Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
CAPEC-160:Exploit Script-Based APIs
Attack Pattern ID:160
Version:v3.9
Attack Pattern Name:Exploit Script-Based APIs
Abstraction:Standard
Status:Draft
Likelihood of Attack:
Typical Severity:Medium
DetailsContent HistoryRelated WeaknessesReports
▼Description
Some APIs support scripting instructions as arguments. Methods that take scripted instructions (or references to scripted instructions) can be very flexible and powerful. However, if an attacker can specify the script that serves as input to these methods they can gain access to a great deal of functionality. For example, HTML pages support
▼Extended Description
▼Alternate Terms
▼Relationships
NatureTypeIDName
ChildOfM113Interface Manipulation
Nature: ChildOf
Type: Meta
ID: 113
Name: Interface Manipulation
▼Execution Flow
Explore
1.

Identify API

Discover an API of interest by exploring application documentation or observing responses to API calls

Technique
Search via internet for known, published APIs that support scripting instructions as arguments
Experiment
1.

Test simple script

Adversaries will attempt to give a smaller script as input to the API, such as simply printing to the console, to see if the attack is viable.

Technique
Create a general script to be taken as input by the API
Exploit
1.

Give malicious scripting instructions to API

Adversaries will now craft custom scripts to do malicious behavior. Depending on the setup of the application this script could be run with user or admin level priveleges.

Technique
Crafting a malicious script to be run on a system based on priveleges and capabilities of the system
▼Prerequisites
The target application must include the use of APIs that execute scripts.
The target application must allow the attacker to provide some or all of the arguments to one of these script interpretation methods and must fail to adequately filter these arguments for dangerous or unwanted script commands.
▼Skills Required
▼Resources Required
None: No specialized resources are required to execute this type of attack.
▼Indicators
▼Consequences
ScopeLikelihoodImpactNote
▼Mitigations
▼Example Instances
▼Related Weaknesses
IDName
CWE-346Origin Validation Error
ID: CWE-346
Name: Origin Validation Error
▼Taxonomy Mappings
Taxonomy NameEntry IDEntry Name
▼Notes
▼References
Details not found