fail to detect its URL encoding (%3B). |
Survey the target: Using a browser or an automated tool, an attacker records all instance of web services to process XML requests.
| Techniques |
|---|
| Use an automated tool to record all instances of URLs to process XML requests. |
| Use a browser to manually explore the website and analyze how the application processes XML requests. |
Launch a resource depletion attack: The attacker delivers a large number of small XML messages to the target URLs found in the explore phase at a sufficiently rapid rate. It causes denial of service to the target application.
| Techniques |
|---|
| Send a large number of crafted small XML messages to the target URL. |
Assess Target Runtime Environment: In situations where the runtime environment is not implicitly known, the attacker makes connections to the target system and tries to determine the system's runtime environment. Knowing the environment is vital to choosing the correct delimiters.
| Techniques |
|---|
| Port mapping using network connection-based software (e.g., nmap, nessus, etc.) |
| Port mapping by exploring the operating system (netstat, sockstat, etc.) |
| TCP/IP Fingerprinting |
| Induce errors to find informative error messages |
Survey the Application: The attacker surveys the target application, possibly as a valid and authenticated user
| Techniques |
|---|
| Spidering web sites for all available links |
| Inventory all application inputs |
Attempt delimiters in inputs: The attacker systematically attempts variations of delimiters on known inputs, observing the application's response each time.
| Techniques |
|---|
| Inject command delimiters using network packet injection tools (netcat, nemesis, etc.) |
| Inject command delimiters using web test frameworks (proxies, TamperData, custom programs, etc.) |
| Enter command delimiters directly in input fields. |
Use malicious command delimiters: The attacker uses combinations of payload and carefully placed command delimiters to attack the software.
Look for temporary files in target application: An adversary will try to discover temporary files in a target application. Knowledge of where the temporary files are being stored is important information.
Attempt to read temporary files: An adversary will attempt to read any temporary files they may have discovered through normal means.
| Techniques |
|---|
| Attempt to get the file by querying the file path to a web server |
| Using a remote shell into an application, read temporary files and send out information remotely if necessary |
| Recover temporary information from a user's browser cache |
Use function weaknesses to gain access to temporary files: If normal means to read temporary files did not work, an adversary will attempt to exploit weak temporary file functions to gain access to temporary files.
| Techniques |
|---|
| Some C functions such as tmpnam(), tempnam(), and mktemp() will create a temporary file with a unique name, but do not stop an adversary from creating a file of the same name before it is opened by the application. Because these functions do not create file names that are sufficiently random, an adversary will try to make a file of the same name, causing a collision, and possibly altering file permissions for the temporary file so that it is able to be read. |
| Similar to the last technique, an adversary might also create a file name collision using a linked file in a unix system such that the temporary file contents written out by the application write to a file of the adversaries choosing, allowing them to read the file contents. |
Determine Communication Mechanism: The adversary determines the nature and mechanism of communication between two components, looking for opportunities to exploit.
| Techniques |
|---|
| Look for application documentation that might describe a communication mechanism used by a target. |
Position In Between Targets: The adversary positions themselves somewhere in the middle of the two components. If the communication is encrypted, the adversary will need to act as a proxy and route traffic between the components, exploiting a flaw in the encryption mechanism. Otherwise, the adversary can just observe the communication at either end.
| Techniques |
|---|
| Use Wireshark or some other packet capturing tool to capture traffic on a network. |
| Install spyware on a client that will intercept outgoing packets and route them to their destination as well as route incoming packets back to the client. |
| Exploit a weakness in an encrypted communication mechanism to gain access to traffic. Look for outdated mechanisms such as SSL. |
Listen to Communication: The adversary observes communication, but does not alter or block it. The adversary gains access to sensitive information and can potentially utilize this information in a malicious way.
Identify Target: The adversary identifies the target application and determines what libraries are being used.
| Techniques |
|---|
| Find public source code and identify library dependencies. |
| Gain access to the system hosting the application and look for libraries in common locations. |
Deploy Malicious Libraries: The adversary crafts malicious libraries and deploys them on the system where the application is running, or in a remote location that can be loaded by the application.
