CAPEC-207

Standard Abstraction Level
Meta — Very abstract, high-level category
Standard — Specific enough to understand
Detailed — Tied to specific technique
Draft MITRE CAPEC Status
Stable — Fully reviewed and complete
Draft — Under development
Incomplete — Partially defined
Deprecated — No longer recommended
Obsolete — Replaced by another CAPEC
Likelihood: Medium Severity: High
Removing Important Client Functionality

Description

An adversary removes or disables functionality on the client that the server assumes to be present and trustworthy.

Prerequisites

The targeted server must assume the client performs important actions to protect the server or the server functionality. For example, the server may assume the client filters outbound traffic or that the client performs all price calculations correctly. Moreover, the server must fail to detect when these assumptions are violated by a client.

Mitigations

Design: For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side.

Design: Ship client-side application with integrity checks (code signing) when possible.

Design: Use obfuscation and other techniques to prevent reverse engineering the client code.

Skills Required

[High] To reverse engineer the client-side code to disable/remove the functionality on the client that the server relies on.

[Low] The adversary installs a web tool that allows scripts or the DOM model of web-based applications to be modified before they are executed in a browser. GreaseMonkey and Firebug are two examples of such tools.