CAPEC-383: Harvesting Information via API Event Monitoring
An adversary hosts an event within an application framework and then monitors the data exchanged during the course of the event for the purpose of harvesting any important data leaked during the transactions. One example could be harvesting lists of usernames or userIDs for the purpose of sending spam messages to those users. One example of this type of attack involves the adversary creating an event within the sub-application. Assume the adversary hosts a "virtual sale" of rare items. As other users enter the event, the attacker records via AiTM (CAPEC-94) proxy the user_ids and usernames of everyone who attends. The adversary would then be able to spam those users within the application using an automated script.
Last updated
Overview
CAPEC-383 (Harvesting Information via API Event Monitoring) is a detailed-level attack pattern catalogued by MITRE in the Common Attack Pattern Enumeration and Classification (CAPEC). It describes a recurring method attackers use to exploit software weaknesses.
What the attacker needs
Prerequisites
- The target software is utilizing application framework APIs
Consequences
What a successful CAPEC-383 attack can achieve.
Read Data
Affects: Confidentiality
The adversary is able to gather information to potentially support further nefarious activities.
How to mitigate it
Defenses that reduce the risk of CAPEC-383.
- Leverage encryption techniques during information transactions so as to protect them from attack patterns of this kind.
Terminology & mappings
Mapped taxonomies
- ATTACK: Input Capture: Credential API Hooking (1056.004)
Frequently asked questions
Common questions about CAPEC-383.
- What is CAPEC-383?
- An adversary hosts an event within an application framework and then monitors the data exchanged during the course of the event for the purpose of harvesting any important data leaked during the transactions. One example could be harvesting lists of usernames or userIDs for the purpose of sending spam messages to those users. One example of this type of attack involves the adversary creating an event within the sub-application. Assume the adversary hosts a "virtual sale" of rare items. As other users enter the event, the attacker records via AiTM (CAPEC-94) proxy the user_ids and usernames of everyone who attends. The adversary would then be able to spam those users within the application using an automated script.
- How do you prevent CAPEC-383?
- Leverage encryption techniques during information transactions so as to protect them from attack patterns of this kind.
- What weaknesses does CAPEC-383 target?
- CAPEC-383 exploits 4 CWE weaknesses, including CWE-311 (Missing Encryption of Sensitive Data), CWE-319 (Cleartext Transmission of Sensitive Information), CWE-419 (Unprotected Primary Channel), CWE-602 (Client-Side Enforcement of Server-Side Security).
- How severe is CAPEC-383?
- MITRE rates CAPEC-383 as Low severity.
References
Attack-pattern data is sourced from the MITRE CAPEC catalog (v3.9). Weakness associations link to the corresponding CWE entries on RadicalNotion.AI.
Defend against CAPEC-383
Track the CVEs and weaknesses attackers exploit with this technique, with AI-written analysis and remediation guidance.