complete a particular action. An attacker may be able to circumvent
or misuse these features to harm a web site and its users.
6.1 Abuse of Functionality
Abuse of Functionality is an attack technique that uses a web site's
own features and functionality to consume resources, defraud users, or
circumvent access control mechanisms. Some functionality of a web site,
possibly even security features, may be abused to cause unexpected
behavior. When a piece of functionality is open to abuse, an attacker
could potentially annoy other users or perhaps defraud the system
entirely. The potential and level of abuse will vary from web site to
web site and application to application.
Abuse of Functionality techniques are often intertwined with other
categories of web application attacks, such as performing an
encoding attack to introduce a query string that turns a web search
function into a remote web proxy. Abuse of Functionality attacks are
also commonly used as a force multiplier. For example, an attacker
can inject a Cross-site Scripting snippet into a web chat session and
then use the built-in broadcast function to propagate the malicious
code throughout the site.
In a broad view, all effective attacks against computer-based systems
entail Abuse of Functionality issues. Specifically, this definition
describes an attack that has subverted a useful web application for a
malicious purpose with little or no modification to the original function.
Example
Examples of Abuse of Functionality include: a) using a web site's
search function to access restricted files outside of a web directory, b)
subverting a file upload subsystem to replace critical internal
configuration files, and c) performing a DoS by flooding a web login
system with good usernames and bad passwords to lock out
Copyright 2004, Web Application Security Consortium. All rights reserved.