Data Leakage Attacks
Category ID: 118 | Status: Draft
Summary
An attacker uses well-formed requests to an application, service, or device that result in the inadvertent disclosure of sensitive information. The attack exploits weaknesses in the design or configuration of the target that cause it to reveal more information to the attacker than intended. The attacker may collect this information through a variety of methods, including active querying as well as passive observation. The information may include details regarding the configuration or capabilities of the target, clues as to the timing or nature of activities, or otherwise sensitive data. Often this sort of attack is undertaken in preparation for some other type of attack, although the collection of information may be the attacker's end goal in some cases. Information retrieved may aid the attacker in making inferences about potential weaknesses, vulnerabilities, or techniques that assist the attacker's objectives. Data leaks may come in various forms, including confidential information stored in insecure directories, or services that provide rich error or diagnostic messages in response to normal queries.
Related Weaknesses
CWE-ID | Weakness Name | Weakness Relationship Type
---|---|---
404 | Improper Resource Shutdown or Release | Targeted
Attack Prerequisites
The target must have some piece of sensitive information that can be collected by an attacker.
Resources Required
The attacker must have tools to collect the information from the target. This requires a client capable of interacting with the target. For web applications, this may be a web browser or a tool such as an intercepting (man-in-the-middle) proxy.
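As an added example that is not part of the CAPEC page, the block below shows the "rich error or diagnostic messages in response to normal queries" case from the summary: a handler that returns a full traceback to the client beside a hardened version that returns only an opaque reference, plus a small checker of the kind a tester would run over proxied responses to flag leakage indicators (stack traces, filesystem paths, private addresses, internal hostnames, server version banners). The record store, the hostnames and addresses, the handler names and the indicator patterns are all constructed for illustration.

```python
"""Added example (not from the CAPEC page): a leaky handler, its hardened
form, and a response checker for common information-leakage indicators.
All names, hosts, addresses and patterns are constructed for illustration."""
import logging
import re
import traceback
import uuid

log = logging.getLogger("app")

# Constructed backing store; a lookup miss raises, as an ORM or file read would.
_RECORDS = {"1001": {"owner": "alice", "balance": 42}}


def _load_record(record_id):
    if record_id not in _RECORDS:
        # Constructed exception text carrying an internal path, host and address.
        raise FileNotFoundError(
            f"/srv/app/data/records/{record_id}.json on db-01.internal (10.0.3.17)"
        )
    return _RECORDS[record_id]


def handle_verbose(record_id):
    """Leaky handler: well-formed request, but the traceback goes to the client.

    Returns (status, headers, body) like a minimal web framework would."""
    headers = {"Server": "Apache/2.4.29 (Ubuntu)"}  # version banner leaks on every reply
    try:
        return 200, headers, str(_load_record(record_id))
    except Exception:
        # Full traceback in the body: source paths, hostnames, addresses.
        return 500, headers, traceback.format_exc()


def handle_hardened(record_id):
    """Hardened handler: generic client message, details only in server-side logs."""
    headers = {"Server": "app"}  # no product or version string
    try:
        return 200, headers, str(_load_record(record_id))
    except Exception:
        incident = uuid.uuid4().hex[:12]
        log.error("incident %s: %s", incident, traceback.format_exc())
        return 500, headers, f"Internal error (reference {incident})"


# Leakage indicators to grep responses for; extend for the stack under test.
LEAK_PATTERNS = [
    ("stack_trace", re.compile(r"Traceback \(most recent call last\)|\bat [\w.$]+\([\w.]+:\d+\)")),
    ("fs_path", re.compile(r"(?:/[\w.-]+){2,}|[A-Za-z]:\\(?:[\w.-]+\\)+")),
    ("private_ip", re.compile(r"\b(?:10\.\d{1,3}|192\.168|172\.(?:1[6-9]|2\d|3[01]))\.\d{1,3}\.\d{1,3}\b")),
    ("internal_host", re.compile(r"\b[\w-]+\.(?:internal|local|corp|lan)\b")),
    ("version_banner", re.compile(r"\b(?:Apache|nginx|PHP|OpenSSL|Microsoft-IIS)/\d[\w.]*")),
]


def find_leaks(status, headers, body):
    """Return the sorted list of indicator labels found in the headers or body."""
    text = "\n".join(f"{k}: {v}" for k, v in headers.items()) + "\n" + body
    return sorted({label for label, pat in LEAK_PATTERNS if pat.search(text)})


if __name__ == "__main__":
    for handler in (handle_verbose, handle_hardened):
        for rid in ("1001", "9999"):
            status, hdrs, body = handler(rid)
            print(handler.__name__, rid, status, find_leaks(status, hdrs, body))
```

Note that the verbose handler leaks even on the successful request: the `Server` banner alone tells an attacker which product and version to look up, which is the "well-formed request reveals more than intended" case the summary describes. The checker is deliberately simple; in practice it is run over every response captured through the proxy, including 200s.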
Relationships
Nature | Type | ID | Name | View(s) this relationship pertains to
---|---|---|---|---
ChildOf | Category | 346 | WASC Threat Classification 2.0 - WASC-13 - Information Leakage | WASC Threat Classification 2.0 (333)
ParentOf | Attack Pattern | 116 | Data Excavation Attacks | Mechanism of Attack (primary) (1000)
ParentOf | Attack Pattern | 117 | Data Interception Attacks | Mechanism of Attack (primary) (1000)
MemberOf | View | 1000 | Mechanism of Attack | Mechanism of Attack (1000)