Home > CAPEC List > CAPEC-162: Manipulating Hidden Fields (Version 2.10)  

CAPEC-162: Manipulating Hidden Fields

 
Manipulating Hidden Fields
Definition in a New Window Definition in a New Window
Attack Pattern ID: 162
Abstraction: Detailed
Status: Draft
Completeness: Stub
Presentation Filter:
+ Summary

An attacker exploits a weakness in the server's trust of client-side processing by modifying data on the client-side, such as price information, and then submitting this data to the server to effect a change in the state of an ordinary transaction. eShoplifting is a data manipulation attack against an on-line merchant during a purchasing transaction. The manipulation of price, discount or quantity fields in the transaction message allows the attacker to acquire items at a lower cost than the merchant intended. The attacker performs a normal purchasing transaction but edits hidden fields within the HTML form response that store price or other information to give themselves a better deal. The merchant then uses the modified pricing information in calculating the cost of the selected items.

+ Attack Prerequisites
  • The targeted merchant site must use a shopping cart that does not obfuscate the transaction data and does not validate pricing with back end processing.

+ Typical Severity

High

+ Resources Required

The attacker must be able to craft HTTP responses to the target's shopping site.

+ Content History
Submissions
SubmitterOrganizationDateSource
CAPEC Content TeamThe MITRE Corporation2014-06-23Internal_CAPEC_Team
Modifications
ModifierOrganizationDateCommentsSource
CAPEC Content TeamThe MITRE Corporation2015-12-07Updated Related_Attack_PatternsInternal
CAPEC Content TeamThe MITRE Corporation2017-01-09Updated Related_Attack_PatternsInternal
Previous Entry Names
DatePrevious Entry Name
2015-12-07Manipulating hidden fields to change the normal flow of transactions (eShoplifting)
More information is available — Please select a different filter.
Page Last Updated or Reviewed: May 01, 2017