An attacker modifies state information maintained by the target software
in user-accessible locations. If successful, the target software will use
this tainted state information and execute in an unintended manner.
State management is an important function within an application. User
state maintained by the application can include usernames, payment
information, browsing history as well as application-specific contents such
as items in a shopping cart.
Manipulating user state can be employed by an attacker to elevate
privilege, conduct fraudulent transactions or otherwise modify the flow of
the application to derive certain benefits.
Attack Execution Flow
The attacker determines how the application manages state: where user state is kept (client-side, server-side or both) and, where possible, which items it contains.
The attacker then modifies the contents of the user state (blindly, if the contents are encrypted or otherwise obfuscated) and observes the effect of each change on the application.
Having determined what the user state holds and how it can be modified, the attacker alters it in order to perform illegitimate actions.
Typical Likelihood of Exploit
Likelihood: Medium
Methods of Attack
Analysis
Modification of Resources
Examples-Instances
Description
Upon authenticating a user, an application stores the authentication decision (auth=0/1) in a cookie, unencrypted and without any integrity check. On every request this cookie is checked to permit or deny the request.
An attacker can trivially tamper with this representation of user state and send auth=1 with every request in order to gain illegitimate access and elevated privilege in the application.
Attacker Skills or Knowledge Required
Skill or Knowledge Level: Medium
The attacker needs to have knowledge of state management as employed
by the target application, and also the ability to manipulate the state
in a meaningful way.
Resources Required
No special resources are required. An attacker can choose to use a data
tampering tool to aid in the attack.
Probing Techniques
Description
Analysis: The attacker observes the contents of client-side user state variables, stored in cookies, hidden form fields or query strings, and modifies them in order to observe their effect on the application.
Solutions and Mitigations
Do not rely solely on user-controllable locations, such as cookies or URL parameters, to maintain user state.
Do not store sensitive information, such as usernames or authentication and authorization information, in user-controllable locations.
Sensitive information that is part of the user state must be protected at all times so that its confidentiality and integrity can be verified on each request.
Attack Motivation-Consequences
Scope                                            Technical Impact                     Note
Confidentiality, Access_Control, Authorization   Gain privileges / assume identity
Integrity                                        Modify application data
Injection Vector
User-controllable user state variables
Payload
Modified or injected user state variables
Activation Zone
State management mechanism of the application
Payload Activation Impact
Description
Altered user state leading to information leak or elevated
privilege
FlatNuke 2.5.6 verifies authentication credentials based on an MD5
checksum of the admin name and the hashed password rather than the
plaintext password, which allows attackers to gain privileges by
obtaining the password hash (possibly via CVE-2005-2813), then
calculating the credentials and including them in the secid
cookie.
Protect user state that is stored client-side with integrity checks (for example, a MAC computed under a key that never leaves the server) so that a malicious user cannot gain unauthorized access to parts of the application.
Authenticate every request to ensure that it comes from a legitimate user and that the request is valid in the current context.
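The following Python example is added here as an illustration; it is not code from the original attack pattern entry nor from any product mentioned in it. It places the auth=0/1 cookie-flag design from the example above and the hash-of-hash credential design described in the FlatNuke instance beside the two mitigations just listed (integrity-checked client-side state, and state kept server-side behind an opaque session id), and runs each against the cookies an attacker would forge. The cookie names (auth, secid, session, sid), the user database, the "leaked" password hash and the server key are all constructed for the example.

```python
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie
from typing import Optional


def parse_cookies(cookie_header: str) -> dict:
    # Split a Cookie: request header into a name -> value dict.
    jar = SimpleCookie()
    jar.load(cookie_header)
    return {name: morsel.value for name, morsel in jar.items()}


# 1. The auth=0/1 design from the example: the decision itself is the cookie,
#    so the server believes whatever the client asserts.
def flag_is_authenticated(cookie_header: str) -> bool:
    return parse_cookies(cookie_header).get("auth") == "1"


# 2. A "derived" credential that is still client-computable: a plain hash of the
#    account name and the stored password hash. Anyone who obtains the stored
#    hash can mint a valid token without knowing the password (illustrative of
#    the hash-of-hash design in the FlatNuke instance; not FlatNuke's code).
def derived_token(username: str, stored_password_hash: str) -> str:
    return hashlib.md5(f"{username}:{stored_password_hash}".encode()).hexdigest()


def derived_is_admin(cookie_header: str, user_db: dict) -> bool:
    expected = derived_token("admin", user_db["admin"])
    return hmac.compare_digest(parse_cookies(cookie_header).get("secid", ""), expected)


# 3. Integrity-protected client-side state: the serialised state carries an HMAC
#    under a key that never leaves the server. Editing a byte of the state, or
#    minting state without the key, fails verification.
def sign_state(state: dict, server_key: bytes) -> str:
    body = "&".join(f"{k}={v}" for k, v in sorted(state.items()))
    tag = hmac.new(server_key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def verify_state(cookie_value: str, server_key: bytes) -> Optional[dict]:
    body, sep, tag = cookie_value.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(server_key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None  # forged or modified state is rejected outright
    return dict(pair.split("=", 1) for pair in body.split("&") if "=" in pair)


def signed_is_authenticated(cookie_header: str, server_key: bytes) -> bool:
    state = verify_state(parse_cookies(cookie_header).get("session", ""), server_key)
    return state is not None and state.get("auth") == "1"


# 4. Server-side state: the cookie holds only an opaque random session id; the
#    auth decision lives in a store the client cannot reach.
class ServerSessions:
    def __init__(self) -> None:
        self._store = {}

    def login(self, username: str) -> str:
        sid = secrets.token_urlsafe(32)
        self._store[sid] = {"user": username, "auth": "1"}
        return sid

    def is_authenticated(self, cookie_header: str) -> bool:
        sid = parse_cookies(cookie_header).get("sid", "")
        return self._store.get(sid, {}).get("auth") == "1"


def demo() -> dict:
    # Run each design against forged and legitimate cookies; returns who gets in.
    server_key = secrets.token_bytes(32)                       # server-only secret
    user_db = {"admin": hashlib.md5(b"hunter2").hexdigest()}   # constructed sample
    leaked_hash = user_db["admin"]                             # what the attacker obtained
    results = {}
    # The attacker simply asserts auth=1.
    results["flag_forged"] = flag_is_authenticated("auth=1")
    # The attacker computes secid from the leaked hash, never learning the password.
    forged_secid = derived_token("admin", leaked_hash)
    results["derived_forged"] = derived_is_admin(f"secid={forged_secid}", user_db)
    # The attacker edits a legitimately issued signed cookie from auth=0 to auth=1
    # (keeping the old tag), then tries minting one under a guessed key.
    legit_guest = sign_state({"user": "guest", "auth": "0"}, server_key)
    tampered = legit_guest.replace("auth=0", "auth=1")
    minted = sign_state({"user": "admin", "auth": "1"}, b"guess")
    legit_admin = sign_state({"user": "admin", "auth": "1"}, server_key)
    results["signed_tampered"] = signed_is_authenticated(f"session={tampered}", server_key)
    results["signed_minted"] = signed_is_authenticated(f"session={minted}", server_key)
    results["signed_legit"] = signed_is_authenticated(f"session={legit_admin}", server_key)
    # With server-side state the attacker would have to guess a 256-bit random id.
    sessions = ServerSessions()
    real_sid = sessions.login("admin")
    results["server_forged"] = sessions.is_authenticated("sid=1")
    results["server_legit"] = sessions.is_authenticated(f"sid={real_sid}")
    return results
```

The two forgeries succeed against designs 1 and 2 because everything the server checks is either asserted by the client or computable from data the client may obtain. Designs 3 and 4 accept only the legitimately issued values: the MAC ties the state to a secret the client never sees, and the opaque session id carries no state at all, so there is nothing in the cookie worth editing.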
Related Security Principles
Reluctance To Trust
Never Assuming That Your Secrets Are Safe
Related Guidelines
Treat the Entire Inherited Process Context as Unvalidated Input
Use Well-Known Cryptography Appropriately and Correctly
Purposes
Exploitation
CIA Impact
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: Medium
Technical Context
Architectural Paradigms
Client-Server
SOA
Frameworks
All
Platforms
All
Languages
All
Content History
Submissions
Submitter            Organization   Date         Comments
Chiradeep B Chhaya   Cigital, Inc   2007-03-08   Taken over from Eric Dalci
Modifications
Modifier             Organization   Date         Comments
Sean Barnum          Cigital, Inc   2007-03-08   Review and revise
Richard Struse       VOXEM, Inc     2007-03-26   Review and feedback leading to changes in Name and Description
Sean Barnum          Cigital, Inc   2007-04-16   Modified pattern content according to review and feedback