CAPEC-74: Manipulating State
CAPEC Version: 3.9
Updated: 2023-01-24
Attack Pattern Description
Execution Flow
Step 1: Explore
Adversary determines the nature of state management employed by the target. This includes determining the location (client-side, server-side or both applications) and possibly the items stored as part of user state.
Step 2: Experiment
The adversary now tries to modify the user state contents (possibly indiscriminately if the contents are encrypted or otherwise obfuscated) or cause a state transition and observe the effects of this change on the target.
Step 3: Exploit
Having determined how to manipulate the state, the adversary can perform illegitimate actions.
Prerequisites
- User state is maintained at least in some way in user-controllable locations, such as cookies or URL parameters.
- There is a faulty finite state machine in the hardware logic that can be exploited.
Skills Required
Resources Required
- The adversary needs a data tampering tool capable of generating and creating custom inputs to aid in the attack, like Fiddler, Wireshark, or a similar in-browser plugin (e.g., Tamper Data for Firefox).
Consequences
Scope: Confidentiality, Access Control, Authorization
Technical Impact: Gain Privileges
Scope: Integrity
Technical Impact: Modify Data
Scope: Availability
Technical Impact: Unreliable Execution
Mitigations
Do not rely solely on user-controllable locations, such as cookies or URL parameters, to maintain user state.
Avoid sensitive information, such as usernames or authentication and authorization information, in user-controllable locations.
Sensitive information that is part of the user state must be appropriately protected to ensure confidentiality and integrity at each request.
All possible states must be handled by hardware finite state machines.
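The third mitigation above asks that state kept in a user-controllable location be integrity-protected on every request. The following is an added illustration, not part of the CAPEC entry: it seals a small state dictionary into a cookie-style token with an HMAC-SHA256 tag, and the verifier refuses any token whose payload was altered after signing. The names `seal_state`, `open_state`, `forge_modified_token` and the constructed `SERVER_KEY` are assumptions for this example.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed server-side key for this example; a real service loads it from a
# secret store and never sends it to the client. Without the key the client
# cannot produce a valid tag for a modified payload.
SERVER_KEY = secrets.token_bytes(32)


def _b64(data: bytes) -> str:
    """URL-safe base64 without padding, as typically used in cookie values."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    """Inverse of _b64; restores the padding before decoding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def seal_state(state: dict, key: bytes = SERVER_KEY) -> str:
    """Encode user state and append an HMAC-SHA256 tag over the encoded payload.

    Canonical JSON (sorted keys, no whitespace) means the same state always
    produces the same bytes, so the tag covers exactly what the client holds.
    """
    payload = json.dumps(state, sort_keys=True, separators=(",", ":")).encode()
    encoded = _b64(payload)
    tag = hmac.new(key, encoded.encode("ascii"), hashlib.sha256).digest()
    return f"{encoded}.{_b64(tag)}"


def open_state(token: str, key: bytes = SERVER_KEY):
    """Return the state dict only if the tag verifies; otherwise return None.

    The payload is not parsed until the tag has been checked with a
    constant-time comparison, so a forged or truncated token is rejected
    before any of its contents influence the application.
    """
    try:
        encoded, tag_text = token.split(".", 1)
        expected = hmac.new(key, encoded.encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(tag_text)):
            return None
        return json.loads(_unb64(encoded))
    except (ValueError, TypeError):
        # Covers malformed base64 (binascii.Error) and invalid JSON
        # (JSONDecodeError), both subclasses of ValueError.
        return None


def forge_modified_token(token: str, field: str, value) -> str:
    """Constructed test input: rewrite one field of the payload but keep the old tag.

    This is the kind of edit the Experiment step describes; the verifier is
    expected to reject the result because the tag no longer matches.
    """
    encoded, tag_text = token.split(".", 1)
    state = json.loads(_unb64(encoded))
    state[field] = value
    payload = json.dumps(state, sort_keys=True, separators=(",", ":")).encode()
    return f"{_b64(payload)}.{tag_text}"


if __name__ == "__main__":
    token = seal_state({"user": "alice", "role": "user"})
    print("valid token   ->", open_state(token))
    print("edited payload->", open_state(forge_modified_token(token, "role", "admin")))
    print("garbage       ->", open_state("not-a-token"))
```

HMAC gives integrity only: the payload is still readable by the client, so the second mitigation (keep sensitive values out of client-side state) still applies, and confidentiality would additionally require encryption. The first mitigation is stronger still, namely keeping the authoritative state server-side and handing the client only an opaque session identifier.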