CAPEC-74: Manipulating State

Description
<p>The adversary modifies state information maintained by the target software or causes a state transition in hardware. If successful, the target will use this tainted state and execute in an unintended manner.<p><p>State management is an important function within a software application. User state maintained by the application can include usernames, payment information, browsing history as well as application-specific contents such as items in a shopping cart. Manipulating user state can be employed by an adversary to elevate privilege, conduct fraudulent transactions or otherwise modify the flow of the application to derive certain benefits.<p><p>If there is a hardware logic error in a finite state machine, the adversary can use this to put the system in an undefined state which could cause a denial of service or exposure of secure data.<p>
Extended Description

A URL may contain special character that need special syntax handling in order to be interpreted. Special characters are represented using a percentage character followed by two digits representing the octet code of the original character (%HEX-CODE).

For instance US-ASCII space character would be represented with %20. This is often referred as escaped ending or percent-encoding. Since the server decodes the URL from the requests, it may restrict the access to some URL paths by validating and filtering out the URL requests it received. An adversary will try to craft an URL with a sequence of special characters which once interpreted by the server will be equivalent to a forbidden URL.

It can be difficult to protect against this attack since the URL can contain other format of encoding such as UTF-8 encoding, Unicode-encoding, etc. The adversary could also subvert the meaning of the URL string request by encoding the data being sent to the server through a GET request. For instance an adversary may subvert the meaning of parameters used in a SQL request and sent through the URL string (See Example section).

Severity :

High

Possibility :

Medium

Type :

Meta
Relationships with other CAPECs

This table shows the other attack patterns and high level categories that are related to this attack pattern.

CAPEC-140: Bypassing of Intermediate Forms in Multiple-Form Sets Bypassing of Intermediate Forms in Multiple-Form Sets CAPEC-663: Exploitation of Transient Instruction Execution Exploitation of Transient Instruction Execution
Prerequisites

This table shows the other attack patterns and high level categories that are related to this attack pattern.

  • User state is maintained at least in some way in user-controllable locations, such as cookies or URL parameters.
  • There is a faulty finite state machine in the hardware logic that can be exploited.
Skills required

This table shows the other attack patterns and high level categories that are related to this attack pattern.

  • Medium The adversary needs to have knowledge of state management as employed by the target application, and also the ability to manipulate the state in a meaningful way.
Taxonomy mappings

Mappings to ATT&CK, OWASP and other frameworks.

Resources required

The adversary needs a data tampering tool capable of generating and creating custom inputs to aid in the attack, like Fiddler, Wireshark, or a similar in-browser plugin (e.g., Tamper Data for Firefox).

Related CWE

A Related Weakness relationship associates a weakness with this attack pattern. Each association implies a weakness that must exist for a given attack to be successful.

CWE-315: Cleartext Storage of Sensitive Information in a Cookie

CWE-353: Missing Support for Integrity Check

CWE-372: Incomplete Internal State Distinction

CWE-693: Protection Mechanism Failure

CWE-1245: Improper Finite State Machines (FSMs) in Hardware Logic

CWE-1253: Incorrect Selection of Fuse Values

CWE-1265: Unintended Reentrant Invocation of Non-reentrant Code Via Nested Calls

CWE-1271: Uninitialized Value on Reset for Registers Holding Security Settings

Visit http://capec.mitre.org/ for more details.