Common Attack Pattern Enumeration and Classification
A Community Resource for Identifying and Understanding Attacks
The adversary modifies state information maintained by the target software in user-accessible locations. If successful, the target software will use this tainted state information and execute in an unintended manner. State management is an important function within an application. User state maintained by the application can include usernames, payment information, browsing history as well as application-specific contents such as items in a shopping cart. Manipulating user state can be employed by an adversary to elevate privilege, conduct fraudulent transactions or otherwise modify the flow of the application to derive certain benefits.
During the authentication process, an application stores the authentication decision (auth=0/1) in unencrypted cookies. At every request, this cookie is checked to permit or deny a request.
An adversary can easily violate this representation of user state and set auth=1 at every request in order to gain illegitimate access and elevated privilege in the application.
Skill or Knowledge Level: Medium
The adversary needs to have knowledge of state management as employed by the target application, and also the ability to manipulate the state in a meaningful way.
The adversary needs a data tampering tool capable of generating and creating custom inputs to aid in the attack, like Fiddler, Wireshark, or a similar in-browser plugin (e.g., Tamper Data for Firefox).
Analysis: The adversary observes contents of client-side user state variables, stored in cookies or hidden fields or query strings, and modifies them in order to observe their effect on the application.
Do not rely solely on user-controllable locations, such as cookies or URL parameters, to maintain user state.
Avoid sensitive information, such as usernames or authentication and authorization information, in user-controllable locations.
Sensitive information that is part of the user state must be appropriately protected to ensure confidentiality and integrity at each request.
Protect user state that is stored client-side with integrity checks to ensure that a malicious user cannot gain unauthorized access to parts of the application
Authenticate every request to ensure that it is coming from a legitimate user and that the request is a valid one in the current context.
More information is available — Please select a different filter.