CAPEC - CAPEC-160: Exploit Script-Based APIs (Version 3.9)


Common Attack Pattern Enumeration and Classification A Community Resource for Identifying and Understanding Attacks

Home > CAPEC List > CAPEC-160: Exploit Script-Based APIs (Version 3.9)

CAPEC-160: Exploit Script-Based APIs

Attack Pattern ID: 160

Abstraction: Standard

View customized information:

Description

Some APIs support scripting instructions as arguments. Methods that take scripted instructions (or references to scripted instructions) can be very flexible and powerful. However, if an attacker can specify the script that serves as input to these methods they can gain access to a great deal of functionality. For example, HTML pages support <script> tags that allow scripting languages to be embedded in the page and then interpreted by the receiving web browser. If the content provider is malicious, these scripts can compromise the client application. Some applications may even execute the scripts under their own identity (rather than the identity of the user providing the script) which can allow attackers to perform activities that would otherwise be denied to them.

Typical Severity

Medium

Relationships

This table shows the other attack patterns and high level categories that are related to this attack pattern. These relationships are defined as ChildOf and ParentOf, and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as CanFollow, PeerOf, and CanAlsoBe are defined to show similar attack patterns that the user may want to explore.

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	113	Interface Manipulation

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Abuse Existing Functionality

Execution Flow

Explore

Identify API: Discover an API of interest by exploring application documentation or observing responses to API calls
Techniques
Search via internet for known, published APIs that support scripting instructions as arguments

Experiment

Test simple script: Adversaries will attempt to give a smaller script as input to the API, such as simply printing to the console, to see if the attack is viable.
Techniques
Create a general script to be taken as input by the API

Exploit

Give malicious scripting instructions to API: Adversaries will now craft custom scripts to do malicious behavior. Depending on the setup of the application this script could be run with user or admin level priveleges.
Techniques
Crafting a malicious script to be run on a system based on priveleges and capabilities of the system

Prerequisites

The target application must include the use of APIs that execute scripts.

The target application must allow the attacker to provide some or all of the arguments to one of these script interpretation methods and must fail to adequately filter these arguments for dangerous or unwanted script commands.

Resources Required

None: No specialized resources are required to execute this type of attack.

Related Weaknesses

A Related Weakness relationship associates a weakness with this attack pattern. Each association implies a weakness that must exist for a given attack to be successful. If multiple weaknesses are associated with the attack pattern, then any of the weaknesses (but not necessarily all) may be present for the attack to be successful. Each related weakness is identified by a CWE identifier.

CWE-ID	Weakness Name
346	Origin Validation Error

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2015-12-07 (Version 2.8)	CAPEC Content Team	The MITRE Corporation
2015-12-07 (Version 2.8)	Updated Description Summary
2017-08-04 (Version 2.11)	CAPEC Content Team	The MITRE Corporation
2017-08-04 (Version 2.11)	Updated Resources_Required
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Related_Weaknesses
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Related_Attack_Patterns
2021-10-21 (Version 3.6)	CAPEC Content Team	The MITRE Corporation
2021-10-21 (Version 3.6)	Updated Execution_Flow
Previous Entry Names
Change Date	Previous Entry Name
2015-12-07 (Version 2.8)	Programming to included script-based APIs

More information is available — Please select a different filter.

Page Last Updated or Reviewed: July 31, 2018


	Site Map \| Terms of Use \| Manage Cookies \| Cookie Notice \| Privacy Policy \| Contact Us \| Use of the Common Attack Pattern Enumeration and Classification (CAPEC), and the associated references from this website are subject to the Terms of Use. Copyright © 2007–2024, The MITRE Corporation. CAPEC and the CAPEC logo are trademarks of The MITRE Corporation.