CWE-345
DiscouragedInsufficient Verification of Data Authenticity
Abstraction: Class · Status: Draft
The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.
940 vulnerabilities reference this CWE, most recent first.
GHSA-R9PQ-2W6R-9889
Vulnerability from github – Published: 2022-05-24 17:05 – Updated: 2024-04-04 02:45com.proxyman.NSProxy.HelperTool in Privileged Helper Tool in Proxyman for macOS 1.11.0 and earlier allows an attacker to change the System Proxy and redirect all traffic to an attacker-controlled computer, enabling MITM attacks.
{
"affected": [],
"aliases": [
"CVE-2019-20057"
],
"database_specific": {
"cwe_ids": [
"CWE-345"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-12-29T19:15:00Z",
"severity": "MODERATE"
},
"details": "com.proxyman.NSProxy.HelperTool in Privileged Helper Tool in Proxyman for macOS 1.11.0 and earlier allows an attacker to change the System Proxy and redirect all traffic to an attacker-controlled computer, enabling MITM attacks.",
"id": "GHSA-r9pq-2w6r-9889",
"modified": "2024-04-04T02:45:50Z",
"published": "2022-05-24T17:05:12Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-20057"
},
{
"type": "WEB",
"url": "https://github.com/ProxymanApp/Proxyman/issues/364"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-RC6V-5RMX-W5MV
Vulnerability from github – Published: 2026-05-15 18:13 – Updated: 2026-06-09 10:34Summary
Three medium-severity issues in arnika affecting the UDP key-rotation protocol, PQC key file handling, and KMS TLS client. All require specific preconditions to exploit and do not allow direct code execution or immediate key extraction. A self-contained PoC is attached.
Details
1) ACK timestamp not validated: udpserver.go:185
udpClient() verifies HMAC and packet type but never checks ackPkt.Timestamp. A MITM can capture one ACK, drop all subsequent DATA packets, and replay the stale ACK indefinitely. Primary advances PSK each rotation, backup stays on key 1, tunnel breaks. No PSK knowledge needed. The server side already has this check, the client does not.
Fix: mirror the timestamp check already present on the server side.
2) Empty PQC key file silently accepted: repositories/pqc.go:29
os.ReadFile follows symlinks. Empty file to base64.Decode("") = []byte{}, nil. HKDF runs on the QKD key alone while arnika logs [OK] HKDF derivation completed for QKD+PQC key. Requires write access to the directory containing PQC_PSK_FILE.
Fix: validate decoded key is non-empty before derivation; enforce parent directory permissions in SECURITY.md.
3) InsecureSkipVerify: true hardcoded: repositories/kms.go:61
KMS HTTP client unconditionally sets InsecureSkipVerify: true, overriding RootCAs. CA_CERTIFICATE is loaded but never consulted (dead code). Requires MITM between arnika and the KMS endpoint, which in typical deployments are co-located.
Fix: remove the flag; RootCAs already holds the correct pool when CA_CERTIFICATE is configured.
PoC
See arnika_exploit.tar.gz. PoC shows observable behavior for each attack; the third one (KMS MITM) needs no custom code, any HTTPS proxy with a self-signed cert is enough.
Impact
Issues require network MITM or local directory write access to exploit. No direct key extraction or code execution. Primary impact is tunnel desync and silent security downgrade in hybrid QKD+PQC mode.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.0.0"
},
"package": {
"ecosystem": "Go",
"name": "github.com/arnika-project/arnika"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.0.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-294",
"CWE-295",
"CWE-345"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-15T18:13:57Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Summary\nThree medium-severity issues in arnika affecting the UDP key-rotation protocol, PQC key file handling, and KMS TLS client. All require specific preconditions to exploit and do not allow direct code execution or immediate key extraction. A self-contained PoC is attached.\n\n### Details\n1) ACK timestamp not validated: `udpserver.go:185`\n`udpClient()` verifies HMAC and packet type but never checks `ackPkt.Timestamp`. A MITM can capture one ACK, drop all subsequent DATA packets, and replay the stale ACK indefinitely. Primary advances PSK each rotation, backup stays on key 1, tunnel breaks. No PSK knowledge needed. The server side already has this check, the client does not.\n**Fix**: mirror the timestamp check already present on the server side.\n\n2) Empty PQC key file silently accepted: `repositories/pqc.go:29`\n`os.ReadFile` follows symlinks. Empty file to `base64.Decode(\"\") = []byte{}, nil`. HKDF runs on the QKD key alone while arnika logs `[OK] HKDF derivation completed for QKD+PQC key`. Requires write access to the directory containing `PQC_PSK_FILE`.