June 27, 2023

3 ways to use Common Attack Patterns to abuse an API

Introduction

What if I told you that there’s a way for you to explore new methods to find software vulnerabilities in your APIs by leveraging techniques that adversaries already use?

Even better, what if I show you a comprehensive dictionary of attack patterns, including known attacks and a classification taxonomy that you can leverage in your own work, all documented for your convenience?

In this article, I’m going to show you three ways to use Common Attack Patterns to improve your offensive tradecraft and approach your API security testing with an attacker’s mindset. It builds on the article I already wrote on building your own API Security Testing checklist using Common Attack Patterns.

Let’s get right to it!

The Common Attack Patterns Triad

Attack patterns are based on software design patterns, which are common paradigms for solving common software design issues. In this context, attack patterns are design patterns for attackers.

A Common Attack Pattern is typically a method of leveraging known weaknesses to execute an attack. In appsec parlance, that means that an attack pattern leverages a vulnerability (aka a CVE) to exploit a weakness (more commonly called common weakness enumeration or CWE).

This image from MITRE might put that into focus for you:

CAPEC attack patterns contain an “execution flow”. This is a set of step-by-step instructions for an adversary to explore for potential targets, experiment with their assets and defensive mechanisms (if any), and then carry out the exploit.

It’s these instructions that can help you improve your offensive tradecraft when testing APIs. It gives you prescriptive guidance on exactly what to do, when, and where.

Let’s explore CAPEC in more detail.

What is CAPEC?

MITRE developed the industry-standard project, Common Attack Patterns Enumeration and Classification (CAPEC), to identify, catalog, and classify common attack patterns. The project aims to help users understand how adversaries exploit weaknesses in applications and other cyber-enabled capabilities.

The US Department of Homeland Security initially released it in 2007 to improve software assurance through security awareness as part of its strategic initiative of the Office of Cybersecurity and Communications (CS&C), now part of CISA. It helps developers, testers, security analysts, and the community to better understand the details and use cases attackers follow to exploit software applications.

At the time of this writing in 2023, version 3.9 of CAPEC includes 559 attack patterns across 9 categories, more commonly known as Mechanisms of Attack.

Let’s quickly go over each of these mechanisms to get a better understanding of how they work.

Engage in Deceptive Interaction

The attacker attempts to mislead or manipulate the user of an application into performing a malicious action. By using misleading language, values, requests, emails, or other methods that appear legitimate but deceive users, attackers lead them down a malicious path.

Abuse Existing Functionality

The attacker leverages the existing functionality of a system to perform malicious activities. Attackers can take advantage of security flaws, authentication shortcomings, or incorrectly configured settings to achieve a malicious objective not originally intended by the application or deplete a resource to the point that it affects the target’s functionality.

Manipulate Data Structures

The attacker is able to manipulate and exploit characteristics of system data structures in order to violate their intended usage to gain privileged access or manipulate the application’s functionality. This can be done by bypassing authentication checks, exploiting buffer overflows, and other methods of manipulating data stored in a system.

Manipulate System Resources

The attacker is able to manipulate system resources in order to gain privileged access or manipulate the application’s functionality. This can be done by exploiting kernel vulnerabilities, exploiting inherent flaws in system configurations, and other methods of manipulating the underlying architecture of a system.

Inject Unexpected Items

The attacker is able to inject unexpected items into a system in order to control or disrupt the behavior of the target. This can be done by leveraging SQL injection, OS command injection, malicious input validation, and other methods of injecting unexpected items into a system such as the installation and execution of malicious code on the target system.

Employ Probabilistic Techniques

An attacker utilizes probabilistic techniques to explore and overcome security properties of the target that are based on an assumption of strength due to the extremely low mathematical probability that an attacker would be able to identify and exploit the very rare specific conditions under which those security properties do not hold. This can be done by leveraging guessing attacks, exploiting probability through timing differences, and other methods of exploiting a system’s probabilistic behavior.

Manipulate Timing and State

An attacker targets weaknesses in timing or state-maintaining functions to perform actions that the target code and processes’ execution flow would otherwise prevent. They can exploit race conditions, leverage timeouts, and use other methods to manipulate a system’s timing and state behavior.

Collect and Analyze Information

The attacker is able to collect and analyze information in order to gain privileged access or manipulate the application’s functionality. This can be done by collecting system statistics, leveraging reconnaissance activities, and other methods of gathering information from a system.

Subvert Access Control

The attacker is able to subvert access control in order to gain privileged access or manipulate the application’s functionality. This can be done by leveraging spoofing attacks, exploiting backdoors, and other methods of bypassing security mechanisms within a system.

