CAPEC-461: Web Services API Signature Forgery Leveraging Hash Function Extension Weakness

Abstraction: Standard
Status: Draft
Severity: High

Description

An adversary exploits a hash function extension/padding weakness to modify the parameters passed to a web service that requires authentication: by constructing their own call, they produce a signature hash that the service accepts as legitimate (as described in the notes), without knowing the secret token the web service sometimes provides.

Related weaknesses (2)

CWE-328 (Use of Weak Hash)
CWE-290 (Authentication Bypass by Spoofing)

Related attack patterns (1)

CAPEC-115 (ChildOf)

Exploits (2)

Type      Target                              ID       Confidence  Tier
Weakness  Use of Weak Hash                    CWE-328  100%        live
Weakness  Authentication Bypass by Spoofing   CWE-290  100%        live

Related by meaning (6)

Nearest entities by semantic similarity across the cs-graph corpus.

CAPEC: Signature Spoofing by Improper Validation
CAPEC: Web Services Protocol Manipulation
CAPEC: Signature Spoofing by Key Recreation
CAPEC: Signature Spoofing by Key Theft
CAPEC: Signature Spoofing by Mixing Signed and Unsigned Content
CAPEC: Signature Spoofing by Misrepresentation

Sourced from MITRE CAPEC. Curated by Adam Lundqvist, SQUR.