Standardlikelihood: Highseverity: HighDraft

CAPEC-1Accessing Functionality Not Properly Constrained by ACLs

Abstraction
Standard
Status
Draft
Likelihood
High
Severity
High

Description

In applications, particularly web applications, access to functionality is mitigated by an authorization framework. This framework maps Access Control Lists (ACLs) to elements of the application's functionality; particularly URL's for web apps. In the case that the administrator failed to specify an ACL for a particular element, an attacker may be able to access it with impunity. An attacker with the ability to access functionality not properly constrained by ACLs can obtain sensitive information and possibly compromise the entire application. Such an attacker can access resources that must be available only to users at a higher privilege level, can access management sections of the application, or can run queries for data that they otherwise not supposed to.

Related weaknesses· 16

CWE-276CWE-285CWE-434CWE-693CWE-732CWE-1191CWE-1193CWE-1220CWE-1297CWE-1311CWE-1314CWE-1315CWE-1318CWE-1320CWE-1321CWE-1327

MITRE ATT&CK crosswalk· 1

T1574.010: Hijack Execution Flow: ServicesFile Permissions Weakness

Related attack patterns· 2

CAPEC-122 (ChildOf)CAPEC-17 (CanPrecede)

Exploits16

TypeTargetConfidenceTier
WeaknessMissing Support for Security Features in On-chip Fabrics or Busescwe-1318100%live
WeaknessImproper Translation of Security Attributes by Fabric Bridgecwe-1311100%live
WeaknessBinding to an Unrestricted IP Addresscwe-1327100%live
WeaknessInsufficient Granularity of Access Controlcwe-1220100%live
WeaknessImproper Authorizationcwe-285100%live
WeaknessUnrestricted Upload of File with Dangerous Typecwe-434100%live
WeaknessPower-On of Untrusted Execution Core Before Enabling Fabric Access Controlcwe-1193100%live
WeaknessOn-Chip Debug and Test Interface With Improper Access Controlcwe-1191100%live
WeaknessProtection Mechanism Failurecwe-693100%live
WeaknessIncorrect Permission Assignment for Critical Resourcecwe-732100%live
WeaknessImproper Setting of Bus Controlling Capability in Fabric End-pointcwe-1315100%live
WeaknessUnprotected Confidential Information on Device is Accessible by OSAT Vendorscwe-1297100%live
WeaknessIncorrect Default Permissionscwe-276100%live
WeaknessMissing Write Protection for Parametric Data Valuescwe-1314100%live
WeaknessImproperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')cwe-1321100%live
WeaknessImproper Protection for Outbound Error Messages and Alert Signalscwe-1320100%live

Related to1

TypeTargetConfidenceTier
SubTechniqueServices File Permissions Weaknesst1574.010100%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CAPEC
Exploiting Incorrectly Configured Access Control Security Levels
CAPEC
Privilege Abuse
CAPEC
Functionality Misuse
CAPEC
Functionality Bypass
CAPEC
Using Unpublished Interfaces or Functionality
CAPEC
Authentication Abuse
Sourced from MITRE CAPEC. Curated by Adam Lundqvist, SQUR.