Passively Sniff and Capture Application Code Bound for Authorized Client
Attack Pattern ID: 65 (Standard Attack Pattern Completeness: Complete) | Typical Severity: High | Status: Draft
Summary
Attackers can capture application code bound for the client and use it, as-is or through reverse engineering, to glean sensitive information or to exploit the trust relationship between the client and the server.
Such code may belong to a dynamic update of the client, a patch being applied to a client component, or any similar interaction in which the client is authorized to communicate with the server.
Attack Execution Flow
The attacker sets up a sniffer (and, depending on the motive of the attack, an interceptor) in the path between the server and the client.
The captured code is then used as part of a larger attack, such as reverse engineering the code, denying its delivery to the client, or altering its contents on the way to the client.
Attack Prerequisites
The attacker must have the ability to place himself in the communication path between the client and the server.
The targeted application must receive some application code from the server; for example, dynamic updates, patches, applets or scripts.
The attacker must be able to employ a sniffer on the network without being detected.
Description
The attacker receives notification that the computer/OS/application has an available update, loads a network sniffing tool, and extracts the update data from the subsequent communication.
The attacker then proceeds to reverse engineer the captured stream.
Description
Plain code, such as applets or JavaScript, is also part of the executing application. If such code is transmitted unprotected, the attacker can capture it and possibly reverse engineer it to gain sensitive information, such as encryption keys, validation algorithms and the like.
Skill or Knowledge Level: Medium
The attacker needs to set up a sniffer for a sufficient period of time so as to capture meaningful quantities of code. The presence of the sniffer should not be detected on the network. Also, if the attacker plans to employ a man-in-the-middle attack, neither the client nor the server must realize this. Finally, the attacker needs to regenerate source code from binary code if need be.
Resources Required
The attacker needs the ability to capture communications between the client being updated and the server providing the update.
If encryption obscures client/server communication, the attacker will either need to lift key material from the client.
Related Weaknesses
CWE-ID | Weakness Name | Weakness Relationship Type
---|---|---
319 | Cleartext Transmission of Sensitive Information | Targeted
311 | Missing Encryption of Sensitive Data | Secondary
318 | Plaintext Storage in Executable | Secondary
693 | Protection Mechanism Failure | Targeted
719 | OWASP Top Ten 2007 Category A8 - Insecure Cryptographic Storage | Targeted
Related Attack Patterns
Nature | Type | ID | Name | Description | View(s) this relationship pertains to
---|---|---|---|---|---
ChildOf | Attack Pattern | 37 | Lifting Data Embedded in Client Distributions | | Mechanism of Attack 1000
ChildOf | Attack Pattern | 158 | Sniffing Information Sent Over Public/multicast Networks | | Mechanism of Attack (primary) 1000
ParentOf | Attack Pattern | 258 | Passively Sniffing and Capturing Application Code Bound for an Authorized Client During Dynamic Update | | Mechanism of Attack (primary) 1000
ParentOf | Attack Pattern | 259 | Passively Sniffing and Capturing Application Code Bound for an Authorized Client During Patching | | Mechanism of Attack (primary) 1000
ParentOf | Attack Pattern | 260 | Passively Sniffing and Capturing Application Code Bound for an Authorized Client During Initial Distribution | | Mechanism of Attack (primary) 1000
Solutions and Mitigations
Do not store secrets in client code
All potentially sensitive data, including code, transmitted to the client must be encrypted
Use Well-Known Cryptography Appropriately and Correctly
Use Authentication Mechanisms, Where Appropriate, Correctly
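The encryption and authentication mitigations above, worked as an added example that is not part of this CAPEC entry: a hypothetical update bundle that the server seals with AES-GCM (so a passive sniffer captures only ciphertext) and signs with Ed25519 (so the client can reject anything altered in transit before it decrypts or executes it). The UpdateBundle type, the function names and the assumption that the symmetric key and the publisher's public key were provisioned to the client out of band are all assumptions of this example.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// UpdateBundle (hypothetical container): AES-GCM ciphertext of the update code with
// the nonce prepended, plus the publisher's Ed25519 signature over that ciphertext.
type UpdateBundle struct{ Sealed, Signature []byte }
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}
// SealAndSign is the server side: encrypt so a passive sniffer captures only
// ciphertext, then sign the ciphertext so tampering is caught before decryption.
func SealAndSign(priv ed25519.PrivateKey, key, code []byte) (UpdateBundle, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return UpdateBundle{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return UpdateBundle{}, err
	}
	sealed := gcm.Seal(nonce, nonce, code, nil) // nonce || ciphertext || GCM tag
	return UpdateBundle{Sealed: sealed, Signature: ed25519.Sign(priv, sealed)}, nil
}

// VerifyAndOpen is the client side: verify under the pinned publisher key first and
// decrypt only afterwards; anything altered on the wire yields an error, never code.
func VerifyAndOpen(pinned ed25519.PublicKey, key []byte, b UpdateBundle) ([]byte, error) {
	if !ed25519.Verify(pinned, b.Sealed, b.Signature) {
		return nil, errors.New("update rejected: publisher signature does not verify")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(b.Sealed) < ns {
		return nil, errors.New("update rejected: truncated bundle")
	}
	return gcm.Open(nil, b.Sealed[:ns], b.Sealed[ns:], nil)
}
```

Signing the ciphertext rather than the plaintext lets the client reject a forged or altered bundle without ever decrypting it, which also keeps the decryption key out of the path an attacker controls.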
Content History
Submissions
Submitter | Organization | Date | Comments
---|---|---|---
John Steven | Cigital, Inc | 2007-02-10 | Initial core pattern content
Modifications
Modifier | Organization | Date | Comments
---|---|---|---
Chiradeep B. Chhaya | Cigital, Inc | 2007-02-23 | Fleshed out pattern with extra content
Richard Struse | VOXEM, Inc | 2007-03-26 | Review and feedback leading to changes in Related Attack Patterns
Sean Barnum | Cigital, Inc | 2007-04-13 | Modified pattern content according to review and feedback