An attacker exploits a weakness in the server's trust of client-side
processing by modifying data on the client-side, such as price information,
and then submitting this data to the server to effect a change in the state
of an ordinary transaction. eShoplifting is a data manipulation attack
against an on-line merchant during a purchasing transaction. The
manipulation of price, discount or quantity fields in the transaction
message allows the attacker to acquire items at a lower cost than the
merchant intended. The attacker performs a normal purchasing transaction but
edits hidden fields within the HTML form response that store price or other
information to give themselves a better deal. The merchant then uses the
modified pricing information in calculating the cost of the selected
items.
Attack Prerequisites
The targeted merchant site must use a shopping cart that does not obfuscate
the transaction data and does not validate pricing with back-end
processing.
Resources Required
The attacker must be able to craft HTTP responses to the target's shopping
site.
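Added example (not part of the CAPEC entry): a checkout handler that trusts the client's hidden price field, shown beside a hardened handler that reprices every line from the server-side catalog, range-checks the quantity, and verifies an HMAC over the hidden fields so tampering is detected rather than silently honoured. The catalog, SKUs and signing key are constructed placeholders.

```python
import hmac
import hashlib
from decimal import Decimal

# Constructed server-side catalog: the merchant's authoritative prices.
CATALOG = {"SKU-100": Decimal("49.99"), "SKU-200": Decimal("120.00")}

# Placeholder key for the example; a real deployment loads it from a secrets store.
SIGNING_KEY = b"example-only-key"


def sign_cart_fields(sku, price):
    """HMAC over the hidden fields emitted with the form, so edits are detectable."""
    msg = f"{sku}|{price}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def checkout_trusting_client(form):
    """Vulnerable pattern: the total is computed from the client-supplied price."""
    return Decimal(form["price"]) * int(form["quantity"])


def detect_tampering(form):
    """True if the submitted hidden fields no longer match their signature."""
    expected = sign_cart_fields(form.get("sku", ""), form.get("price", ""))
    return not hmac.compare_digest(expected, form.get("sig", ""))


def checkout_server_priced(form):
    """Hardened pattern: price is taken from the catalog, never from the client.
    A bad signature is rejected (and is worth logging as a tampering attempt)."""
    if detect_tampering(form):
        raise ValueError("hidden field tampering detected")
    sku = form["sku"]
    if sku not in CATALOG:
        raise ValueError("unknown sku")
    qty = int(form["quantity"])
    if not 1 <= qty <= 100:
        raise ValueError("quantity out of range")
    return CATALOG[sku] * qty
```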
Copyright 2009, The MITRE Corporation. CAPEC and the CAPEC logo are trademarks of The MITRE Corporation.