CAPEC-58

Detailed Abstraction Level
Meta — Very abstract, high-level category
Standard — Specific enough to understand
Detailed — Tied to specific technique
Draft MITRE CAPEC Status
Stable — Fully reviewed and complete
Draft — Under development
Incomplete — Partially defined
Deprecated — No longer recommended
Obsolete — Replaced by another CAPEC
Likelihood: High Severity: High
Restful Privilege Elevation

Description

An adversary identifies a Rest HTTP (Get, Put, Delete) style permission method allowing them to perform various malicious actions upon server data due to lack of access control mechanisms implemented within the application service accepting HTTP messages.

Prerequisites

The attacker needs to be able to identify HTTP Get URLs. The Get methods must be set to call applications that perform operations other than get such as update and delete.

Mitigations

Design: Enforce principle of least privilege

Implementation: Ensure that HTTP Get methods only retrieve state and do not alter state on the server side

Implementation: Ensure that HTTP methods have proper ACLs based on what the functionality they expose

Skills Required

[Low] It is relatively straightforward to identify an HTTP Get method that changes state on the server side and executes against an over-privileged system interface