Execution Flow
Explore
-
Determine application/system inputs where bypassing input validation is desired: The attacker first needs to determine all of the application's/system's inputs where input validation is being performed and where they want to bypass it.
| Techniques |
|---|
| While using an application/system, the attacker discovers an input where validation is stopping them from performing some malicious or unauthorized actions. |
Experiment
-
Determine which character encodings are accepted by the application/system: The attacker then needs to provide various character encodings to the application/system and determine which ones are accepted. The attacker will need to observe the application's/system's response to the encoded data to determine whether the data was interpreted properly.
-
Combine multiple encodings accepted by the application.: The attacker now combines encodings accepted by the application. The attacker may combine different encodings or apply the same encoding multiple times.
| Techniques |
|---|
| Determine which escape characters are accepted by the application/system. A common escape character is the backslash character, '\\' |
| Determine whether URL encoding is accepted by the application/system. |
| Determine whether UTF-8 encoding is accepted by the application/system. |
| Determine whether UTF-16 encoding is accepted by the application/system. |
| Determine if any other encodings are accepted by the application/system. |
| Techniques |
|---|
| Combine same encoding multiple times and observe its effects. For example, if special characters are encoded with a leading backslash, then the following encoding may be accepted by the application/system: \"\\\\\\.\". With two parsing layers, this may get converted to \"\\.\" after the first parsing layer, and then, to \".\" after the second. If the input validation layer is between the two parsing layers, then \"\\\\\\.\\\\\\.\" might pass a test for \"..\" but still get converted to \"..\" afterwards. This may enable directory traversal attacks. |
| Combine multiple encodings and observe the effects. For example, the attacker might encode \".\" as \"\\.\", and then, encode \"\\.\" as \"\.\", and then, encode that using URL encoding to \"%26%2392%3B%26%2346%3B\" |
Exploit
-
Leverage ability to bypass input validation: Attacker leverages their ability to bypass input validation to gain unauthorized access to system. There are many attacks possible, and a few examples are mentioned here.
| Techniques |
|---|
| Gain access to sensitive files. |
| Perform command injection. |
| Perform SQL injection. |
| Perform XSS attacks. |
Execution Flow
Explore
-
The adversary identifies software that uses external binary files in some way. This could be a file upload, downloading a file from a shared location, or other means.
Experiment
-
The adversary creates a malicious binary file by altering the header to make the file seem shorter than it is. Additional bytes are added to the end of the file to be placed in the overflowed location.
-
The adversary deploys this file to the software, observing its behavior. If the source code is available, the adversary can carefully craft the malicious file to execute the intended behavior. If the source code is not available, the adversary will iteratively alter the file to reach the intended behavior
Exploit
-
Once the adversary has constructed a file that will effectively overflow the targeted software in the intended way. The file is deployed to the software.
-
Upon successful exploitation, the system either crashes or control of the program is returned to a location of the adversaries' choice. This can result in execution of arbitrary code or escalated privileges, depending upon the exploited target.
Execution Flow
Exploit
-
The attacker creates or modifies a symbolic link pointing to a resources (e.g., file, directory). The content of the symbolic link file includes out-of-bounds (e.g. excessive length) data.
-
The target host consumes the data pointed to by the symbolic link file. The target host may either intentionally expect to read a symbolic link or it may be fooled by the replacement of the original resource and read the attackers' symbolic link.
-
While consuming the data, the target host does not check for buffer boundary which can lead to a buffer overflow. If the content of the data is controlled by the attacker, this is an avenue for remote code execution.
Execution Flow
Explore
-
Determine Target System: In certain cases, the adversary will explore an organization's network to determine a specific target machine to exploit based on the information it contains or privileges the main user may possess.
| Techniques |
|---|
| If needed, the adversary explores an organization's network to determine if any specific systems of interest exist. |
Experiment
-
Develop or Obtain malware and install on a USB device: The adversary develops or obtains the malicious software necessary to exploit the target system, which they then install on an external USB device such as a USB flash drive.
| Techniques |
|---|
| The adversary can develop or obtain malware for to perform a variety of tasks such as sniffing network traffic or monitoring keystrokes. |
Exploit
-
Connect or deceive a user into connecting the infected USB device: Once the malware has been placed on an external USB device, the adversary connects the device to the target system or deceives a user into connecting the device to the target system such as in a USB Drop Attack.
| Techniques |
|---|
| The adversary connects the USB device to a specified target system or performs a USB Drop Attack, hoping a user will find and connect the USB device on their own. Once the device is connected, the malware executes giving the adversary access to network traffic, credentials, etc. |
Execution Flow
Exploit
-
The adversary crafts two different, but valid X.509 certificates that when hashed with an insufficiently collision resistant hashing algorithm would yield the same value.
-
The adversary sends the CSR for one of the certificates to the Certification Authority which uses the targeted hashing algorithm. That request is completely valid and the Certificate Authority issues an X.509 certificate to the adversary which is signed with its private key.
-
The adversary takes the signed blob and inserts it into the second X.509 certificate that the attacker generated. Due to the hash collision, both certificates, though different, hash to the same value and so the signed blob is valid in the second certificate. The result is two certificates that appear to be signed by a valid certificate authority despite only one having been signed.
Execution Flow
Experiment
-
The attacker modifies a tag or variable from a formatted configuration data. For instance they change it to an oversized string.
Exploit
-
The target program consumes the data modified by the attacker without prior boundary checking. As a consequence, a buffer overflow occurs and at worst remote code execution may follow.
Execution Flow
Explore
-
Consider parts of the program where user supplied data may be expanded by the program. Use a disassembler and other reverse engineering tools to guide the search.
Experiment
-
Find a place where a buffer overflow occurs due to the fact that the new expanded size of the string is not correctly accounted for by the program. This may happen perhaps when the string is copied to another buffer that is big enough to hold the original, but not the expanded string. This may create an opportunity for planting the payload and redirecting program execution to the shell code.
Exploit
-
Write the buffer overflow exploit. To be exploitable, the \"spill over\" amount (e.g. the difference between the expanded string length and the original string length before it was expanded) needs to be sufficient to allow the overflow of the stack return pointer (in the case of a stack overflow), without causing a stack corruption that would crash the program before it gets to execute the shell code. Heap overflow will be more difficult and will require the attacker to get more lucky, by perhaps getting a chance to overwrite some of the accounting information stored as part of using malloc().
Execution Flow
Explore
-
The adversary identifies a database management system running on a machine they would like to gain control over, or on a network they want to move laterally through.
Experiment
-
The adversary goes about the typical steps of an SQL injection and determines if an injection is possible.
-
Once the Adversary determines that an SQL injection is possible, they must ensure that the requirements for the attack are met. These are a high privileged session user and batched query support. This is done in similar ways to discovering if an SQL injection is possible.
-
If the requirements are met, based on the database management system that is running, the adversary will find or create user defined functions (UDFs) that can be loaded as DLLs. An example of a DLL can be found at https://github.com/rapid7/metasploit-framework/tree/master/data/exploits/mysql
-
In order to load the DLL, the adversary must first find the path to the plugin directory. The command to achieve this is different based on the type of DBMS, but for MySQL, this can be achieved by running the command \"select @@plugin_dir\"
Exploit
-
The DLL is then moved into the previously found plugin directory so that the contained functions can be loaded. This can be done in a number of ways; loading from a network share, writing the entire hex encoded string to a file in the plugin directory, or loading the DLL into a table and then into a file. An example using MySQL to load the hex string is as follows. select 0x4d5a9000... into dump file \"{plugin directory}\\\\udf.dll\";
-
Once the DLL is in the plugin directory, a command is then run to load the UDFs. An example of this in MySQL is \"create function sys_eval returns string soname 'udf.dll';\" The function sys_eval is specific to the example DLL listed above.
-
Once the adversary has loaded the desired function(s), they will use these to execute arbitrary commands on the compromised system. This is done through a simple select command to the loaded UDF. For example: \"select sys_eval('dir');\". Because the prerequisite to this attack is that the database session user is a super user, this means that the adversary will be able to execute commands with elevated privileges.
