Copyright © 2009 Open Geospatial Consortium, Inc. 63
9.6.1 GetCapabilities operation
Asset: Observation Offerings
Cause: Man-In-The-Middle
Effect: User client will receive fraudulent observation offerings. This can include fictitious offerings or removed offerings or an empty list of offerings ObservationOfferingList.
Result: User might not find the expected required offering even though it might exist.
Scope: Application specific knowledge is required.
Example:
Likelihood: Medium
Impact on Asset: None
Impact on User: Effect on the use of the asset effective to the active client; as existing offerings might be fraudulent or removed, an indirect effect on use of assets exists.
Potential: NA
Reason: Sabotage. Denial of Service use if the ObservationOfferingList is empty.
Requirement: Integrity
Table 46: Modify GetCapabilities response
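The three effects listed in Table 46 (fictitious, removed or empty offerings) can be detected on the client by comparing a received response with an offering list obtained over a trusted channel. This is an added example, not part of the OGC document; the SOS 1.0 namespaces, the sample documents, the trusted baseline and the function names are assumptions.

```python
import xml.etree.ElementTree as ET

SOS_NS = "http://www.opengis.net/sos/1.0"  # assumed: SOS 1.0 schema namespace
GML_NS = "http://www.opengis.net/gml"      # gml:id carries the offering identifier


def offering_ids(capabilities_xml):
    """Return the set of gml:id values found in the ObservationOfferingList."""
    root = ET.fromstring(capabilities_xml)
    path = f".//{{{SOS_NS}}}ObservationOfferingList/{{{SOS_NS}}}ObservationOffering"
    ids = (o.get(f"{{{GML_NS}}}id") for o in root.findall(path))
    return {i for i in ids if i is not None}


def check_offerings(capabilities_xml, trusted_ids):
    """Compare a received response with a baseline assumed to be obtained out of band."""
    received = offering_ids(capabilities_xml)
    return {
        "empty": not received,                           # empty ObservationOfferingList
        "removed": sorted(trusted_ids - received),       # offerings that should exist
        "unexpected": sorted(received - trusted_ids),    # possibly fictitious offerings
    }


# Constructed sample responses (not taken from a real service).
SAMPLE = """<sos:Capabilities xmlns:sos="http://www.opengis.net/sos/1.0"
                  xmlns:gml="http://www.opengis.net/gml">
  <sos:Contents>
    <sos:ObservationOfferingList>
      <sos:ObservationOffering gml:id="WATER_LEVEL"/>
      <sos:ObservationOffering gml:id="FAKE_GAUGE"/>
    </sos:ObservationOfferingList>
  </sos:Contents>
</sos:Capabilities>"""

EMPTY = """<sos:Capabilities xmlns:sos="http://www.opengis.net/sos/1.0">
  <sos:Contents><sos:ObservationOfferingList/></sos:Contents>
</sos:Capabilities>"""

TRUSTED = {"WATER_LEVEL", "AIR_TEMPERATURE"}  # constructed baseline

if __name__ == "__main__":
    print(check_offerings(SAMPLE, TRUSTED))
    print(check_offerings(EMPTY, TRUSTED))
```

A comparison like this only flags a modified offering list after the fact; the Integrity requirement in the table still has to be met by protecting the response itself.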
Cause: Adversary’s client can execute SOS.
Effect: Adversary’s client will send GetCapabilities messages to SOS and receive service offerings.
Result: Adversary can use the obtained information to execute other service operations.
Scope: Very little application specific knowledge is required to create the request. But full application specific knowledge is required to understand the response and how to use it in future attacks.
Example:
Likelihood: High
Impact on Asset: None
Impact on User: None
Potential: The adversary obtains information about offerings served by the SOS that can be used in future attacks.
Reason: Espionage. Possible intent to sabotage as the information from the capabilities document is the baseline for other attacks.
Requirement: None
Table 47: Create GetCapabilities request
Cause: Eavesdropping and adversary’s client can execute SOS.
Effect: Adversary’s client will send recorded GetCapabilities request to SOS.
Result: Adversary obtains information about the available offerings.
Scope: No application specific knowledge required.
Example:
Likelihood: High
Impact on Asset: None
Impact on User: None
Potential: NA
Reason: Espionage. Possible intent to sabotage as the information from the capabilities document is the basis for everything else.
Requirement: None
Table 48: Replay GetCapabilities request
Cause: Eavesdropping
Effect: Adversary’s client will record GetCapabilities request/response to SOS.
Result: Adversary’s client receives SOS capabilities.
Scope: No application specific knowledge required to exercise this attack.
Example:
Likelihood: High
Impact on Asset: None
Impact on User: None
Potential: Important for exercising other attacks, requiring sensor metadata and information about observation offerings as input.
Reason: Future Espionage, Sabotage, DoS
Requirement: Allow execution of GetCapabilities for authenticated users only and protect response with confidentiality to prevent unveiling of the metadata.
Table 49: Record GetCapabilities request/response
9.6.2 DescribeSensor operation