Redirect Library Calls to Malicious Library: Once the malicious library crafted by the adversary is deployed, the adversary will manipulate the flow of the application such that it calls the malicious library. This can be done in a variety of ways based on how the application is loading and calling libraries.
| Techniques |
|---|
| Poison the DNS cache of the system so that it loads a malicious library from a remote location hosted by the adversary instead of the legitimate location |
| Create a symlink that tricks the application into thinking that a malicious library is the legitimate library. |
| Use DLL side-loading to place a malicious verison of a DLL in the windows directory. |
Determine application's/system's password policy: Determine the password policies of the target application/system.
| Techniques |
|---|
| Determine minimum and maximum allowed password lengths. |
| Determine format of allowed passwords (whether they are required or allowed to contain numbers, special characters, etc., or whether they are allowed to contain words from the dictionary). |
| Determine account lockout policy (a strict account lockout policy will prevent brute force attacks). |
Select dictionaries: Pick the dictionaries to be used in the attack (e.g. different languages, specific terminology, etc.)
| Techniques |
|---|
| Select dictionary based on particular users' preferred languages. |
| Select dictionary based on the application/system's supported languages. |
Determine username(s) to target: Determine username(s) whose passwords to crack.
| Techniques |
|---|
| Obtain username(s) by sniffing network packets. |
| Obtain username(s) by querying application/system (e.g. if upon a failed login attempt, the system indicates whether the entered username was valid or not) |
| Obtain usernames from filesystem (e.g. list of directories in C:\\Documents and Settings\\ in Windows, and list in /etc/passwd in UNIX-like systems) |
Use dictionary to crack passwords.: Use a password cracking tool that will leverage the dictionary to feed passwords to the system and see if they work.
| Techniques |
|---|
| Try all words in the dictionary, as well as common misspellings of the words as passwords for the chosen username(s). |
| Try common combinations of words in the dictionary, as well as common misspellings of the combinations as passwords for the chosen username(s). |
Analyze and Understand Session IDs: The attacker finds that the targeted application use session credentials to identify legitimate users.
| Techniques |
|---|
| An attacker makes many anonymous connections and records the session IDs. |
| An attacker makes authorized connections and records the session tokens or credentials. |
Create Session IDs.: Attackers craft messages containing their forged credentials in GET, POST request, HTTP headers or cookies.
| Techniques |
|---|
| The attacker manipulates the HTTP request message and adds their forged session IDs in to the requests or cookies. |
Abuse the Victim's Session Credentials: The attacker fixates falsified session ID to the victim when victim access the system. Once the victim has achieved a higher level of privilege, possibly by logging into the application, the attacker can now take over the session using the forged session identifier.
| Techniques |
|---|
| The attacker loads the predefined or predicted session ID into their browser and browses to protected data or functionality. |
| The attacker loads the predefined or predicted session ID into their software and utilizes functionality with the rights of the victim. |
Survey the target: An adversary determines the input data stream that is being processed by a data parser that supports using subsitituion on the victim's side.
| Techniques |
|---|
| Use an automated tool to record all instances of URLs to process requests. |
| Use a browser to manually explore the website and analyze how the application processes requests. |
Craft malicious payload: The adversary crafts a malicious message containing nested exponential expansion that completely uses up available server resources. See the \"Example Instances\" section for details on how to craft this malicious payload.
Send the message: Send the malicious crafted message to the target URL.
Survey the application for user-controllable inputs as URL parameters: Using a browser or an automated tool, an adversary follows all public links and actions on a web site. They record all the links, the forms, the resources accessed and all other potential entry-points for the web application, looking for URLs which use parameters.
| Techniques |
|---|
| Use a spidering tool to follow and record all links and analyze the web pages to find entry points. Make note of any links that include parameters in the URL. |
| Use a proxy tool to record all links visited during a manual traversal of the web application. |
| Use a browser to manually explore the website and analyze how it is constructed. Many browsers' plugins are available to facilitate the analysis or automate the discovery. |
Cause application to return error page: The adversary uses the URLs gathered in the \"Explore\" phase as a target list and injects various common script payloads and special characters into the parameters to see if an error page occurs, and if the injected payload is executed by the error page.