Execution Flow
Explore
-
Identify target general susceptibility: An attacker uses an automated tool or manually finds whether the target application uses dynamically linked libraries and the configuration file or look up table (such as Procedure Linkage Table) which contains the entries for dynamically linked libraries.
| Techniques |
|---|
| The attacker uses a tool such as the OSX \"otool\" utility or manually probes whether the target application uses dynamically linked libraries. |
| The attacker finds the configuration files containing the entries to the dynamically linked libraries and modifies the entries to point to the malicious libraries the attacker crafted. |
Experiment
-
Craft malicious libraries: The attacker uses knowledge gained in the Explore phase to craft malicious libraries that they will redirect the target to leverage. These malicious libraries could have the same APIs as the legitimate library and additional malicious code.
| Techniques |
|---|
| The attacker monitors the file operations performed by the target application using a tool like dtrace or FileMon. And the attacker can delay the operations by using \"sleep(2)\" and \"usleep()\" to prepare the appropriate conditions for the attack, or make the application perform expansive tasks (large files parsing, etc.) depending on the purpose of the application. |
Exploit
-
Redirect the access to libraries to the malicious libraries: The attacker redirects the target to the malicious libraries they crafted in the Experiment phase. The attacker will be able to force the targeted application to execute arbitrary code when the application attempts to access the legitimate libraries.
| Techniques |
|---|
| The attacker modifies the entries in the configuration files pointing to the malicious libraries they crafted. |
| The attacker leverages symlink/timing issues to redirect the target to access the malicious libraries they crafted. See also: CAPEC-132. |
| The attacker leverages file search path order issues to redirect the target to access the malicious libraries they crafted. See also: CAPEC-38. |
Execution Flow
Explore
-
Identify web application URL inputs: Review application inputs to find those that are designed to be URLs.
| Techniques |
|---|
| Manually navigate web site pages to identify URLs. |
| Use automated tools to identify URLs. |
Experiment
-
Identify URL inputs allowing local access.: Execute test local commands via each URL input to determine which are successful.
| Techniques |
|---|
| Manually execute a local command (such as 'pwd') via the URL inputs. |
| Using an automated tool, test each URL input for weakness. |
Exploit
-
Execute malicious commands: Using the identified URL inputs that allow local command execution, execute malicious commands.
| Techniques |
|---|
| Execute local commands via the URL input. |
Execution Flow
Explore
-
Determine application's/system's password policy: Determine the password policies of the target application/system.
| Techniques |
|---|
| Determine minimum and maximum allowed password lengths. |
| Determine format of allowed passwords (whether they are required or allowed to contain numbers, special characters, etc.). |
| Determine account lockout policy (a strict account lockout policy will prevent brute force attacks). |
Exploit
-
Brute force password: Given the finite space of possible passwords dictated by the password policy determined in the previous step, try all possible passwords for a known user ID until application/system grants access.
| Techniques |
|---|
| Manually or automatically enter all possible passwords through the application/system's interface. In most systems, start with the shortest and simplest possible passwords, because most users tend to select such passwords if allowed to do so. |
| Perform an offline dictionary attack or a rainbow table attack against a known password hash. |
Execution Flow
Explore
-
Understand the password recovery mechanism and how it works.
Exploit
-
Find a weakness in the password recovery mechanism and exploit it. For instance, a weakness may be that a standard single security question is used with an easy to determine answer.
Execution Flow
Explore
-
Determine suitable tasks to exploit: Determine what tasks exist on the target system that may result in a user providing sensitive information.
| Techniques |
|---|
| Determine what tasks prompt a user for their credentials. |
| Determine what tasks may prompt a user to authorize a process to execute with elevated privileges. |
Exploit
-
Impersonate Task: Impersonate a legitimate task, either expected or unexpected, in an attempt to gain user credentials or to ride the user's privileges.
| Techniques |
|---|
| Prompt a user for their credentials, while making the user believe the credential request is legitimate. |
| Prompt a user to authorize a task to run with elevated privileges, while making the user believe the request is legitimate. |
Execution Flow
Explore
-
Scan for user accounts with set SPN values
-
Request service tickets
| Techniques |
|---|
| These can be found via Powershell or LDAP queries, as well as enumerating startup name accounts and other means. |
| Techniques |
|---|
| Using user account's SPN value, request other service tickets from Active Directory |
Experiment
-
Extract ticket and save to disk
| Techniques |
|---|
| Certain tools like Mimikatz can extract local tickets and save them to memory/disk. |
Exploit
-
Crack the encrypted ticket to harvest plain text credentials
| Techniques |
|---|
| Leverage a brute force application/script on the hashed value offline until cracked. The shorter the password, the easier it is to crack. |
Execution Flow
Explore
-
Identify a place in the program where user input may be used to escalate privileges by for instance accessing unauthorized file system resources through directory browsing.
-
An attacker realizes that there is a postfix data that gets in the way of getting to the desired resources
Exploit
-
An attacker then ads a postfix NULL terminator to the supplied input in order to \"swallow\" the postfixed data when the insertion is taking place. With the postfix data that got in the way of the attack gone, the doors are opened for accessing the desired resources.
Execution Flow
Explore
-
Survey the target: Using a browser or an automated tool, an attacker records all instance of web services to process XML requests.
| Techniques |
|---|
| Use an automated tool to record all instances of URLs to process XML requests. |
| Use a browser to manually explore the website and analyze how the application processes XML requests. |
Experiment
-
An adversary crafts input data that may have an adverse effect on the operation of the web service when the XML data sent to the service.
Exploit
-
Launch a resource depletion attack: The attacker delivers a large number of XML messages to the target URLs found in the explore phase at a sufficiently rapid rate. It causes denial of service to the target application.
| Techniques |
|---|
| Send a large number of crafted XML messages to the target URL. |
Execution Flow
Experiment
-
An attacker first probes to figure out what restrictions on input are placed by filter, such as a specific characters on the end of the URL.
Exploit
-
The attacker then injects a string of their choosing with a null terminator (using an alternate encoding such as %00), followed by a backslash (%5C), followed by some additional characters that are required to keep the filter happy
-
\n
Execution Flow
Explore
-
Determine the relevent open-source code project to target: The adversary will make the selection based on various criteria:
Experiment
-
Develop a malicious contribution plan: The adversary develops a plan to contribute the malicious code, taking the following into consideration:
Exploit
-
Execute the malicious contribution plan: Write the code to be contributed based on the plan and then submit the contribution. Multiple commits, possibly using multiple identities, will help obscure the attack. Monitor the contribution site to try to determine if the code has been uploaded to the target system.
Execution Flow
Explore
-
Determine user-controllable parameters of the application
Exploit
-
Inject each parameter with content that causes an error condition to manifest
-
Modify the content of each parameter according to observed error conditions
-
Repeat above steps with enough parameters until the application has been sufficiently mapped out to launch desired attack (for example, Blind SQL Injection)
Execution Flow
Explore
-
Determine application's/system's password policy: Determine the password policies of the target application/system.
-
Obtain password hashes: An attacker gets access to the database table storing hashes of passwords or potentially just discovers a hash of an individual password.
| Techniques |
|---|
| Determine minimum and maximum allowed password lengths. |
| Determine format of allowed passwords (whether they are required or allowed to contain numbers, special characters, etc.). |
| Determine account lockout policy (a strict account lockout policy will prevent brute force attacks). |
| Techniques |
|---|
| Obtain copy of database table or flat file containing password hashes (by breaking access controls, using SQL Injection, etc.) |
| Obtain password hashes from platform-specific storage locations (e.g. Windows registry) |
| Sniff network packets containing password hashes. |
Exploit
-
Run rainbow table-based password cracking tool: An attacker finds or writes a password cracking tool that uses a previously computed rainbow table for the right hashing algorithm. It helps if the attacker knows what hashing algorithm was used by the password system.
| Techniques |
|---|
| Run rainbow table-based password cracking tool such as Ophcrack or RainbowCrack. Reduction function must depend on application's/system's password policy. |
Execution Flow
Explore
-
Acquire known credentials: The adversary must obtain known credentials in order to access the target system, application, or service.
-
Determine target's password policy: Determine the password policies of the target system/application to determine if the known credentials fit within the specified criteria.
| Techniques |
|---|
| An adversary purchases breached username/password combinations or leaked hashed passwords from the dark web. |
| An adversary leverages a key logger or phishing attack to steal user credentials as they are provided. |
| An adversary conducts a sniffing attack to steal credentials as they are transmitted. |
| An adversary gains access to a database and exfiltrates password hashes. |
| An adversary examines outward-facing configuration and properties files to discover hardcoded credentials. |
| Techniques |
|---|
| Determine minimum and maximum allowed password lengths. |
| Determine format of allowed passwords (whether they are required or allowed to contain numbers, special characters, etc., or whether they are allowed to contain words from the dictionary). |
| Determine account lockout policy (a strict account lockout policy will prevent brute force attacks if multiple passwords are known for a single user account). |
Experiment
-
Attempt authentication: Try each credential until the target grants access.
| Techniques |
|---|
| Manually or automatically enter each credential through the target's interface. |
Exploit
-
Impersonate: An adversary can use successful experiments or authentications to impersonate an authorized user or system, or to laterally move within a system or application
-
Spoofing: Malicious data can be injected into the target system or into a victim user's system by an adversary. The adversary can also pose as a legitimate user to perform social engineering attacks.
