CAPEC-204: Lifting Sensitive Data Embedded in Cache
An adversary examines a target application's cache, or a browser cache, for sensitive information. Many applications that communicate with remote entities or which perform intensive calculations utilize caches to improve efficiency. However, if the application computes or receives sensitive information and the cache is not appropriately protected, an attacker can browse the cache and retrieve this information. This can result in the disclosure of sensitive information.
Last updated
Overview
CAPEC-204 (Lifting Sensitive Data Embedded in Cache) is a detailed-level attack pattern catalogued by MITRE in the Common Attack Pattern Enumeration and Classification (CAPEC). It describes a recurring method attackers use to exploit software weaknesses.
How the attack works
The phases an attacker typically follows to carry out this attack.
- Step 1Explore
[Identify Application Cache] An adversary first identifies an application that utilizes a cache. This could either be a web application storing data in a browser cache, or an application running on a separate machine. The adversary examines the cache to determine file permissions and possible encryption.
- Use probing tools to look for application cache files on a machine.
- Use a web application and determine if any sensitive information is stored in browser cache.
- Step 2Experiment
[Attempt to Access Cache] Once the cache has been discovered, the adversary attempts to access the cached data. This often requires previous access to a machine hosting the target application.
- Use priviledge escalation to access cache files that might have strict privileges.
- If the application cache is encrypted with weak encryption, attempt to understand the encryption technique and break the encryption.
- Step 3Exploit
[Lift Sensitive Data from Cache] After gaining access to cached data, an adversary looks for potentially sensitive information and stores it for malicious use. This sensitive data could possibly be used in follow-up attacks related to authentication or authorization.
- Using a public computer, or gaining access to a victim's computer, examine browser cache to look for sensitive data left over from previous sessions.
What the attacker needs
Prerequisites
- The target application must store sensitive information in a cache.
- The cache must be inadequately protected against attacker access.
Resources required
- The attacker must be able to reach the target application's cache. This may require prior access to the machine on which the target application runs. If the cache is encrypted, the attacker would need sufficient computational resources to crack the encryption. With strong encryption schemes, doing this could be intractable, but weaker encryption schemes could allow an attacker with sufficient resources to read the file.
Terminology & mappings
Mapped taxonomies
- ATTACK: Data from Local System (1005)
Frequently asked questions
Common questions about CAPEC-204.
- What is CAPEC-204?
- An adversary examines a target application's cache, or a browser cache, for sensitive information. Many applications that communicate with remote entities or which perform intensive calculations utilize caches to improve efficiency. However, if the application computes or receives sensitive information and the cache is not appropriately protected, an attacker can browse the cache and retrieve this information. This can result in the disclosure of sensitive information.
- How does a Lifting Sensitive Data Embedded in Cache attack work?
- It typically unfolds over 3 phases. It begins with: [Identify Application Cache] An adversary first identifies an application that utilizes a cache. This could either be a web application storing data in a browser cache, or an application running on a separate machine. The adversary examines the cache to determine file permissions and possible encryption.
- What weaknesses does CAPEC-204 target?
- CAPEC-204 exploits 4 CWE weaknesses, including CWE-311 (Missing Encryption of Sensitive Data), CWE-524 (Use of Cache Containing Sensitive Information), CWE-1239 (Improper Zeroization of Hardware Register), CWE-1258 (Exposure of Sensitive System Information Due to Uncleared Debug Information).
- How severe is CAPEC-204?
- MITRE rates CAPEC-204 as Medium severity.
References
Attack-pattern data is sourced from the MITRE CAPEC catalog (v3.9). Weakness associations link to the corresponding CWE entries on RadicalNotion.AI.
Defend against CAPEC-204
Track the CVEs and weaknesses attackers exploit with this technique, with AI-written analysis and remediation guidance.