URI Hijacking - T1635.001 (789ef15a-34d9-4b32-a779-8cbbc9eb32f5)
Adversaries may register Uniform Resource Identifiers (URIs) to intercept sensitive data.
Applications regularly register URIs with the operating system to act as response handlers for various actions, such as logging into an app using an external account via single sign-on. This allows the application to intercept redirections to that specific URI. If an adversary registers a URI that is already in use by a genuine application, the adversary may be able to intercept data intended for the genuine application or perform a phishing attack against the genuine application. Intercepted data may include OAuth authorization codes or tokens that the adversary could use to gain access to protected resources. (Citation: Trend Micro iOS URL Hijacking) (Citation: IETF-PKCE)
| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| URI Hijacking - T1635.001 (789ef15a-34d9-4b32-a779-8cbbc9eb32f5) | Attack Pattern | Steal Application Access Token - T1635 (233fe2c0-cb41-4765-b454-e0087597fbce) | Attack Pattern | 1 |