-
Data Exfiltration: The adversary can obtain sensitive data contained within the system or application.
Execution Flow
Explore
-
Acquire known Windows administrator credentials: The adversary must obtain known Windows administrator credentials in order to access the administrative network shares.
| Techniques |
|---|
| An adversary purchases breached Windows administrator credentials from the dark web. |
| An adversary leverages a key logger or phishing attack to steal administrator credentials as they are provided. |
| An adversary conducts a sniffing attack to steal Windows administrator credentials as they are transmitted. |
| An adversary gains access to a Windows domain system/files and exfiltrates Windows administrator password hashes. |
| An adversary examines outward-facing configuration and properties files to discover hardcoded Windows administrator credentials. |
Experiment
-
Attempt domain authentication: Try each Windows administrator credential against the hidden network shares until the target grants access.
| Techniques |
|---|
| Manually or automatically enter each administrator credential through the target's interface. |
Exploit
-
Malware Execution: An adversary can remotely execute malware within the administrative network shares to infect other systems within the domain.
-
Data Exfiltration: The adversary can remotely obtain sensitive data contained within the administrative network shares.
Execution Flow
Explore
-
Determine target's password policy: Determine the password policies of the target system/application.
-
Select passwords: Pick the passwords to be used in the attack (e.g. commonly used passwords, passwords tailored to individual users, etc.)
| Techniques |
|---|
| Determine minimum and maximum allowed password lengths. |
| Determine format of allowed passwords (whether they are required or allowed to contain numbers, special characters, etc., or whether they are allowed to contain words from the dictionary). |
| Determine account lockout policy (a strict account lockout policy will prevent brute force attacks). |
| Techniques |
|---|
| Select passwords based on common use or a particular user's additional details. |
| Select passwords based on the target's password complexity policies. |
Exploit
-
Brute force password: Given the finite space of possible passwords dictated by information determined in the previous steps, try each password for all known user accounts until the target grants access.
| Techniques |
|---|
| Manually or automatically enter the first password for each known user account through the target's interface. In most systems, start with the shortest and simplest possible passwords, because most users tend to select such passwords if allowed to do so. |
| Iterate through the remaining passwords for each known user account. |
Execution Flow
Explore
-
Find Session IDs: The attacker interacts with the target host and finds that session IDs are used to authenticate users.
-
Characterize IDs: The attacker studies the characteristics of the session ID (size, format, etc.). As a results the attacker finds that legitimate session IDs are predictable.
| Techniques |
|---|
| An attacker makes many anonymous connections and records the session IDs assigned. |
| An attacker makes authorized connections and records the session tokens or credentials issued. |
| Techniques |
|---|
| Cryptanalysis. The attacker uses cryptanalysis to determine if the session IDs contain any cryptographic protections. |
| Pattern tests. The attacker looks for patterns (odd/even, repetition, multiples, or other arithmetic relationships) between IDs |
| Comparison against time. The attacker plots or compares the issued IDs to the time they were issued to check for correlation. |
Experiment
-
Match issued IDs: The attacker brute forces different values of session ID and manages to predict a valid session ID.
| Techniques |
|---|
| The attacker models the session ID algorithm enough to produce a compatible session IDs, or just one match. |
Exploit
-
Use matched Session ID: The attacker uses the falsified session ID to access the target system.
| Techniques |
|---|
| The attacker loads the session ID into their web browser and browses to restricted data or functionality. |
| The attacker loads the session ID into their network communications and impersonates a legitimate user to gain access to data or functionality. |
Execution Flow
Explore
-
Discovery of potential injection vectors: Using an automated tool or manual discovery, the attacker identifies services or methods with arguments that could potentially be used as injection vectors (OS, API, SQL procedures, etc.).
| Techniques |
|---|
| Manually cover the application and record the possible places where arguments could be passed into external systems. |
| Use a spider, for web applications, to create a list of URLs and associated inputs. |
Experiment
-
1. Attempt variations on argument content: Possibly using an automated tool, the attacker will perform injection variations of the arguments.
| Techniques |
|---|
| Use a very large list of probe strings in order to detect if there is a positive result, and, what type of system has been targeted (if obscure). |
| Use a proxy tool to record results, error messages and/or log if accessible. |
Exploit
-
Abuse of the application: The attacker injects specific syntax into a particular argument in order to generate a specific malicious effect in the targeted application.
| Techniques |
|---|
| Manually inject specific payload into targeted argument. |
Execution Flow
Explore
-
The attacker interacts with the target host and finds that session IDs are used to authenticate users.
-
The attacker steals a session ID from a valid user.
Exploit
-
The attacker tries to use the stolen session ID to gain access to the system with the privileges of the session ID's original owner.
Execution Flow
Explore
-
Acquire known credentials: The adversary must obtain known credentials in order to access the target system, application, or service.
-
Determine target's password policy: Determine the password policies of the target system/application to determine if the known credentials fit within the specified criteria.
| Techniques |
|---|
| An adversary purchases breached username/password combinations or leaked hashed passwords from the dark web. |
| An adversary leverages a key logger or phishing attack to steal user credentials as they are provided. |
| An adversary conducts a sniffing attack to steal credentials as they are transmitted. |
| An adversary gains access to a database and exfiltrates password hashes. |
| An adversary examines outward-facing configuration and properties files to discover hardcoded credentials. |
| Techniques |
|---|
| Determine minimum and maximum allowed password lengths. |
| Determine format of allowed passwords (whether they are required or allowed to contain numbers, special characters, etc., or whether they are allowed to contain words from the dictionary). |
| Determine account lockout policy (a strict account lockout policy will prevent brute force attacks if multiple passwords are known for a single user account). |
Experiment
-
Attempt authentication: Try each username/password combination until the target grants access.
| Techniques |
|---|
| Manually or automatically enter each username/password combination through the target's interface. |
Exploit
-
Impersonate: An adversary can use successful experiments or authentications to impersonate an authorized user or system or to laterally move within a system or application
-
Spoofing: Malicious data can be injected into the target system or into a victim user's system by an adversary. The adversary can also pose as a legitimate user to perform social engineering attacks.
-
Data Exfiltration: The adversary can obtain sensitive data contained within the system or application.
Execution Flow
Explore
-
Setup the Attack: Setup a session: The attacker has to setup a trap session that provides a valid session identifier, or select an arbitrary identifier, depending on the mechanism employed by the application. A trap session is a dummy session established with the application by the attacker and is used solely for the purpose of obtaining valid session identifiers. The attacker may also be required to periodically refresh the trap session in order to obtain valid session identifiers.
| Techniques |
|---|
| The attacker chooses a predefined identifier that they know. |
| The attacker creates a trap session for the victim. |
Experiment
-
Attract a Victim: Fixate the session: The attacker now needs to transfer the session identifier from the trap session to the victim by introducing the session identifier into the victim's browser. This is known as fixating the session. The session identifier can be introduced into the victim's browser by leveraging cross site scripting vulnerability, using META tags or setting HTTP response headers in a variety of ways.
| Techniques |
|---|
| Attackers can put links on web sites (such as forums, blogs, or comment forms). |
| Attackers can establish rogue proxy servers for network protocols that give out the session ID and then redirect the connection to the legitimate service. |
| Attackers can email attack URLs to potential victims through spam and phishing techniques. |
Exploit
-
Abuse the Victim's Session: Takeover the fixated session: Once the victim has achieved a higher level of privilege, possibly by logging into the application, the attacker can now take over the session using the fixated session identifier.
| Techniques |
|---|
| The attacker loads the predefined session ID into their browser and browses to protected data or functionality. |
| The attacker loads the predefined session ID into their software and utilizes functionality with the rights of the victim. |
Execution Flow
Explore
-
Determine target website: The adversary first determines which website to impersonate, generally one that is trusted and receives a consistent amount of traffic.
| Techniques |
|---|
| Research popular or high traffic websites. |
Experiment
-
Impersonate trusted domain: In order to impersonate the trusted domain, the adversary needs to register the BitSquatted URL.
