Home > CAPEC List > CAPEC-172: Manipulate Timing and State (Version 2.11)  

CAPEC CATEGORY: Manipulate Timing and State

Manipulate Timing and State
Definition in a New Window Definition in a New Window
Category ID: 172
Status: Stable
+ Description


An attacker exploits weaknesses in timing or state maintaining functions to perform actions that would otherwise be prevented by the execution flow of the target code and processes. An example of a state attack might include manipulation of an application's information to change the apparent credentials or similar information, possibly allowing the application to access material it would not normally be allowed to access. A common example of a timing attack is a test-action race condition where some state information is tested and, if it passes, an action is performed. If the attacker can change the state between the time that the application performs the test and the time the action is performed, then they might be able to manipulate the outcome of the action to malicious ends.
+ Attack Prerequisites
  • Virtually all applications can be subject to time or state attacks in some form.

+ Resources Required

State attacks require the ability to manipulate the underlying state of an application. If that state is stored in a simple file, this can be relatively easy. If the state is stored internally, this can be more difficult. Timing attacks rely on being able to control when an application's thread is interrupted in order to insert the malicious action. Even then, if the actions in the sequence happen quickly, then success can largely be a matter of luck. As such, having many opportunities to attempt the attack is usually a requirement since and individual attack may have a low probability of success.

+ Relationships
NatureTypeIDNameView(s) this relationship pertains toView(s)
HasMemberMeta Attack PatternMeta Attack Pattern25Forced Deadlock
Mechanisms of Attack (primary)1000
HasMemberMeta Attack PatternMeta Attack Pattern26Leveraging Race Conditions
Mechanisms of Attack (primary)1000
HasMemberMeta Attack PatternMeta Attack Pattern74Manipulating User State
Mechanisms of Attack (primary)1000
MemberOfViewView1000Mechanisms of Attack
Mechanisms of Attack1000
+ Content History
CAPEC Content TeamThe MITRE Corporation2014-06-23Internal_CAPEC_Team
CAPEC Content TeamThe MITRE Corporation2017-01-09Updated RelationshipsInternal

More information is available — Please select a different filter.
Page Last Updated or Reviewed: August 04, 2017