
CAPEC-215: Fuzzing for application mapping

Abstraction
Detailed
Status
Draft
Likelihood
High
Severity
Low

Description

An attacker sends random, malformed, or otherwise unexpected messages to a target application and observes the log entries or error messages it returns. The attacker does not initially know how the target will respond to any individual message, but by sending a large number of message variants they may find one that triggers the desired behavior. In this pattern the purpose of the fuzzing is to observe the application's log and error messages (which, when they leak exception classes, file paths, query fragments or framework names, reveal the application's internal structure), although fuzzing can also drive the target into an unstable state and cause a crash.

Related weaknesses (2)

CWE-209, CWE-532

Related attack patterns (2)

CAPEC-54 (ChildOf), CAPEC-28 (ChildOf)

Exploits (2)

Type      Target                                                        ID       Confidence  Tier
Weakness  Generation of Error Message Containing Sensitive Information  CWE-209  100%        live
Weakness  Insertion of Sensitive Information into Log File              CWE-532  100%        live

Related by meaning (6)

Nearest entities by semantic similarity across the cs-graph corpus.

CAPEC: Fuzzing
CAPEC: DEPRECATED: Fuzzing for garnering J2EE/.NET-based stack traces, for application mapping
CAPEC: Fuzzing for garnering other adjacent user/sensitive data
CAPEC: Web Application Fingerprinting
CAPEC: Application Fingerprinting
CAPEC: Buffer Manipulation
Sourced from MITRE CAPEC. Curated by Adam Lundqvist, SQUR.