| Techniques |
|---|
| Use a list of XSS probe strings to inject script in parameters of known URLs. If possible, the probe strings contain a unique identifier. |
| Use a proxy tool to record results of manual input of XSS probes in known URLs. |
| Use a list of HTML special characters to inject into parameters of known URLs and check if they caused errors |
Craft malicious XSS URL: Once the adversary has determined which parameters are vulnerable to XSS through an error page, they will craft a malicious URL containing the XSS exploit. The adversary can have many goals, from stealing session IDs, cookies, credentials, and page content from the victim.
| Techniques |
|---|
| Change a URL parameter to include a malicious script tag. |
| Send information gathered from the malicious script to a remote endpoint. |
Get victim to click URL: In order for the attack to be successful, the victim needs to access the malicious URL.
| Techniques |
|---|
| Send a phishing email to the victim containing the malicious URL. This can be hidden in a hyperlink as to not show the full URL, which might draw suspicion. |
| Put the malicious URL on a public forum, where many victims might accidentally click the link. |
Survey the application for user-controllable inputs: Using a browser or an automated tool, an adversary follows all public links and actions on a web site. They record all the links, the forms, the resources accessed and all other potential entry-points for the web application.
| Techniques |
|---|
| Use a spidering tool to follow and record all links. Make special note of any links that include parameters in the URL. |
| Use a proxy tool to record all links visited during a manual traversal of the web application. Make special note of any links that include parameters in the URL. Manual traversal of this type is frequently necessary to identify forms that are GET method forms rather than POST forms. |
| Use a browser to manually explore the website and analyze how it is constructed. Many browser's plugins are available to facilitate the analysis or automate the URL discovery. |
Probe identified potential entry points for XSS vulnerability: Possibly using an automated tool, an adversary requests variations on the inputs they surveyed before using alternate syntax. These inputs are designed to bypass incomplete filtering (e.g., incomplete HTML encoding etc.) and try many variations of characters injection that would enable the XSS payload. They record all the responses from the server that include unmodified versions of their script.
| Techniques |
|---|
| Use a list of XSS probe strings to inject in parameters of known URLs. If possible, the probe strings contain a unique identifier. Attempt numerous variations based on form, format, syntax & encoding. |
| Use a proxy tool to record results of manual input of XSS probes in known URLs. |
Craft malicious XSS URL: Once the adversary has determined which parameters are vulnerable to XSS, they will craft a malicious URL containing the XSS exploit. The adversary can have many goals, from stealing session IDs, cookies, credentials, and page content from the victim.
| Techniques |
|---|
| Change a URL parameter to include a malicious script tag created using alternate syntax to bypass filters. |
| Send information gathered from the malicious script to a remote endpoint. |
Get victim to click URL: In order for the attack to be successful, the victim needs to access the malicious URL.
| Techniques |
|---|
| Send a phishing email to the victim containing the malicious URL. This can be hidden in a hyperlink as to not show the full URL, which might draw suspicion. |
| Put the malicious URL on a public forum, where many victims might accidentally click the link. |
Investigate account lockout behavior of system: Investigate the security features present in the system that may trigger an account lockout
| Techniques |
|---|
| Analyze system documentation to find list of events that could potentially cause account lockout |
| Obtain user account in system and attempt to lock it out by sending malformed or incorrect data repeatedly |
| Determine another user's login ID, and attempt to brute force the password (or other credentials) for it a predetermined number of times, or until the system provides an indication that the account is locked out. |
Obtain list of user accounts to lock out: Generate a list of valid user accounts to lock out
| Techniques |
|---|
| Obtain list of authorized users using another attack pattern, such as SQL Injection. |
| Attempt to create accounts if possible; system should indicate if a user ID is already taken. |
| Attempt to brute force user IDs if system reveals whether a given user ID is valid or not upon failed login attempts. |
Lock Out Accounts: Perform lockout procedure for all accounts that the attacker wants to lock out.
| Techniques |
|---|
| For each user ID to be locked out, perform the lockout procedure discovered in the first step. |
Determine the ciphertext and the encryption algorithm.