| Techniques |
|---|
| Register the BitSquatted domain. |
Exploit
-
Wait for a user to visit the domain: Finally, the adversary simply waits for a user to be unintentionally directed to the BitSquatted domain.
| Techniques |
|---|
| Simply wait for an error in memory to occur, redirecting the user to the malicious domain. |
Execution Flow
Explore
-
Explore target website: The attacker first explores the target website to determine pieces of functionality that are of interest to them (e.g. money transfers). The attacker will need a legitimate user account on the target website. It would help to have two accounts.
| Techniques |
|---|
| Use web application debugging tool such as WebScarab, Tamper Data or TamperIE to analyze the information exchanged between the client and the server |
| Use network sniffing tool such as Wireshark to analyze the information exchanged between the client and the server |
| View HTML source of web pages that contain links or buttons that perform actions of interest. |
Experiment
-
Create a link that when clicked on, will execute the interesting functionality.: The attacker needs to create a link that will execute some interesting functionality such as transfer money, change a password, etc.
| Techniques |
|---|
| Create a GET request containing all required parameters (e.g. https://www.somebank.com/members/transfer.asp?to=012345678901&amt=10000) |
| Create a form that will submit a POST request (e.g. |
Exploit
-
Convince user to click on link: Finally, the attacker needs to convince a user that is logged into the target website to click on a link to execute the CSRF attack.
| Techniques |
|---|
| Execute a phishing attack and send the user an e-mail convincing them to click on a link. |
| Execute a stored XSS attack on a website to permanently embed the malicious link into the website. |
| Execute a stored XSS attack on a website where an XMLHTTPRequest object will automatically execute the attack as soon as a user visits the page. This removes the step of convincing a user to click on a link. |
| Include the malicious link on the attackers' own website where the user may have to click on the link, or where an XMLHTTPRequest object may automatically execute the attack when a user visits the site. |
Execution Flow
Explore
-
Survey the application for user-controllable inputs: Using a browser or an automated tool, an attacker follows all public links and actions on a web site. They record all the links, the forms, the resources accessed and all other potential entry-points for the web application.
| Techniques |
|---|
| Use a spidering tool to follow and record all links and analyze the web pages to find entry points. Make special note of any links that include parameters in the URL. |
| Use a proxy tool to record all links visited during a manual traversal of the web application. |
| Use a browser to manually explore the website and analyze how it is constructed. Many browsers' plugins are available to facilitate the analysis or automate the discovery. |
Experiment
-
Probe identified potential entry points for XSS vulnerability: The attacker uses the entry points gathered in the \"Explore\" phase as a target list and injects various common script payloads to determine if an entry point actually represents a vulnerability and to characterize the extent to which the vulnerability can be exploited.
| Techniques |
|---|
| Use a list of XSS probe strings to inject script in parameters of known URLs. If possible, the probe strings contain a unique identifier. |
| Use a proxy tool to record results of manual input of XSS probes in known URLs. |
| Use a list of XSS probe strings to inject script into UI entry fields. If possible, the probe strings contain a unique identifier. |
| Use a list of XSS probe strings to inject script into resources accessed by the application. If possible, the probe strings contain a unique identifier. |
Exploit
-
Steal session IDs, credentials, page content, etc.: As the attacker succeeds in exploiting the vulnerability, they can choose to steal user's credentials in order to reuse or to analyze them later on.
-
Forceful browsing: When the attacker targets the current application or another one (through CSRF vulnerabilities), the user will then be the one who perform the attacks without being aware of it. These attacks are mostly targeting application logic flaws, but it can also be used to create a widespread attack against a particular website on the user's current network (Internet or not).
-
Content spoofing: By manipulating the content, the attacker targets the information that the user would like to get from the website.
| Techniques |
|---|
| Develop malicious JavaScript that is injected through vectors identified during the Experiment Phase and loaded by the victim's browser and sends document information to the attacker. |
| Develop malicious JavaScript that injected through vectors identified during the Experiment Phase and takes commands from an attacker's server and then causes the browser to execute appropriately. |
| Techniques |
|---|
| Develop malicious JavaScript that is injected through vectors identified during the Experiment Phase and loaded by the victim's browser and performs actions on the same web site |
| Develop malicious JavaScript that injected through vectors identified during the Experiment Phase and takes commands from an attacker's server and then causes the browser to execute request to other web sites (especially the web applications that have CSRF vulnerabilities). |
| Techniques |
|---|
| Develop malicious JavaScript that is injected through vectors identified during the Experiment Phase and loaded by the victim's browser and exposes attacker-modified invalid information to the user on the current web page. |
Execution Flow
Explore
-
Determine target website: The adversary first determines which website to impersonate, generally one that is trusted and receives a consistent amount of traffic.
| Techniques |
|---|
| Research popular or high traffic websites. |
Experiment
-
Impersonate trusted domain: In order to impersonate the trusted domain, the adversary needs to register the TypoSquatted URL.
| Techniques |
|---|
| Register the TypoSquatted domain. |
Exploit
-
Deceive user into visiting domain: Finally, the adversary needs to deceive a user into visiting the TypoSquatted domain.
| Techniques |
|---|
| Execute a phishing attack and send a user an e-mail convincing the user to click on a link leading the user to the TypoSquatted domain. |
| Assume that a user will incorrectly type the legitimate URL, leading the user to the TypoSquatted domain. |
Execution Flow
Explore
-
Determine target website: The adversary first determines which website to impersonate, generally one that is trusted, receives a consistent amount of traffic, and is a homophone.
| Techniques |
|---|
| Research popular or high traffic websites which are also homophones. |
Experiment
-
Impersonate trusted domain: In order to impersonate the trusted domain, the adversary needs to register the SoundSquatted URL.
| Techniques |
|---|
| Register the SoundSquatted domain. |
Exploit
-
Deceive user into visiting domain: Finally, the adversary needs to deceive a user into visiting the SoundSquatted domain.
| Techniques |
|---|
| Execute a phishing attack and send a user an e-mail convincing the user to click on a link leading the user to the SoundSquatted domain. |
| Assume that a user will unintentionally use the homophone in the URL, leading the user to the SoundSquatted domain. |
Execution Flow
Explore
-
Determine target website: The adversary first determines which website to impersonate, generally one that is trusted and receives a consistent amount of traffic.
| Techniques |
|---|
| Research popular or high traffic websites. |
Experiment
-
Impersonate trusted domain: In order to impersonate the trusted domain, the adversary needs to register the URL containing the homoglpyh character(s).
| Techniques |
|---|
| Register the Homograph domain. |
Exploit
-
Deceive user into visiting domain: Finally, the adversary needs to deceive a user into visiting the Homograph domain.
| Techniques |
|---|
| Execute a phishing attack and send a user an e-mail convincing the to click on a link leading the user to the malicious domain. |
Execution Flow
Explore
-
The attacker accesses the server using a specific URL.
Experiment
-
The attacker tries to encode some special characters in the URL. The attacker find out that some characters are not filtered properly.
Exploit
-
The attacker crafts a malicious URL string request and sends it to the server.
-
The server decodes and interprets the URL string. Unfortunately since the input filtering is not done properly, the special characters have harmful consequences.
Execution Flow
Explore
-
Acquire known Windows credential hash value pairs: The adversary must obtain known Windows credential hash value pairs of accounts that exist on the domain.
| Techniques |
|---|
| An adversary purchases breached Windows credential hash value pairs from the dark web. |
| An adversary conducts a sniffing attack to steal Windows credential hash value pairs as they are transmitted. |
| An adversary gains access to a Windows domain system/files and exfiltrates Windows credential hash value pairs. |
| An adversary examines outward-facing configuration and properties files to discover hardcoded Windows credential hash value pairs. |
Experiment
-
Attempt domain authentication: Try each Windows credential hash value pair until the target grants access.
| Techniques |
|---|
| Manually or automatically enter each Windows credential hash value pair through the target's interface. |
Exploit
-
Impersonate: An adversary can use successful experiments or authentications to impersonate an authorized user or system, or to laterally move within the domain
-
Spoofing: Malicious data can be injected into the target system or into other systems on the domain. The adversary can also pose as a legitimate domain user to perform social engineering attacks.
-
Data Exfiltration: The adversary can obtain sensitive data contained within domain systems or applications.