\n**Fix**: validate decoded key is non-empty before derivation; enforce parent directory permissions in `SECURITY.md`.\n\n3) `InsecureSkipVerify: true` hardcoded: `repositories/kms.go:61`\nKMS HTTP client unconditionally sets `InsecureSkipVerify: true`, overriding `RootCAs`. `CA_CERTIFICATE` is loaded but never consulted (dead code). Requires MITM between arnika and the KMS endpoint, which in typical deployments are co-located.\n**Fix**: remove the flag; `RootCAs` already holds the correct pool when `CA_CERTIFICATE` is configured.\n\n### PoC\nSee [arnika_exploit.tar.gz](https://github.com/user-attachments/files/27585454/arnika_exploit.tar.gz). PoC shows observable behavior for each attack; the third one (KMS MITM) needs no custom code, any HTTPS proxy with a self-signed cert is enough.\n\n### Impact\nIssues require network MITM or local directory write access to exploit. No direct key extraction or code execution. Primary impact is tunnel desync and silent security downgrade in hybrid QKD+PQC mode.",
"id": "GHSA-rc6v-5rmx-w5mv",
"modified": "2026-06-09T10:34:05Z",
"published": "2026-05-15T18:13:57Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/arnika-project/arnika/security/advisories/GHSA-rc6v-5rmx-w5mv"
},
{
"type": "WEB",
"url": "https://github.com/arnika-project/arnika/commit/efbd980d8b636cb59f60f2d6ece1b80a9cf36535"
},
{
"type": "PACKAGE",
"url": "https://github.com/arnika-project/arnika"
},
{
"type": "WEB",
"url": "https://github.com/arnika-project/arnika/releases/tag/v1.0.1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:P/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "arnika is affected by medium-severity issues in UDP rotation, PQC handling, and KMS TLS"
}
GHSA-RC6X-59RR-4G8R
Vulnerability from github – Published: 2022-05-24 17:07 – Updated: 2023-05-11 15:30A bug in Nextcloud Server 17.0.1 causes the workflow rules to depend their behaviour on the file extension when checking file mimetypes.
{
"affected": [],
"aliases": [
"CVE-2019-15613"
],
"database_specific": {
"cwe_ids": [
"CWE-20",
"CWE-345"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-02-04T20:15:00Z",
"severity": "MODERATE"
},
"details": "A bug in Nextcloud Server 17.0.1 causes the workflow rules to depend their behaviour on the file extension when checking file mimetypes.",
"id": "GHSA-rc6x-59rr-4g8r",
"modified": "2023-05-11T15:30:20Z",
"published": "2022-05-24T17:07:56Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-15613"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/697959"
},
{
"type": "WEB",
"url": "https://nextcloud.com/security/advisory/?id=NC-SA-2020-002"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00019.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00022.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-RCCH-4525-RQ2F
Vulnerability from github – Published: 2024-09-23 15:31 – Updated: 2024-09-23 15:31Sony XAV-AX5500 Insufficient Firmware Update Validation Remote Code Execution Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected installations of Sony XAV-AX5500 devices. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the handling of software updates. The issue results from the lack of proper validation of software update packages. An attacker can leverage this vulnerability to execute code in the context of the device.
Was ZDI-CAN-22939
{
"affected": [],
"aliases": [
"CVE-2024-23922"
],
"database_specific": {
"cwe_ids": [
"CWE-345"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-09-23T15:15:13Z",
"severity": "MODERATE"
},
"details": "Sony XAV-AX5500 Insufficient Firmware Update Validation Remote Code Execution Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected installations of Sony XAV-AX5500 devices. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the handling of software updates. The issue results from the lack of proper validation of software update packages. An attacker can leverage this vulnerability to execute code in the context of the device.\n\nWas ZDI-CAN-22939",
"id": "GHSA-rcch-4525-rq2f",
"modified": "2024-09-23T15:31:00Z",
"published": "2024-09-23T15:31:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23922"
},
{
"type": "WEB",
"url": "https://www.sony.com/electronics/support/mobile-cd-players-digital-media-players-xav-series/xav-ax5500/software/00274156"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-24-874"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-RF7J-W28R-V7M8
Vulnerability from github – Published: 2022-05-24 17:40 – Updated: 2022-05-24 17:40Monal before 4.9 does not implement proper sender verification on MAM and Message Carbon (XEP-0280) results. This allows a remote attacker (able to send stanzas to a victim) to inject arbitrary messages into the local history, with full control over the sender and receiver displayed to the victim.
