CAPEC-77 - Manipulating User-Controlled Variables

This attack targets user-controlled variables (DEBUG=1, PHP globals, and so forth). An attacker can override environment variables by leveraging user-supplied, untrusted query variables that the application server uses directly without any data sanitization. In extreme cases, the attacker can change variables controlling the business logic of the application. For instance, in languages like PHP, a number of poorly set default configurations may allow the user to override variables.

  • Attack Methods: Injection
  • Purposes: Exploitation
  • Scopes:
      • Modify application data (Integrity)
      • Execute unauthorized code or commands (Availability, Integrity, Confidentiality)
      • Read application data (Confidentiality)
      • Gain privileges / assume identity (Authorization, Access_Control, Confidentiality)

Low level: The malicious user can easily try some well-known global variables and find one which matches.

Medium level: The attacker can use automated tools to probe for variables that she can control.

A variable consumed by the application server is exposed to the client.

A variable consumed by the application server can be overwritten by the user.

The application server trusts user-supplied data to compute business logic.

The application server does not perform proper input validation.

The attacker can try to change the value of the variables that are exposed on the webpage's source code and send them back to the application server. Depending on what program is running on the application server, the attacker may know which variables should be targeted.

The malicious user may try to guess a global variable just by black box testing at the request level. For instance, it is possible to create a variable and assign it a value, then pass it along to the request made to the server.

Web penetration tools can be used to automate the discovery of client-controlled global variables.

Global variables used on the server side should not be trusted.

Override of global variables should not be allowed.

Step 1 -

The attacker communicates with the application server using a thin client (browser) or thick client.


Step 1 -

While communicating with the server, the attacker finds that she can control and override a variable consumed by the application server.


Step 1 -

The attacker overrides the variable and influences the normal behavior of the application server.


Do not allow override of global variables and do not trust global variables.
If the register_globals option is enabled, PHP will create global variables for each GET, POST, and cookie variable included in the HTTP request. This means that a malicious user may be able to set variables unexpectedly. For instance, make sure that the PHP server settings do not expose global variables.

A software system should be reluctant to trust variables that have been initialized outside of its trust boundary. Ensure adequate checking is performed when relying on input from outside a trust boundary.

Separate the presentation layer and the business logic layer. Variables at the business logic layer should not be exposed at the presentation layer. This is to prevent computation of business logic from user-controlled input data.

Use encapsulation when declaring your variables. This is to lower the exposure of your variables.

Assume all input is malicious. Create a white list that defines all valid input to the software system based on the requirements specifications. Input that does not match against the white list should be rejected by the program.
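
The following added example (not part of the original entry) contrasts the weak pattern described above, where every request parameter becomes an application variable, with the white-list mitigation. It is written in Python rather than PHP; the variable names, parameter names and sample query string are assumptions constructed for illustration.

```python
from urllib.parse import parse_qs

# Server-side variables that drive business logic (hypothetical names).
SERVER_DEFAULTS = {"debug": False, "is_admin": False, "page": 1, "sort": "date"}

def _page(raw):
    # ASCII digits only, bounded length, bounded range.
    if not (raw.isascii() and raw.isdigit() and len(raw) <= 4):
        raise ValueError("page must be a positive integer")
    value = int(raw)
    if not 1 <= value <= 1000:
        raise ValueError("page out of range")
    return value

def _sort(raw):
    if raw not in ("date", "name", "price"):
        raise ValueError("unknown sort key")
    return raw

# White list: the only parameters a client may set, each with its validator.
ALLOWED_PARAMS = {"page": _page, "sort": _sort}

def unsafe_context(query_string):
    """Weak pattern: every request parameter becomes an application variable."""
    ctx = dict(SERVER_DEFAULTS)
    for name, values in parse_qs(query_string).items():
        ctx[name] = values[-1]  # client input overwrites debug / is_admin
    return ctx

def safe_context(query_string):
    """Hardened pattern: white-listed parameters only, anything else is rejected."""
    ctx = dict(SERVER_DEFAULTS)
    params = parse_qs(query_string, keep_blank_values=True)
    for name, values in params.items():
        if name not in ALLOWED_PARAMS:
            raise ValueError(f"unexpected parameter: {name!r}")
        if len(values) != 1:
            raise ValueError(f"repeated parameter: {name!r}")
        ctx[name] = ALLOWED_PARAMS[name](values[0])
    return ctx

if __name__ == "__main__":
    request = "page=2&debug=1&is_admin=1"  # constructed sample query string
    print("unsafe:", unsafe_context(request))
    try:
        safe_context(request)
    except ValueError as err:
        print("safe: rejected,", err)
```

Rejecting the whole request on an unexpected or repeated parameter, rather than silently dropping it, also gives the server a clear event to log when a client probes for overridable variables.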