
CAPEC-39: Manipulating Opaque Client-based Data Tokens

Abstraction: Standard
Status: Draft
Likelihood: High
Severity: Medium

Description

In circumstances where an application holds important data client-side in tokens (cookies, URLs, data files, and so forth), that data can be manipulated. If client- or server-side application components reinterpret that data as authentication tokens or as business data (such as store item pricing or wallet information), then even opaquely manipulating that data may bear fruit for an attacker. In this pattern an attacker undermines the assumption that client-side tokens have been adequately protected from tampering through the use of encryption or obfuscation.
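The following is an added example, not part of the CAPEC entry or of any MITRE code, illustrating the weakness the description names and the integrity check that closes it. It contrasts a server that decodes a merely base64-encoded cart cookie and trusts the price and role it finds (the CWE-565 / CWE-472 situation) with a server that binds its token to a secret key using HMAC-SHA256, verifies the tag in constant time, and looks the price up from a server-side catalogue so the client can only name an item, never state its price. The key, catalogue, field names and function names are all constructed for this example; a real deployment would load the key from a secrets store.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed server-side secret for this example only; never hard-code a real key.
SERVER_KEY = b"example-key-not-for-production"

# Constructed, server-authoritative catalogue (prices in cents). The client is
# trusted to name an item, never to state what it costs.
CATALOGUE = {"book": 1200, "laptop": 90000}


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# --- Weak pattern (CWE-565 / CWE-472): the cookie is only encoded, and the
# server reinterprets whatever it finds as the price and the role.
def encode_cart_cookie(item: str, price_cents: int, role: str) -> str:
    return _b64e(json.dumps({"item": item, "price": price_cents, "role": role}).encode())


def unsafe_checkout(cookie: str) -> dict:
    data = json.loads(_b64d(cookie))
    # No integrity check: price and role come straight from the client.
    return {"charged": data["price"], "is_admin": data["role"] == "admin"}


# --- Hardened pattern: claims are bound to the server key with HMAC-SHA256,
# the tag is checked in constant time, and the price is resolved server-side.
def _canonical(claims: dict) -> str:
    return _b64e(json.dumps(claims, sort_keys=True, separators=(",", ":")).encode())


def issue_token(claims: dict, key: bytes = SERVER_KEY) -> str:
    body = _canonical(claims)
    tag = hmac.new(key, body.encode("ascii"), hashlib.sha256).digest()
    return f"{body}.{_b64e(tag)}"


def verify_token(token: str, key: bytes = SERVER_KEY) -> Optional[dict]:
    """Return the claims if the tag matches, otherwise None (malformed input included)."""
    try:
        body, tag_b64 = token.split(".", 1)
        expected = hmac.new(key, body.encode("ascii"), hashlib.sha256).digest()
        # compare_digest avoids leaking how many leading bytes matched.
        if not hmac.compare_digest(expected, _b64d(tag_b64)):
            return None
        return json.loads(_b64d(body))
    except (ValueError, UnicodeDecodeError):
        return None


def safe_checkout(token: str) -> Optional[dict]:
    claims = verify_token(token)
    if claims is None or claims.get("item") not in CATALOGUE:
        return None
    return {"charged": CATALOGUE[claims["item"]], "is_admin": claims.get("role") == "admin"}


def modify_claims(token_or_cookie: str, **changes) -> str:
    """Negative-test helper: re-encode the body with changed fields, keeping any tag as-is.

    Against the unsafe cookie this is exactly the 'opaque' manipulation the
    pattern describes; against the signed token it must fail verification.
    """
    body, _, tag = token_or_cookie.partition(".")
    data = json.loads(_b64d(body))
    data.update(changes)
    new_body = _canonical(data)
    return f"{new_body}.{tag}" if tag else new_body
```

Usage: issue_token({"item": "laptop", "role": "user"}) produces a token that safe_checkout accepts and charges 90000 for; the same token with its role field rewritten by modify_claims is rejected by verify_token, whereas unsafe_checkout happily charges whatever price the rewritten cookie names. Note that the HMAC only provides integrity: the claims remain readable by the client, so sensitive fields (CWE-315) still do not belong in the token even when it is signed.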

Related weaknesses (9)

CWE-353, CWE-285, CWE-302, CWE-472, CWE-565, CWE-315, CWE-539, CWE-384, CWE-233

Related attack patterns (1)

CAPEC-22 (ChildOf)

Exploits (9)

Type     | Target                                                          | Confidence | Tier
Weakness | Cleartext Storage of Sensitive Information in a Cookie (CWE-315)  | 100%       | live
Weakness | Missing Support for Integrity Check (CWE-353)                     | 100%       | live
Weakness | Session Fixation (CWE-384)                                        | 100%       | live
Weakness | Reliance on Cookies without Validation and Integrity Checking (CWE-565) | 100% | live
Weakness | Improper Handling of Parameters (CWE-233)                         | 100%       | live
Weakness | External Control of Assumed-Immutable Web Parameter (CWE-472)     | 100%       | live
Weakness | Improper Authorization (CWE-285)                                  | 100%       | live
Weakness | Use of Persistent Cookies Containing Sensitive Information (CWE-539) | 100%    | live
Weakness | Authentication Bypass by Assumed-Immutable Data (CWE-302)         | 100%       | live

Related by meaning (6)

Nearest entities by semantic similarity across the cs-graph corpus.

CAPEC: Accessing/Intercepting/Modifying HTTP Cookies
CAPEC: Application API Message Manipulation via Man-in-the-Middle
CAPEC: Manipulating Hidden Fields
CAPEC: Content Spoofing Via Application API Manipulation
CAPEC: Client-Server Protocol Manipulation
CAPEC: Transaction or Event Tampering via Application API Manipulation

Sourced from MITRE CAPEC. Curated by Adam Lundqvist, SQUR.