CAPEC Details
Name Manipulating State
Likelyhood of attack Typical severity
Medium High
Summary The adversary modifies state information maintained by the target software or causes a state transition in hardware. If successful, the target will use this tainted state and execute in an unintended manner. State management is an important function within a software application. User state maintained by the application can include usernames, payment information, browsing history as well as application-specific contents such as items in a shopping cart. Manipulating user state can be employed by an adversary to elevate privilege, conduct fraudulent transactions or otherwise modify the flow of the application to derive certain benefits. If there is a hardware logic error in a finite state machine, the adversary can use this to put the system in an undefined state which could cause a denial of service or exposure of secure data.
Prerequisites User state is maintained at least in some way in user-controllable locations, such as cookies or URL parameters. There is a faulty finite state machine in the hardware logic that can be exploited.
Execution Flow
Step Phase Description Techniques
1 Explore Adversary determines the nature of state management employed by the target. This includes determining the location (client-side, server-side or both applications) and possibly the items stored as part of user state.
2 Experiment The adversary now tries to modify the user state contents (possibly blindly if the contents are encrypted or otherwise obfuscated) or cause a state transition and observe the effects of this change on the target.
3 Exploit Having determined how to manipulate the state, the adversary can perform illegitimate actions.
Solutions Do not rely solely on user-controllable locations, such as cookies or URL parameters, to maintain user state. Avoid sensitive information, such as usernames or authentication and authorization information, in user-controllable locations. Sensitive information that is part of the user state must be appropriately protected to ensure confidentiality and integrity at each request. All possible states must be handled by hardware finite state machines.
Related Weaknesses
CWE ID Description
CWE-315 Cleartext Storage of Sensitive Information in a Cookie
CWE-353 Missing Support for Integrity Check
CWE-371 State Issues
CWE-372 Incomplete Internal State Distinction
CWE-693 Protection Mechanism Failure
CWE-1245 Improper Finite State Machines (FSMs) in Hardware Logic
CWE-1265 Unintended Reentrant Invocation of Non-reentrant Code Via Nested Calls
CWE-1271 Uninitialized Value on Reset for Registers Holding Security Settings