
CAPEC-77: Manipulating User-Controlled Variables

Abstraction
Standard
Status
Draft
Likelihood
High
Severity
Very High

Description

This attack targets user-controlled variables (DEBUG=1, PHP globals, and so forth). An adversary overrides application variables by supplying untrusted query variables that the application server uses directly, without any data sanitization or an allowlist of expected parameter names. In extreme cases the adversary can change variables that control the business logic of the application, such as a flag that records whether a user is authenticated. For instance, in languages like PHP a number of poorly chosen default configurations (the classic example being register_globals, removed in PHP 5.4) allowed any request parameter to become a global variable and so to override variables the server intended to set itself.
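The following JavaScript is an added example and is not part of the MITRE CAPEC entry or the cs-graph corpus. It models the register_globals-style behaviour described above in a language that can be run directly: a handler merges the raw query string into its own server-side state, so a request can flip the server-owned `authenticated` and `debug` fields, and a hardened handler reads only an allowlist of validated parameters. It also shows the same root cause in a JSON body, where a recursive merge that trusts object keys writes onto `Object.prototype` (CWE-1321, listed under Exploits below), beside a merge that refuses prototype keys. The function names, state fields, query strings and JSON bodies are all assumptions made for the example.

```javascript
// Added example (not from MITRE CAPEC or the cs-graph corpus): a JavaScript
// model of CAPEC-77. Server-side state is merged with raw request variables,
// so the client overrides variables the server meant to control. Handler
// names, state fields and sample inputs are assumed for illustration.

// Parse a raw query string into a plain object. Last value wins, as in PHP.
function parseQuery(qs) {
  const out = {};
  for (const [k, v] of new URLSearchParams(qs)) out[k] = v;
  return out;
}

// Vulnerable: every query variable becomes an application variable
// (register_globals-style). "authenticated" and "debug" are meant to be set
// only by the server, but a request such as ?authenticated=1 overrides them.
// Note that even debug=0 enables debug, because "0" is a non-empty string.
function handleVulnerable(qs) {
  const state = { authenticated: false, debug: false, user: 'guest', q: '' };
  Object.assign(state, parseQuery(qs)); // user keys override server keys
  return state;
}

// Hardened: only an explicit allowlist of request parameters is read, each
// through its own validator; server-controlled fields are never merged.
const REQUEST_PARAMS = {
  q: v => String(v).slice(0, 100),
  page: v => { const n = Number(v); return Number.isInteger(n) && n > 0 ? n : 1; },
};

function handleHardened(qs) {
  const state = { authenticated: false, debug: false, user: 'guest', q: '', page: 1 };
  const query = parseQuery(qs);
  for (const [name, validate] of Object.entries(REQUEST_PARAMS)) {
    if (Object.prototype.hasOwnProperty.call(query, name)) state[name] = validate(query[name]);
  }
  return state;
}

// Same root cause in a JSON body: a recursive merge that trusts object keys
// walks into "__proto__" and writes onto Object.prototype (CWE-1321).
function deepMergeUnsafe(target, src) {
  for (const key of Object.keys(src)) {
    const val = src[key];
    if (val !== null && typeof val === 'object') {
      if (typeof target[key] !== 'object' || target[key] === null) target[key] = {};
      deepMergeUnsafe(target[key], val); // target['__proto__'] is Object.prototype
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Hardened merge: skip prototype-related keys and only descend into
// own, plain-object properties of the target.
function deepMergeSafe(target, src) {
  for (const key of Object.keys(src)) {
    if (key === '__proto__' || key === 'constructor' || key === 'prototype') continue;
    const val = src[key];
    if (val !== null && typeof val === 'object') {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || typeof target[key] !== 'object' || target[key] === null) target[key] = {};
      deepMergeSafe(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Merge a (constructed) JSON body into fresh settings and report whether an
// unrelated object now sees isAdmin; clean up so the demonstration does not
// leak into the rest of the process.
function pollutes(mergeFn, body) {
  const settings = {};
  mergeFn(settings, JSON.parse(body));
  const leaked = ({}).isAdmin === true;
  delete Object.prototype.isAdmin;
  return leaked;
}
```

The check a practitioner wants is the one `handleHardened` makes: request parameters are copied by name, through a validator, into fields the server chose to expose, and nothing else in the request reaches server state. For nested input the same rule applies to keys, which is why `deepMergeSafe` refuses `__proto__`, `constructor` and `prototype` outright rather than trying to sanitize their values.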

Related weaknesses (7)

CWE-15, CWE-94, CWE-96, CWE-285, CWE-302, CWE-473, CWE-1321

Related attack patterns (1)

CAPEC-22 (ChildOf)

Exploits (7)

Type | Target | Confidence | Tier
Weakness | External Control of System or Configuration Setting (CWE-15) | 100% | live
Weakness | Improper Control of Generation of Code ('Code Injection') (CWE-94) | 100% | live
Weakness | Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') (CWE-1321) | 100% | live
Weakness | Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection') (CWE-96) | 100% | live
Weakness | PHP External Variable Modification (CWE-473) | 100% | live
Weakness | Improper Authorization (CWE-285) | 100% | live
Weakness | Authentication Bypass by Assumed-Immutable Data (CWE-302) | 100% | live

Related by meaning (6)

Nearest entities by semantic similarity across the cs-graph corpus.

CWE: PHP External Variable Modification
CAPEC: DEPRECATED: Variable Manipulation
CAPEC: DEPRECATED: Global variable manipulation
CAPEC: Configuration/Environment Manipulation
CAPEC: Subverting Environment Variable Values
CAPEC: HTTP Parameter Pollution (HPP)

Sourced from MITRE CAPEC. Curated by Adam Lundqvist, SQUR.