
CAPEC-162: Manipulating Hidden Fields

Abstraction
Detailed
Status
Draft
Severity
High

Description

An adversary exploits a weakness in the server's trust of client-side processing by modifying data on the client-side, such as price information, and then submitting this data to the server, which processes the modified data. For example, eShoplifting is a data manipulation attack against an on-line merchant during a purchasing transaction. The manipulation of price, discount or quantity fields in the transaction message allows the adversary to acquire items at a lower cost than the merchant intended. The adversary performs a normal purchasing transaction but edits hidden fields within the HTML form response that store price or other information to give themselves a better deal. The merchant then uses the modified pricing information in calculating the cost of the selected items.
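The pattern the description names, shown from the server's side as an added example (not MITRE's or SQUR's code): a checkout handler that trusts a hidden price field, the same handler rewritten to price the order from its own catalogue, a mismatch check that flags an edited field for logging, and an HMAC binding for the case where server state genuinely has to round-trip through the client. The catalogue, the secret, the SKUs and both form submissions are constructed sample data.

```python
import hashlib
import hmac
from decimal import Decimal
from typing import Dict

# Constructed sample catalogue; in a real shop this is the merchant's database and the
# only authoritative source of prices.
CATALOG: Dict[str, Decimal] = {
    "sku-1001": Decimal("49.99"),
    "sku-1002": Decimal("19.50"),
}

# Constructed demo secret for the signed-field variant below (hypothetical value).
SERVER_SECRET = b"demo-secret-constructed-for-this-example"

# Constructed form submissions: an honest one, and one whose hidden price field was
# edited in the browser before submission (the CAPEC-162 scenario).
HONEST_FORM = {"sku": "sku-1001", "price": "49.99", "quantity": "2"}
TAMPERED_FORM = {"sku": "sku-1001", "price": "0.01", "quantity": "2"}


def total_trusting_hidden_fields(form: Dict[str, str]) -> Decimal:
    """Vulnerable pattern (CWE-602): the total is computed from the price the client
    sent back, so whoever edits the hidden field decides what they pay."""
    return Decimal(form["price"]) * int(form["quantity"])


def total_from_server_catalog(form: Dict[str, str]) -> Decimal:
    """Hardened pattern: the client only names the item and quantity; the server looks
    the price up itself and never reads a submitted price field."""
    sku = form["sku"]
    if sku not in CATALOG:
        raise ValueError(f"unknown sku {sku!r}")
    quantity = int(form["quantity"])
    if not 1 <= quantity <= 100:
        raise ValueError("quantity out of range")
    return CATALOG[sku] * quantity


def hidden_field_mismatch(form: Dict[str, str]) -> bool:
    """Detection aid: True when the submitted price differs from the catalogue price,
    i.e. the hidden field changed between form render and submit. Worth logging."""
    expected = CATALOG.get(form.get("sku", ""))
    if expected is None:
        return False
    return Decimal(form.get("price", "0")) != expected


def sign_hidden_fields(sku: str, price: Decimal) -> str:
    """If server state must round-trip through the client, bind the fields the client
    must not change with an HMAC so any edit is detectable on return."""
    msg = f"sku={sku}&price={price}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def verify_hidden_fields(form: Dict[str, str]) -> bool:
    """Recompute the HMAC over the submitted sku and price; compare in constant time."""
    expected = sign_hidden_fields(form["sku"], Decimal(form["price"]))
    return hmac.compare_digest(expected, form.get("sig", ""))


if __name__ == "__main__":
    print("trusting client:", total_trusting_hidden_fields(TAMPERED_FORM))  # 0.02
    print("server catalogue:", total_from_server_catalog(TAMPERED_FORM))    # 99.98
    print("mismatch flagged:", hidden_field_mismatch(TAMPERED_FORM))       # True
    signed = dict(HONEST_FORM, sig=sign_hidden_fields("sku-1001", CATALOG["sku-1001"]))
    print("honest signature ok:", verify_hidden_fields(signed))             # True
    print("edited signature ok:", verify_hidden_fields(dict(signed, price="0.01")))  # False
```

Quantity is left editable because the customer legitimately chooses it; the signature deliberately covers only the fields the client is not meant to change. The catalogue lookup is the primary fix, and the HMAC variant is for the narrower case where a price or discount must travel through the client and the server has no record of it otherwise.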

Related weaknesses (1)

CWE-602

Related attack patterns (1)

CAPEC-77 (ChildOf)

Exploits (1)

Type      Target                                            ID       Confidence  Tier
Weakness  Client-Side Enforcement of Server-Side Security   CWE-602  100%        live

Related by meaning (6)

Nearest entities by semantic similarity across the cs-graph corpus.

CAPEC: Manipulating Opaque Client-based Data Tokens
CAPEC: Transaction or Event Tampering via Application API Manipulation
CAPEC: Application API Message Manipulation via Man-in-the-Middle
CAPEC: Data Interchange Protocol Manipulation
CAPEC: Removing/short-circuiting 'Purse' logic: removing/mutating 'cash' decrements
CAPEC: Web Services Protocol Manipulation

Sourced from MITRE CAPEC. Curated by Adam Lundqvist, SQUR.