CAPEC-179: Calling Micro-Services Directly

An attacker is able to discover and query Micro-services at a web location and thereby expose the Micro-services to further exploitation by gathering information about their implementation and function. Micro-services in web pages allow portions of a page to connect to the server and update content without needing to cause the entire page to update. This allows user activity to change portions of the page more quickly without causing disruptions elsewhere.

Medium

Typical severity

Per MITRE

Not rated

Likelihood of attack

Per MITRE

Related weaknesses

CWEs this targets

Standard

Abstraction

MITRE classification

Overview

However, these micro-services may not be subject to the same level of security review as other forms of content. For example, a micro-service that posts requests to a server that are turned into SQL queries may not adequately protect against SQL-injection attacks. As a result, micro-services may provide another vector for a range of attacks. It should be emphasized that the presence of micro-services does not necessarily make a site vulnerable to attack, but they do provide additional complexity to a web page and therefore may contain vulnerabilities that support other attack patterns.

CAPEC-179: Calling Micro-Services Directly

Overview

What the attacker needs

Prerequisites

Resources required

Frequently asked questions

What is CAPEC-179?

How severe is CAPEC-179?

References

Defend against CAPEC-179

Overview

What the attacker needs

Prerequisites

Resources required

Related attack patterns

Parent

Frequently asked questions

What is CAPEC-179?

How severe is CAPEC-179?

References

Defend against CAPEC-179