Passively Sniff and Capture Application Code Bound for Authorized Client
Attack Pattern ID: 65 (Standard Attack Pattern Completeness: Complete)Typical Severity: HighStatus: Draft
+ Description


Attackers can capture appplication code bound for the client and can use it, as-is or through reverse-engineering, to glean sensitive information or exploit the trust relationship between the client and server.

Such code may belong to a dynamic update to the client, a patch being applied to a client component or any such interaction where the client is authorized to communicate with the server.

Attack Execution Flow

  1. The attacker sets up a sniffer (and an interceptor, as the motive of the attack may be) in the path between the server and the client

  2. The captured code is then used as part of a larger attack, such as reverse-engineering the code or denying its delivery to the client or altering its contents on way to the client

+ Attack Prerequisites

The attacker must have the ability to place himself in the communication path between the client and server.

The targeted application must receive some application code from the server; for example, dynamic updates, patches, applets or scripts.

The attacker must be able to employ a sniffer on the network without being detected.

+ Typical Likelihood of Exploit

Likelihood: Low

+ Examples-Instances


Attacker receives notification that the computer/OS/application has an available update, loads a network sniffing tool, and extracts update data from subsequent communication.

The attacker then proceeds to reverse engineer the captured stream.


Plain code, such as applets or Javascript, is also part of the executing application. If such code is transmitted unprotected, the attacker can capture the code and possibly reverse engineer it to gain sensitive information, such as encryption keys, validation algorithms and such.

+ Attacker Skills or Knowledge Required

Skill or Knowledge Level: Medium

The attacker needs to setup a sniffer for a sufficient period of time so as to capture meaningful quantities of code. The presence of the sniffer should not be detected on the network. Also if the attacker plans to employ a man-in-the-middle attack, the client or server must not realize this. Finally, the attacker needs to regenerate source code from binary code if the need be.

+ Resources Required

The Attacker needs the ability to capture communications between the client being updated and the server providing the update.

In the case that encryption obscures client/server communication the attacker will either need to lift key material from the client.

+ Attack Motivation-Consequences
  • Information Leakage
  • Privilege Escalation
+ Related Weaknesses
CWE-IDWeakness NameWeakness Relationship Type
319Cleartext Transmission of Sensitive InformationTargeted
311Missing SecurityDatabase\Encrypt\Encryption of Sensitive DataSecondary
318Plaintext Storage in ExecutableSecondary
693Protection Mechanism FailureTargeted
719OWASP Top Ten 2007 Category A8 - Insecure Cryptographic StorageTargeted
+ Related Attack Patterns
NatureTypeIDNameDescriptionView(s) this relationship pertains toView\(s\)
ChildOfAttack PatternAttack Pattern37Lifting Data Embedded in Client Distributions 
Mechanism of Attack1000
ChildOfAttack PatternAttack Pattern158Sniffing Information Sent Over Public/multicast Networks 
Mechanism of Attack (primary)1000
ParentOfAttack PatternAttack Pattern258Passively Sniffing and Capturing Application Code Bound for an Authorized Client During Dynamic Update 
Mechanism of Attack (primary)1000
ParentOfAttack PatternAttack Pattern259Passively Sniffing and Capturing Application Code Bound for an Authorized Client During Patching 
Mechanism of Attack (primary)1000
ParentOfAttack PatternAttack Pattern260Passively Sniffing and Capturing Application Code Bound for an Authorized Client During Initial Distribution 
Mechanism of Attack (primary)1000
+ Relevant Security Requirements

Do not store secrets in client code

All potentially sensitive data, including code, transmitted to the client must be encrypted

+ Related Security Principles
  • Never Assuming that Your Secrets Are Safe

  • Securing the Weakest Link

+ Related Guidelines
  • Use Well-Known Cryptography Appropriately and Correctly

  • Use Authentication Mechanisms, Where Appropriate, Correctly

+ Purposes
  • Reconnaissance
  • Exploitation
+ CIA Impact
Confidentiality Impact: HighIntegrity Impact: MediumAvailability Impact: Low
+ Technical Context
Architectural Paradigms
+ Content History
John StevenCigital, Inc2007-02-10Initial core pattern content
Chiradeep B. ChhayaCigital, Inc2007-02-23Fleshed out pattern with extra content
Richard StruseVOXEM, Inc2007-03-26Review and feedback leading to changes in Related Attack Patterns
Sean BarnumCigital, Inc2007-04-13Modified pattern content according to review and feedback