Difference between revisions of "Setting Manipulation"

From OWASP
Jump to: navigation, search
 
(12 intermediate revisions by 3 users not shown)
Line 1: Line 1:
 
{{Template:Attack}}
 
{{Template:Attack}}
 +
<br>
 +
[[Category:OWASP ASDR Project]]
 +
 +
 +
Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''
  
 
==Description==
 
==Description==
 +
This attack aims to modify application settings in order to cause misleading data or advantages on the attacker's behalf. He may manipulate values in the system and manage specific user resources of the application or affect its functionalities.
 +
 +
An attacker can exploit several functionalities of the application using this attack technique, but it would not possible to describe all the ways of exploration, due to innumerable options that attacker may use to control the system values. 
 +
 +
Using this attack technique, it is possible to manipulate settings by changing the application functions, such as calls to the database, blocking access to external libraries, and/or modification log files.
 +
 +
== Risk Factors==
 +
TBD
 +
 +
 +
==Example==
 +
 +
===Example 1 ===
 +
 +
An attacker needs to identify the variables without input validation or those improperly encapsulated to obtain success in the attack.
 +
 +
The following example was based on those found in the Individual CWE Dictionary Definition (Setting Manipulation-15).
 +
 +
Consider the following piece of Java code:
 +
  …
 +
  conn.setCatalog(request.getParameter(“catalog”));
 +
  ...
 +
 +
This fragment reads the string “catalog” from “HttpServletRequest” and sets it as the active catalog for a database connection. An attacker could manipulate this information and cause a connection error or unauthorized access to other catalogs.
  
Attackers manipulate the settings of the system to cause the application to behave in unexpected ways.
+
===Example 2 – Block Access to Libraries ===
  
NOTE: The title was originally from [[CVE|http://www.cve.mitre.org/]] and was intended to be used for a vulnerability. We believe this title is more appropriate for an attack. The corresponding vulnerability is [[Allowing External Setting Manipulation]]
+
The attacker has the privileges to block application access to external libraries to execute this attack. It is necessary to discover what external libraries are accessed by the application and block them. The attacker needs to observe if the behavior of the system goes into an insecure/inconsistent state.
  
==Examples ==
+
In this case the application uses a third party cryptographic random number generation library to generate user Session IDs. An attacker may block access to this library by renaming it.
 +
Then the application will use the weak pseudo random number generation library. The attacker can use this weakness to predict the Session ID user; he/she attempts to perform elevation of privilege escalation and gains access to the user's account.
  
* An application takes a user-controllable parameter in the HTTP request to decide whether to turn on the debug mode.
+
For more details about this attack, see:
 +
http://capec.mitre.org/data/definitions/96.html
  
* The serialized object that stores the current system status can be overwritten by user input.
+
==Related [[Threat Agents]]==
 +
* [[:Category: Logical Attacks]]
  
==Related Threats==
+
==Related [[Attacks]]==
 +
* [[Denial of Service]]
  
==Related Attacks==
+
==Related [[Vulnerabilities]]==
 +
* [[:Category:General Logic Error Vulnerability]]
  
==Related Vulnerabilities==
+
==Related [[Controls]]==
 +
* [[:Category: Error Handling]]
  
[[Allowing External Setting Manipulation]]
+
==References==
 +
* http://cwe.mitre.org/data/definitions/15.html - Setting Manipulation
 +
* http://capec.mitre.org/data/definitions/13.html - Subverting Environment Variable Values
 +
* http://capec.mitre.org/data/definitions/96.html - Block Access to Libraries
  
==Related Countermeasures==
 
  
==Categories==
+
[[Category: Resource Manipulation]]
  
{{Template:Stub}}
+
[[Category: Attack]]

Latest revision as of 06:50, 23 April 2009

This is an Attack. To view all attacks, please see the Attack Category page.




Last revision (mm/dd/yy): 04/23/2009

Description

This attack aims to modify application settings in order to cause misleading data or advantages on the attacker's behalf. He may manipulate values in the system and manage specific user resources of the application or affect its functionalities.

An attacker can exploit several functionalities of the application using this attack technique, but it would not possible to describe all the ways of exploration, due to innumerable options that attacker may use to control the system values.

Using this attack technique, it is possible to manipulate settings by changing the application functions, such as calls to the database, blocking access to external libraries, and/or modification log files.

Risk Factors

TBD


Example

Example 1

An attacker needs to identify the variables without input validation or those improperly encapsulated to obtain success in the attack.

The following example was based on those found in the Individual CWE Dictionary Definition (Setting Manipulation-15).

Consider the following piece of Java code:

 …
 conn.setCatalog(request.getParameter(“catalog”));
 ...

This fragment reads the string “catalog” from “HttpServletRequest” and sets it as the active catalog for a database connection. An attacker could manipulate this information and cause a connection error or unauthorized access to other catalogs.

Example 2 – Block Access to Libraries

The attacker has the privileges to block application access to external libraries to execute this attack. It is necessary to discover what external libraries are accessed by the application and block them. The attacker needs to observe if the behavior of the system goes into an insecure/inconsistent state.

In this case the application uses a third party cryptographic random number generation library to generate user Session IDs. An attacker may block access to this library by renaming it. Then the application will use the weak pseudo random number generation library. The attacker can use this weakness to predict the Session ID user; he/she attempts to perform elevation of privilege escalation and gains access to the user's account.

For more details about this attack, see: http://capec.mitre.org/data/definitions/96.html

Related Threat Agents

Related Attacks

Related Vulnerabilities

Related Controls

References