CAPEC-65 Sniff Application Code

CAPEC ID: 65

CAPEC-65 Metadata

Likelihood of Attack

Low

Typical Severity

High

Overview

Summary

An adversary passively sniffs network communications and captures application code bound for an authorized client. Once obtained, they can use it as-is, or through reverse-engineering glean sensitive information or exploit the trust relationship between the client and server. Such code may belong to a dynamic update to the client, a patch being applied to a client component or any such interaction where the client is authorized to communicate with the server.

Prerequisites

The attacker must have the ability to place themselves in the communication path between the client and server. The targeted application must receive some application code from the server; for example, dynamic updates, patches, applets or scripts. The attacker must be able to employ a sniffer on the network without being detected.

Execution Flow

Step 1 (Explore): Set up a sniffer
  The adversary sets up a sniffer in the path between the server and the client and watches the traffic.
  Techniques:
  • The adversary sets up a sniffer in the path between the server and the client.

Step 2 (Exploit): Capturing Application Code Bound During Patching
  The adversary knows that the computer/OS/application can request new applications to install, or that it periodically checks for an available update. The adversary loads the sniffer set up during the Explore phase and extracts the application code from subsequent communication. The adversary then proceeds to reverse engineer the captured code.
  Techniques:
  • The adversary loads the sniffer to capture the application code bound during a dynamic update.
  • The adversary proceeds to reverse engineer the captured code.

Potential Solutions / Mitigations

Design: Encrypt all communication between the client and server.
Implementation: Use SSL, SSH, SCP.
Operation: Use "ifconfig/ipconfig" or other tools to detect the sniffer installed in the network.
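As an added illustration of the Implementation and Operation mitigations above (example code written for this page, not part of the CAPEC entry), the block below does two things on the defender's side: it builds the TLS settings an update client should use when it fetches code from the server (certificate and hostname verification on, TLS 1.2 as the floor), and it flags network interfaces running in promiscuous mode, which is the usual footprint of a host-based sniffer in `ip link show` or `ifconfig` output. The sample command outputs are constructed, not captured from a real host; the function names are this example's own.

```python
import re
import ssl
from typing import List

# Constructed sample in the style of `ip link show` (Linux iproute2); not from a real host.
SAMPLE_IP_LINK = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 02:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 02:00:00:00:00:02 brd ff:ff:ff:ff:ff:ff
"""

# Constructed sample in the style of net-tools `ifconfig`; not from a real host.
SAMPLE_IFCONFIG = """\
eth0: flags=4419<UP,BROADCAST,RUNNING,PROMISC,MULTICAST>  mtu 1500
        inet 192.0.2.10  netmask 255.255.255.0  broadcast 192.0.2.255
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
"""

# Header line of an interface in either format:
#   "3: eth1: <BROADCAST,...,PROMISC,...> mtu 1500 ..."    (ip link)
#   "eth0: flags=4419<UP,BROADCAST,RUNNING,PROMISC,...>"   (ifconfig)
# Continuation lines (addresses, link-layer info) are indented and carry no flag set.
_IFACE_LINE = re.compile(r"^(?:\d+:\s+)?([A-Za-z0-9_.@-]+):\s+(?:flags=\d+)?<([^>]*)>")


def promiscuous_interfaces(output: str) -> List[str]:
    """Return the names of interfaces whose flag set contains PROMISC.

    Works on the text of `ip link show` or `ifconfig` (the Operation mitigation:
    use ifconfig/ipconfig or similar tools to look for a sniffer on the host).
    """
    found = []
    for line in output.splitlines():
        m = _IFACE_LINE.match(line)
        if not m:
            continue
        name, flags = m.group(1), m.group(2).split(",")
        if "PROMISC" in flags:
            found.append(name)
    return found


def update_client_tls_context() -> ssl.SSLContext:
    """TLS settings for the client side of a code/update download.

    create_default_context() loads the platform trust store and turns on
    certificate verification plus hostname checking; the version floor refuses
    legacy SSL/TLS so a passive observer cannot rely on a downgraded session.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    for label, text in (("ip link", SAMPLE_IP_LINK), ("ifconfig", SAMPLE_IFCONFIG)):
        print(f"{label}: promiscuous interfaces = {promiscuous_interfaces(text)}")
    ctx = update_client_tls_context()
    print(f"update client TLS: verify={ctx.verify_mode.name} hostname={ctx.check_hostname} "
          f"min={ctx.minimum_version.name}")
```

The promiscuous-mode check only covers hosts you can inspect: a sniffer attached to a network tap or a switch mirror port sets no flag on the client or server, which is why the Design mitigation (encrypting the channel end to end) is the one that removes the value of whatever is captured. Checking transport encryption from the client side, as `update_client_tls_context` does, is the piece a downloader most often gets wrong by disabling verification.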

Related Weaknesses (CWE)

CWE-311: Missing Encryption of Sensitive Data
CWE-318: Cleartext Storage of Sensitive Information in Executable
CWE-319: Cleartext Transmission of Sensitive Information
CWE-693: Protection Mechanism Failure

Related CAPECs

CAPEC-37: An attacker examines a target system to find sensitive data that has been embedded within it. This information can reveal confidential contents, such as account numbers or individual keys/credentials that can be used as an intermediate step in a larger attack.
CAPEC-157: In this attack pattern, the adversary intercepts information transmitted between two third parties. The adversary must be able to observe, read, and/or hear the communication traffic, but not necessarily block the communication or change its content. Any transmission medium can theoretically be sniffed if the adversary can examine the contents between the sender and recipient. Sniffing Attacks are similar to Adversary-In-The-Middle attacks (CAPEC-94), but are entirely passive. AiTM attacks are predominantly active and often alter the content of the communications themselves.

Taxonomy Mappings

Taxonomy: ATTACK

Entry 1040: Network Sniffing
