CAPEC-140: Bypassing of Intermediate Forms in Multiple-Form Sets
Some web applications require users to submit information through an ordered sequence of web forms. This is often done if there is a very large amount of information being collected or if information on earlier forms is used to pre-populate fields or determine which additional information the application needs to collect. An attacker who knows the names of the various forms in the sequence may be able to explicitly type in the name of a later form and navigate to it without first going through the previous forms. This can result in incomplete collection of information, incorrect assumptions about the information submitted by the attacker, or other problems that can impair the functioning of the application.
Last updated
Overview
CAPEC-140 (Bypassing of Intermediate Forms in Multiple-Form Sets) is a standard-level attack pattern catalogued by MITRE in the Common Attack Pattern Enumeration and Classification (CAPEC). It describes a recurring method attackers use to exploit software weaknesses.
What the attacker needs
Prerequisites
- The target must collect information from the user in a series of forms where each form has its own URL that the attacker can anticipate and the application must fail to detect attempts to access intermediate forms without first filling out the previous forms.
Resources required
- None: No specialized resources are required to execute this type of attack.
Frequently asked questions
Common questions about CAPEC-140.
- What is CAPEC-140?
- Some web applications require users to submit information through an ordered sequence of web forms. This is often done if there is a very large amount of information being collected or if information on earlier forms is used to pre-populate fields or determine which additional information the application needs to collect. An attacker who knows the names of the various forms in the sequence may be able to explicitly type in the name of a later form and navigate to it without first going through the previous forms. This can result in incomplete collection of information, incorrect assumptions about the information submitted by the attacker, or other problems that can impair the functioning of the application.
- What weaknesses does CAPEC-140 target?
- CAPEC-140 exploits 1 CWE weakness, including CWE-372 (Incomplete Internal State Distinction).
- How severe is CAPEC-140?
- MITRE rates CAPEC-140 as Medium severity.
References
Attack-pattern data is sourced from the MITRE CAPEC catalog (v3.9). Weakness associations link to the corresponding CWE entries on RadicalNotion.AI.
Defend against CAPEC-140
Track the CVEs and weaknesses attackers exploit with this technique, with AI-written analysis and remediation guidance.