Home > CAPEC List > CAPEC-140: Bypassing of Intermediate Forms in Multiple-Form Sets (Version 2.10)  

CAPEC-140: Bypassing of Intermediate Forms in Multiple-Form Sets

 
Bypassing of Intermediate Forms in Multiple-Form Sets
Definition in a New Window Definition in a New Window
Attack Pattern ID: 140
Abstraction: Standard
Status: Draft
Completeness: Stub
Presentation Filter:
+ Summary

Some web applications require users to submit information through an ordered sequence of web forms. This is often done if there is a very large amount of information being collected or if information on earlier forms is used to pre-populate fields or determine which additional information the application needs to collect. An attacker who knows the names of the various forms in the sequence may be able to explicitly type in the name of a later form and navigate to it without first going through the previous forms. This can result in incomplete collection of information, incorrect assumptions about the information submitted by the attacker, or other problems that can impair the functioning of the application.

+ Attack Prerequisites
  • The target must collect information from the user in a series of forms where each form has its own URL that the attacker can anticipate and the application must fail to detect attempts to access intermediate forms without first filling out the previous forms.

+ Typical Severity

Medium

+ Resources Required

No special resources are required for this attack.

+ Content History
Submissions
SubmitterOrganizationDateSource
CAPEC Content TeamThe MITRE Corporation2014-06-23Internal_CAPEC_Team
More information is available — Please select a different filter.
Page Last Updated or Reviewed: May 01, 2017