logo

CWE-642 - External Control of Critical State Data

CWE-642 High

  • Abstraction:
  • Class
  • Structure:
  • Simple
  • Status:
  • Draft
Weakness Name

External Control of Critical State Data

Description

The product stores security-critical state information about its users, or the product itself, in a location that is accessible to unauthorized actors.

If an attacker can modify the state information without detection, then it could be used to perform unauthorized actions or access unexpected resources, since the application programmer does not expect that the state can be changed. State information can be stored in various locations such as a cookie, in a hidden web form field, input parameter or argument, an environment variable, a database record, within a settings file, etc. All of these locations have the potential to be modified by an attacker. When this state information is used to control security or determine resource usage, then it may create a vulnerability. For example, an application may perform authentication, then save the state in an "authenticated=true" cookie. An attacker may simply create this cookie in order to bypass the authentication.

Common Consequences

Scope: Access Control

Impact: Bypass Protection Mechanism, Gain Privileges or Assume Identity

Notes: An attacker could potentially modify the state in malicious ways. If the state is related to the privileges or level of authentication that the user has, then state modification might allow the user to bypass authentication or elevate privileges.

Scope: Confidentiality

Impact: Read Application Data

Notes: The state variables may contain sensitive information that should not be known by the client.

Scope: Availability

Impact: DoS: Crash, Exit, or Restart

Notes: By modifying state variables, the attacker could violate the application's expectations for the contents of the state, leading to a denial of service due to an unexpected error condition.

Related Weaknesses
Related Alerts
  • Release Date:
  • 2008-01-30
  • Latest Modification Date:
  • 2023-06-29

Free security scan for your website