Execution Flow
Explore
-
\n
| Techniques |
|---|
| The attacker sets up a sniffer in the path between the server and the client. |
Exploit
-
\n
| Techniques |
|---|
| Attacker loads the sniffer to capture the application code bound during a dynamic update. |
| The attacker proceeds to reverse engineer the captured code. |
Execution Flow
Explore
-
Acquire known Kerberos credentials: The adversary must obtain known Kerberos credentials in order to access the target system, application, or service within the domain.
| Techniques |
|---|
| An adversary purchases breached Kerberos service account username/password combinations or leaked hashed passwords from the dark web. |
| An adversary guesses the credentials to a weak Kerberos service account. |
| An adversary conducts a sniffing attack to steal Kerberos tickets as they are transmitted. |
| An adversary conducts a Kerberoasting attack. |
Experiment
-
Attempt Kerberos authentication: Try each Kerberos credential against various resources within the domain until the target grants access.
| Techniques |
|---|
| Manually or automatically enter each Kerberos service account credential through the target's interface. |
| Attempt a Pass the Ticket attack. |
Exploit
-
Impersonate: An adversary can use successful experiments or authentications to impersonate an authorized user or system, or to laterally move within the domain
-
Spoofing: Malicious data can be injected into the target system or into other systems on the domain. The adversary can also pose as a legitimate domain user to perform social engineering attacks.
-
Data Exfiltration: The adversary can obtain sensitive data contained within domain systems or applications.
Execution Flow
Explore
-
Acquire known Windows credentials: The adversary must obtain known Windows credentials in order to access the target system, application, or service within the domain.
| Techniques |
|---|
| An adversary purchases breached Windows username/password combinations or leaked hashed passwords from the dark web. |
| An adversary leverages a key logger or phishing attack to steal user credentials as they are provided. |
| An adversary conducts a sniffing attack to steal Windows credentials as they are transmitted. |
| An adversary gains access to a Windows domain system/files and exfiltrates Windows password hashes. |
| An adversary examines outward-facing configuration and properties files to discover hardcoded Windows credentials. |
Experiment
-
Attempt domain authentication: Try each Windows credential against various systems, applications, and services within the domain until the target grants access.
| Techniques |
|---|
| Manually or automatically enter each credential through the target's interface. |
Exploit
-
Impersonate: An adversary can use successful experiments or authentications to impersonate an authorized user or system, or to laterally move within the domain
-
Spoofing: Malicious data can be injected into the target system or into other systems on the domain. The adversary can also pose as a legitimate domain user to perform social engineering attacks.
-
Data Exfiltration: The adversary can obtain sensitive data contained within domain systems or applications.
Execution Flow
Explore
-
Determine suitable tasks to exploit: Determine what tasks exist on the target system that may result in a user providing their credentials.
| Techniques |
|---|
| Determine what tasks prompt a user for their credentials. |
Exploit
-
Impersonate Task: Impersonate a legitimate task, either expected or unexpected, in an attempt to gain user credentials.
| Techniques |
|---|
| Prompt a user for their credentials, while making the user believe the credential request is legitimate. |
Execution Flow
Explore
-
Obtain domain name and certificate to spoof legitimate site: This optional step can be used to help the adversary impersonate the legitimate organization more convincingly. The adversary can use homograph or similar attacks to convince users that they are using the legitimate website. If the adversary leverages cold-calling for this attack, this step is skipped.
-
Explore legitimate website and create duplicate: An adversary optionally creates a website (optionally at a URL that looks similar to the original URL) that closely resembles the organization's website that they are trying to impersonate. That website will contain a telephone number for the victim to call to assist them with their issue and initiate the attack. If the adversary leverages cold-calling for this attack, this step is skipped.
| Techniques |
|---|
| Optionally obtain a domain name that visually looks similar to the legitimate organization's domain name. An example is www.paypaI.com vs. www.paypal.com (the first one contains a capital i, instead of a lower case L) |
| Optionally obtain a legitimate SSL certificate for the new domain name. |
| Techniques |
|---|
| Use spidering software to get copy of web pages on legitimate site. |
| Manually save copies of required web pages from legitimate site. |
| Create new web pages that have the legitimate site's look and feel, but contain completely new content. |
Exploit
-
Convince user to provide sensitive information to the adversary.: An adversary \"cold calls\" the victim or receives a call from the victim via the malicious site and provides a call-to-action, in order to persuade the user into providing sensitive details to the adversary (e.g. login credentials, bank account information, etc.). The key is to get the victim to believe that the individual they are talking to is from a legitimate entity with which the victim does business and that the call is occurring for legitimate reasons. A call-to-action will usually need to sound legitimate and urgent enough to prompt action from the user.
-
Use stolen information: Once the adversary obtains the sensitive information, this information can be leveraged to log into the victim's bank account and transfer money to an account of their choice, or to make fraudulent purchases with stolen credit card information.
| Techniques |
|---|
| Call the user a from a spoofed legitimate-looking telephone number. |
| Techniques |
|---|
| Login to the legitimate site using another the victim's supplied credentials |
Execution Flow
Explore
-
Survey application: The attacker first takes an inventory of the functionality exposed by the application.
| Techniques |
|---|
| Spider web sites for all available links |
| Sniff network communications with application using a utility such as WireShark. |
Experiment
-
Determine user-controllable input susceptible to injection: Determine the user-controllable input susceptible to injection. For each user-controllable input that the attacker suspects is vulnerable to SQL injection, attempt to inject characters that have special meaning in SQL (such as a single quote character, a double quote character, two hyphens, a parenthesis, etc.). The goal is to create a SQL query with an invalid syntax.
-
Experiment with SQL Injection vulnerabilities: After determining that a given input is vulnerable to SQL Injection, hypothesize what the underlying query looks like. Iteratively try to add logic to the query to extract information from the database, or to modify or delete information in the database.
| Techniques |
|---|
| Use web browser to inject input through text fields or through HTTP GET parameters. |
| Use a web application debugging tool such as Tamper Data, TamperIE, WebScarab,etc. to modify HTTP POST parameters, hidden fields, non-freeform fields, etc. |
| Use network-level packet injection tools such as netcat to inject input |
| Use modified client (modified by reverse engineering) to inject input. |
| Techniques |
|---|
| Use public resources such as \"SQL Injection Cheat Sheet\" at http://ferruh.mavituna.com/makale/sql-injection-cheatsheet/, and try different approaches for adding logic to SQL queries. |
| Add logic to query, and use detailed error messages from the server to debug the query. For example, if adding a single quote to a query causes an error message, try : \"' OR 1=1; --\", or something else that would syntactically complete a hypothesized query. Iteratively refine the query. |
| Use \"Blind SQL Injection\" techniques to extract information about the database schema. |
| If a denial of service attack is the goal, try stacking queries. This does not work on all platforms (most notably, it does not work on Oracle or MySQL). Examples of inputs to try include: \"'; DROP TABLE SYSOBJECTS; --\" and \"'); DROP TABLE SYSOBJECTS; --\". These particular queries will likely not work because the SYSOBJECTS table is generally protected. |
Exploit
-
Exploit SQL Injection vulnerability: After refining and adding various logic to SQL queries, craft and execute the underlying SQL query that will be used to attack the target system. The goal is to reveal, modify, and/or delete database data, using the knowledge obtained in the previous step. This could entail crafting and executing multiple SQL queries if a denial of service attack is the intent.
| Techniques |
|---|
| Craft and Execute underlying SQL query |
Execution Flow
Explore
-
Identify application with attack potential: The adversary searches for and identifies a mobile application that could be exploited for malicious purposes (e.g. banking, voting, or medical applications).
| Techniques |
|---|
| Search application stores for mobile applications worth exploiting |
Experiment
-
Develop code to be hooked into chosen target application: The adversary develops code or leverages existing code that will be hooked into the target application in order to evade Root/Jailbreak detection methods.
| Techniques |
|---|
| Develop code or leverage existing code to bypass Root/Jailbreak detection methods. |
| Test the code to see if it works. |
| Iteratively develop the code until Root/Jailbreak detection methods are evaded. |
Exploit
-
Execute code hooking to evade Root/Jailbreak detection methods: Once hooking code has been developed or obtained, execute the code against the target application to evade Root/Jailbreak detection methods.
| Techniques |
|---|
| Hook code into the target application. |
Execution Flow
Explore
-
Identify application with attack potential: The adversary searches for and identifies a mobile application that could be exploited for malicious purposes (e.g. banking, voting, or medical applications).
| Techniques |
|---|
| Search application stores for mobile applications worth exploiting |
Experiment
-
Debug the target application: The adversary inserts the debugger into the program entry point of the mobile application, after the application's signature has been identified, to dump its memory contents.
