CAPEC-74: Manipulating State

Overview

CAPEC-74 (Manipulating State) is a meta-level attack pattern catalogued by MITRE in the Common Attack Pattern Enumeration and Classification (CAPEC). It describes a recurring method attackers use to exploit software weaknesses.

How the attack works

The phases an attacker typically follows to carry out this attack.

Step 1
Explore
Adversary determines the nature of state management employed by the target. This includes determining the location (client-side, server-side or both applications) and possibly the items stored as part of user state.
Step 2
Experiment
The adversary now tries to modify the user state contents (possibly indiscriminately if the contents are encrypted or otherwise obfuscated) or cause a state transition and observe the effects of this change on the target.
Step 3
Exploit
Having determined how to manipulate the state, the adversary can perform illegitimate actions.

What the attacker needs

Prerequisites

User state is maintained at least in some way in user-controllable locations, such as cookies or URL parameters.
There is a faulty finite state machine in the hardware logic that can be exploited.

Skills required

Medium skill: The adversary needs to have knowledge of state management as employed by the target application, and also the ability to manipulate the state in a meaningful way.

Resources required

The adversary needs a data tampering tool capable of generating and creating custom inputs to aid in the attack, like Fiddler, Wireshark, or a similar in-browser plugin (e.g., Tamper Data for Firefox).

Consequences

What a successful CAPEC-74 attack can achieve.

Gain Privileges

Affects: Confidentiality, Access Control, Authorization

Modify Data

Affects: Integrity

Unreliable Execution

Affects: Availability

How to mitigate it

Defenses that reduce the risk of CAPEC-74.

Do not rely solely on user-controllable locations, such as cookies or URL parameters, to maintain user state.
Avoid sensitive information, such as usernames or authentication and authorization information, in user-controllable locations.
Sensitive information that is part of the user state must be appropriately protected to ensure confidentiality and integrity at each request.
All possible states must be handled by hardware finite state machines.

Examples

During the authentication process, an application stores the authentication decision (auth=0/1) in unencrypted cookies. At every request, this cookie is checked to permit or deny a request. An adversary can easily violate this representation of user state and set auth=1 at every request in order to gain illegitimate access and elevated privilege in the application.

Frequently asked questions

Common questions about CAPEC-74.

What is CAPEC-74?

The adversary modifies state information maintained by the target software or causes a state transition in hardware. If successful, the target will use this tainted state and execute in an unintended manner. State management is an important function within a software application. User state maintained by the application can include usernames, payment information, browsing history as well as application-specific contents such as items in a shopping cart. Manipulating user state can be employed by an adversary to elevate privilege, conduct fraudulent transactions or otherwise modify the flow of the application to derive certain benefits. If there is a hardware logic error in a finite state machine, the adversary can use this to put the system in an undefined state which could cause a denial of service or exposure of secure data.

How does a Manipulating State attack work?

It typically unfolds over 3 phases. It begins with: Adversary determines the nature of state management employed by the target. This includes determining the location (client-side, server-side or both applications) and possibly the items stored as part of user state.

How do you prevent CAPEC-74?

Do not rely solely on user-controllable locations, such as cookies or URL parameters, to maintain user state.

What weaknesses does CAPEC-74 target?

CAPEC-74 exploits 8 CWE weaknesses, including CWE-315 (Cleartext Storage of Sensitive Information in a Cookie), CWE-353 (Missing Support for Integrity Check), CWE-372 (Incomplete Internal State Distinction), CWE-693 (Protection Mechanism Failure).

How severe is CAPEC-74?

MITRE rates CAPEC-74 as High severity with medium likelihood of attack.

References

Attack-pattern data is sourced from the MITRE CAPEC catalog (v3.9). Weakness associations link to the corresponding CWE entries on RadicalNotion.AI.

Defend against CAPEC-74

Track the CVEs and weaknesses attackers exploit with this technique, with AI-written analysis and remediation guidance.

Start free See pricing

CAPEC-74: Manipulating State

Overview

How the attack works

The phases an attacker typically follows to carry out this attack.

Step 1
Explore
Adversary determines the nature of state management employed by the target. This includes determining the location (client-side, server-side or both applications) and possibly the items stored as part of user state.
Step 2
Experiment
The adversary now tries to modify the user state contents (possibly indiscriminately if the contents are encrypted or otherwise obfuscated) or cause a state transition and observe the effects of this change on the target.
Step 3
Exploit
Having determined how to manipulate the state, the adversary can perform illegitimate actions.

What the attacker needs

Prerequisites

User state is maintained at least in some way in user-controllable locations, such as cookies or URL parameters.
There is a faulty finite state machine in the hardware logic that can be exploited.

Skills required

Medium skill: The adversary needs to have knowledge of state management as employed by the target application, and also the ability to manipulate the state in a meaningful way.

Resources required

The adversary needs a data tampering tool capable of generating and creating custom inputs to aid in the attack, like Fiddler, Wireshark, or a similar in-browser plugin (e.g., Tamper Data for Firefox).

Consequences

What a successful CAPEC-74 attack can achieve.

Gain Privileges

Affects: Confidentiality, Access Control, Authorization

Modify Data

Affects: Integrity

Unreliable Execution

Affects: Availability

How to mitigate it

Defenses that reduce the risk of CAPEC-74.

Do not rely solely on user-controllable locations, such as cookies or URL parameters, to maintain user state.
Avoid sensitive information, such as usernames or authentication and authorization information, in user-controllable locations.
Sensitive information that is part of the user state must be appropriately protected to ensure confidentiality and integrity at each request.
All possible states must be handled by hardware finite state machines.

Examples

Frequently asked questions

Common questions about CAPEC-74.

What is CAPEC-74?

How does a Manipulating State attack work?

How do you prevent CAPEC-74?

Do not rely solely on user-controllable locations, such as cookies or URL parameters, to maintain user state.

What weaknesses does CAPEC-74 target?

How severe is CAPEC-74?

MITRE rates CAPEC-74 as High severity with medium likelihood of attack.

References

Attack-pattern data is sourced from the MITRE CAPEC catalog (v3.9). Weakness associations link to the corresponding CWE entries on RadicalNotion.AI.

Defend against CAPEC-74

Track the CVEs and weaknesses attackers exploit with this technique, with AI-written analysis and remediation guidance.

Start free See pricing

Overview

How the attack works

What the attacker needs

Prerequisites

Skills required

Resources required

Consequences

How to mitigate it

Examples

Related weaknesses

Related attack patterns

Child

Frequently asked questions

What is CAPEC-74?

How does a Manipulating State attack work?

How do you prevent CAPEC-74?

What weaknesses does CAPEC-74 target?

How severe is CAPEC-74?

References

Defend against CAPEC-74

Overview

How the attack works

What the attacker needs

Prerequisites

Skills required

Resources required

Consequences

How to mitigate it

Examples

Related weaknesses

Related attack patterns

Child

Frequently asked questions

What is CAPEC-74?

How does a Manipulating State attack work?

How do you prevent CAPEC-74?

What weaknesses does CAPEC-74 target?

How severe is CAPEC-74?

References

Defend against CAPEC-74