An adversary, aware of an application's location (and possibly authorized to use the application), probes an application's structure and evaluates its robustness by submitting requests and examining responses. Often, this is accomplished by sending variants of expected queries in the hope that these modified queries might return information beyond what the expected set of queries would provide.

How does a Query System for Information attack work?

It typically unfolds over 4 phases. It begins with: [Determine parameters] Determine all user-controllable parameters of the application either by probing or by finding documentation

How do you prevent CAPEC-54?

Application designers can construct a 'code book' for error messages. When using a code book, application error messages aren't generated in string or stack trace form, but are cataloged and replaced with a unique (often integer-based) value 'coding' for the error. Such a technique will require helpdesk and hosting personnel to use a 'code book' or similar mapping to decode application errors/logs in order to respond to them normally.

What weaknesses does CAPEC-54 target?

CAPEC-54 exploits 1 CWE weakness, including CWE-209 (Generation of Error Message Containing Sensitive Information).

How severe is CAPEC-54?

MITRE rates CAPEC-54 as Low severity with high likelihood of attack.

CAPEC-54: Query System for Information

How the attack works

The phases an attacker typically follows to carry out this attack.

Step 1
Explore
[Determine parameters] Determine all user-controllable parameters of the application either by probing or by finding documentation
Step 2
Experiment
[Cause error condition] Inject each parameter with content that causes an error condition to manifest
Step 3
Experiment
[Modify parameters] Modify the content of each parameter according to observed error conditions
Step 4
Exploit
[Follow up attack] Once the above steps have been repeated with enough parameters, the application will be sufficiently mapped out. The adversary can then launch a desired attack (for example, Blind SQL Injection)

How the attack works

CAPEC-54: Query System for Information

Overview

How the attack works

What the attacker needs

Prerequisites

Skills required

Resources required

Consequences

How to mitigate it

How to detect it

Examples

Frequently asked questions

What is CAPEC-54?

How does a Query System for Information attack work?

How do you prevent CAPEC-54?

What weaknesses does CAPEC-54 target?

How severe is CAPEC-54?

References

Defend against CAPEC-54

How the attack works

Overview

How the attack works

What the attacker needs

Prerequisites

Skills required

Resources required

Consequences

How to mitigate it

How to detect it

Examples

Related weaknesses

Related attack patterns

Parent

Child

Frequently asked questions

What is CAPEC-54?

How does a Query System for Information attack work?

How do you prevent CAPEC-54?

What weaknesses does CAPEC-54 target?

How severe is CAPEC-54?

References

Defend against CAPEC-54