-
Remove application signature verification methods: Remove signature verification methods from the decrypted code and resign the application with a self-signed certificate.
| Techniques |
|---|
| Insert the debugger at the mobile application's program entry point, after the application's signature has been identified. |
| Dump the memory region containing the now decrypted code from the address space of the binary. |
Exploit
-
Execute the application and evade Root/Jailbreak detection methods: The application executes with the self-signed certificate, while believing it contains a trusted certificate. This now allows the adversary to evade Root/Jailbreak detection via code hooking or other methods.
| Techniques |
|---|
| Optional: Hook code into the target application. |
Execution Flow
Explore
-
The attacker finds that they can inject data to the format string parameter of Syslog().
Exploit
-
The attacker craft a malicious input and inject it into the format string parameter. From now on, the attacker can execute arbitrary code and do more damage.
Execution Flow
Explore
-
The attacker probes for programs running with elevated privileges.
-
The attacker finds a bug in a program running with elevated privileges.
Exploit
-
The attacker exploits the bug that they have found. For instance, they can try to inject and execute arbitrary code or write to OS resources.
Execution Flow
Explore
-
[Hypothesize SQL queries in application]
-
[Determine how to inject information into the queries]
| Techniques |
|---|
| Research types of SQL queries and determine which ones could be used at various places in an application. |
| Techniques |
|---|
| Add clauses to the SQL queries such that the query logic does not change. |
| Add delays to the SQL queries in case server does not provide clear error messages (e.g. WAITFOR DELAY '0:0:10' in SQL Server or BENCHMARK(1000000000,MD5(1) in MySQL). If these can be injected into the queries, then the length of time that the server takes to respond reveals whether the query is injectable or not. |
Experiment
-
Determine user-controllable input susceptible to injection: Determine the user-controllable input susceptible to injection. For each user-controllable input that the adversary suspects is vulnerable to SQL injection, attempt to inject the values determined in the previous step. If an error does not occur, then the adversary knows that the SQL injection was successful.
-
Determine database type: Determines the type of the database, such as MS SQL Server or Oracle or MySQL, using logical conditions as part of the injected queries
| Techniques |
|---|
| Use web browser to inject input through text fields or through HTTP GET parameters. |
| Use a web application debugging tool such as Tamper Data, TamperIE, WebScarab,etc. to modify HTTP POST parameters, hidden fields, non-freeform fields, etc. |
| Use network-level packet injection tools such as netcat to inject input |
| Use modified client (modified by reverse engineering) to inject input. |
| Techniques |
|---|
| Try injecting a string containing char(0x31)=char(0x31) (this evaluates to 1=1 in SQL Server only) |
| Try injecting a string containing 0x313D31 (this evaluates to 1=1 in MySQL only) |
| Inject other database-specific commands into input fields susceptible to SQL Injection. The adversary can determine the type of database that is running by checking whether the query executed successfully or not (i.e. whether the adversary received a normal response from the server or not). |
Exploit
-
Extract information about database schema: Extract information about database schema by getting the database to answer yes/no questions about the schema.
-
Exploit SQL Injection vulnerability: Use the information obtained in the previous steps to successfully inject the database in order to bypass checks or modify, add, retrieve or delete data from the database
| Techniques |
|---|
| Automatically extract database schema using a tool such as Absinthe. |
| Manually perform the blind SQL Injection to extract desired information about the database schema. |
| Techniques |
|---|
| Use information about how to inject commands into SQL queries as well as information about the database schema to execute attacks such as dropping tables, inserting records, etc. |
Execution Flow
Explore
-
Survey the application for user-controllable inputs: Using a browser or an automated tool, an attacker follows all public links and actions on a web site. They record all the links, the forms, the resources accessed and all other potential entry-points for the web application.
| Techniques |
|---|
| Use a spidering tool to follow and record all links and analyze the web pages to find entry points. Make special note of any links that include parameters in the URL. |
| Use a proxy tool to record all user input entry points visited during a manual traversal of the web application. |
| Use a browser to manually explore the website and analyze how it is constructed. Many browsers' plugins are available to facilitate the analysis or automate the discovery. |
Experiment
-
Probe entry points to locate vulnerabilities: The attacker uses the entry points gathered in the \"Explore\" phase as a target list and injects various Unicode encoded payloads to determine if an entry point actually represents a vulnerability with insufficient validation logic and to characterize the extent to which the vulnerability can be exploited.
| Techniques |
|---|
| Try to use Unicode encoding of content in Scripts in order to bypass validation routines. |
| Try to use Unicode encoding of content in HTML in order to bypass validation routines. |
| Try to use Unicode encoding of content in CSS in order to bypass validation routines. |
Execution Flow
Explore
-
The attacker accesses the server using a specific URL.
Experiment
-
The attacker tries to encode some special characters in the URL. The attacker finds out that some characters are not filtered properly.
Exploit
-
The attacker crafts a malicious URL string request and sends it to the server.
-
The server decodes and interprets the URL string. Unfortunately since the input filtering is not done properly, the special characters may have harmful consequences.
Execution Flow
Explore
-
Adversary determines the nature of state management employed by the target. This includes determining the location (client-side, server-side or both applications) and possibly the items stored as part of user state.
Experiment
-
The adversary now tries to modify the user state contents (possibly blindly if the contents are encrypted or otherwise obfuscated) or cause a state transition and observe the effects of this change on the target.
Exploit
-
Having determined how to manipulate the state, the adversary can perform illegitimate actions.
Execution Flow
Explore
-
Fingerprinting of the operating system: In order to create a valid file injection, the attacker needs to know what the underlying OS is.
-
Survey the Application to Identify User-controllable Inputs: The attacker surveys the target application to identify all user-controllable inputs, possibly as a valid and authenticated user
| Techniques |
|---|
| Port mapping. Identify ports that the system is listening on, and attempt to identify inputs and protocol types on those ports. |
| TCP/IP Fingerprinting. The attacker uses various software to make connections or partial connections and observe idiosyncratic responses from the operating system. Using those responses, they attempt to guess the actual operating system. |
| Induce errors to find informative error messages |
| Techniques |
|---|
| Spider web sites for all available links, entry points to the web site. |
| Manually explore application and inventory all application inputs |
Experiment
-
Vary inputs, looking for malicious results: Depending on whether the application being exploited is a remote or local one the attacker crafts the appropriate malicious input containing the path of the targeted file or other file system control syntax to be passed to the application
| Techniques |
|---|
| Inject context-appropriate malicious file path using network packet injection tools (netcat, nemesis, etc.) |
| Inject context-appropriate malicious file path using web test frameworks (proxies, TamperData, custom programs, etc.) or simple HTTP requests |
| Inject context-appropriate malicious file system control syntax |
Exploit
-
Manipulate files accessible by the application: The attacker may steal information or directly manipulate files (delete, copy, flush, etc.)
| Techniques |
|---|
| The attacker injects context-appropriate malicious file path to access the content of the targeted file. |
| The attacker injects context-appropriate malicious file system control syntax to access the content of the targeted file. |
| The attacker injects context-appropriate malicious file path to cause the application to create, delete a targeted file. |
| The attacker injects context-appropriate malicious file system control syntax to cause the application to create, delete a targeted file. |
| The attacker injects context-appropriate malicious file path in order to manipulate the meta-data of the targeted file. |
| The attacker injects context-appropriate malicious file system control syntax in order to manipulate the meta-data of the targeted file. |
Execution Flow
Explore
-
The attacker communicates with the application server using a thin client (browser) or thick client.
Experiment
-
While communicating with the server, the attacker finds that they can control and override a variable consumed by the application server.
Exploit
-
The attacker overrides the variable and influences the normal behavior of the application server.
Execution Flow
Experiment
-
The attacker can send input data to the host target (e.g., via http request or command line request
-
The attacker craft malicious input data which includes escaped slashes. The attacker may need multiple attempts before finding a successful combination.
Execution Flow
Experiment
-
The attacker has access to a resource path and required to use slashes as resource delimiter.
-
The attacker tries variation and combination of the slashes characters in different encoding format.
-
The attacker found an unfiltered combination which maps to a valid path and accesses unauthorized resources (directories, files, etc.)
Execution Flow
Experiment
-
An attacker can call an API exposed by the target host.
-
On the probing stage, the attacker injects malicious code using the API call and observes the results. The attacker's goal is to uncover a buffer overflow vulnerability.
Exploit
-
The attacker finds a buffer overflow vulnerability, crafts malicious code and injects it through an API call. The attacker can at worst execute remote code on the target host.
