Home > CAPEC List > CAPEC-74: Manipulating User State (Version 2.11)  

CAPEC-74: Manipulating User State

 
Manipulating User State
Definition in a New Window Definition in a New Window
Attack Pattern ID: 74
Abstraction: Meta
Status: Stable
Completeness: Complete
Presentation Filter:
+ Summary

The adversary modifies state information maintained by the target software in user-accessible locations. If successful, the target software will use this tainted state information and execute in an unintended manner. State management is an important function within an application. User state maintained by the application can include usernames, payment information, browsing history as well as application-specific contents such as items in a shopping cart. Manipulating user state can be employed by an adversary to elevate privilege, conduct fraudulent transactions or otherwise modify the flow of the application to derive certain benefits.

+ Attack Steps
Explore
  1. Adversary determines the nature of state management employed by the application. This includes determining the location (client-side, server-side or both) and possibly the items stored as part of user state.

Experiment
  1. The adversary now tries to modify the user state contents (possibly blindly if the contents are encrypted or otherwise obfuscated) and observe the effects of this change on the application.

Exploit
  1. Having determined the information stored in the user state and the possible ways to modify it, the adversary can violate it in order to perform illegitimate actions.

+ Attack Prerequisites
  • User state is maintained at least in some way in user-controllable locations, such as cookies or URL parameters.

+ Typical Severity

High

+ Typical Likelihood of Exploit

Likelihood: Medium

+ Methods of Attack
  • Analysis
  • Modification of Resources
+ Examples-Instances

Description

During the authentication process, an application stores the authentication decision (auth=0/1) in unencrypted cookies. At every request, this cookie is checked to permit or deny a request.

An adversary can easily violate this representation of user state and set auth=1 at every request in order to gain illegitimate access and elevated privilege in the application.

+ Attacker Skills or Knowledge Required

Skill or Knowledge Level: Medium

The adversary needs to have knowledge of state management as employed by the target application, and also the ability to manipulate the state in a meaningful way.

+ Resources Required

The adversary needs a data tampering tool capable of generating and creating custom inputs to aid in the attack, like Fiddler, Wireshark, or a similar in-browser plugin (e.g., Tamper Data for Firefox).

+ Probing Techniques

Analysis: The adversary observes contents of client-side user state variables, stored in cookies or hidden fields or query strings, and modifies them in order to observe their effect on the application.

+ Solutions and Mitigations

Do not rely solely on user-controllable locations, such as cookies or URL parameters, to maintain user state.

Avoid sensitive information, such as usernames or authentication and authorization information, in user-controllable locations.

Sensitive information that is part of the user state must be appropriately protected to ensure confidentiality and integrity at each request.

+ Attack Motivation-Consequences
ScopeTechnical ImpactNote
Confidentiality
Access_Control
Authorization
Gain privileges / assume identity
Integrity
Modify application data
+ Injection Vector

User-controllable user state variables

+ Payload

Modified or injected user state variables

+ Activation Zone

State management mechanism of the application

+ Payload Activation Impact

Altered user state leading to information leak or elevated privilege

+ Relevant Security Requirements

Protect user state that is stored client-side with integrity checks to ensure that a malicious user cannot gain unauthorized access to parts of the application

Authenticate every request to ensure that it is coming from a legitimate user and that the request is a valid one in the current context.

+ Purposes
  • Exploitation
+ CIA Impact
Confidentiality Impact: HighIntegrity Impact: HighAvailability Impact: Medium
+ Technical Context
Architectural Paradigms
Client-Server
SOA
Frameworks
All
Platforms
All
Languages
All
+ Content History
Submissions
SubmitterOrganizationDateSource
CAPEC Content TeamThe MITRE Corporation2014-06-23Internal_CAPEC_Team
Modifications
ModifierOrganizationDateCommentsSource
CAPEC Content TeamThe MITRE Corporation2017-01-09Updated Description Summary, Related_Attack_PatternsInternal
CAPEC Content TeamThe MITRE Corporation2017-05-01Updated Attack_Phases, Attack_Prerequisites, Attacker_Skills_or_Knowledge_Required, Description Summary, Examples-Instances, Probing_Techniques, Resources_Required, Solutions_and_MitigationsInternal

More information is available — Please select a different filter.
Page Last Updated or Reviewed: July 31, 2017