In circumstances where an application holds important data client-side in tokens (cookies, URLs, data files, and so forth) that data can be manipulated. If client or server-side application components reinterpret that data as authentication tokens or data (such as store item pricing or wallet information) then even opaquely manipulating that data may bear fruit for an Attacker. In this pattern an attacker undermines the assumption that client side tokens have been adequately protected from tampering through use of encryption or obfuscation.
Description
Attack Execution Flow
4
1
Step 1
Explore[Enumerate information passed to client side] The attacker identifies the parameters used as part of tokens to take business or security decisions
Use WebScarab to reveal hidden fields while browsing.
Use a sniffer to capture packets
View source of web page to find hidden fields
Examine URL to see if any opaque tokens are in it
Disassemble or decompile client-side application
Use debugging tools such as File Monitor, Registry Monitor, Debuggers, etc.
AI Translation
[Enumerate information passed to client side] L'attaccante identifica i parametri utilizzati come parte dei token per prendere decisioni di business o di sicurezza
Utilizza WebScarab per rivelare campi nascosti durante la navigazione.
Usa un sniffer per catturare i pacchetti
Visualizza il codice sorgente della pagina web per trovare campi nascosti
Esamina l'URL per verificare se contiene token opachi
Disassemblare o decompilare l'applicazione lato client
Utilizza strumenti di debugging come File Monitor, Registry Monitor, Debugger, ecc.
Attack Techniques
-
Use WebScarab to reveal hidden fields while browsing.
-
Use a sniffer to capture packetsIT: Utilizza WebScarab per rivelare campi nascosti durante la navigazione.
-
View source of web page to find hidden fieldsIT: Utilizza WebScarab per rivelare campi nascosti durante la navigazione.
-
Examine URL to see if any opaque tokens are in itIT: Utilizza WebScarab per rivelare campi nascosti durante la navigazione.
-
Disassemble or decompile client-side applicationIT: Utilizza WebScarab per rivelare campi nascosti durante la navigazione.
-
Use debugging tools such as File Monitor, Registry Monitor, Debuggers, etc.IT: Utilizza WebScarab per rivelare campi nascosti durante la navigazione.
2
Step 2
Explore[Determine protection mechanism for opaque token] The attacker determines the protection mechanism used to protect the confidentiality and integrity of these data tokens. They may be obfuscated or a full blown encryption may be used.
Look for signs of well-known character encodings
Look for cryptographic signatures
Look for delimiters or other indicators of structure
AI Translation
[Determina il meccanismo di protezione per token opachi] L'attaccante individua il meccanismo di protezione utilizzato per garantire la riservatezza e l'integrità di questi token di dati. Potrebbero essere offuscati o potrebbe essere utilizzata una crittografia completa.
Cerca segni di codifiche di caratteri note
Cerca firme crittografiche
Cerca delimitatori o altri indicatori di struttura
Attack Techniques
-
Look for cryptographic signatures
-
Look for signs of well-known character encodingsIT: Cerca firme crittografiche
-
Look for delimiters or other indicators of structureIT: Cerca firme crittografiche
3
Step 3
Experiment[Modify parameter/token values] Trying each parameter in turn, the attacker modifies the values
Modify tokens logically
Modify tokens arithmetically
Modify tokens bitwise
Modify structural components of tokens
Modify order of parameters/tokens
AI Translation
[Modifica dei valori di parametro/token] Provare ogni parametro a turno, l'attaccante modifica i valori
Modifica dei token in modo logico
Modifica dei token in modo aritmetico
Modifica dei token a livello bitwise
Modifica dei componenti strutturali dei token
Modifica dell'ordine di parametri/token
Attack Techniques
-
Modify tokens logically
-
Modify tokens bitwiseIT: Modifica i token in modo logico
-
Modify order of parameters/tokensIT: Modifica i token in modo logico
-
Modify tokens arithmeticallyIT: Modifica i token in modo logico
-
Modify structural components of tokensIT: Modifica i token in modo logico
4
Step 4
Experiment[Cycle through values for each parameter.] Depending on the nature of the application, the attacker now cycles through values of each parameter and observes the effects of this modification in the data returned by the server
Use network-level packet injection tools such as netcat
Use application-level data modification tools such as Tamper Data, WebScarab, TamperIE, etc.
Use modified client (modified by reverse engineering)
Use debugging tools to modify data in client
AI Translation
[Scorri tra i valori per ogni parametro.] A seconda della natura dell'applicazione, l'attaccante cicla ora tra i valori di ogni parametro e osserva gli effetti di questa modifica sui dati restituiti dal server
Utilizza strumenti di injection di pacchetti a livello di rete come netcat
Utilizza strumenti di modifica dei dati a livello applicativo come Tamper Data, WebScarab, TamperIE, ecc.
Utilizza client modificato (modificato tramite reverse engineering)
Utilizza strumenti di debug per modificare i dati nel client
Attack Techniques
-
Use network-level packet injection tools such as netcat
-
Use modified client (modified by reverse engineering)IT: Utilizza strumenti di injection di pacchetti a livello di rete come netcat
-
Use debugging tools to modify data in clientIT: Utilizza strumenti di injection di pacchetti a livello di rete come netcat
-
Use application-level data modification tools such as Tamper Data, WebScarab, TamperIE, etc.IT: Utilizza strumenti di injection di pacchetti a livello di rete come netcat
Mitigations
4
Make Sure That All Session Tokens Use A Good Source Of Randomness
Make Sure To Protect Client Side Authentication Tokens For Confidentiality (Encryption) And Integrity (Signed Hash)
One Solution To This Problem Is To Protect Encrypted Data With A Crc Of Some Sort. If Knowing Who Last Manipulated The Data Is Important, Then Using A Cryptographic "Message Authentication Code" (Or Hmac) Is Prescribed. However, This Guidance Is Not A Panacea. In Particular, Any Value Created By (And Therefore Encrypted By) The Client, Which Itself Is A "Malicious" Value, All The Protective Cryptography In The World Can'T Make The Value 'Correct' Again. Put Simply, If The Client Has Control Over The Whole Process Of Generating And Encoding The Value, Then Simply Protecting Its Integrity Doesn'T Help.
Perform Validation On The Server Side To Make Sure That Client Side Data Tokens Are Consistent With What Is Expected.
Consequences
Security Scopes Affected
Access Control
Authorization
Confidentiality
Integrity
Potential Impacts
Gain Privileges
Modify Data
Relationships
Parent CAPECs
Resources Required
1
The Attacker needs no special hardware-based resources in order to conduct this attack. Software plugins, such as Tamper Data for Firefox, may help in manipulating URL- or cookie-based data.