CAPEC Details
Name: Sniff Application Code
Likelihood of attack: Low
Typical severity: High
Summary: An adversary passively sniffs network communications and captures application code bound for an authorized client. Once obtained, they can use it as-is, or through reverse engineering glean sensitive information or exploit the trust relationship between the client and server. Such code may belong to a dynamic update to the client, a patch being applied to a client component, or any similar interaction in which the client is authorized to communicate with the server.
Prerequisites: The attacker must have the ability to place themselves in the communication path between the client and server. The targeted application must receive some application code from the server; for example, dynamic updates, patches, applets or scripts. The attacker must be able to employ a sniffer on the network without being detected.
Execution Flow
Step 1 (Explore): Set up a sniffer
  Description: The attacker sets up a sniffer in the path between the server and the client and watches the traffic.
  Techniques:
  • The attacker sets up a sniffer in the path between the server and the client.
Step 2 (Exploit): Capturing Application Code Bound During Patching
  Description: The attacker knows that the computer/OS/application can request new applications to install, or that it periodically checks for an available update. The attacker loads the sniffer set up during the Explore phase and extracts the application code from subsequent communication. The attacker then proceeds to reverse engineer the captured code.
  Techniques:
  • The attacker loads the sniffer to capture the application code bound during a dynamic update.
  • The attacker proceeds to reverse engineer the captured code.
Solutions
  Design: Encrypt all communication between the client and server.
  Implementation: Use SSL, SSH, SCP.
  Operation: Use "ifconfig/ipconfig" or other tools to detect a sniffer installed on the network.
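The operational mitigation above relies on the fact that a sniffer normally puts a network interface into promiscuous mode, which "ifconfig" reports as the PROMISC flag. The following is an added example, not part of the CAPEC entry, that performs the same check programmatically on Linux by reading each interface's flag word from sysfs (/sys/class/net/<iface>/flags). The flag values IFF_UP (0x1) and IFF_PROMISC (0x100) are the Linux kernel's documented constants; the sample flag words in SAMPLE_FLAGS are constructed for the demonstration and are not captured from a real host.

```python
# Added example (not from the CAPEC entry): find Linux interfaces in promiscuous
# mode, the state a packet sniffer normally puts a NIC into, by reading the
# per-interface flag word the kernel exposes in sysfs.
import glob
import os

# Kernel interface flag bits (include/uapi/linux/if.h).
IFF_UP = 0x1          # interface is administratively up
IFF_PROMISC = 0x100   # interface receives every frame on the segment, not only its own


def parse_flags(text: str) -> int:
    """Parse the hex string found in /sys/class/net/<iface>/flags, e.g. '0x1103'."""
    return int(text.strip(), 16)


def is_promiscuous(flags: int) -> bool:
    """True when the PROMISC bit is set in an interface flag word."""
    return bool(flags & IFF_PROMISC)


def classify_interfaces(flags_by_iface: dict) -> dict:
    """Map each interface name to 'promiscuous', 'normal' or 'down'.

    Promiscuous is reported even for a down interface, because the flag
    itself is the finding; an operator then decides whether a bridge, IDS
    sensor or other legitimate tool explains it.
    """
    result = {}
    for iface, flags in flags_by_iface.items():
        if is_promiscuous(flags):
            result[iface] = "promiscuous"
        elif not flags & IFF_UP:
            result[iface] = "down"
        else:
            result[iface] = "normal"
    return result


def promiscuous_interfaces(flags_by_iface: dict) -> list:
    """Sorted names of interfaces whose flag word has PROMISC set."""
    return sorted(i for i, f in flags_by_iface.items() if is_promiscuous(f))


def read_sysfs_flags(base: str = "/sys/class/net") -> dict:
    """Read the flag word of every interface on this host (Linux only)."""
    flags = {}
    for path in glob.glob(os.path.join(base, "*", "flags")):
        iface = os.path.basename(os.path.dirname(path))
        try:
            with open(path) as fh:
                flags[iface] = parse_flags(fh.read())
        except OSError:
            continue  # interface vanished or is unreadable; skip it
    return flags


# Constructed sample flag words, in the format sysfs reports them:
#   lo    0x9    = UP | LOOPBACK
#   eth0  0x1003 = UP | BROADCAST | MULTICAST
#   eth1  0x1103 = UP | BROADCAST | PROMISC | MULTICAST   <- sniffer candidate
#   wlan0 0x1002 = BROADCAST | MULTICAST, not UP
SAMPLE_FLAGS = {"lo": "0x9", "eth0": "0x1003", "eth1": "0x1103", "wlan0": "0x1002"}


if __name__ == "__main__":
    # Use the constructed sample when run offline; read_sysfs_flags() for a real host.
    parsed = {name: parse_flags(word) for name, word in SAMPLE_FLAGS.items()}
    for name, state in classify_interfaces(parsed).items():
        print(f"{name:6} {state}")
    print("promiscuous:", promiscuous_interfaces(parsed))
```

Two caveats a practitioner should keep in mind. First, promiscuous mode is not proof of an attacker: bridges, virtualization hosts and intrusion-detection sensors set it legitimately, so the output is a list to review, not an alert by itself. Second, this check only sees the host it runs on; a sniffer attached to a mirror port, a tap, or another machine on a shared segment never shows up in the victim's own interface flags, which is why the Design and Implementation mitigations (encrypting the client-server channel) are the ones that actually remove the exposure.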
Related Weaknesses
CWE ID Description
CWE-311 Missing Encryption of Sensitive Data
CWE-318 Cleartext Storage of Sensitive Information in Executable
CWE-319 Cleartext Transmission of Sensitive Information
CWE-693 Protection Mechanism Failure
CWE-719 OWASP Top Ten 2007 Category A8 - Insecure Cryptographic Storage
Related CAPECs
CAPEC ID Description
CAPEC-37 An attacker examines a target system to find sensitive data that has been embedded within it. This information can reveal confidential contents, such as account numbers or individual keys/credentials that can be used as an intermediate step in a larger attack.
CAPEC-157 In this attack pattern, the adversary intercepts information transmitted between two third parties. The adversary must be able to observe, read, and/or hear the communication traffic, but not necessarily block the communication or change its content. Any transmission medium can theoretically be sniffed if the adversary can examine the contents between the sender and recipient. Sniffing Attacks are similar to Man-In-The-Middle attacks (CAPEC-94), but are entirely passive. MITM attacks are predominantly active and often alter the content of the communications themselves.