CAPEC-77: Manipulating User-Controlled Variables
ID
CAPEC-77
Typical Severity
Very High
Likelihood Of Attack
High
Status
Draft
This attack targets user controlled variables (DEBUG=1, PHP Globals, and So Forth). An adversary can override variables leveraging user-supplied, untrusted query variables directly used on the application server without any data sanitization. In extreme cases, the adversary can change variables controlling the business logic of the application. For instance, in languages like PHP, a number of poorly set default configurations may allow the user to override variables.
Weaknesses
| # ID | Name | Type |
|---|---|---|
| CWE-15 | External Control of System or Configuration Setting | weakness |
| CWE-94 | Improper Control of Generation of Code ('Code Injection') | weakness |
| CWE-96 | Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection') | weakness |
| CWE-285 | Improper Authorization | weakness |
| CWE-302 | Authentication Bypass by Assumed-Immutable Data | weakness |
| CWE-473 | PHP External Variable Modification | weakness |
| CWE-1321 | Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') | weakness |