Home > CAPEC List > CAPEC-162: Manipulating Hidden Fields (Version 2.11)  

CAPEC-162: Manipulating Hidden Fields

Manipulating Hidden Fields
Definition in a New Window Definition in a New Window
Attack Pattern ID: 162
Abstraction: Detailed
Status: Draft
Completeness: Stub
Presentation Filter:
+ Summary

An adversary exploits a weakness in the server's trust of client-side processing by modifying data on the client-side, such as price information, and then submitting this data to the server, which processes the modified data. For example, eShoplifting is a data manipulation attack against an on-line merchant during a purchasing transaction. The manipulation of price, discount or quantity fields in the transaction message allows the adversary to acquire items at a lower cost than the merchant intended. The adversary performs a normal purchasing transaction but edits hidden fields within the HTML form response that store price or other information to give themselves a better deal. The merchant then uses the modified pricing information in calculating the cost of the selected items.

+ Attack Prerequisites
  • The targeted site must contain hidden fields to be modified.

  • The targeted site must not validate the hidden fields with backend processing.

+ Typical Severity


+ Resources Required

The adversary must have the ability to modify hidden fields by editing the HTTP response to the server.

+ Content History
CAPEC Content TeamThe MITRE Corporation2014-06-23Internal_CAPEC_Team
CAPEC Content TeamThe MITRE Corporation2015-12-07Updated Related_Attack_PatternsInternal
CAPEC Content TeamThe MITRE Corporation2017-01-09Updated Related_Attack_PatternsInternal
CAPEC Content TeamThe MITRE Corporation2017-08-04Updated Attack_Prerequisites, Description Summary, Resources_RequiredInternal
Previous Entry Names
DatePrevious Entry Name
2015-12-07Manipulating hidden fields to change the normal flow of transactions (eShoplifting)

More information is available — Please select a different filter.
Page Last Updated or Reviewed: August 04, 2017