CWE-642 Individual Dictionary Definition (Draft 9)

| Field | Content |
|---|---|
| Weakness ID | 642 (Weakness Base) |
| Status | Incomplete |
| Description | Summary: An application manages user state information in a way that can be tampered with by the user of the application to give them an elevated level of access to the data handled by the application and/or its functionality. An application may store user state on the client in a way that enables tampering. For instance, state information can be stored in a cookie, in a hidden web form field, or in some other settings file stored locally. State information may also be passed as a query parameter through the URL, or come in the form of some identifier set by one page in the application and consumed by another to signify state. In each of these cases, chances are that the application user can tamper with the state information. Whenever an application cannot definitively and unambiguously control its own state information and the state information for each of its users, there is insufficient management of user state that may potentially be exploited by attackers. |
| Likelihood of Exploit | High |
| Common Consequences | Elevation of Privilege; Information Disclosure |
| Enabling Factors for Exploitation | (1) The application maintains its own state and/or user state (i.e. the application is stateful). (2) State information can be affected by the user of the application through some means other than the legitimate state transitions (e.g. logging into the system, purchasing an item, making a payment, etc.). (3) The application has no means to detect state tampering and behave in a fail-safe manner. |
| Potential Mitigations | (1) Do not keep state information on the client without using encryption properly or having a mechanism on the server side to catch state tampering. (2) Ensure that the system definitively and unambiguously keeps track of its own state and user state, and has rules defined for legitimate state transitions. (3) Do not allow any application user to affect state directly in any way other than through legitimate actions leading to state transitions. |
| Observed Examples | Reference: (none given). Description: An e-commerce application with a shopping cart uses a hidden form field to store the total price of the items in the cart. There are no additional checks in the server-side code to ensure that the total price is correct given the items in the cart. An attacker can then decide how much they want to pay for the items, modify the hidden form field in the shopping cart to that value, and thus buy the items for a price of their choosing. |
| Relationships | (none given) |
| Applicable Platforms | All |
| Time of Introduction | Architecture and Design; Implementation |
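The following is an added example, not part of the CWE entry, that models both the shopping-cart observed example and the first mitigation. `vulnerable_checkout` charges whatever total the hidden field carries; `hardened_checkout` recomputes the total from a server-side catalog, so the client-supplied total is never a source of truth; `sign_state` / `load_state` show the "mechanism on the server side to catch state tampering" for state that genuinely must round-trip through the client, using an HMAC-SHA256 tag under a server-only key. The catalog, item ids, prices, form layout and key are constructed sample values; the function names are this example's own.

```python
"""Added example (not from the CWE entry): client-controlled state versus
server-validated state, for CWE-642 style weaknesses."""
import hashlib
import hmac
import json
import logging

# Constructed catalog: the only price source the server should trust (cents).
CATALOG = {"book": 1200, "lamp": 3500}

# Constructed secret; in a real deployment this lives in server-side config.
SERVER_KEY = b"constructed-demo-key-not-for-production"


def vulnerable_checkout(form):
    """Weak pattern from the observed example: the total arrives in a hidden
    form field and is charged as submitted, so the client picks the price."""
    return int(form["total"])


def hardened_checkout(form):
    """Mitigation: derive the total on the server from item ids and
    quantities. Any submitted 'total' is at most a display value and is
    ignored here; unknown items or bad quantities fail closed."""
    total = 0
    for item_id, qty in form["items"].items():
        if item_id not in CATALOG:
            raise ValueError(f"unknown item {item_id!r}")
        qty = int(qty)
        if qty < 1:
            raise ValueError("quantity must be positive")
        total += CATALOG[item_id] * qty
    return total


def sign_state(state):
    """Make client-held state tamper-evident: serialise it canonically and
    append an HMAC-SHA256 tag keyed with the server-only secret."""
    payload = json.dumps(state, sort_keys=True, separators=(",", ":"))
    tag = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return payload + "." + tag


def load_state(token):
    """Verify the tag before trusting anything in the state. Returns the
    state dict, or None on any mismatch so the caller fails safe (treats the
    request as carrying no state) and the event is logged for detection."""
    try:
        payload, tag = token.rsplit(".", 1)
    except ValueError:
        logging.warning("client state rejected: malformed token")
        return None
    expected = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        logging.warning("client state rejected: tag mismatch (tampering?)")
        return None
    return json.loads(payload)


if __name__ == "__main__":
    # Constructed request: two items, but the hidden field claims 1 cent.
    form = {"items": {"book": 1, "lamp": 2}, "total": "1"}
    print("vulnerable charges:", vulnerable_checkout(form))   # 1
    print("hardened charges:  ", hardened_checkout(form))     # 8200

    token = sign_state({"user": "alice", "role": "user"})
    print("valid state:", load_state(token))
    forged = token.replace('"role":"user"', '"role":"admin"')
    print("forged state:", load_state(forged))               # None
```

Note that a signed token only proves the server produced it; it does not stop replay of an older valid token, and it says nothing about whether the transition the request asks for is legitimate. Those checks (mitigations 2 and 3 in the entry) still belong in server-side logic that holds the authoritative state.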