How to use CAPEC

To start to use CAPEC, you want to open the CAPEC Viewer to explore the Mechanisms of Attack. It provides a hierarchal graph showing tree-like relationships between 4 levels of abstraction:

Category – A collection of attack patterns based on some common characteristic. More specifically, it is an aggregation of attack patterns based on effect/intent. An aggregation based on effect/intent is not an actionable attack and as such is not a pattern of attack behavior.
Meta – a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high-level approach. This is useful in threat models.
Standard – focuses on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack.
Detail – provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow.

Some Practical Examples of using CAPEC

Time for a few practical examples.

Let’s say you wanted to explore how HTTP Parameter Pollution (HPP) works as an attack pattern. Here is how you would use the CAPEC Viewer to discover it:

Expand the Category of Inject Unexpected Items
Expand the Meta level of Parameter Injection
Expand the Standard level of Command Delimiters
Click on the Details for HTTP Parameter Pollution

Let’s do another one.

Let’s say you want to tamper with HTTP session cookies. Using the CAPEC Viewer to discover the attack pattern would look like this:

Expand the Category of Subvert Access Control
Expand the Meta level of Exploiting Trust in Client
Expand the Standard level of Manipulating Opaque Client-based Data Tokens
Click on the Details for Accessing/Intercepting/Modifying HTTP Cookies

Notice how quickly we can get to the detailed view of an attack pattern. It’s within these details that you can start to figure out how to abuse the API in scope of your testing.

Let me show you three ways to leverage CAPEC attack patterns to help in your API security testing.

#1 – Explore Execution Flow of an Attack Pattern

A Common Attack Pattern will usually have three phases in its execution flow:

Explore: This phase describes various ways to find a potential target to attack.
Experiment: After finding a target, the experiment phase techniques suggest various ways to determine if this target contains the weakness the CAPEC entry aims to exploit.
Exploit: Suggested techniques for conducting the actual attack.

Let’s look at an example for CAPEC-460: HTTP Parameter Pollution (HPP).

When looking at the Detailed abstraction for an attack pattern, it will usually give you the guidance needed to perform the attack under the Execution Flow section of the entry.

Notice how the attack pattern clearly articulates the relevant procedures needed to find, test, and exploit a vulnerability using HPP. It’s a recipe for exploitation success. The information includes the resources needed to complete the attack and defines the severity if you achieve success.

#2 – Follow Related Common Weakness Enumeration IDs

One of the additional values of common attack pattern enumeration is the references to known weaknesses that it links to. Through the linked Common Weakness Enumeration (CWE) IDs, it allows you to enrich your reports with details that developers can use to improve their code and enhance defenses.

Let’s explore this a bit through CAPEC-460 again. Here are its related weaknesses:

Now let’s cross reference that with the listed CWE-235:

Notice how the CWE describes the weaknesses. Showcases the taxonomy mapping. And shows any observed examples in the wild by pointing to relevant CVEs. This is helpful to developers, testers, security analysts, and adversaries alike.

#3 – Review References

Last but certainly not least, is to expand your knowledge about attack patterns through the related references in CAPEC entries. It is common to have links to great books, videos, presentation decks, and papers that allow you to gain new insights into attacks you may not have previously understood or even known about. Let’s look at that HPP CAPEC attack pattern:

That presentation by Luca and Stefano at the OWASP conference in Poland was an eye-opener to the industry about HPP. OWASP added their research outcomes to the Web Security Testing Guide (WSTG), which the CAPEC entry also references.

See how it all comes together?

Conclusion

By leveraging the Common Attack Pattern Enumeration (CAPEC), you can gain insight into various attack patterns and their related vulnerabilities and use that information to craft better API security tests. Additionally, CAPEC provides links to references that can further extend your knowledge about attack patterns and techniques.

What could be better? Knowledge is power. Now you have a better understanding of how to use Common Attack Patterns to abuse an API. Get to it!

Happy hacking!

Want more?

If you found this helpful make sure you subscribe to the API Hacker Inner Circle newsletter. Join builders and breakers who are upskilling their API hacking tradecraft through weekly articles, pro tips, and industry news.

Dana Epp

Hey, I’m Dana, aka SilverStr. I build and break software for a living, and am a Microsoft Regional Director and Developer Security MVP. I’ve spent decades as a security architect that focuses on helping secure software, data, and infrastructure on both blue and red teams. As of late, I have been focusing more on my offensive tradecraft to help developers and IT administrators see the impact of exploitation on vulnerabilities in their work. This blog is my chance to give back to the community by sharing my experiences and war wounds from the trenches.