Create Malicious Client
Attack Pattern ID: 202 (Standard Attack Pattern Completeness: Stub)Typical Severity: MediumStatus: Draft
+ Description


An attacker creates a client application to interface with a target service where the client violates assumptions the service makes about clients. Services that have designated client applications (as opposed to services that use general client applications, such as IMAP or POP mail servers which can interact with any IMAP or POP client) may assume that the client will follow specific procedures. For example, servers may assume that clients will accurately compute values (such as prices), will send correctly structured messages, and will attempt to ensure efficient interactions with the server. By reverse-engineering a client and creating their own version, an attacker can take advantage of these assumptions to abuse service functionality. For example, a purchasing service might send a unit price to its client and expect the client to correctly compute the total cost of a purchase. If the attacker uses a malicious client, however, the attacker could ignore the server input and declare any total price. Likewise, an attacker could configure the client to retain network or other server resources for longer than legitimately necessary in order to degrade server performance.

Even services with general clients can be susceptible to this attack if they assume certain client behaviors. However, such services generally can make fewer assumptions about the behavior of their clients in the first place and, as such, are less likely to make assumptions that an attacker can exploit.

This attack differs from most other forms of identity spoofing in that the attacker is not attempting to impersonate a specific user or device. Instead, the attacker attempts to impersonate a class of applications, namely the client applications of a service. As such, the attacker is not violating the service's trust in an identity, but its trust in expected behavior.

+ Attack Prerequisites

The targeted service must make assumptions about the behavior of the client application that interacts with it, which can be abused by an attacker.

+ Resources Required

The attacker must be able to reverse engineer a client of the targeted service. However, the attacker does not need to reverse engineer all client functionality - they only need to recreate enough of the functionality to access the desired server functionality.

+ Related Weaknesses
CWE-IDWeakness NameWeakness Relationship Type
602Client-Side Enforcement of Server-Side SecurityTargeted
+ Related Attack Patterns
NatureTypeIDNameDescriptionView(s) this relationship pertains toView\(s\)
ChildOfAttack PatternAttack Pattern22Exploiting Trust in Client (aka Make the Client Invisible) 
Mechanism of Attack (primary)1000
ChildOfAttack PatternAttack Pattern151Identity Spoofing (Impersonation) 
Mechanism of Attack (primary)1000