Removing/short-circuiting 'guard logic'
Attack Pattern ID: 56 (Standard Attack Pattern Completeness: Complete)
Typical Severity: Very High
Status: Draft
+ Description

Summary

Attackers can, in some cases, get around logic put in place to 'guard' sensitive functionality or data.

The attack may involve gaining access to and calling protected functionality (or accessing protected data) directly, may involve subverting some aspect of the guard's implementation, or outright removal of the guard, if possible.

Attack Execution Flow

  1. The attacker determines, through brute-forcing, reverse-engineering or other similar means, the location and logic of the guard element.

  2. The attacker then tries to determine a mechanism to circumvent the guard (an alternate path that reaches the protected resource without passing through it, a flaw in the guard's implementation, or a way to remove the guard outright).

  3. Once the mechanism has been determined, the attacker proceeds to access the protected functionality or data.

+ Attack Prerequisites

The attacker must have reverse-engineered the application and its design extensively enough to have determined that a guard element exists. This may have been done as simply as through probing (and likely receiving an overly verbose error message), or it could have involved more sophisticated techniques supported by advanced reverse-engineering/debugging tools.

+ Typical Likelihood of Exploit

Likelihood: Medium

+ Examples-Instances

Description

The attacker uses click-through exploration of a Servlet-based website to map out its functionality, taking note of its URL-naming conventions and Servlet mappings. Using this knowledge and guessing the Servlet name of functionality they are not authorized to use, the attacker navigates directly to the privileged functionality, around the single front controller that implements the programmatic authorization checks.

Description

The attacker reverse-engineers a Java binary (by decompiling it) and identifies where the license management code exists. Noticing that the license manager returns TRUE or FALSE as to whether or not the user is licensed, the attacker simply patches the check so that both branches return TRUE, recompiles, and finally redeploys the binary.
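The first example above (forced browsing around a front controller) is modelled below in Python as an added illustration; it is not code from the CAPEC entry or its submitters. The paths, roles and handler names are hypothetical. The vulnerable dispatcher performs its role check only inside the front controller at /app/main, while the container also maps the privileged servlet to its own URL; the mediated dispatcher resolves every request to its real path and applies one deny-by-default policy, so the alternate path is guarded too.

```python
# Added example: forced browsing around a front controller.  Hypothetical
# paths, roles and handlers; not code from the CAPEC entry.
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset


# "Servlets": handlers keyed by the URL the container maps them to.
def view_profile(user, params):
    return f"profile of {user.name}"


def delete_user(user, params):
    return f"deleted {params.get('target')}"


SERVLET_MAPPINGS = {
    "/app/profile": view_profile,
    "/app/admin/deleteUser": delete_user,
}

# The front controller at /app/main knows actions by name and checks roles
# before forwarding to the servlet that implements the action.
ACTION_TABLE = {
    "profile": ("/app/profile", frozenset()),
    "deleteUser": ("/app/admin/deleteUser", frozenset({"admin"})),
}


def vulnerable_dispatch(path, user, params):
    """Guard logic lives only in the front controller; a direct servlet URL
    (the alternate path) reaches the handler without any check."""
    if path == "/app/main":
        entry = ACTION_TABLE.get(params.get("action"))
        if entry is None:
            return 404, "no such action"
        target, required = entry
        if not required <= user.roles:
            return 403, "forbidden"
        return 200, SERVLET_MAPPINGS[target](user, params)
    handler = SERVLET_MAPPINGS.get(path)
    if handler is None:
        return 404, "not found"
    return 200, handler(user, params)      # no authorization on this path


# Hardened form: one filter over every request, keyed by the resolved path,
# with deny-by-default for anything the policy does not cover.
PATH_POLICY = (
    ("/app/admin/", frozenset({"admin"})),
    ("/app/", frozenset()),
)


def required_roles(path):
    for prefix, roles in PATH_POLICY:
        if path.startswith(prefix):
            return roles
    return None                           # no policy entry: caller denies


def mediated_dispatch(path, user, params):
    """Resolve a front-controller action to its real path, then apply the same
    policy check whether the request arrived via /app/main or directly."""
    if path == "/app/main":
        entry = ACTION_TABLE.get(params.get("action"))
        if entry is None:
            return 404, "no such action"
        path = entry[0]
    required = required_roles(path)
    if required is None or not required <= user.roles:
        return 403, "forbidden"           # unknown path fails closed
    handler = SERVLET_MAPPINGS.get(path)
    if handler is None:
        return 404, "not found"
    return 200, handler(user, params)


if __name__ == "__main__":
    alice = User("alice", frozenset({"user"}))
    req = {"action": "deleteUser", "target": "bob"}
    print(vulnerable_dispatch("/app/main", alice, req))              # (403, 'forbidden')
    print(vulnerable_dispatch("/app/admin/deleteUser", alice, req))  # (200, 'deleted bob')
    print(mediated_dispatch("/app/admin/deleteUser", alice, req))    # (403, 'forbidden')
```

In a real Servlet container the mediated form corresponds to enforcing authorization in a Filter mapped to every path (or in container-managed security constraints) rather than inside one controller; the point is complete mediation, so that guessing the servlet's own URL yields the same decision as going through the front controller.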

+ Attacker Skills or Knowledge Required

Skill or Knowledge Level: Medium

The attacker must have the ability to understand complex design logic, and possibly the ability to reverse-engineer the design and code to determine the placement and logic of the guard element.

+ Resources Required

The attacker needs the ability to explore the application's functionality and response to various conditions.

In cases where the guard component sits server-side, the attacker will likely require a valid login.

In the case that guard functionality exists client-side, the attacker will likely require reverse-engineering tools, such as a disassembler.

+ Probing Techniques

Attackers may confine their probing to (and succeed with) something as simple as exploring an application's functionality and its underlying mapping to server-side components. It is likely that for this to succeed, the attacker will need a valid login.

At the other extreme, Attackers capable of reverse engineering client code will have the ability to remove functionality or identify the whereabouts of sensitive data through whitebox analysis, such as review of reverse-engineered code.

+ Attack Motivation-Consequences
  • Privilege Escalation
  • Information Leakage
  • Data Modification
+ Related Weaknesses
CWE-ID | Weakness Name | Weakness Relationship Type
288 | Authentication Bypass Using an Alternate Path or Channel | Targeted
372 | Incomplete Internal State Distinction | Secondary
510 | Trapdoor | Targeted
693 | Protection Mechanism Failure | Targeted
721 | OWASP Top Ten 2007 Category A10 - Failure to Restrict URL Access | Targeted
+ Related Vulnerabilities
Vulnerability ID | Relationship Description
CVE-2007-0968

Unspecified vulnerability in Cisco Firewall Services Module (FWSM) before 2.3(4.7) and 3.x before 3.1(3.1) causes the access control entries (ACE) in an ACL to be improperly evaluated, which allows remote authenticated users to bypass certain intended ACL protections.

CVE-2007-0802

Mozilla Firefox 2.0.0.1 allows remote attackers to bypass the Phishing Protection mechanism by adding certain characters to the end of the domain name, as demonstrated by the "." and "/" characters, which is not caught by the Phishing List blacklist filter.

VU#258834

WebEOC ties privileges and roles to client-side resources. If an attacker can access a resource directly, that attacker will be granted all the privileges associated with that resource.

+ Related Attack Patterns
Nature | Type | ID | Name | View(s) this relationship pertains to
ChildOf | Attack Pattern | 207 | Removing Important Functionality from the Client | Mechanism of Attack (primary) 1000
ParentOf | Attack Pattern | 200 | Removal of filters: Input filters, output filters, data masking | Mechanism of Attack (primary) 1000
ParentOf | Attack Pattern | 208 | Removing/short-circuiting 'Purse' logic: removing/mutating 'cash' decrements | Mechanism of Attack (primary) 1000
ParentOf | Attack Pattern | 239 | Subversion of authorization checks: cache filtering, programmatic security, etc. | Mechanism of Attack (primary) 1000
+ Related Security Principles
  • Defense in Depth

  • Complete Mediation

  • Failing Securely

+ Related Guidelines
  • Use Authentication Mechanisms, Where Appropriate, Correctly

  • Use Authorization Mechanisms Correctly

+ Purposes
  • Penetration
+ CIA Impact
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: Low
+ Technical Context
Architectural Paradigms
All
Frameworks
All
Platforms
All
Languages
All
+ Content History
Submissions
Submitter | Organization | Date | Comments
John Steven | Cigital, Inc | 2007-02-10 | Initial core pattern content
Modifications
Modifier | Organization | Date | Comments
Chiradeep B. Chhaya | Cigital, Inc | 2007-02-23 | Fleshed out pattern with extra content