CAPEC-12: Choosing Message Identifier
This pattern of attack is defined by the selection of messages distributed via multicast or public information channels that are intended for another client by determining the parameter value assigned to that client. This attack allows the adversary to gain access to potentially privileged information, and to possibly perpetrate other attacks through the distribution means by impersonation. If the channel/message being manipulated is an input rather than output mechanism for the system, (such as a command bus), this style of attack could be used to change the adversary's identifier to more a privileged one.
Last updated
Overview
CAPEC-12 (Choosing Message Identifier) is a standard-level attack pattern catalogued by MITRE in the Common Attack Pattern Enumeration and Classification (CAPEC). It describes a recurring method attackers use to exploit software weaknesses.
How the attack works
The phases an attacker typically follows to carry out this attack.
- Step 1Explore
[Determine Nature of Messages] Determine the nature of messages being transported as well as the identifiers to be used as part of the attack
- Step 2Experiment
[Authenticate] If required, authenticate to the distribution channel
- Step 3Experiment
[Identify Known Client Identifiers] If any particular client's information is available through a control channel available to all users, the adversary will discover particular identifiers for targeted clients by observing this channel, or requesting client information through this channel.
- Step 4Experiment
[Change Message Identifier] Adversaries with client access connecting to output channels could change their channel identifier and see someone else's (perhaps more privileged) data.
What the attacker needs
Prerequisites
- Information and client-sensitive (and client-specific) data must be present through a distribution channel available to all users.
- Distribution means must code (through channel, message identifiers, or convention) message destination in a manner visible within the distribution means itself (such as a control channel) or in the messages themselves.
Skills required
- Low skill: All the adversary needs to discover is the format of the messages on the channel/distribution means and the particular identifier used within the messages.
Resources required
- The adversary needs the ability to control source code or application configuration responsible for selecting which message/channel id is absorbed from the public distribution means.
Consequences
What a successful CAPEC-12 attack can achieve.
Read Data
Affects: Confidentiality
Gain Privileges
Affects: Confidentiality, Access Control, Authorization
How to mitigate it
Defenses that reduce the risk of CAPEC-12.
- Associate some ACL (in the form of a token) with an authenticated user which they provide middleware. The middleware uses this token as part of its channel/message selection for that client, or part of a discerning authorization decision for privileged channels/messages. The purpose is to architect the system in a way that associates proper authentication/authorization with each channel/message.
- Re-architect system input/output channels as appropriate to distribute self-protecting data. That is, encrypt (or otherwise protect) channels/messages so that only authorized readers can see them.
Examples
A certain B2B interface on a large application codes for messages passed over an MQSeries queue, on a single "Partners" channel. Messages on that channel code for their client destination based on a partner_ID field, held by each message. That field is a simple integer. Adversaries having access to that channel, perhaps a particularly nosey partner, can simply choose to store messages of another partner's ID and read them as they desire. Note that authentication does not prevent a partner from leveraging this attack on other partners. It simply disallows adversaries without partner status from conducting this attack.
Frequently asked questions
Common questions about CAPEC-12.
- What is CAPEC-12?
- This pattern of attack is defined by the selection of messages distributed via multicast or public information channels that are intended for another client by determining the parameter value assigned to that client. This attack allows the adversary to gain access to potentially privileged information, and to possibly perpetrate other attacks through the distribution means by impersonation. If the channel/message being manipulated is an input rather than output mechanism for the system, (such as a command bus), this style of attack could be used to change the adversary's identifier to more a privileged one.
- How does a Choosing Message Identifier attack work?
- It typically unfolds over 4 phases. It begins with: [Determine Nature of Messages] Determine the nature of messages being transported as well as the identifiers to be used as part of the attack
- How do you prevent CAPEC-12?
- Associate some ACL (in the form of a token) with an authenticated user which they provide middleware. The middleware uses this token as part of its channel/message selection for that client, or part of a discerning authorization decision for privileged channels/messages. The purpose is to architect the system in a way that associates proper authentication/authorization with each channel/message.
- What weaknesses does CAPEC-12 target?
- CAPEC-12 exploits 2 CWE weaknesses, including CWE-201 (Insertion of Sensitive Information Into Sent Data), CWE-306 (Missing Authentication for Critical Function).
- How severe is CAPEC-12?
- MITRE rates CAPEC-12 as High severity with high likelihood of attack.
References
Attack-pattern data is sourced from the MITRE CAPEC catalog (v3.9). Weakness associations link to the corresponding CWE entries on RadicalNotion.AI.
Defend against CAPEC-12
Track the CVEs and weaknesses attackers exploit with this technique, with AI-written analysis and remediation guidance.