Abstraction: Class · Status: Draft

CWE-642: External Control of Critical State Data

Category: other

Description

The product stores security-critical state information about its users, or the product itself, in a location that is accessible to unauthorized actors.

Common consequences · 3

  • Access Control — Bypass Protection Mechanism, Gain Privileges or Assume Identity
    An attacker could potentially modify the state in malicious ways. If the state is related to the privileges or level of authentication that the user has, then state modification might allow the user to bypass authentication or elevate privileges.
  • Confidentiality — Read Application Data
    The state variables may contain sensitive information that should not be known by the client.
  • Availability — DoS: Crash, Exit, or Restart
    By modifying state variables, the attacker could violate the application's expectations for the contents of the state, leading to a denial of service due to an unexpected error condition.

Potential mitigations · 5

  • [Architecture and Design]Understand all the potential locations that are accessible to attackers. For example, some programmers assume that cookies and hidden form fields cannot be modified by an attacker, or they may not consider that environment variables can be modified before a privileged program is invoked.
  • [Architecture and Design]Store state information on the server side only. Ensure that the system definitively and unambiguously keeps track of its own state and user state and has rules defined for legitimate state transitions. Do not allow any application user to affect state directly in any way other than through legitimate actions leading to state transitions.
  • [Architecture and Design]For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.
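The three mitigations above describe one design decision: the server must not derive privilege or authentication state from anything the client can rewrite. The following is an added illustration, not code from MITRE or from this corpus. It contrasts a handler that reads the user's role straight from a cookie (the CWE-642 pattern) with two fixes: keeping the role in a server-side session keyed by an opaque, unguessable id, and, for the case where state genuinely has to round-trip through the client, attaching an HMAC so tampering is detected. Requests are modelled as plain cookie dicts so the example runs offline; `SERVER_KEY`, `SESSIONS` and the function names are assumptions made for the example, and the key would come from a secrets manager in a real service.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Assumed for the example: a per-deployment secret. Load it from a secrets
# manager in production; never hard-code or commit it.
SERVER_KEY = secrets.token_bytes(32)


# --- Vulnerable pattern (CWE-642): privilege level stored in a client cookie ---
def vulnerable_is_admin(cookies: dict) -> bool:
    # The server trusts whatever "role" the client sends. Any user can set
    # role=admin in their own cookie jar and bypass the authorization check.
    return cookies.get("role") == "admin"


# --- Mitigation 1: keep state server-side, hand the client only an opaque id ---
# In-memory store for the demo; use a real session backend in production.
SESSIONS: dict = {}


def create_session(username: str, role: str) -> str:
    """Record the user's role server-side and return an unguessable session id."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": username, "role": role}
    return sid


def hardened_is_admin(cookies: dict) -> bool:
    # Only the opaque session id is read from the client. The role is looked
    # up server-side, so a client-supplied "role" cookie is ignored entirely.
    session = SESSIONS.get(cookies.get("sid", ""))
    return session is not None and session["role"] == "admin"


# --- Mitigation 2: if state must travel through the client, sign it ---
def sign_state(state: dict) -> str:
    """Serialize state and append an HMAC-SHA256 tag so tampering is detectable."""
    payload = base64.urlsafe_b64encode(
        json.dumps(state, sort_keys=True).encode()
    ).decode()
    tag = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def verify_state(token: str):
    """Return the state dict if the tag verifies, otherwise None."""
    try:
        payload, tag = token.split(".", 1)
    except ValueError:
        return None
    expected = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        return None
    return json.loads(base64.urlsafe_b64decode(payload.encode()))


def tamper(token: str, new_state: dict) -> str:
    """Simulate an attacker who rewrites the payload but does not know SERVER_KEY."""
    _, tag = token.split(".", 1)
    payload = base64.urlsafe_b64encode(
        json.dumps(new_state, sort_keys=True).encode()
    ).decode()
    return f"{payload}.{tag}"


if __name__ == "__main__":
    # Constructed sample requests.
    print("vulnerable, forged role cookie:", vulnerable_is_admin({"role": "admin"}))
    sid = create_session("alice", "user")
    print("hardened, forged role cookie:", hardened_is_admin({"sid": sid, "role": "admin"}))
    tok = sign_state({"user": "alice", "role": "user"})
    print("signed state verifies:", verify_state(tok))
    print("tampered state verifies:", verify_state(tamper(tok, {"user": "alice", "role": "admin"})))
```

Two caveats on the signed-state fallback: an HMAC gives integrity, not confidentiality, so the payload is still readable by the client (the Confidentiality consequence above) and must not carry secrets; and a valid old token can be replayed unless the server also tracks expiry or a nonce. That is why the server-side session remains the primary recommendation.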

Related CAPEC attack patterns · 2

  • CAPEC-21: Exploitation of Trusted Identifiers
  • CAPEC-31: Accessing/Intercepting/Modifying HTTP Cookies

References

  1. https://cwe.mitre.org/data/definitions/642.html

Exploits (incoming) · 2

  Type            Target                                                  Confidence   Tier
  AttackPattern   Exploitation of Trusted Identifiers (capec-21)          100%         live
  AttackPattern   Accessing/Intercepting/Modifying HTTP Cookies (capec-31) 100%         live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  • CWE: Exposure of Sensitive Information to an Unauthorized Actor
  • CWE: Exposure of Sensitive System Information to an Unauthorized Control Sphere
  • CWE: Storage of Sensitive Data in a Mechanism without Access Control
  • CWE: Insufficiently Protected Credentials
  • CWE: Insecure Storage of Sensitive Information
  • CWE: Reliance on Untrusted Inputs in a Security Decision

Sourced from MITRE CWE 4.20. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.