Execution Flow
Explore
-
Survey the application for user-controllable inputs: Using a browser or an automated tool, an attacker follows all public links and actions on a web site. They record all the links, the forms, the resources accessed and all other potential entry-points for the web application.
| Techniques |
|---|
| Use a spidering tool to follow and record all links and analyze the web pages to find entry points. Make special note of any links that include parameters in the URL. |
| Use a proxy tool to record all user input entry points visited during a manual traversal of the web application. |
| Use a browser to manually explore the website and analyze how it is constructed. Many browsers' plugins are available to facilitate the analysis or automate the discovery. |
Experiment
-
Probe entry points to locate vulnerabilities: The attacker uses the entry points gathered in the \"Explore\" phase as a target list and injects various UTF-8 encoded payloads to determine if an entry point actually represents a vulnerability with insufficient validation logic and to characterize the extent to which the vulnerability can be exploited.
| Techniques |
|---|
| Try to use UTF-8 encoding of content in Scripts in order to bypass validation routines. |
| Try to use UTF-8 encoding of content in HTML in order to bypass validation routines. |
| Try to use UTF-8 encoding of content in CSS in order to bypass validation routines. |
Execution Flow
Explore
-
Determine Application Web Server Log File Format: The attacker observes the system and looks for indicators of which logging utility is being used by the web server.
| Techniques |
|---|
| Determine logging utility being used by application web server (e.g. log4j), only possible if the application is known by the attacker or if the application returns error messages with logging utility information. |
Experiment
-
Determine Injectable Content: The attacker launches various logged actions with malicious data to determine what sort of log injection is possible.
| Techniques |
|---|
| Attacker triggers logged actions with maliciously crafted data as inputs, parameters, arguments, etc. |
Exploit
-
Manipulate Log Files: The attacker alters the log contents either directly through manipulation or forging or indirectly through injection of specially crafted request that the web server will receive and write into the logs. This type of attack typically follows another attack and is used to try to cover the traces of the previous attack.
| Techniques |
|---|
| \n |
| \n |
| Directly through log file or database manipulation, modify existing log entries. |
Execution Flow
Explore
-
Survey the target: Using a browser or an automated tool, an attacker records all instances of user-controllable input used to contruct XPath queries.
-
Determines the structure of queries: Using manual or automated means, query inputs found for XPath weaknesses.
| Techniques |
|---|
| Use an automated tool to record all instances of user-controllable input used to contruct XPath queries. |
| Use a browser to manually explore the website and analyze how the application processes inputs. |
| Techniques |
|---|
| Use an automated tool automatically probe the inputs for XPath weaknesses. |
| Manually probe the inputs using characters such as single quote (') that can cause XPath-releated errors, thus indicating an XPath weakness. |
Exploit
-
Exploit the target: Craft malicious content containing XPath expressions that is not validated by the application and is executed as part of the XPath queries.
| Techniques |
|---|
| Use the crafted input to execute unexpected queries that can disclose sensitive database information to the attacker. |
Execution Flow
Explore
-
Survey the application for user-controllable inputs: Using a browser or an automated tool, an attacker follows all public links and actions on a web site. They record all the links, the forms, the resources accessed and all other potential entry-points for the web application.
| Techniques |
|---|
| Use a spidering tool to follow and record all links and analyze the web pages to find entry points. Make special note of any links that include parameters in the URL. |
| Use a proxy tool to record all user input entry points visited during a manual traversal of the web application. |
| Use a browser to manually explore the website and analyze how it is constructed. Many browsers' plugins are available to facilitate the analysis or automate the discovery. |
Experiment
-
Determine user-controllable input susceptible to injection: Determine the user-controllable input susceptible to injection. For each user-controllable input that the attacker suspects is vulnerable to XQL injection, attempt to inject characters that have special meaning in XQL. The goal is to create an XQL query with an invalid syntax.
| Techniques |
|---|
| Use web browser to inject input through text fields or through HTTP GET parameters. |
| Use a web application debugging tool such as Tamper Data, TamperIE, WebScarab,etc. to modify HTTP POST parameters, hidden fields, non-freeform fields, etc. |
| Use XML files to inject input. |
| Use network-level packet injection tools such as netcat to inject input |
| Use modified client (modified by reverse engineering) to inject input. |
Exploit
-
Information Disclosure: The attacker crafts and injects an XQuery payload which is acted on by an XQL query leading to inappropriate disclosure of information.
-
Manipulate the data in the XML database: The attacker crafts and injects an XQuery payload which is acted on by an XQL query leading to modification of application data.
| Techniques |
|---|
| Leveraging one of the vulnerable inputs identified during the Experiment phase, inject malicious XQuery payload. The payload aims to get information on the structure of the underlying XML database and/or the content in it. |
| Techniques |
|---|
| Leveraging one of the vulnerable inputs identified during the Experiment phase, inject malicious XQuery payload.. The payload tries to insert or replace data in the XML database. |
Execution Flow
Explore
-
Send requests to the server and analyze responses: Using a browser or an automated tool, an attacker sends requests to a website and then captures the responses. Responses are analyzed for information on frameworks, architecture, and dependencies.
| Techniques |
|---|
| Use a browser to manually request pages and view the responses. Manually parse responses to find information on dependencies and underlying architecture |
| Use automated scripting to send one or multiple requests to a server and capture any responses. Parse responses from the server to identify any tags that may provide information about dependencies and underlying architecture. |
Execution Flow
Explore
-
Spider: Using a browser or an automated tool, an attacker follows all public links on a web site. They record all the entry points (input) that becomes part of generated HTTP header (not only GET/POST/COOKIE, but also Content-Type, etc.)
| Techniques |
|---|
| Use a spidering tool to follow and record all links and analyze the web pages to find entry points. Make special note of any links that include parameters used in the HTTP headers. |
| Look for HTML meta tags that could be injectable |
| Use a proxy tool to record all links visited during a manual traversal of the web application. |
| Use a browser to manually explore the website and analyze how it is constructed. Many browsers' plugins are available to facilitate the analysis or automate the discovery. |
Experiment
-
[Probe identified potential entry points for XSS vulnerability]
| Techniques |
|---|
| Manually inject various script payloads into each identified entry point using a list of common script injection probes and observe system behavior to determine if script was executed. |
| Use an automated injection attack tool to inject various script payloads into each identified entry point using a list of common script injection probes and observe system behavior to determine if script was executed. |
| Use a proxy tool to record results of manual input of XSS probes in known URLs. |
Exploit
-
Steal session IDs, credentials, page content, etc.: As the attacker succeeds in exploiting the vulnerability, they can choose to steal user's credentials in order to reuse or to analyze them later on.
-
Forceful browsing: When the attacker targets the current application or another one (through CSRF vulnerabilities), the user will then be the one who perform the attacks without being aware of it. These attacks are mostly targeting application logic flaws, but it can also be used to create a widespread attack against a particular website on the user's current network (Internet or not).
-
Content spoofing: By manipulating the content, the attacker targets the information that the user would like to get from the website.
| Techniques |
|---|
| Develop malicious JavaScript that is injected through vectors identified during the Experiment Phase and loaded by the victim's browser and sends document information to the attacker. |
| Develop malicious JavaScript that injected through vectors identified during the Experiment Phase and takes commands from an attacker's server and then causes the browser to execute appropriately. |
| Techniques |
|---|
| Develop malicious JavaScript that is injected through vectors identified during the Experiment Phase and loaded by the victim's browser and performs actions on the same web site |
| Develop malicious JavaScript that injected through vectors identified during the Experiment Phase and takes commands from an attacker's server and then causes the browser to execute request to other web sites (especially the web applications that have CSRF vulnerabilities). |
| Techniques |
|---|
| Develop malicious JavaScript that is injected through vectors identified during the Experiment Phase and loaded by the victim's browser and exposes attacker-modified invalid information to the user on the current web page. |
Execution Flow
Explore
-
Spider: Using an automated tool, an attacker follows all public links on a web site. They record all the links they find.
| Techniques |
|---|
| Use a spidering tool to follow and record all links. |
| Use a proxy tool to record all links visited during a manual traversal of the web application. |
Experiment
-
Attempt well-known or guessable resource locations: Using an automated tool, an attacker requests a variety of well-known URLs that correspond to administrative, debugging, or other useful internal actions. They record all the positive responses from the server.
| Techniques |
|---|
| Use a spidering tool to follow and record attempts on well-known URLs. |
| Use a proxy tool to record all links visited during a manual traversal of attempts on well-known URLs. |
Exploit
-
Use unauthorized resources: By visiting the unprotected resource, the attacker makes use of unauthorized functionality.
