CAPEC-155: Screen Temporary Files for Sensitive Information
An adversary exploits the temporary, insecure storage of information by monitoring the content of files used to store temp data during an application's routine execution flow. Many applications use temporary files to accelerate processing or to provide records of state across multiple executions of the application. Sometimes, however, these temporary files may end up storing sensitive information. By screening an application's temporary files, an adversary might be able to discover such sensitive information. For example, web browsers often cache content to accelerate subsequent lookups. If the content contains sensitive information then the adversary could recover this from the web cache.
Last updated
Overview
CAPEC-155 (Screen Temporary Files for Sensitive Information) is a detailed-level attack pattern catalogued by MITRE in the Common Attack Pattern Enumeration and Classification (CAPEC). It describes a recurring method attackers use to exploit software weaknesses.
How the attack works
The phases an attacker typically follows to carry out this attack.
- Step 1Explore
[Look for temporary files in target application] An adversary will try to discover temporary files in a target application. Knowledge of where the temporary files are being stored is important information.
- Step 2Experiment
[Attempt to read temporary files] An adversary will attempt to read any temporary files they may have discovered through normal means.
- Attempt to get the file by querying the file path to a web server
- Using a remote shell into an application, read temporary files and send out information remotely if necessary
- Recover temporary information from a user's browser cache
- Step 3Exploit
[Use function weaknesses to gain access to temporary files] If normal means to read temporary files did not work, an adversary will attempt to exploit weak temporary file functions to gain access to temporary files.
- Some C functions such as tmpnam(), tempnam(), and mktemp() will create a temporary file with a unique name, but do not stop an adversary from creating a file of the same name before it is opened by the application. Because these functions do not create file names that are sufficiently random, an adversary will try to make a file of the same name, causing a collision, and possibly altering file permissions for the temporary file so that it is able to be read.
- Similar to the last technique, an adversary might also create a file name collision using a linked file in a unix system such that the temporary file contents written out by the application write to a file of the adversaries choosing, allowing them to read the file contents.
What the attacker needs
Prerequisites
- The target application must utilize temporary files and must fail to adequately secure them against other parties reading them.
Resources required
- Because some application may have a large number of temporary files and/or these temporary files may be very large, an adversary may need tools that help them quickly search these files for sensitive information. If the adversary can simply copy the files to another location and if the speed of the search is not important, the adversary can still perform the attack without any special resources.
Frequently asked questions
Common questions about CAPEC-155.
- What is CAPEC-155?
- An adversary exploits the temporary, insecure storage of information by monitoring the content of files used to store temp data during an application's routine execution flow. Many applications use temporary files to accelerate processing or to provide records of state across multiple executions of the application. Sometimes, however, these temporary files may end up storing sensitive information. By screening an application's temporary files, an adversary might be able to discover such sensitive information. For example, web browsers often cache content to accelerate subsequent lookups. If the content contains sensitive information then the adversary could recover this from the web cache.
- How does a Screen Temporary Files for Sensitive Information attack work?
- It typically unfolds over 3 phases. It begins with: [Look for temporary files in target application] An adversary will try to discover temporary files in a target application. Knowledge of where the temporary files are being stored is important information.
- What weaknesses does CAPEC-155 target?
- CAPEC-155 exploits 1 CWE weakness, including CWE-377 (Insecure Temporary File).
- How severe is CAPEC-155?
- MITRE rates CAPEC-155 as Medium severity with medium likelihood of attack.
References
Attack-pattern data is sourced from the MITRE CAPEC catalog (v3.9). Weakness associations link to the corresponding CWE entries on RadicalNotion.AI.
Defend against CAPEC-155
Track the CVEs and weaknesses attackers exploit with this technique, with AI-written analysis and remediation guidance.