Threats Covered

Abuse of Functionality

Generally speaking, all attacks against computer-based systems entail Abuse of Functionality issues. Abuse of Functionality can be described as the abuse of an application's designed functionality and/or features to perform undesirable tasks for unauthorized users.

This attack uses a web site’s own features and functionality to attack it or other sites as well as to attempt to avoid control mechanisms or steal information.

Some functionality of a web site, possibly even security features, may be used by attackers to cause undesired results. When a section of functionality is open to unauthorized use or abuse, an attacker can impede other users and even corrupt the entire system.

Abuse of Functionality techniques are often coupled together with other categories of web application attacks, such as performing an encoding attack to insert a query string that changes a web search function into a remote web proxy.

These attacks are also commonly used as a force multiplier. For example, an attacker can inject a Cross-site Scripting snippet into a web-chat session and then use the built-in broadcast function to propagate the malicious code throughout the site.

Data Structure Attacks

An attacker manipulates and misuses attributes of data structures within a system with the intent to abuse the intended purposes and safeguards. This allows the attacker either unauthorized access to the related system data or violation of the security properties of a system through vulnerabilities in how a system processes and manages the data structures.

Unfortunately most of the time vulnerabilities and the ability of exploiting them within data structures are already inside these structures because of vagueness and assumptions made during their design and in their management.

Dumpster Diving

This is the practice of sifting through garbage of homes or offices to locate information thrown away, but which will be useful to an attacker. The disastrous nature of the information discovered can include; client lists, account information, bank records, employee files, proprietary designs or photos and email passwords or procedures as well as information about software, tech support logs and so much more. Of course all of this stolen information will be used to facilitate an attack.

Embedded Malicious Code

This attack generally refers to a program that performs a needed function; however it takes advantages of rights of the program's user in a way in which that user never desired. A developer might insert malicious code with the intent to subvert the security of an application or its host system at some time in the future. They might inject code which is designed to send credit card information back to them in the future. Attackers have even created methods to cause Microsoft Office to execute malicious code embedded within a document which appears quite harmless.

These attacks have been called by many names, including Trojan horse, trapdoor, time-bomb, and logic-bomb.

Exploitation of Authentication

Here an attacker specifically looks toward exploitation of weaknesses, limitations and assumptions in the mechanisms utilized by a system to manage authentication and identity. This can create the complete subversion of the reliance an exploited system has in the identity of any entity with which it communicates.

Weaknesses targeted by these types of attacks are usually because of assumptions and overconfidence in the strength of the currently deployed authentication systems.

Exposing critical functionality basically gives the attacker the privilege level of that functionality. The results of this type of attack will depend on the functionality being exploited. Certainly attackers will be able to perform horrendous damage such as: send, read or even modify data, access administrative functions, or even to deploy arbitrary code within a system.


The purpose of the Command Injection attack is to insert and then execute commands desired by the attacker inside of the breached application. This application, which executes unwanted system commands, becomes a simulated system shell, and the attacker will use it as any authorized system user. Their commands are executed with the same privileges as those of the breached application.

Command injection attacks are usually allowed to occur because of the insufficiency of correct input data validation, which will be abused by the attacker through their use of things such as: cookies, forms, HTTP headers, etc.

An operating system command injection attack will occur when an attacker executes system level commands through any vulnerable application. Applications are considered vulnerable to this type of attack when they utilize user input in a system level command.

There exists a variation called Code Injection attack when the attacker inserts their unauthorized code into the existing code. Of course, this inserted code is executed with the same privileges and environment as if the application was not corrupted. Thus, the attacker extends the default functionality of the application without the necessity of executing system commands.

Information Diving

This is the illegal practice of recovering technical, confidential or secret data, from material which has been thrown away or even recycled. Usually this is from data storage components in computers, often recovery of data remaining on hard drives. Those in charge of replacing or recycling outdated computers usually do not take the time to erase all of these hard drives.

This lack of thoroughness allows an information diver to steal sensitive and valuable data, such as credit card information which was stored on the machine as well as installed software; word processors, operating and other systems.

Path Traversal Attack

Path Traversal attacks attempt to access files and directories that are stored outside the web root folder. Attackers search, while browsing an application, for absolute links to files stored on the web server. By operating variables which reference files including “dot-dot-slash (../)” sequences and variations, it becomes possible to access arbitrary directories and files stored on a file system. These can include application source code, configuration and essential system files, limited by system operational access control. The attacker manipulates certain “../” sequences in order to climb up to the root directory; allowing unlimited navigation through the file system.