Perform an exhaustive brute force search of the key space, producing candidate plaintexts and observing if they make sense.
Survey the target: Using a browser or an automated tool, an adversary records all instances of web services that process requests with serialized data.
| Techniques |
|---|
| Use an automated tool to record all instances of URLs that process requests with serialized data. |
| Use a browser to manually explore the website and analyze how the application processes serialized data requests. |
Craft malicious payload: The adversary crafts malicious data message that contains references to sensitive files.
Launch an External Linking attack: Send the malicious crafted message containing the reference to a sensitive file to the target URL.
Identify Application Cache: An adversary first identifies an application that utilizes a cache. This could either be a web application storing data in a browser cache, or an application running on a separate machine. The adversary examines the cache to determine file permissions and possible encryption.
| Techniques |
|---|
| Use probing tools to look for application cache files on a machine. |
| Use a web application and determine if any sensitive information is stored in browser cache. |
Attempt to Access Cache: Once the cache has been discovered, the adversary attempts to access the cached data. This often requires previous access to a machine hosting the target application.
| Techniques |
|---|
| Use priviledge escalation to access cache files that might have strict privileges. |
| If the application cache is encrypted with weak encryption, attempt to understand the encryption technique and break the encryption. |
Lift Sensitive Data from Cache: After gaining access to cached data, an adversary looks for potentially sensitive information and stores it for malicious use. This sensitive data could possibly be used in follow-up attacks related to authentication or authorization.
| Techniques |
|---|
| Using a public computer, or gaining access to a victim's computer, examine browser cache to look for sensitive data left over from previous sessions. |
The adversary first attempts to obtain a digital certificate in order to sign their malware or tools. This certificate could be stolen, created by the adversary, or acquired normally through a certificate authority.
Based on the type of certificate obtained, the adversary will create a goal for their attack. This is either a broad or targeted attack. If an adversary was able to steal a certificate from a targeted organization, they could target this organization by pretending to have legitimate code signed by them. In other cases, the adversary would simply sign their malware and pose as legitimate software such that any user might trust it. This is the more broad approach
The adversary creates their malware and signs it with the obtained digital certificate. The adversary then checks if the code that they signed is valid either through downloading from the targeted source or testing locally.
Once the malware has been signed, it is then deployed to the desired location. They wait for a trusting user to run their malware, thinking that it is legitimate software. This malware could do a variety of things based on the motivation of the adversary.
Probing: The adversary probes, through brute-forcing, reverse-engineering or other similar means, the functionality on the client that server assumes to be present and trustworthy.
| Techniques |
|---|
| The adversary probes by exploring an application's functionality and its underlying mapping to server-side components. |
| The adversary reverse engineers client-side code to identify the functionality that the server relies on for the proper or secure operation. |
Determine which functionality to disable or remove: The adversary tries to determine which functionality to disable or remove through reverse-engineering from the list of functionality identified in the Explore phase.
| Techniques |
|---|
| The adversary reverse engineers the client-side code to determine which functionality to disable or remove. |
Disable or remove the critical functionality from the client code: Once the functionality has been determined, the adversary disables or removes the critical functionality from the client code to perform malicious actions that the server believes are prohibited.
| Techniques |
|---|
| The adversary disables or removes the functionality from the client-side code to perform malicious actions, such as sending of dangerous content (such as scripts) to the server. |
Survey the application for stored user-controllable inputs: Using a browser or an automated tool, an adversary follows all public links and actions on a web site. They record all areas that allow a user to upload content through an HTTP POST request. This is typically found in blogs or forums.
| Techniques |
|---|
| Use a spidering tool to follow and record all links and analyze the web pages to file upload features |
| Use a proxy tool to record all links visited during a manual traversal of the web application. |
| Use a browser to manually explore the website and analyze how it is constructed. Many browsers' plugins are available to facilitate the analysis or automate the discovery. |
Probe identified potential entry points for MIME type mismatch: The adversary uses the entry points gathered in the \"Explore\" phase as a target list and uploads files with scripting content, but whose MIME type is specified as a file type that cannot execute scripting content. If the application only checks the MIME type of the file, it may let the file through, causing the script to be executed by any user who accesses the file.
