| Name |
Excavation |
|
| Likelyhood of attack |
Typical severity |
| High |
Medium |
|
| Summary |
An adversary actively probes the target in a manner that is designed to solicit information that could be leveraged for malicious purposes. |
| Prerequisites |
An adversary requires some way of interacting with the system. |
| Solutions | Minimize error/response output to only what is necessary for functional use or corrective language. Remove potentially sensitive information that is not necessary for the application's functionality. |
| Related Weaknesses |
|
CWE ID
|
Description
|
| CWE-200 |
Exposure of Sensitive Information to an Unauthorized Actor |
| CWE-1243 |
Sensitive Non-Volatile Information Not Protected During Debug |
|
| Related CAPECS |
|
CAPEC ID
|
Description
|
| CAPEC-163 |
An adversary targets a specific user or group with a Phishing (CAPEC-98) attack tailored to a category of users in order to have maximum relevance and deceptive capability. Spear Phishing is an enhanced version of the Phishing attack targeted to a specific user or group. The quality of the targeted email is usually enhanced by appearing to come from a known or trusted entity. If the email account of some trusted entity has been compromised the message may be digitally signed. The message will contain information specific to the targeted users that will enhance the probability that they will follow the URL to the compromised site. For example, the message may indicate knowledge of the targets employment, residence, interests, or other information that suggests familiarity. As soon as the user follows the instructions in the message, the attack proceeds as a standard Phishing attack. |
|