{
"affected": [],
"aliases": [
"CVE-2020-26547"
],
"database_specific": {
"cwe_ids": [
"CWE-345"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-02-01T02:15:00Z",
"severity": "CRITICAL"
},
"details": "Monal before 4.9 does not implement proper sender verification on MAM and Message Carbon (XEP-0280) results. This allows a remote attacker (able to send stanzas to a victim) to inject arbitrary messages into the local history, with full control over the sender and receiver displayed to the victim.",
"id": "GHSA-rf7j-w28r-v7m8",
"modified": "2022-05-24T17:40:44Z",
"published": "2022-05-24T17:40:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-26547"
},
{
"type": "WEB",
"url": "https://github.com/anurodhp/Monal/commits/develop"
},
{
"type": "WEB",
"url": "https://monal.im/blog/cve-2020-26547"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-RGPQ-8HGG-5C2Q
Vulnerability from github – Published: 2022-05-17 03:57 – Updated: 2022-05-17 03:57McAfee Advanced Threat Defense (ATD) before 3.4.8.178 might allow remote attackers to bypass malware detection by leveraging information about the parent process.
{
"affected": [],
"aliases": [
"CVE-2016-3983"
],
"database_specific": {
"cwe_ids": [
"CWE-345"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2016-04-08T15:59:00Z",
"severity": "HIGH"
},
"details": "McAfee Advanced Threat Defense (ATD) before 3.4.8.178 might allow remote attackers to bypass malware detection by leveraging information about the parent process.",
"id": "GHSA-rgpq-8hgg-5c2q",
"modified": "2022-05-17T03:57:21Z",
"published": "2022-05-17T03:57:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-3983"
},
{
"type": "WEB",
"url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10149"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-RGV9-38W5-X798
Vulnerability from github – Published: 2022-05-24 17:19 – Updated: 2024-04-04 02:52A vulnerability in the hardware crypto driver of Cisco IOS XE Software for Cisco 4300 Series Integrated Services Routers and Cisco Catalyst 9800-L Wireless Controllers could allow an unauthenticated, remote attacker to disconnect legitimate IPsec VPN sessions to an affected device. The vulnerability is due to insufficient verification of authenticity of received Encapsulating Security Payload (ESP) packets. An attacker could exploit this vulnerability by tampering with ESP cleartext values as a man-in-the-middle.
{
"affected": [],
"aliases": [
"CVE-2020-3220"
],
"database_specific": {
"cwe_ids": [
"CWE-345"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-06-03T18:15:00Z",
"severity": "HIGH"
},
"details": "A vulnerability in the hardware crypto driver of Cisco IOS XE Software for Cisco 4300 Series Integrated Services Routers and Cisco Catalyst 9800-L Wireless Controllers could allow an unauthenticated, remote attacker to disconnect legitimate IPsec VPN sessions to an affected device. The vulnerability is due to insufficient verification of authenticity of received Encapsulating Security Payload (ESP) packets. An attacker could exploit this vulnerability by tampering with ESP cleartext values as a man-in-the-middle.",
"id": "GHSA-rgv9-38w5-x798",
"modified": "2024-04-04T02:52:29Z",
"published": "2022-05-24T17:19:07Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-3220"
},
{
"type": "WEB",
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-vpn-dos-edOmW28Z"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-RH2H-7W4M-MHHP
Vulnerability from github – Published: 2025-02-05 18:34 – Updated: 2025-02-05 18:34An insufficient verification of data authenticity vulnerability exists in BIG-IP APM Access Policy endpoint inspection that may allow an attacker to bypass endpoint inspection checks for VPN connection initiated thru BIG-IP APM browser network access VPN client for Windows, macOS and Linux.
Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
{
"affected": [],
"aliases": [
"CVE-2025-23415"
],
"database_specific": {
"cwe_ids": [
"CWE-345"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-05T18:15:32Z",
"severity": "LOW"
},
"details": "An insufficient verification of data authenticity vulnerability exists in BIG-IP APM Access Policy endpoint inspection that may allow an attacker to bypass endpoint inspection checks for VPN connection initiated thru BIG-IP APM browser network access VPN client for Windows, macOS and Linux.\n\n \n\n\n\n\nNote: Software versions which have reached End of Technical Support (EoTS) are not evaluated.",
"id": "GHSA-rh2h-7w4m-mhhp",
"modified": "2025-02-05T18:34:46Z",
"published": "2025-02-05T18:34:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-23415"
},
{
"type": "WEB",
"url": "https://my.f5.com/manage/s/article/K000139656"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-RHXF-5PW9-Q4GM
Vulnerability from github – Published: 2022-05-13 01:07 – Updated: 2022-05-13 01:07Hex package manager version 0.14.0 through 0.18.2 contains a Signing oracle vulnerability in Package registry verification that can result in Package modifications not detected, allowing code execution. This attack appears to be exploitable via victim fetches packages from malicious/compromised mirror. This vulnerability appears to have been fixed in 0.19.
