CAPEC-388: Application API Button Hijacking

Abstraction: Detailed
Status: Draft
Severity: Medium

Description

An attacker manipulates either egress or ingress data from a client within an application framework in order to change the destination and/or content of buttons displayed to a user within API messages. Performing this attack allows the attacker to manipulate content in such a way as to produce messages or content that look authentic but contain buttons that point to an attacker-controlled destination.

Related weaknesses (5)

CWE-471  Modification of Assumed-Immutable Data (MAID)
CWE-345  Insufficient Verification of Data Authenticity
CWE-346  Origin Validation Error
CWE-602  Client-Side Enforcement of Server-Side Security
CWE-311  Missing Encryption of Sensitive Data

Related attack patterns (1)

CAPEC-386 (ChildOf)

Exploits (5)

Type      Target                                                    Confidence  Tier
Weakness  Modification of Assumed-Immutable Data (MAID), CWE-471    100%        live
Weakness  Missing Encryption of Sensitive Data, CWE-311             100%        live
Weakness  Client-Side Enforcement of Server-Side Security, CWE-602  100%        live
Weakness  Insufficient Verification of Data Authenticity, CWE-345   100%        live
Weakness  Origin Validation Error, CWE-346                          100%        live

Related by meaning (6)

Nearest entities by semantic similarity across the cs-graph corpus.

CAPEC: Application API Navigation Remapping
CAPEC: Content Spoofing Via Application API Manipulation
CAPEC: Application API Message Manipulation via Man-in-the-Middle
CAPEC: Transaction or Event Tampering via Application API Manipulation
CAPEC: Action Spoofing
CAPEC: Navigation Remapping To Propagate Malicious Content

Sourced from MITRE CAPEC. Curated by Adam Lundqvist, SQUR.