CAPEC-39: Manipulating Opaque Client-based Data Tokens

Description
In circumstances where an application holds important data client-side in tokens (cookies, URLs, data files, and so forth), that data can be manipulated. If client- or server-side application components reinterpret that data as authentication tokens or data (such as store item pricing or wallet information), then even opaquely manipulating that data may bear fruit for an attacker. In this pattern an attacker undermines the assumption that client-side tokens have been adequately protected from tampering through the use of encryption or obfuscation.
Extended Description

Performing this attack allows the adversary to manipulate content in such a way as to produce messages or content that look authentic but may contain deceptive links, spam-like content, or links to the adversary's code. In general, content spoofing within an application API can be employed to stage many different types of attacks, varied according to the adversary's intent. When the goal is to spread malware, deceptive content is created, such as modified links, buttons, or images, that entices users to click on those items, all of which point to a malicious URI. The techniques require the use of specialized software that allows the adversary to use adversary-in-the-middle (CAPEC-94) communications between the web browser and the remote system in order to change the destination of various application interface elements.

Severity: Medium

Possibility: High

Type: Standard

Relationships with other CAPECs

This table shows the other attack patterns and high level categories that are related to this attack pattern.

Prerequisites

  • An attacker already has some access to the system or can steal the client-based data tokens from another user who has access to the system.
  • For an attacker to viably execute this attack, some data (later interpreted by the application) must be held client-side in a way that can be manipulated without detection. This means that the data or tokens carry no integrity check (for example a CRC) either as part of their value or in a separate metadata store elsewhere.
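
The two prerequisites above come down to one server-side question: does the application verify the integrity of a token before it trusts the values inside? The following Python is an added example, not part of the CAPEC entry, that contrasts a token which is merely obfuscated (base64 over JSON) with the same token carrying a keyed HMAC-SHA256 tag; the function names, the server key and the sample cart are all constructed for illustration.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo key. In a real service the key lives in a secrets manager
# and is never sent to the client.
SERVER_KEY = b"demo-only-server-key"


def _b64(data: dict) -> bytes:
    # Canonical JSON (sorted keys) so the same data always yields the same bytes
    return base64.urlsafe_b64encode(json.dumps(data, sort_keys=True).encode())


def encode_opaque(data: dict) -> str:
    """Obfuscation only: the token is just base64 over JSON, so anyone holding
    it can decode, edit and re-encode it without the server noticing."""
    return _b64(data).decode()


def decode_opaque(token: str) -> dict:
    """Unprotected server-side decoder: trusts whatever the client sends back."""
    return json.loads(base64.urlsafe_b64decode(token.encode()))


def encode_signed(data: dict) -> str:
    """Same payload, plus an HMAC-SHA256 tag computed under the server-only key."""
    payload = _b64(data)
    tag = hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()
    return payload.decode() + "." + tag


def decode_signed(token: str) -> Optional[dict]:
    """Returns the data only if the tag verifies; None means reject the request.
    The tag covers the whole payload, so any edit to any field invalidates it."""
    try:
        payload, tag = token.rsplit(".", 1)
    except ValueError:
        return None  # malformed: no separator between payload and tag
    expected = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        return None
    try:
        return json.loads(base64.urlsafe_b64decode(payload.encode()))
    except ValueError:  # covers binascii.Error and JSONDecodeError
        return None


def price_to_charge(token: str) -> Optional[int]:
    """Server-side checkout step: charge the price in the token only if it verifies."""
    data = decode_signed(token)
    if data is None or not isinstance(data.get("price"), int):
        return None
    return data["price"]


if __name__ == "__main__":
    cart = {"item": "sku-42", "price": 1999, "user": "alice"}  # constructed sample
    edited = dict(cart, price=1)
    # Unprotected token: a re-encoded copy with a different price is accepted as-is
    print("opaque token, edited price accepted:", decode_opaque(encode_opaque(edited))["price"])
    # Signed token: the same edit fails verification and the request is rejected
    signed = encode_signed(cart)
    _, tag = signed.rsplit(".", 1)
    print("signed token, original:", price_to_charge(signed))
    print("signed token, edited:", price_to_charge(encode_opaque(edited) + "." + tag))
```

Two caveats worth keeping in mind when applying this. A plain CRC or checksum, as named in the prerequisite above, only detects accidental corruption: whoever holds the token can recompute it after editing, so the check has to be a MAC under a key the client never sees. And a MAC gives integrity, not confidentiality or freshness: if the payload is sensitive it also needs encryption, and binding the token to a session and an expiry limits what a token stolen from another user (the first prerequisite) is worth.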
Skills required

  • Medium: if the client-side token is obfuscated.
  • High: if the client-side token is encrypted.
Taxonomy mappings

Mappings to ATT&CK, OWASP and other frameworks.

Resources required

The attacker needs no special hardware-based resources in order to conduct this attack. Software plugins, such as Tamper Data for Firefox, may help in manipulating URL- or cookie-based data.

Visit http://capec.mitre.org/ for more details.