{
"affected": [],
"aliases": [
"CVE-2019-1000012"
],
"database_specific": {
"cwe_ids": [
"CWE-345"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-02-04T21:29:00Z",
"severity": "HIGH"
},
"details": "Hex package manager version 0.14.0 through 0.18.2 contains a Signing oracle vulnerability in Package registry verification that can result in Package modifications not detected, allowing code execution. This attack appears to be exploitable via victim fetches packages from malicious/compromised mirror. This vulnerability appears to have been fixed in 0.19.",
"id": "GHSA-rhxf-5pw9-q4gm",
"modified": "2022-05-13T01:07:56Z",
"published": "2022-05-13T01:07:56Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-1000012"
},
{
"type": "WEB",
"url": "https://github.com/hexpm/hex/pull/646"
},
{
"type": "WEB",
"url": "https://github.com/hexpm/hex/pull/651"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-RMXF-C923-96H6
Vulnerability from github – Published: 2022-02-10 00:00 – Updated: 2022-02-17 00:01Select Dell Client Commercial and Consumer platforms are vulnerable to an insufficient verification of data authenticity vulnerability. An authenticated malicious user may exploit this vulnerability in order to install modified BIOS firmware.
{
"affected": [],
"aliases": [
"CVE-2022-22567"
],
"database_specific": {
"cwe_ids": [
"CWE-345"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-02-09T20:15:00Z",
"severity": "MODERATE"
},
"details": "Select Dell Client Commercial and Consumer platforms are vulnerable to an insufficient verification of data authenticity vulnerability. An authenticated malicious user may exploit this vulnerability in order to install modified BIOS firmware.",
"id": "GHSA-rmxf-c923-96h6",
"modified": "2022-02-17T00:01:26Z",
"published": "2022-02-10T00:00:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22567"
},
{
"type": "WEB",
"url": "https://www.dell.com/support/kbdoc/en-us/000195905/dsa-2022-028"
}
],
"schema_version": "1.4.0",
"severity": []
}
No mitigation information available for this CWE.
CAPEC-111: JSON Hijacking (aka JavaScript Hijacking)
An attacker targets a system that uses JavaScript Object Notation (JSON) as a transport mechanism between the client and the server (common in Web 2.0 systems using AJAX) to steal possibly confidential information transmitted from the server back to the client inside the JSON object by taking advantage of the loophole in the browser's Same Origin Policy that does not prohibit JavaScript from one website to be included and executed in the context of another website.
CAPEC-141: Cache Poisoning
An attacker exploits the functionality of cache technologies to cause specific data to be cached that aids the attackers' objectives. This describes any attack whereby an attacker places incorrect or harmful material in cache. The targeted cache can be an application's cache (e.g. a web browser cache) or a public cache (e.g. a DNS or ARP cache). Until the cache is refreshed, most applications or clients will treat the corrupted cache value as valid. This can lead to a wide range of exploits including redirecting web browsers towards sites that install malware and repeatedly incorrect calculations based on the incorrect value.
CAPEC-142: DNS Cache Poisoning
A domain name server translates a domain name (such as www.example.com) into an IP address that Internet hosts use to contact Internet resources. An adversary modifies a public DNS cache to cause certain names to resolve to incorrect addresses that the adversary specifies. The result is that client applications that rely upon the targeted cache for domain name resolution will be directed not to the actual address of the specified domain name but to some other address. Adversaries can use this to herd clients to sites that install malware on the victim's computer or to masquerade as part of a Pharming attack.
CAPEC-148: Content Spoofing
An adversary modifies content to make it contain something other than what the original content producer intended while keeping the apparent source of the content unchanged. The term content spoofing is most often used to describe modification of web pages hosted by a target to display the adversary's content instead of the owner's content. However, any content can be spoofed, including the content of email messages, file transfers, or the content of other network communication protocols. Content can be modified at the source (e.g. modifying the source file for a web page) or in transit (e.g. intercepting and modifying a message between the sender and recipient). Usually, the adversary will attempt to hide the fact that the content has been modified, but in some cases, such as with web site defacement, this is not necessary. Content Spoofing can lead to malware exposure, financial fraud (if the content governs financial transactions), privacy violations, and other unwanted outcomes.
