Dark Mode
Capec-74 Detail
Manipulating State
Meta Software Hardware Likelihood: Medium Typical Severity: High
Children: 140 663
Threats: T295
The adversary modifies state information maintained by the target software or causes a state transition in hardware. If successful, the target will use this tainted state and execute in an unintended manner. State management is an important function within a software application. User state maintained by the application can include usernames, payment information, browsing history as well as application-specific contents such as items in a shopping cart. Manipulating user state can be employed by an adversary to elevate privilege, conduct fraudulent transactions or otherwise modify the flow of the application to derive certain benefits. If there is a hardware logic error in a finite state machine, the adversary can use this to put the system in an undefined state which could cause a denial of service or exposure of secure data.
Not present
| External ID | Source | Link | Description |
|---|---|---|---|
| CAPEC-74 | capec | https://capec.mitre.org/data/definitions/74.html | |
| CWE-372 | cwe | http://cwe.mitre.org/data/definitions/372.html | |
| CWE-315 | cwe | http://cwe.mitre.org/data/definitions/315.html | |
| CWE-353 | cwe | http://cwe.mitre.org/data/definitions/353.html | |
| CWE-693 | cwe | http://cwe.mitre.org/data/definitions/693.html | |
| CWE-1245 | cwe | http://cwe.mitre.org/data/definitions/1245.html | |
| CWE-1253 | cwe | http://cwe.mitre.org/data/definitions/1253.html | |
| CWE-1265 | cwe | http://cwe.mitre.org/data/definitions/1265.html | |
| CWE-1271 | cwe | http://cwe.mitre.org/data/definitions/1271.html |
Explore
-
Adversary determines the nature of state management employed by the target. This includes determining the location (client-side, server-side or both applications) and possibly the items stored as part of user state.
Experiment
-
The adversary now tries to modify the user state contents (possibly indiscriminately if the contents are encrypted or otherwise obfuscated) or cause a state transition and observe the effects of this change on the target.
Exploit
-
Having determined how to manipulate the state, the adversary can perform illegitimate actions.
- User state is maintained at least in some way in user-controllable locations, such as cookies or URL parameters.
- There is a faulty finite state machine in the hardware logic that can be exploited.
- The adversary needs a data tampering tool capable of generating and creating custom inputs to aid in the attack, like Fiddler, Wireshark, or a similar in- browser plugin (e.g., Tamper Data for Firefox).
| Medium |
|---|
| The adversary needs to have knowledge of state management as employed by the target application, and also the ability to manipulate the state in a meaningful way. |
| Integrity | Availability | Authorization | Access Control | Confidentiality |
|---|---|---|---|---|
| Modify Data | Unreliable Execution | Gain Privileges | Gain Privileges | Gain Privileges |
- During the authentication process, an application stores the authentication decision (auth=0/1) in unencrypted cookies. At every request, this cookie is checked to permit or deny a request. An adversary can easily violate this representation of user state and set auth=1 at every request in order to gain illegitimate access and elevated privilege in the application.