Data Leakage Attacks
Category ID: 118
Status: Draft
+ Description

Summary

An attacker uses well-formed requests to an application, service, or device that result in the inadvertent disclosure of sensitive information. The attacker exploits weaknesses in the design or configuration of the target so that it reveals more information than intended. The attacker may collect this information through a variety of methods, including active querying as well as passive observation. Information may include details regarding the configuration or capabilities of the target, clues as to the timing or nature of activities, or otherwise sensitive information. Often this sort of attack is undertaken in preparation for some other type of attack, although the collection of information may be the end goal of the attacker in some cases. Information retrieved may aid the attacker in making inferences about potential weaknesses, vulnerabilities, or techniques that assist the attacker's objectives. Data leaks may come in various forms, including confidential information stored in insecure directories, or services that provide rich error or diagnostic messages in response to normal queries.
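The last form of leak named above, a service that answers a normal (here, malformed but well-formed) query with a rich diagnostic message, is illustrated by the added example below; it is not part of the CAPEC entry. It contrasts a leaky handler that echoes the exception and traceback to the client with a hardened one that logs the detail server-side under a correlation id, and includes a simple check for internal markers in a response body. The order lookup, the connection string, and the path are constructed placeholders.

```python
import logging
import traceback
import uuid

log = logging.getLogger("orders")

# Constructed placeholders: an internal DSN and source path that must never
# reach a client, but that a naive exception message happily carries.
DB_DSN = "postgres://app:EXAMPLE_PASSWORD@db.internal:5432/orders"
SRC_PATH = "/srv/app/orders.py"


def lookup_order(order_id: str) -> dict:
    """Constructed backend call; a bad id raises with internals in the message."""
    if not order_id.isdigit():
        raise ValueError(f"bad id {order_id!r} querying {DB_DSN} from {SRC_PATH}")
    return {"id": int(order_id), "status": "shipped"}


def handle_verbose(order_id: str) -> tuple:
    """Leaky handler: returns the exception text and traceback to the caller."""
    try:
        return 200, lookup_order(order_id)
    except Exception as exc:
        return 500, {"error": str(exc), "trace": traceback.format_exc()}


def handle_opaque(order_id: str) -> tuple:
    """Hardened handler: full detail goes to the server log, keyed by a
    correlation id; the client receives only a generic message and that id."""
    try:
        return 200, lookup_order(order_id)
    except Exception:
        incident = uuid.uuid4().hex
        log.exception("order lookup failed, incident=%s", incident)
        return 500, {"error": "internal error", "incident": incident}


# Strings that indicate internals escaping in a response body; extend per app.
LEAK_MARKERS = ("Traceback", "postgres://", "/srv/", ".py")


def leaks_internals(body) -> bool:
    """True if any leak marker appears in the serialised response body."""
    text = str(body)
    return any(marker in text for marker in LEAK_MARKERS)
```

The same check can run as a response filter or in integration tests so that a new exception path cannot silently reintroduce the leak.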
+ Related Weaknesses
CWE-ID | Weakness Name                          | Weakness Relationship Type
404    | Improper Resource Shutdown or Release  | Targeted
+ Attack Prerequisites

The target must hold some piece of sensitive information that can be collected by an attacker.

+ Resources Required

The attacker must have tools to collect the information from the target. This requires a client capable of interacting with the target. For web applications, this may be a web browser or a tool such as a MITM (man-in-the-middle) proxy.

+ Relationships
Nature   | Type           | ID   | Name                                                            | Description | View(s) this relationship pertains to
ChildOf  | Category       | 346  | WASC Threat Classification 2.0 - WASC-13 - Information Leakage  |             | WASC Threat Classification 2.0 (333)
ParentOf | Attack Pattern | 116  | Data Excavation Attacks                                         |             | Mechanism of Attack (primary) (1000)
ParentOf | Attack Pattern | 117  | Data Interception Attacks                                       |             | Mechanism of Attack (primary) (1000)
MemberOf | View           | 1000 | Mechanism of Attack                                             |             | Mechanism of Attack (1000)