CAPEC-39: Manipulating Opaque Client-based Data Tokens
ID
CAPEC-39
Typical Severity
Medium
Likelihood Of Attack
High
Status
Draft
In circumstances where an application holds important data client-side in tokens (cookies, URLs, data files, and so forth) that data can be manipulated. If client or server-side application components reinterpret that data as authentication tokens or data (such as store item pricing or wallet information) then even opaquely manipulating that data may bear fruit for an Attacker. In this pattern an attacker undermines the assumption that client side tokens have been adequately protected from tampering through use of encryption or obfuscation.
Weaknesses
| # ID | Name | Type |
|---|---|---|
| CWE-233 | Improper Handling of Parameters | weakness |
| CWE-285 | Improper Authorization | weakness |
| CWE-302 | Authentication Bypass by Assumed-Immutable Data | weakness |
| CWE-315 | Cleartext Storage of Sensitive Information in a Cookie | weakness |
| CWE-353 | Missing Support for Integrity Check | weakness |
| CWE-384 | Session Fixation | weakness |
| CWE-472 | External Control of Assumed-Immutable Web Parameter | weakness |
| CWE-539 | Use of Persistent Cookies Containing Sensitive Information | weakness |
| CWE-565 | Reliance on Cookies without Validation and Integrity Checking | weakness |