-
View unauthorized data: The attacker discovers and views unprotected sensitive data.
| Techniques |
|---|
| Access unprotected functions and execute them. |
| Techniques |
|---|
| Direct request of protected pages that directly access database back-ends. (e.g., list.jsp, accounts.jsp, status.jsp, etc.) |
Execution Flow
Explore
-
Identify inputs for OS commands: The attacker determines user controllable input that gets passed as part of a command to the underlying operating system.
-
Survey the Application: The attacker surveys the target application, possibly as a valid and authenticated user
| Techniques |
|---|
| Port mapping. Identify ports that the system is listening on, and attempt to identify inputs and protocol types on those ports. |
| TCP/IP Fingerprinting. The attacker uses various software to make connections or partial connections and observe idiosyncratic responses from the operating system. Using those responses, they attempt to guess the actual operating system. |
| Induce errors to find informative error messages |
| Techniques |
|---|
| Spidering web sites for all available links |
| Inventory all application inputs |
Experiment
-
Vary inputs, looking for malicious results.: Depending on whether the application being exploited is a remote or local one the attacker crafts the appropriate malicious input, containing OS commands, to be passed to the application
| Techniques |
|---|
| Inject command delimiters using network packet injection tools (netcat, nemesis, etc.) |
| Inject command delimiters using web test frameworks (proxies, TamperData, custom programs, etc.) |
Exploit
-
Execute malicious commands: The attacker may steal information, install a back door access mechanism, elevate privileges or compromise the system in some other way.
| Techniques |
|---|
| The attacker executes a command that stores sensitive information into a location where they can retrieve it later (perhaps using a different command injection). |
| The attacker executes a command that stores sensitive information into a location where they can retrieve it later (perhaps using a different command injection). |
| The attacker executes a command that stores sensitive information into a location where they can retrieve it later (perhaps using a different command injection). |
Execution Flow
Exploit
-
Attacker sets up a system mocking the one trusted by the users. This is usually a website that requires or handles sensitive information.
-
The attacker then poisons the resolver for the targeted site. This is achieved by poisoning the DNS server, or the local hosts file, that directs the user to the original website
-
When the victim requests the URL for the site, the poisoned records direct the victim to the attackers' system rather than the original one.
-
Because of the identical nature of the original site and the attacker controlled one, and the fact that the URL is still the original one, the victim trusts the website reached and the attacker can now \"farm\" sensitive information such as credentials or account numbers.
Execution Flow
Explore
-
Attacker identifies command utilities exposed by the target host.
Experiment
-
On the probing stage, the attacker interacts with the command utility and observes the results of its input. The attacker's goal is to uncover a buffer overflow in the command utility. For instance the attacker may find that input data are not properly validated.
Exploit
-
The attacker finds a buffer overflow vulnerability in the command utility and tries to exploit it. They craft malicious code and injects it using the command utility. The attacker can at worst execute remote code on the target host.
Execution Flow
Experiment
-
The attacker opens a connection to the target server and sends it a challenge
-
The server responds by returning the challenge encrypted with a shared secret as well as its own challenge to the attacker
-
Since the attacker does not possess the shared secret, they initiate a second connection to the server and sends it, as challenge, the challenge received from the server on the first connection
-
The server treats this as just another handshake and responds by encrypting the challenge and issuing its own to the attacker
-
The attacker now receives the encrypted challenge on the second connection and sends it as response to the server on the first connection, thereby successfully completing the handshake and authenticating to the server.
Execution Flow
Explore
-
The first step is exploratory meaning the attacker looks for an integer variable that they can control.
Experiment
-
The attacker finds an integer variable that they can write into or manipulate and try to get the value of the integer out of the possible range.
Exploit
-
The integer variable is forced to have a value out of range which set its final value to an unexpected value.
-
The target host acts on the data and unexpected behavior may happen.
Execution Flow
Explore
-
Determine Application's Log File Format: The first step is exploratory meaning the attacker observes the system. The attacker looks for action and data that are likely to be logged. The attacker may be familiar with the log format of the system.
| Techniques |
|---|
| Determine logging utility being used by application (e.g. log4j) |
| Gain access to application's source code to determine log file formats. |
| Install or obtain access to instance of application and observe its log file format. |
Exploit
-
Manipulate Log Files: The attacker alters the log contents either directly through manipulation or forging or indirectly through injection of specially crafted input that the target software will write to the logs. This type of attack typically follows another attack and is used to try to cover the traces of the previous attack.
| Techniques |
|---|
| \n |
| \n |
Execution Flow
Experiment
-
The attacker probes to determine the nature and mechanism of communication between two components looking for opportunities to exploit.
-
The attacker inserts themself into the communication channel initially acting as a routing proxy between the two targeted components. The attacker may or may not have to use cryptography.
Exploit
-
The attacker observes, filters or alters passed data of its choosing to gain access to sensitive information or to manipulate the actions of the two target components for their own purposes.
Execution Flow
Explore
-
The first step is exploratory meaning the attacker scans for WSDL documents. The WDSL document written in XML is like a handbook on how to communicate with the web services provided by the target host. It provides an open view of the application (function details, purpose, functional break down, entry points, message types, etc.). This is very useful information for the attacker.
Experiment
-
The second step that an attacker would undertake is to analyze the WSDL files and try to find potential weaknesses by sending messages matching the pattern described in the WSDL file. The attacker could run through all of the operations with different message request patterns until a breach is identified.
Exploit
-
Once an attacker finds a potential weakness, they can craft malicious content to be sent to the system. For instance the attacker may try to submit special characters and observe how the system reacts to an invalid request. The message sent by the attacker may not be XML validated and cause unexpected behavior.
Execution Flow
Explore
-
Determine what external libraries the application accesses.
Experiment
-
Block access to the external libraries accessed by the application.
-
Monitor the behavior of the system to see if it goes into an insecure/inconsistent state.
-
If the system does go into an insecure/inconsistent state, leverage that to obtain information about the system functionality or data, elevate access control, etc. The rest of this attack will depend on the context and the desired goal.
Execution Flow
Explore
-
An attacker discovers a weakness in the cryptographic algorithm or a weakness in how it was applied to a particular chunk of plaintext.
Exploit
-
An attacker leverages the discovered weakness to decrypt, partially decrypt or infer some information about the contents of the encrypted message. All of that is done without knowing the secret key.
Execution Flow
Explore
-
Obtain domain name and certificate to spoof legitimate site: This optional step can be used to help the attacker impersonate the legitimate site more convincingly. The attacker can use homograph attacks to convince users that they are using the legitimate website. Note that this step is not required for phishing attacks, and many phishing attacks simply supply URLs containing an IP address and no SSL certificate.
-
Explore legitimate website and create duplicate: An attacker creates a website (optionally at a URL that looks similar to the original URL) that closely resembles the website that they are trying to impersonate. That website will typically have a login form for the victim to put in their authentication credentials. There can be different variations on a theme here.
| Techniques |
|---|
| Optionally obtain a domain name that visually looks similar to the legitimate site's domain name. An example is www.paypaI.com vs. www.paypal.com (the first one contains a capital i, instead of a lower case L) |
| Optionally obtain a legitimate SSL certificate for the new domain name. |
| Techniques |
|---|
| Use spidering software to get copy of web pages on legitimate site. |
| Manually save copies of required web pages from legitimate site. |
| Create new web pages that have the legitimate site's look and feel, but contain completely new content. |
Exploit
-
Convince user to enter sensitive information on attacker's site.: An attacker sends an e-mail to the victim that has some sort of a call to action to get the user to click on the link included in the e-mail (which takes the victim to attacker's website) and log in. The key is to get the victim to believe that the e-mail is coming from a legitimate entity with which the victim does business and that the website pointed to by the URL in the e-mail is the legitimate website. A call to action will usually need to sound legitimate and urgent enough to prompt action from the user.
-
Use stolen credentials to log into legitimate site: Once the attacker captures some sensitive information through phishing (login credentials, credit card information, etc.) the attacker can leverage this information. For instance, the attacker can use the victim's login credentials to log into their bank account and transfer money to an account of their choice.
| Techniques |
|---|
| Send the user a message from a spoofed legitimate-looking e-mail address that asks the user to click on the included link. |
| Place phishing link in post to online forum. |
| Techniques |
|---|
| Log in to the legitimate site using another user's supplied credentials |