| Techniques |
|---|
| Upload a script file with a MIME type of text/plain to a forum and then access the uploaded file to see if the script is executed. If possible, the script displays a unique identifier so the adversary knows for certain it was executed when testing. |
Store malicious XSS content: Once the adversary has determined which file upload locations are vulnerable to MIME type mismatch, they will upload a malicious script disguised as a non scripting file. The adversary can have many goals, from stealing session IDs, cookies, credentials, and page content from a victim.
| Techniques |
|---|
| Use a tool such as BeEF to store a hook into the web application. This will alert the adversary when the victim has accessed the content and will give the adversary control over the victim's browser, allowing them access to cookies, user screenshot, user clipboard, and more complex XSS attacks. |
Get victim to view stored content: In order for the attack to be successful, the victim needs to view the stored malicious content on the webpage.
| Techniques |
|---|
| Send a phishing email to the victim containing a URL that will direct them to the malicious stored content. |
| Simply wait for a victim to view the content. This is viable in situations where content is posted to a popular public forum. |
Survey the application for Indicators of Susceptibility: Using a variety of methods, until one is found that applies to the target, the adversary probes for cookies, session tokens, or entry points that bypass identifiers altogether.
| Techniques |
|---|
| Spider all available pages |
| Attack known bad interfaces |
| Search outward-facing configuration and properties files for identifiers. |
Fetch samples: The adversary fetches many samples of identifiers. This may be through legitimate access (logging in, legitimate connections, etc.) or via systematic probing.
| Techniques |
|---|
| An adversary makes many anonymous connections and records the session IDs assigned. |
| An adversary makes authorized connections and records the session tokens or credentials issued. |
| An adversary gains access to (legitimately or illegitimately) a nearby system (e.g., in the same operations network, DMZ, or local network) and makes a connection from it, attempting to gain the same privileges as a trusted system. |
Impersonate: An adversary can use successful experiments or authentications to impersonate an authorized user or system or to laterally move within a system or application
Spoofing: Malicious data can be injected into the target system or into a victim user's system by an adversary. The adversary can also pose as a legitimate user to perform social engineering attacks.
Data Exfiltration: The adversary can obtain sensitive data contained within the system or application.
Observe communication and inputs: The fuzzing adversary observes the target system looking for inputs and communications between modules, subsystems, or systems.
| Techniques |
|---|
| Network sniffing. Using a network sniffer such as wireshark, the adversary observes communications into and out of the target system. |
| Monitor API execution. Using a tool such as ktrace, strace, APISpy, or another debugging tool, the adversary observes the system calls and API calls that are made by the target system, and the nature of their parameters. |
| Observe inputs using web inspection tools (OWASP's WebScarab, Paros, TamperData, TamperIE, etc.) |
Generate fuzzed inputs: Given a fuzzing tool, a target input or protocol, and limits on time, complexity, and input variety, generate a list of inputs to try. Although fuzzing is random, it is not exhaustive. Parameters like length, composition, and how many variations to try are important to get the most cost-effective impact from the fuzzer.
| Techniques |
|---|
| Boundary cases. Generate fuzz inputs that attack boundary cases of protocol fields, inputs, or other communications limits. Examples include 0xff and 0x00 for single-byte inputs. In binary situations, approach each bit of an individual field with on and off (e.g., 0x80). |
| Attempt arguments to system calls or APIs. The variations include payloads that, if they were successful, could lead to a compromise on the system. |
Observe the outcome: Observe the outputs to the inputs fed into the system by fuzzers and see if there are any log or error messages that might provide information to map the application
Craft exploit payloads: An adversary usually needs to modify the fuzzing parameters according to the observed error messages to get the desired sensitive information for the application. To defeat correlation, the adversary may try changing the origin IP addresses or client browser identification strings or start a new session from where they left off in obfuscating the attack.
| Techniques |
|---|
| Modify the parameters in the fuzzing tool according to the observed error messages. Repeat with enough parameters until the application has been sufficiently mapped. |
| If the application rejects the large amount of fuzzing messages from the same host machine, the adversary needs to hide the attacks by changing the IP addresses or other credentials. |