- What is CAPEC-36?
- An adversary searches for and invokes interfaces or functionality that the target system designers did not intend to be publicly available. If interfaces fail to authenticate requests, the attacker may be able to invoke functionality they are not authorized for.
- How does a Using Unpublished Interfaces or Functionality attack work?
- It typically unfolds over 5 phases. It begins with: [Identify services] Discover a service of interest by exploring service registry listings or by connecting on a known port or some similar means.
- How do you prevent CAPEC-36?
- Authenticating both services and their discovery, and protecting that authentication mechanism simply fixes the bulk of this problem. Protecting the authentication involves the standard means, including: 1) protecting the channel over which authentication occurs, 2) preventing the theft, forgery, or prediction of authentication credentials or the resultant tokens, or 3) subversion of password reset and the like.
- What weaknesses does CAPEC-36 target?
- CAPEC-36 exploits 4 CWE weaknesses, including CWE-306 (Missing Authentication for Critical Function), CWE-693 (Protection Mechanism Failure), CWE-695 (Use of Low-Level Functionality), CWE-1242 (Inclusion of Undocumented Features or Chicken Bits).
- How severe is CAPEC-36?
- MITRE rates CAPEC-36 as High severity with medium likelihood of attack.