
CWE-642 Individual Dictionary Definition (Draft 9)

External Control of User State Data
Weakness ID: 642 (Weakness Base)
Status: Incomplete

Description

Summary

An application manages user state information in a way that lets the user of the application tamper with it and thereby gain an elevated level of access to the data the application handles and/or to its functionality. An application may store user state on the client in a way that enables tampering. For instance, state information can be stored in a cookie, in a hidden web form field, or in some other settings file stored locally. State information may also be passed as a query parameter in the URL, or take the form of an identifier set by one page in the application and consumed by another to signify state. In each of these cases the application user can, in all likelihood, tamper with the state information. Whenever an application cannot definitively and unambiguously control its own state information and the state information of each of its users, user state is insufficiently managed and may be exploited by attackers.

Likelihood of Exploit

High

Common Consequences

Elevation of Privilege

Information Disclosure

Enabling Factors for Exploitation

An application maintains its own state and/or user state (i.e. application is stateful).

State information can be affected by the user of an application through some means other than the legitimate state transitions (e.g. logging into the system, purchasing an item, making a payment, etc.).

An application does not have means to detect state tampering and behave in a fail-safe manner.

Potential Mitigations

Do not keep state information on the client without using encryption properly or having a mechanism on the server side to catch state tampering.

Ensure that the system definitively and unambiguously keeps track of its own state and user state and has rules defined for legitimate state transitions.

Do not allow any application user to affect state directly in any way other than through legitimate actions leading to state transitions.
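The first mitigation above says that state kept on the client needs a server-side mechanism that catches tampering. The following is an added example, not text or code from the CWE entry: the server serializes the state, appends an HMAC-SHA256 tag computed with a key that never leaves the server, and refuses any token whose tag does not verify. The names (seal_state, open_state, TamperedStateError, state_is_trusted), the key and the sample state are constructed for this illustration; the payload stays readable by the client, so this protects integrity, not confidentiality (the entry's "using encryption properly" would be a separate step).

```python
"""Server-side integrity protection for state that must live on the client.

Added example for CWE-642 (not part of the CWE text). The server signs the
serialized state with an HMAC before sending it to the client and rejects any
returned token whose tag does not verify, which is the fail-safe behaviour the
entry asks for. Function names, key and sample state are constructed.
"""
import base64
import binascii
import hashlib
import hmac
import json


class TamperedStateError(Exception):
    """Raised when client-supplied state fails the integrity check."""


def _b64u(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64u(text: str) -> bytes:
    # Restore the padding stripped by _b64u before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def seal_state(state: dict, key: bytes) -> str:
    """Serialize state and append an HMAC-SHA256 tag: "<payload>.<tag>".

    Canonical JSON (sorted keys, no whitespace) makes the signed bytes
    deterministic so the same state always produces the same token.
    """
    payload = json.dumps(state, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64u(payload) + "." + _b64u(tag)


def open_state(token: str, key: bytes) -> dict:
    """Verify the tag and return the state; fail closed on any defect."""
    try:
        payload_b64, tag_b64 = token.split(".", 1)
        payload = _unb64u(payload_b64)
        tag = _unb64u(tag_b64)
    except (ValueError, binascii.Error):
        raise TamperedStateError("malformed state token")
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    # Constant-time comparison: the check itself must not leak tag bytes.
    if not hmac.compare_digest(tag, expected):
        raise TamperedStateError("state integrity check failed")
    return json.loads(payload)


def state_is_trusted(token: str, key: bytes) -> bool:
    """Convenience wrapper: True only if the token verifies under this key."""
    try:
        open_state(token, key)
        return True
    except TamperedStateError:
        return False


def modified_payload_is_detected(key: bytes) -> bool:
    """Detection check: a token whose readable payload was edited on the client
    (here, the role field) but whose tag was left alone must be rejected."""
    original = {"user": "alice", "role": "customer", "cart": ["sku-100"]}
    token = seal_state(original, key)
    payload_b64, tag_b64 = token.split(".", 1)
    edited = json.loads(_unb64u(payload_b64))
    edited["role"] = "admin"  # constructed modification to the client-side copy
    edited_payload = json.dumps(edited, sort_keys=True, separators=(",", ":")).encode()
    edited_token = _b64u(edited_payload) + "." + tag_b64
    return not state_is_trusted(edited_token, key)


if __name__ == "__main__":
    # Constructed server secret; in production it comes from a secret store.
    KEY = b"constructed-server-secret-never-sent-to-client"
    tok = seal_state({"user": "alice", "role": "customer"}, KEY)
    print(tok)
    print("round trip ok:", open_state(tok, KEY) == {"user": "alice", "role": "customer"})
    print("edited payload rejected:", modified_payload_is_detected(KEY))
```

The state remains visible to the client, which is acceptable for something like a shopping-cart identifier but not for data the user must not read; in that case the entry's other condition, proper encryption, applies in addition to the integrity tag, and any value that confers privilege (a role, a price) is still better kept on the server and looked up by identifier.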

Observed Examples
Reference: (not given)
Description: An e-commerce application with a shopping cart uses a hidden form field to store the total price of the items in the cart. There are no additional checks in the server-side code to ensure that the total price is correct given the items in the shopping cart. An attacker can then decide how much they want to pay for the items in the cart and modify the hidden form field with that value, thus buying the items for a price of their choosing.
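The following is an added example, not code from the CWE entry or from any product, illustrating the observed example above and the mitigation "do not allow any application user to affect state directly": a checkout handler that charges whatever the hidden total field says, beside one that recomputes the total from a server-side catalog and treats a disagreeing client total as evidence of tampering rather than silently correcting it. The catalog, prices, form dictionaries and function names are constructed for this illustration.

```python
"""Checkout: trusting a hidden form field vs. recomputing the total server-side.

Added example for CWE-642 (not from the CWE text). checkout_vulnerable() shows
the weakness from the observed example; checkout_hardened() shows the fix.
Catalog, prices and form submissions are constructed sample data.
"""
from decimal import Decimal, InvalidOperation

# Constructed server-side catalog; in a real application this is the database.
CATALOG = {
    "sku-100": Decimal("19.99"),
    "sku-200": Decimal("249.00"),
}


class CheckoutRejected(Exception):
    """Raised when a submission cannot be trusted; the caller logs it and fails safe."""


def checkout_vulnerable(form: dict) -> Decimal:
    """The CWE-642 pattern: the amount charged is the client-controlled hidden field."""
    return Decimal(form["total"])


def server_total(items: dict) -> Decimal:
    """Recompute the price using only server-side data (item ids and quantities)."""
    total = Decimal("0")
    for sku, qty in items.items():
        if sku not in CATALOG:
            raise CheckoutRejected(f"unknown item {sku!r}")
        if not isinstance(qty, int) or qty <= 0:
            raise CheckoutRejected(f"invalid quantity for {sku!r}")
        total += CATALOG[sku] * qty
    return total


def checkout_hardened(form: dict) -> Decimal:
    """Charge the recomputed total; never use the client's total as the amount.

    Comparing the client's value with the server's lets the application detect
    tampering and reject the transaction instead of quietly fixing the number.
    """
    expected = server_total(form["items"])
    if "total" in form:
        try:
            claimed = Decimal(str(form["total"]))
        except InvalidOperation:
            raise CheckoutRejected("unparseable client total")
        if claimed != expected:
            raise CheckoutRejected(f"client total {claimed} != server total {expected}")
    return expected


def hardened_rejects(form: dict) -> bool:
    """True if the hardened handler refuses this submission."""
    try:
        checkout_hardened(form)
        return False
    except CheckoutRejected:
        return True


# Constructed submissions: two of sku-100 and one of sku-200 cost 288.98.
HONEST_FORM = {"items": {"sku-100": 2, "sku-200": 1}, "total": "288.98"}
TAMPERED_FORM = {"items": {"sku-100": 2, "sku-200": 1}, "total": "1.00"}
UNKNOWN_ITEM_FORM = {"items": {"sku-999": 1}, "total": "0.01"}

if __name__ == "__main__":
    print("vulnerable charges:", checkout_vulnerable(TAMPERED_FORM))
    print("hardened charges:", checkout_hardened(HONEST_FORM))
    print("hardened rejects tampered form:", hardened_rejects(TAMPERED_FORM))
```

Removing the hidden field altogether is the simplest fix; keeping it only as a consistency check, as above, gives the server a tampering signal worth logging while the amount itself is always derived from state the user cannot influence.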
Relationships
Nature         Type                         ID   Name
ChildOf        Category                     371  State Issues
ChildOf        Weakness Class               668  Exposure of Resource to Wrong Sphere
IsRequiredBy   Compound Element: Composite  352  Cross-Site Request Forgery (CSRF)
Applicable Platforms

All

Time of Introduction

Architecture and Design

Implementation

Page Last Updated: April 22, 2008