CAPEC-74: Manipulating State

The adversary modifies state information maintained by the target software or causes a state transition in hardware. If successful, the target will use this tainted state and execute in an unintended manner. State management is an important function within a software application. User state maintained by the application can include usernames, payment information, browsing history as well as application-specific contents such as items in a shopping cart. Manipulating user state can be employed by an adversary to elevate privilege, conduct fraudulent transactions or otherwise modify the flow of the application to derive certain benefits. If there is a hardware logic error in a finite state machine, the adversary can use this to put the system in an undefined state which could cause a denial of service or exposure of secure data.

High

Typical severity

Per MITRE

Medium

Likelihood of attack

Per MITRE

Related weaknesses

CWEs this targets

CAPEC-74: Manipulating State

Overview

How the attack works

What the attacker needs

Prerequisites

Skills required

Resources required

Consequences

How to mitigate it

Examples

Frequently asked questions

What is CAPEC-74?

How does a Manipulating State attack work?

How do you prevent CAPEC-74?

What weaknesses does CAPEC-74 target?

How severe is CAPEC-74?

References

Defend against CAPEC-74