CAPEC-56 - Removing/short-circuiting 'guard logic'

Attackers can, in some cases, get around logic put in place to 'guard' sensitive functionality or data.

The attack may involve gaining access to and calling protected functionality (or accessing protected data) directly, subverting some aspect of the guard's implementation, or, where possible, removing the guard outright.


  • Purposes: Penetration
  • Security principles: Defense in Depth, Complete Mediation, Failing Securely
  • Scopes and impacts:
    • Authorization, Access_Control, Confidentiality: Bypass protection mechanism
    • Confidentiality: Read memory
    • Integrity: Modify memory

Medium level: The attacker must have the ability to understand complex design logic, and possibly the ability to reverse-engineer the design and code to determine the placement and logic of the guard element.

The attacker must have reverse-engineered the application and its design extensively enough to have determined that a guard element exists. This may have been done as simply as through probing (and likely receiving too verbose an error message), or it could have involved more advanced techniques supported by reverse-engineering and debugging tools.

The attacker needs the ability to explore the application's functionality and response to various conditions.

Attackers may confine their probing to (and succeed with) something as simple as exploring an application's functionality and its underlying mapping to server-side components. For this to succeed, the attacker will likely need a valid login.

At the other extreme, attackers capable of reverse-engineering client code will be able to remove functionality or identify the whereabouts of sensitive data through white-box analysis, such as review of the reverse-engineered code.

Use Authentication Mechanisms, Where Appropriate, Correctly

Use Authorization Mechanisms Correctly
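The two mitigations above come down to one design rule from the security principles listed for this pattern: complete mediation, with the guard placed where the protected resource is actually accessed rather than on one route that happens to reach it. The following Python example is added here to illustrate that rule and is not part of the CAPEC entry. Every name in it is hypothetical (the `weak_*` and `mediated_*` routes, the `User` type, the in-memory `RECORDS` store), and the record data is constructed for the example. The weak design applies the owner check only in the view route, so a second route that calls the same internal helper reaches the data without passing the guard; the mediated design puts the check on the one function every path must call, and resolves the missing-record case to a denial as well (failing securely).

```python
"""Added example: a guard applied on one route beside a guard that mediates
every access path. All names are hypothetical; data is constructed."""

from dataclasses import dataclass

# Constructed sample data: each record has an owner.
RECORDS = {
    "r1": {"owner": "alice", "body": "alice's notes"},
    "r2": {"owner": "bob", "body": "bob's notes"},
}


@dataclass(frozen=True)
class User:
    name: str
    role: str  # "user" or "admin"


class Forbidden(Exception):
    """Raised when mediation denies the access."""


# --- Weak design: the owner check lives in a single UI route ---------------
def _load_record(record_id: str) -> dict:
    """Internal helper with no check of its own; it trusts its callers."""
    return RECORDS[record_id]


def weak_view(user: User, record_id: str) -> str:
    """The 'front door': the only place the owner check is applied."""
    rec = _load_record(record_id)
    if rec["owner"] != user.name and user.role != "admin":
        raise Forbidden(record_id)
    return rec["body"]


def weak_export(user: User, record_id: str) -> str:
    """A route added later that reaches the same data around the guard."""
    return _load_record(record_id)["body"]


# --- Mediated design: the check sits on the resource, all paths go through it
def mediated_load(user: User, record_id: str) -> dict:
    """Every read passes through this one function (complete mediation).
    A missing record is reported exactly like a forbidden one, so the
    failure mode is a denial rather than an exception that leaks existence."""
    rec = RECORDS.get(record_id)
    if rec is None:
        raise Forbidden(record_id)
    if user.role != "admin" and rec["owner"] != user.name:
        raise Forbidden(record_id)
    return rec


def mediated_view(user: User, record_id: str) -> str:
    return mediated_load(user, record_id)["body"]


def mediated_export(user: User, record_id: str) -> str:
    return mediated_load(user, record_id)["body"]


def audit(route, user: User, record_id: str) -> str:
    """Run one route and report 'allowed' or 'denied' so designs can be compared."""
    try:
        route(user, record_id)
        return "allowed"
    except Forbidden:
        return "denied"


if __name__ == "__main__":
    bob = User("bob", "user")
    routes = [("weak_view", weak_view), ("weak_export", weak_export),
              ("mediated_view", mediated_view), ("mediated_export", mediated_export)]
    for name, route in routes:
        # Only the weak export route lets bob read alice's record r1.
        print(f"{name:16} bob -> r1: {audit(route, bob, 'r1')}")
```

Running the block prints one line per route; the weak export route is the only one that reports `allowed` for a non-owner, which is exactly the "calling protected functionality directly" case in the description above. Note also that the weak helper raises a bare `KeyError` for an unknown record id while the mediated version reports a denial, which is the difference between failing open with a verbose error and failing securely.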

Step 1 -

The attacker determines, through brute-forcing, reverse-engineering or other similar means, the location and logic of the guard element.

Step 2 -

The attacker then tries to determine the mechanism to circumvent the guard.

Step 3 -

Once the mechanism has been determined, the attacker proceeds to access the protected functionality.