CAPEC-207
Description
An adversary removes or disables functionality on the client that the server assumes to be present and trustworthy.
Prerequisites
The targeted server must assume the client performs important actions to protect the server or the server functionality. For example, the server may assume the client filters outbound traffic or that the client performs all price calculations correctly. Moreover, the server must fail to detect when these assumptions are violated by a client.
Mitigations
Design: For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side.
Design: Ship client-side application with integrity checks (code signing) when possible.
Design: Use obfuscation and other techniques to prevent reverse engineering the client code.
Skills Required
[High] To reverse engineer the client-side code to disable/remove the functionality on the client that the server relies on.
[Low] The adversary installs a web tool that allows scripts or the DOM model of web-based applications to be modified before they are executed in a browser. GreaseMonkey and Firebug are two examples of such tools.