CAPEC-74 - Manipulating User State

An attacker modifies state information maintained by the target software in user-accessible locations. If successful, the target software will use this tainted state information and execute in an unintended manner.

State management is an important function within an application. User state maintained by the application can include usernames, payment information, browsing history as well as application-specific contents such as items in a shopping cart.

Manipulating user state can be employed by an attacker to elevate privilege, conduct fraudulent transactions or otherwise modify the flow of the application to derive certain benefits.






  • Attack Methods 2
  • Analysis
  • Modification of Resources
  • Purposes 1
  • Exploitation
  • Sec Principles 2
  • Reluctance To Trust
  • Never Assuming That Your Secrets Are Safe
  • Scopes 2
  • Gain privileges / assume identity
  • Authorization
  • Access_Control
  • Confidentiality
  • Modify application data
  • Integrity

Medium level: The attacker needs to have knowledge of state management as employed by the target application, and also the ability to manipulate the state in a meaningful way.

No special resources are required. An attacker can choose to use a data tampering tool to aid in the attack.

Analysis: The attacker observes contents of client-side user state variables, stored in cookies or hidden fields or query strings, and modifies them in order to observe their effect on the application.

Treat the Entire Inherited Process Context as Unvalidated Input

Use Well-Known Cryptography Appropriately and Correctly

Step 1 -

Attacker determines the nature of state management employed by the application. This includes determining the location (client-side, server-side or both) and possibly the items stored as part of user state.

Step 1 -

The attacker now tries to modify the user state contents (possibly blindly if the contents are encrypted or otherwise obfuscated) and observe the effects of this change on the application..

Step 1 -

Having determined the information stored in the user state and the possible ways to modify it, the attacker can violate it in order to perform illegitimate actions..

Protect user state that is stored client-side with integrity checks to ensure that a malicious user cannot gain unauthorized access to parts of the application

Authenticate every request to ensure that it is coming from a legitimate user and that the request is a valid one in the current context.

Do not rely solely on user-controllable locations, such as cookies or URL parameters, to maintain user state

Do not store sensitive information, such as usernames or authentication and authorization information, in user-controllable locations.

At all times sensitive information that is part of the user state must be appropriately protected to ensure confidentiality and integrity at each request