1. Home
  2. Weaknesses
  3. CWE-472

CWE-472: External Control of Assumed-Immutable Web Parameter

ID CWE-472
Abstraction Base
Structure Simple
Status Draft
Number of CVEs 20
Detail CAPEC Dashboard Vulnerabilities Web & Social
The web application does not sufficiently verify inputs that are assumed to be immutable but are actually externally controllable, such as hidden form fields.

If a web product does not properly protect assumed-immutable values from modification in hidden form fields, parameters, cookies, or URLs, this can lead to modification of critical data. Web applications often mistakenly make the assumption that data passed to the client in hidden fields or cookies is not susceptible to tampering. Improper validation of data that are user-controllable can lead to the application processing incorrect, and often malicious, input.

For example, custom cookies commonly store session data or persistent data across sessions. This kind of session data is normally involved in security related decisions on the server side, such as user authentication and access control. Thus, the cookies might contain sensitive data such as user credentials and privileges. This is a dangerous practice, as it can often lead to improper reliance on the value of the client-provided cookie by the server side application.

Modes of Introduction

Phase Note
Implementation OMISSION: This weakness is caused by missing a security tactic during the architecture and design phase.

Applicable Platforms

Type Class Name Prevalence
Language Not Language-Specific

Relationships

View Weakness
# ID View Status # ID Name Abstraction Structure Status
CWE-1000 Research Concepts Draft CWE-642 External Control of Critical State Data Class Simple Draft
CWE-1000 Research Concepts Draft CWE-471 Modification of Assumed-Immutable Data (MAID) Base Simple Draft

Common Attack Pattern Enumeration and Classification (CAPEC)

The Common Attack Pattern Enumeration and Classification (CAPECâ„¢) effort provides a publicly available catalog of common attack patterns that helps users understand how adversaries exploit weaknesses in applications and other cyber-enabled capabilities.

CAPEC at Mitre.org
# ID Name Weaknesses
CAPEC-31 Accessing/Intercepting/Modifying HTTP Cookies CWE-472
CAPEC-39 Manipulating Opaque Client-based Data Tokens CWE-472
CAPEC-146 XML Schema Poisoning CWE-472
CAPEC-226 Session Credential Falsification through Manipulation CWE-472

CVEs Published

Based on CVE published date

CVSS Severity

CVSS Severity - By Year

CVSS Base Score

# CVE Description CVSS EPSS EPSS Trend (30 days) Affected Products Weaknesses Security Advisories Exploits PoC Pubblication Date Modification Date
# CVE Description CVSS EPSS EPSS Trend (30 days) Affected Products Weaknesses Security Advisories PoC Pubblication Date Modification Date