CAPEC-207 - Removing Important Functionality from the Client
An attacker removes or disables functionality on the client that the server assumes to be present and trustworthy. Client applications may include functionality that a server relies on for correct and secure operation. This functionality can include, but is not limited to, filters to prevent the sending of dangerous content to the server, business logic such as price calculations, and authentication logic to ensure that only authorized users are using the client. If an attacker can disable this functionality on the client, they can perform actions that the server believes are prohibited. The resulting client behavior violates the server's assumptions and opens the door to a variety of attacks. In the examples above, this could mean sending dangerous content (such as scripts) to the server, submitting incorrect price calculations, or gaining unauthorized access to server resources.
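The scenario described above, as an added worked example that is not part of the CAPEC entry or any real product: a toy web-shop client computes the order total and strips `<script>` blocks from a comment field before submitting, the server was written on the assumption that every client does so, and the attacker ships a client with both functions removed. The block also shows the server-side duplication of those checks that the design mitigations at the end of this entry call for. The catalogue, the order shape and every name (`PRICE_LIST`, `hardenedServerAcceptOrder`, and so on) are constructed for the demo.

```javascript
// Added example, not part of CAPEC-207 or any real product: a toy web-shop
// client/server pair. The client computes the order total and strips <script>
// blocks from a free-text comment; the server was written on the assumption
// that every client does so. All names, prices and messages are constructed.

// Constructed catalogue, prices in cents. On a real system only the server holds this.
const PRICE_LIST = { 'sku-1001': 1999, 'sku-1002': 500 };

// Logic the genuine client ships with and the server was written to trust.
function stripScripts(text) {
  // Deliberately simple blocklist filter for the demo; a real server should
  // validate against an allowlist and output-encode rather than rely on this.
  return text.replace(/<script\b[^>]*>[\s\S]*?<\/script>/gi, '');
}

function computeTotal(items) {
  return items.reduce((sum, it) => sum + PRICE_LIST[it.sku] * it.qty, 0);
}

// Genuine client: the checks run before the order leaves the browser.
function genuineClientBuildOrder(items, comment) {
  return { items, total: computeTotal(items), comment: stripScripts(comment) };
}

// Tampered client (CAPEC-207): the attacker has removed both functions and
// fills in whatever total and comment they like.
function tamperedClientBuildOrder(items, comment, claimedTotal) {
  return { items, total: claimedTotal, comment };
}

// Vulnerable server: trusts the client's total and comment as received.
function trustingServerAcceptOrder(order) {
  return { charged: order.total, storedComment: order.comment };
}

// Hardened server: every client-side check is duplicated here, and the client's
// claimed total is compared with the server's own result so tampering is detected.
function hardenedServerAcceptOrder(order) {
  if (!Array.isArray(order.items) || order.items.length === 0) {
    throw new Error('rejected: no line items');
  }
  for (const it of order.items) {
    const known = Object.prototype.hasOwnProperty.call(PRICE_LIST, it.sku);
    if (!known || !Number.isInteger(it.qty) || it.qty <= 0) {
      throw new Error(`rejected: bad line item ${JSON.stringify(it)}`);
    }
  }
  const total = computeTotal(order.items);
  if (order.total !== total) {
    // Worth logging: a mismatch means the client is not the one you shipped.
    throw new Error(`rejected: client total ${order.total} != server total ${total}`);
  }
  if (typeof order.comment !== 'string') throw new Error('rejected: bad comment');
  return { charged: total, storedComment: stripScripts(order.comment) };
}

// Runs the same hostile order against both servers and returns what each did.
function demo() {
  const items = [{ sku: 'sku-1001', qty: 2 }];
  const hostile = tamperedClientBuildOrder(items, '<script>alert(1)</script>thanks', 1);
  const result = { trusting: trustingServerAcceptOrder(hostile) };
  try {
    result.hardened = hardenedServerAcceptOrder(hostile);
  } catch (e) {
    result.hardened = e.message;
  }
  return result;
}

console.log(JSON.stringify(demo(), null, 2));
```

The trusting server charges one cent and stores the script; the hardened server rejects the order because its own total differs from the one the client claimed, and it filters the comment itself regardless of what the client did. The comparison is the detection step the prerequisites below refer to: once the server verifies rather than assumes, a modified client becomes visible in the logs instead of silently succeeding.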
Severity / Likelihood / Confidentiality / Integrity / Availability: ratings not present in this copy of the entry.
- Attack Methods (2)
  - Analysis
  - Modification of Resources
- Purposes (2)
  - Exploitation
  - Penetration
- Scopes (9), listed as technical impact: affected security property
  - "Varies by context": Confidentiality
  - Modify files or directories: Integrity
  - Read files or directories: Confidentiality
  - Modify application data: Integrity
  - Read memory: Confidentiality
  - Modify memory: Integrity
  - Read application data: Confidentiality
  - Gain privileges / assume identity: Non-Repudiation, Authorization, Authentication, Accountability
  - Bypass protection mechanism: Authorization, Access Control
Skill level: High. The attacker must reverse engineer the client-side code in order to disable or remove the functionality on the client that the server relies on.
The targeted server must assume the client performs important actions to protect the server or the server functionality. For example, the server may assume the client filters outbound traffic or that the client performs all price calculations correctly. Moreover, the server must fail to detect when these assumptions are violated by a client.
The attacker must have access to a client and be able to modify the client behavior, often through reverse engineering. If the server is assuming specific client functionality, this usually means the server only recognizes a specific client application, rather than a broad class of client applications. Reverse engineering tools would likely be necessary.
Explore: Step 1 - Probing
The attacker probes, through brute-forcing, reverse engineering or similar means, the functionality on the client that the server assumes to be present and trustworthy.
Technique ID: 1 - Environment(s): env-Web, env-ClientServer
Technique ID: 2 - Environment(s): env-Web, env-ClientServer
Indicator ID: 1 - Environment(s) env-Web env-ClientServer
Type: Positive
The server relies on some functionality on the client for correct and secure operation.
Indicator ID: 2 - Environment(s) env-Web env-ClientServer
Type: Negative
The server does not rely on any functionality on the client.
Security Control ID: 1
Type: Preventative
Use obfuscation and other techniques to hinder reverse engineering of the client-side code; this raises the attacker's cost but does not stop a determined attacker.
Outcome ID: 1
Type: Success
A list of functionality on the client that the server assumes to be present and trustworthy.
Experiment: Step 1 - Determine which functionality to disable or remove
From the list of functionality identified in the Explore phase, the attacker determines, through reverse engineering, which functionality to disable or remove.
Technique ID: 1 - Environment(s): env-Web, env-ClientServer
Security Control ID: 1
Type: Preventative
Use obfuscation and other techniques to hinder reverse engineering of the client-side code; this raises the attacker's cost but does not stop a determined attacker.
Outcome ID: 1
Type: Success
The attacker understands and can disable or remove the critical functionality from the client code.
Exploit: Step 1 - Disable or remove the critical functionality from the client code
Once the functionality has been identified, the attacker disables or removes it from the client code in order to perform malicious actions that the server believes are prohibited.
Technique ID: 1 - Environment(s): env-Web, env-ClientServer
Security Control ID: 1
Type: Preventative
Use obfuscation and other techniques to hinder reverse engineering of the client-side code; this raises the attacker's cost but does not stop a determined attacker.
Security Control ID: 2
Type: Preventative
For any security checks that are performed on the client-side, ensure that these checks are duplicated on the server side.
Outcome ID: 1
Type: Success
The attacker can perform malicious actions that the server believes are prohibited.
Design: For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side.
Design: Ship client-side application with integrity checks (code signing) when possible.
Design: Use obfuscation and other techniques to hinder reverse engineering of the client code. Treat this as a cost-raising measure only; it does not stop a determined attacker and is no substitute for server-side checks.