Name |
Manipulating User-Controlled Variables |
|
Likelyhood of attack |
Typical severity |
High |
Very High |
|
Summary |
This attack targets user controlled variables (DEBUG=1, PHP Globals, and So Forth). An adversary can override variables leveraging user-supplied, untrusted query variables directly used on the application server without any data sanitization. In extreme cases, the adversary can change variables controlling the business logic of the application. For instance, in languages like PHP, a number of poorly set default configurations may allow the user to override variables. |
Prerequisites |
A variable consumed by the application server is exposed to the client. A variable consumed by the application server can be overwritten by the user. The application server trusts user supplied data to compute business logic. The application server does not perform proper input validation. |
Execution Flow |
Step |
Phase |
Description |
Techniques |
1 |
Explore |
[Probe target application] The adversary first probes the target application to determine important information about the target. This information could include types software used, software versions, what user input the application consumes, and so on. |
|
2 |
Experiment |
[Find user-controlled variables] Using the information found by probing the application, the adversary attempts to manipulate many user-controlled variables and observes the effects on the application. If the adversary notices any significant changes to the application, they will know that a certain variable is useful to the application. |
- Adversaries will try to alter many common variable names such as "count", "tempFile", "i", etc. The hope is that they can alter the flow of the application without knowing the inner-workings.
- Adversaries will try to alter known environment variables.
|
3 |
Exploit |
[Manipulate user-controlled variables] Once the adversary has found a user-controller variable(s) that is important to the application, they will manipulate it to change the normal behavior in a way that benefits the adversary. |
|
|
Solutions | If the register_globals option is enabled, PHP will create global variables for each GET, POST, and cookie variable included in the HTTP request. This means that a malicious user may be able to set variables unexpectedly. For instance make sure that the server setting for PHP does not expose global variables. A software system should be reluctant to trust variables that have been initialized outside of its trust boundary. Ensure adequate checking is performed when relying on input from outside a trust boundary. Separate the presentation layer and the business logic layer. Variables at the business logic layer should not be exposed at the presentation layer. This is to prevent computation of business logic from user controlled input data. Use encapsulation when declaring your variables. This is to lower the exposure of your variables. Assume all input is malicious. Create an allowlist that defines all valid input to the software system based on the requirements specifications. Input that does not match against the allowlist should be rejected by the program. |
Related Weaknesses |
CWE ID
|
Description
|
CWE-15 |
External Control of System or Configuration Setting |
CWE-94 |
Improper Control of Generation of Code ('Code Injection') |
CWE-96 |
Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection') |
CWE-285 |
Improper Authorization |
CWE-302 |
Authentication Bypass by Assumed-Immutable Data |
CWE-473 |
PHP External Variable Modification |
CWE-1321 |
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') |
|
Related CAPECS |
CAPEC ID
|
Description
|
CAPEC-22 |
An attack of this type exploits vulnerabilities in client/server communication channel authentication and data integrity. It leverages the implicit trust a server places in the client, or more importantly, that which the server believes is the client. An attacker executes this type of attack by communicating directly with the server where the server believes it is communicating only with a valid client. There are numerous variations of this type of attack. |
|