An adversary removes or disables functionality on the client that the server assumes to be present and trustworthy.
Description
Attack Execution Flow
3
1
Step 1
Explore[Probing] The adversary probes, through brute-forcing, reverse-engineering or other similar means, the functionality on the client that server assumes to be present and trustworthy.
The adversary probes by exploring an application's functionality and its underlying mapping to server-side components.
The adversary reverse engineers client-side code to identify the functionality that the server relies on for the proper or secure operation.
AI Translation
[Probing] L'avversario effettua sondaggi, attraverso brute-force, reverse engineering o altri metodi simili, sulla funzionalità del client che il server presume essere presente e affidabile.
L'avversario effettua sondaggi esplorando la funzionalità di un'applicazione e la sua mappatura sottostante ai componenti lato server.
L'avversario esegue reverse engineering del codice lato client per identificare la funzionalità su cui il server fa affidamento per un funzionamento corretto o sicuro.
Attack Techniques
-
The adversary probes by exploring an application's functionality and its underlying mapping to server-side components.
-
The adversary reverse engineers client-side code to identify the functionality that the server relies on for the proper or secure operation.IT: Le sonde dell'avversario consistono nell'esplorare la funzionalità di un'applicazione e la sua mappatura sottostante ai componenti lato server.
2
Step 2
Experiment[Determine which functionality to disable or remove] The adversary tries to determine which functionality to disable or remove through reverse-engineering from the list of functionality identified in the Explore phase.
The adversary reverse engineers the client-side code to determine which functionality to disable or remove.
AI Translation
[Determinare quale funzionalità disabilitare o rimuovere] L'attore malevolo cerca di determinare quale funzionalità disabilitare o rimuovere attraverso il reverse-engineering dalla lista di funzionalità identificata nella fase di Esplorazione.
L'attore malevolo esegue il reverse engineering del codice lato client per determinare quale funzionalità disabilitare o rimuovere.
Attack Techniques
-
The adversary reverse engineers the client-side code to determine which functionality to disable or remove.
3
Step 3
Exploit[Disable or remove the critical functionality from the client code] Once the functionality has been determined, the adversary disables or removes the critical functionality from the client code to perform malicious actions that the server believes are prohibited.
The adversary disables or removes the functionality from the client-side code to perform malicious actions, such as sending of dangerous content (such as scripts) to the server.
AI Translation
[Disabilitare o rimuovere la funzionalità critica dal codice client] Una volta determinata la funzionalità, l'avversario disabilita o rimuove la funzionalità critica dal codice client per eseguire azioni dannose che il server ritiene proibite.
L'avversario disabilita o rimuove la funzionalità dal codice lato client per eseguire azioni dannose, come l'invio di contenuti pericolosi (come script) al server.
Attack Techniques
-
The adversary disables or removes the functionality from the client-side code to perform malicious actions, such as sending of dangerous content (such as scripts) to the server.
Mitigations
3
Design: For Any Security Checks That Are Performed On The Client Side, Ensure That These Checks Are Duplicated On The Server Side.
Design: Ship Client-Side Application With Integrity Checks (Code Signing) When Possible.
Design: Use Obfuscation And Other Techniques To Prevent Reverse Engineering The Client Code.
Consequences
Security Scopes Affected
Access Control
Accountability
Authentication
Authorization
Confidentiality
Integrity
Non-Repudiation
Potential Impacts
Bypass Protection Mechanism
Gain Privileges
Modify Data
Other
Read Data
Relationships
Resources Required
1
The adversary must have access to a client and be able to modify the client behavior, often through reverse engineering. If the server is assuming specific client functionality, this usually means the server only recognizes a specific client application, rather than a broad class of client applications. Reverse engineering tools would likely be necessary.