Most commonly, attackers would take advantage of controls that provided too little protection for sensitive activities in order to perform actions that should be denied to them. In some circumstances, an attacker may be able to take advantage of overly restrictive access control policies, initiating denial of services (if an application locks because it unexpectedly failed to be granted access) or causing other legitimate actions to fail due to security. The latter class of attacks, however, is usually less severe and easier to detect than attacks based on inadequate security restrictions. This attack pattern differs from CAPEC 1, "Accessing Functionality Not Properly Constrained by ACLs" in that the latter describes attacks where sensitive functionality lacks access controls, where, in this pattern, the access control is present, but incorrectly configured.
| Nature | Type | ID | Name |
|---|---|---|---|
| ChildOf | M | 122 | Privilege Abuse |
| ParentOf | D | 58 | Restful Privilege Elevation |
| ParentOf | D | 679 | Exploitation of Improperly Configured or Implemented Memory Protections |
| ParentOf | D | 680 | Exploitation of Improperly Controlled Registers |
| ParentOf | D | 681 | Exploitation of Improperly Controlled Hardware Security Identifiers |
| ParentOf | D | 702 | Exploiting Incorrect Chaining or Granularity of Hardware Debug Components |
| CanFollow | S | 663 | Exploitation of Transient Instruction Execution |
| CanPrecede | S | 17 | Using Malicious Files |
Survey
The attacker surveys the target application, possibly as a valid and authenticated user.
| Technique |
|---|
| Spider the web site for all available links. |
| Brute force to guess all function names/action with different privileges. |
Identify weak points in access control configurations
The attacker probes the access control for functions and data identified in the Explore phase to identify potential weaknesses in how the access controls are configured.
| Technique |
|---|
| The attacker attempts authenticated access to targeted functions and data. |
| The attacker attempts unauthenticated access to targeted functions and data. |
| The attacker attempts indirect and side channel access to targeted functions and data. |
Access the function or data bypassing the access control
The attacker executes the function or accesses the data identified in the Explore phase bypassing the access control.
| Technique |
|---|
| The attacker executes the function or accesses the data not authorized to them. |
In order to discover unrestricted resources, the attacker does not need special tools or skills. They only have to observe the resources or access mechanisms invoked as each action is performed and then try and access those access mechanisms directly.
| Scope | Likelihood | Impact | Note |
|---|---|---|---|
| Integrity | N/A | Modify Data | N/A |
| Confidentiality | N/A | Read Data | N/A |
| Authorization | N/A | Execute Unauthorized Commands | Run Arbitrary Code |
| Authorization | N/A | Gain Privileges | N/A |
| Access ControlAuthorization | N/A | Bypass Protection Mechanism | N/A |
| Availability | N/A | Unreliable Execution | N/A |
| ID | Name |
|---|---|
| CWE-1190 | DMA Device Enabled Too Early in Boot Phase |
| CWE-1191 | On-Chip Debug and Test Interface With Improper Access Control |
| CWE-1193 | Power-On of Untrusted Execution Core Before Enabling Fabric Access Control |
| CWE-1220 | Insufficient Granularity of Access Control |
| CWE-1268 | Policy Privileges are not Assigned Consistently Between Control and Data Agents |
| CWE-1280 | Access Control Check Implemented After Asset is Accessed |
| CWE-1297 | Unprotected Confidential Information on Device is Accessible by OSAT Vendors |
| CWE-1311 | Improper Translation of Security Attributes by Fabric Bridge |
| CWE-1315 | Improper Setting of Bus Controlling Capability in Fabric End-point |
| CWE-1318 | Missing Support for Security Features in On-chip Fabrics or Buses |
| CWE-1320 | Improper Protection for Outbound Error Messages and Alert Signals |
| CWE-1321 | Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') |
| CWE-732 | Incorrect Permission Assignment for Critical Resource |
| Taxonomy Name | Entry ID | Entry Name |
|---|---|---|
| ATTACK | 1574.010 | Hijack Execution Flow: Services File Permissions Weaknesses |