CAPEC-218: Spoofing of UDDI/ebXML Messages
An attacker spoofs a UDDI, ebXML, or similar message in order to impersonate a service provider in an e-business transaction. UDDI, ebXML, and similar standards are used to identify businesses in e-business transactions. Among other things, they identify a particular participant, WSDL information for SOAP transactions, and supported communication protocols, including security protocols. By spoofing one of these messages an attacker could impersonate a legitimate business in a transaction or could manipulate the protocols used between a client and business. This could result in disclosure of sensitive information, loss of message integrity, or even financial fraud.
CAPEC-384: Application API Message Manipulation via Man-in-the-Middle
An attacker manipulates either egress or ingress data from a client within an application framework in order to change the content of messages. Performing this attack can allow the attacker to gain unauthorized privileges within the application, or conduct attacks such as phishing, deceptive strategies to spread malware, or traditional web-application attacks. The techniques require use of specialized software that allow the attacker to perform adversary-in-the-middle (CAPEC-94) communications between the web browser and the remote system. Despite the use of AiTH software, the attack is actually directed at the server, as the client is one node in a series of content brokers that pass information along to the application framework. Additionally, it is not true "Adversary-in-the-Middle" attack at the network layer, but an application-layer attack the root cause of which is the master applications trust in the integrity of code supplied by the client.
CAPEC-385: Transaction or Event Tampering via Application API Manipulation
An attacker hosts or joins an event or transaction within an application framework in order to change the content of messages or items that are being exchanged. Performing this attack allows the attacker to manipulate content in such a way as to produce messages or content that look authentic but may contain deceptive links, substitute one item or another, spoof an existing item and conduct a false exchange, or otherwise change the amounts or identity of what is being exchanged. The techniques require use of specialized software that allow the attacker to man-in-the-middle communications between the web browser and the remote system in order to change the content of various application elements. Often, items exchanged in game can be monetized via sales for coin, virtual dollars, etc. The purpose of the attack is for the attack to scam the victim by trapping the data packets involved the exchange and altering the integrity of the transfer process.
CAPEC-386: Application API Navigation Remapping
An attacker manipulates either egress or ingress data from a client within an application framework in order to change the destination and/or content of links/buttons displayed to a user within API messages. Performing this attack allows the attacker to manipulate content in such a way as to produce messages or content that looks authentic but contains links/buttons that point to an attacker controlled destination. Some applications make navigation remapping more difficult to detect because the actual HREF values of images, profile elements, and links/buttons are masked. One example would be to place an image in a user's photo gallery that when clicked upon redirected the user to an off-site location. Also, traditional web vulnerabilities (such as CSRF) can be constructed with remapped buttons or links. In some cases navigation remapping can be used for Phishing attacks or even means to artificially boost the page view, user site reputation, or click-fraud.
CAPEC-387: Navigation Remapping To Propagate Malicious Content
An adversary manipulates either egress or ingress data from a client within an application framework in order to change the content of messages and thereby circumvent the expected application logic.
CAPEC-388: Application API Button Hijacking
An attacker manipulates either egress or ingress data from a client within an application framework in order to change the destination and/or content of buttons displayed to a user within API messages. Performing this attack allows the attacker to manipulate content in such a way as to produce messages or content that looks authentic but contains buttons that point to an attacker controlled destination.
CAPEC-665: Exploitation of Thunderbolt Protection Flaws
An adversary leverages a firmware weakness within the Thunderbolt protocol, on a computing device to manipulate Thunderbolt controller firmware in order to exploit vulnerabilities in the implementation of authorization and verification schemes within Thunderbolt protection mechanisms. Upon gaining physical access to a target device, the adversary conducts high-level firmware manipulation of the victim Thunderbolt controller SPI (Serial Peripheral Interface) flash, through the use of a SPI Programing device and an external Thunderbolt device, typically as the target device is booting up. If successful, this allows the adversary to modify memory, subvert authentication mechanisms, spoof identities and content, and extract data and memory from the target device. Currently 7 major vulnerabilities exist within Thunderbolt protocol with 9 attack vectors as noted in the Execution Flow.
CAPEC-701: Browser in the Middle (BiTM)
An adversary exploits the inherent functionalities of a web browser, in order to establish an unnoticed remote desktop connection in the victim's browser to the adversary's system. The adversary must deploy a web client with a remote desktop session that the victim can access.