This attack is also known as “dot-dot-slash”, “directory traversal”, “directory climbing” and “backtracking”.

Probabilistic Techniques

These are analytical techniques used by attackers to explore and overcome security properties of a system. They are searching for security properties based upon an assumption of strength; due to the extremely low mathematical probability that an attacker would be able to identify and exploit the very rare specific conditions under which those security properties are not working as designed.


This is a security attack that relies on social engineering techniques used to deceive or to trick victims into divulging valuable information. Attackers use phishing to acquire private or valuable information such as: usernames, passwords or credit information.

Phishing is often carried out by e-mail spoofing or instant messaging. It can direct victims to enter details at a fake website whose look and feel are almost identical to the legitimate one. These sites can often be infected with malware.


These are attacks aimed at gaining access to a restricted system through the use of an established session of an authorized user. Once the terminal or workstation has been logged into by an authorized user, it can be compromised by an attacker on a covert workstation that is connected to the same line.

Another form of piggybacking takes place when a user fails to properly terminate a session or attends to other business while still logged on or when a logoff is unsuccessful. These mistakes make it very easy for an attacker to take advantage of a user’s active session to enter an otherwise secure system.

Protocol Manipulation

An attacker will look for and take advantage of any weaknesses in the protocols by which a client and server are communicating. When they discover vulnerability in a protocol used by the client and server, an attacker will take advantage of this to initiate their attacks. If an attacker is able to manipulate an authentication protocol, then they will have the ability to spoof other clients or servers. If the attacker is able to manipulate a messaging protocol, they will be able to access sensitive information or modify message contents.

These attacks are made easier because many clients and servers support multiple protocols to perform similar roles. Some of the older protocols which have not been updated can contain vulnerabilities that allow an attacker to enter or misuse the system.

Resource Depletion

An attacker depletes a resource so that its functionality is affected and any resource can be targeted. The result is usually the degrading or denial of services offered.

Resources required for this attack will depend on many factors including the character of the resource to be depleted and the volume of the resource which the victim has access to defend itself. Other issues are the abilities of the system being attacked: to shift load, to detect and mitigate resource depletion attacks, or to obtain additional resources to deal with the depletion during their occurrence.

Resource Manipulation

An attacker manipulates resources, or some attribute of them, in order to carry out an attack. This is a broad class of attacks through which the attacker gains the ability to change some aspect of a resource's characteristic and thus manipulate application behavior or information integrity.

Examples of resources include files, libraries, applications, infrastructure, and configuration information. Unwanted results of these types of attacks: vandalism, reduction in service or even the execution of unauthorized code.

Sniffing Attacks

These occur when an attacker monitors information being exchanged between logical or physical nodes within a network. The attacker does not need to be able to prevent reception or change content, only to be able to observe and read the traffic. Any transmission medium can theoretically be sniffed if the attacker can monitor the exchanges being sent.

SMS Phishing or SMiShing

This is a variant of phishing email scams that instead utilizes Short Message Service (SMS) systems to send bogus text messages.

Smishing scams attempt to direct the text message recipient to use a link to a website or call a phone number. Once they have clicked or called the attacker tries to entice the victim to provide sensitive data, passwords or even credit information as well as to potentially infect their device or computer with malware.

Social Engineering

This is the act of attackers to obtain otherwise inaccessible data by fooling people into revealing secure information to them. Social engineering is successful because its victims innately want to trust other people and are naturally helpful. The victims of social engineering are tricked into revealing information that they do not think will be useful in attacking a company or its computer network. Often the social engineer can use pieces of information from one source in conjunction with other information that has been gathered to discover a vulnerability which they can exploit.


A technique attackers use to gain unauthorized access to computers. They send messages to a victim’s computer with an IP address which indicates that the message is coming from a trusted host. Once accepted the hacker has circumvented some security measures and is inside the victim’s computer or system.

To engage in IP spoofing, a hacker must first use a variety of techniques to find an IP address of a trusted host and then modify the packet headers so that it appears that the packets are coming from that host.


Tailgating involves connecting a user to a computer in the same session as an authorized user and under their proper identification, when their session has been interrupted. This can occur when administrators set the communications controller to send “data-terminal-ready” signals constantly, so the modem will immediately pick up a new session after a disconnection. This allows a new session to tailgate on the old session, potentially allowing unauthorized users to access systems.


This is the criminal practice of using social engineering over the telephone, most often using features facilitated by Voice over IP (VoIP), to gain access to private personal or company information. The term is a combination of "voice" and phishing.