API Abuse/Misuse
Attack Pattern ID: 113 (Standard Attack Pattern Completeness: Stub)Typical Severity: MediumStatus: Draft
+ Description


An attacker manipulates the processing of Application Programming Interface (API) resulting in the API's function having an adverse impact upon the security of the system or application implementing the API. This can allow the attacker to execute functionality not intended by the API implementation, possibly compromising the system or application which integrates the API. API Abuse can take on a number of forms. For example, the API may trust that the calling function properly validates its data and thus it may be manipulated by supplying metacharacters or alternate encodings as input, resulting in any number of injection flaws, including SQL injection, cross-site scripting, or command execution. Another example could be API methods that should be disabled in a production application but were not, thus exposing dangerous functionality within a production environment.

+ Attack Prerequisites

The target system must expose API functionality in a manner that can be discovered and manipulated by an attacker. This may require reverse engineering the API syntax or decrypting/de-obfuscating client-server exchanges.

+ Resources Required

The requirements vary depending upon the nature of the API. For application-layer APIs related to the processing of the HTTP protocol, one or more of the following may be needed: a MITM (Man-In-The-Middle) proxy, a web browser, or a programming/scripting language.

+ Related Attack Patterns
NatureTypeIDNameDescriptionView(s) this relationship pertains toView\(s\)
ChildOfCategoryCategory210Abuse of Functionality 
Mechanism of Attack (primary)1000
ParentOfAttack PatternAttack Pattern36Using Unpublished Web Service APIs 
Mechanism of Attack (primary)1000
ParentOfAttack PatternAttack Pattern121Locate and Exploit Test APIs 
Mechanism of Attack (primary)1000
ParentOfAttack PatternAttack Pattern160Programming to included script-based APIs 
Mechanism of Attack (primary)1000
ParentOfAttack PatternAttack Pattern179Discovering, querying, and finally calling micro-services, such as w/ AJAX 
Mechanism of Attack (primary)1000
ParentOfAttack PatternAttack Pattern211Leveraging web tools (e.g. Mozilla's GreaseMonkey, Firebug) to change application behavior 
Mechanism of Attack (primary)1000