
CAPEC-62: Cross Site Request Forgery

Abstraction: Standard
Status: Draft
Likelihood: High
Severity: Very High

Description

An attacker crafts malicious web links and distributes them (via web pages, email, etc.), typically in a targeted manner, hoping to induce users to click on the link and execute the malicious action against some third-party application. If successful, the action embedded in the malicious link will be processed and accepted by the targeted application at the user's privilege level. This type of attack leverages the persistence of, and the implicit trust placed in, user session cookies by many web applications today. In such an architecture, once the user authenticates to an application and a session cookie is created on the user's system, all following transactions for that session are authenticated using that cookie, including actions initiated by an attacker that simply "ride" the existing session cookie.
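The mechanism described above is the server accepting a state-changing request on the strength of the session cookie alone, which the browser attaches to cross-site form posts automatically. The following is an added example (not part of the CAPEC entry or of SQUR's corpus) that models a hypothetical `/transfer` endpoint twice: once relying only on the cookie, and once requiring a synchronizer token bound to the session plus a Fetch Metadata check. The `Request` class, the in-memory `SESSIONS`/`BALANCES` stores, `SERVER_SECRET` and the forged request in `demo()` are all constructed for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Hypothetical server secret; a real deployment loads it from configuration.
SERVER_SECRET = b"example-secret-do-not-use-in-production"

# Constructed in-memory stores: session id -> user, user -> balance.
SESSIONS: Dict[str, str] = {}
BALANCES: Dict[str, int] = {}


@dataclass
class Request:
    """Minimal stand-in for an HTTP request as a framework would present it."""
    method: str
    path: str
    cookies: Dict[str, str] = field(default_factory=dict)
    form: Dict[str, str] = field(default_factory=dict)
    headers: Dict[str, str] = field(default_factory=dict)


def login(user: str) -> str:
    """Create a session and return the session id the Set-Cookie header carries."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = user
    BALANCES.setdefault(user, 100)
    return sid


def session_set_cookie(sid: str) -> str:
    """Cookie attributes that limit cross-site sending (CWE-1275 mitigation)."""
    return f"session={sid}; HttpOnly; Secure; SameSite=Lax; Path=/"


def current_user(req: Request) -> Optional[str]:
    return SESSIONS.get(req.cookies.get("session", ""))


def csrf_token_for(sid: str) -> str:
    """Synchronizer token derived from the session id under the server secret."""
    return hmac.new(SERVER_SECRET, sid.encode(), hashlib.sha256).hexdigest()


def transfer_vulnerable(req: Request) -> Tuple[int, str]:
    """Accepts any POST that carries a valid session cookie: the CAPEC-62 precondition."""
    user = current_user(req)
    if req.method != "POST" or user is None:
        return 403, "not authenticated"
    amount = int(req.form.get("amount", "0"))
    BALANCES[user] -= amount
    return 200, f"transferred {amount}"


def transfer_hardened(req: Request) -> Tuple[int, str]:
    """Same endpoint, but the request must prove it came from the application's own page."""
    user = current_user(req)
    if req.method != "POST" or user is None:
        return 403, "not authenticated"
    expected = csrf_token_for(req.cookies["session"])
    supplied = req.form.get("csrf_token", "")
    # Constant-time compare; a forged cross-site form cannot read this token.
    if not hmac.compare_digest(expected, supplied):
        return 403, "missing or invalid CSRF token"
    # Defence in depth: modern browsers label cross-site navigations/submissions.
    # Absent header is tolerated for older clients; the token remains the primary control.
    if req.headers.get("Sec-Fetch-Site", "same-origin") not in ("same-origin", "none"):
        return 403, "cross-site request rejected"
    amount = int(req.form.get("amount", "0"))
    BALANCES[user] -= amount
    return 200, f"transferred {amount}"


def demo() -> Dict[str, object]:
    """Run a forged and a legitimate request against both handlers; returns the outcomes."""
    SESSIONS.clear()
    BALANCES.clear()
    sid = login("alice")
    # Constructed forged request: the browser attached the cookie, the attacker's form did not
    # (and could not) include the token, and the browser marks it as cross-site.
    forged = Request("POST", "/transfer", cookies={"session": sid},
                     form={"amount": "50"}, headers={"Sec-Fetch-Site": "cross-site"})
    vuln_status, _ = transfer_vulnerable(forged)
    balance_after_forgery = BALANCES["alice"]
    hard_status, _ = transfer_hardened(forged)
    balance_after_rejection = BALANCES["alice"]
    # Legitimate submission from the application's own page carries the token.
    legit = Request("POST", "/transfer", cookies={"session": sid},
                    form={"amount": "10", "csrf_token": csrf_token_for(sid)},
                    headers={"Sec-Fetch-Site": "same-origin"})
    legit_status, _ = transfer_hardened(legit)
    return {
        "forged_vs_vulnerable": vuln_status,
        "balance_after_forgery": balance_after_forgery,
        "forged_vs_hardened": hard_status,
        "balance_after_rejection": balance_after_rejection,
        "legit_vs_hardened": legit_status,
        "final_balance": BALANCES["alice"],
        "cookie_header": session_set_cookie(sid),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The vulnerable handler debits the account on the forged request because nothing in it distinguishes a cross-site form post from one the user made on the application's own page. The hardened handler rejects it on the token check alone; the `Sec-Fetch-Site` check and the `SameSite=Lax` cookie attribute are independent layers, so a gap in any one of them does not reopen the flaw.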

Related weaknesses (5)

CWE-352, CWE-306, CWE-664, CWE-732, CWE-1275

Related attack patterns (1)

CAPEC-21 (ChildOf)

Exploits (5)

Type      Target                                                        Confidence  Tier
Weakness  Cross-Site Request Forgery (CSRF) (CWE-352)                   100%        live
Weakness  Improper Control of a Resource Through its Lifetime (CWE-664) 100%        live
Weakness  Sensitive Cookie with Improper SameSite Attribute (CWE-1275)  100%        live
Weakness  Incorrect Permission Assignment for Critical Resource (CWE-732) 100%      live
Weakness  Missing Authentication for Critical Function (CWE-306)        100%        live

Related by meaning (6)

Nearest entities by semantic similarity across the cs-graph corpus.

CAPEC: Cross-Site Scripting (XSS)
CAPEC: Cross Site Tracing
CAPEC: Server Side Request Forgery
CAPEC: XSS Through HTTP Query Strings
CAPEC: XSS Through HTTP Headers
CAPEC: Reflected XSS

Sourced from MITRE CAPEC. Curated by Adam Lundqvist, SQUR.