This attack targets user controlled variables (DEBUG=1, PHP Globals, and So Forth). An adversary can override variables leveraging user-supplied, untrusted query variables directly used on the application server without any data sanitization. In extreme cases, the adversary can change variables controlling the business logic of the application. For instance, in languages like PHP, a number of poorly set default configurations may allow the user to override variables.
Description
Attack Execution Flow
3
1
Step 1
Explore[Probe target application] The adversary first probes the target application to determine important information about the target. This information could include types software used, software versions, what user input the application consumes, and so on.
AI Translation
[Probe target application] L'avversario esegue prima un probing dell'applicazione target per determinare informazioni importanti sul bersaglio. Queste informazioni potrebbero includere i tipi di software utilizzati, le versioni del software, quali input dell'utente l'applicazione riceve, e così via.
2
Step 2
Experiment[Find user-controlled variables] Using the information found by probing the application, the adversary attempts to manipulate many user-controlled variables and observes the effects on the application. If the adversary notices any significant changes to the application, they will know that a certain variable is useful to the application.
Adversaries will try to alter many common variable names such as 'count', 'tempFile', 'i', etc. The hope is that they can alter the flow of the application without knowing the inner-workings.
Adversaries will try to alter known environment variables.
AI Translation
[Trova variabili controllate dall'utente] Utilizzando le informazioni ottenute tramite il probing dell'applicazione, l'attaccante tenta di manipolare molte variabili controllate dall'utente e osserva gli effetti sull'applicazione. Se l'attaccante nota cambiamenti significativi nell'applicazione, saprà che una certa variabile è utile per l'applicazione.
Gli attaccanti cercheranno di alterare molti nomi di variabili comuni come "count", "tempFile", "i", ecc. La speranza è di poter modificare il flusso dell'applicazione senza conoscere il funzionamento interno.
Gli attaccanti tenteranno di modificare variabili di ambiente note.
Attack Techniques
-
Adversaries will try to alter many common variable names such as "count", "tempFile", "i", etc. The hope is that they can alter the flow of the application without knowing the inner-workings.
-
Adversaries will try to alter known environment variables.IT: Gli avversari tenteranno di modificare molti nomi di variabili comuni come "count", "tempFile", "i", ecc. L'obiettivo è poter alterare il flusso dell'applicazione senza conoscere il funzionamento interno.
3
Step 3
Exploit[Manipulate user-controlled variables] Once the adversary has found a user-controller variable(s) that is important to the application, they will manipulate it to change the normal behavior in a way that benefits the adversary.
AI Translation
[Manipolare variabili controllate dall'utente] Una volta che l'attaccante ha individuato una o più variabili controllate dall'utente rilevanti per l'applicazione, le manipolerà per modificare il comportamento normale in modo da favorire l'attaccante.
Mitigations
5
Do Not Allow Override Of Global Variables And Do Not Trust Global Variables. If The Register_Globals Option Is Enabled, Php Will Create Global Variables For Each Get, Post, And Cookie Variable Included In The Http Request. This Means That A Malicious User May Be Able To Set Variables Unexpectedly. For Instance Make Sure That The Server Setting For Php Does Not Expose Global Variables.
Separate The Presentation Layer And The Business Logic Layer. Variables At The Business Logic Layer Should Not Be Exposed At The Presentation Layer. This Is To Prevent Computation Of Business Logic From User Controlled Input Data.
A Software System Should Be Reluctant To Trust Variables That Have Been Initialized Outside Of Its Trust Boundary. Ensure Adequate Checking Is Performed When Relying On Input From Outside A Trust Boundary.
Use Encapsulation When Declaring Your Variables. This Is To Lower The Exposure Of Your Variables.
Assume All Input Is Malicious. Create An Allowlist That Defines All Valid Input To The Software System Based On The Requirements Specifications. Input That Does Not Match Against The Allowlist Should Be Rejected By The Program.
Consequences
Security Scopes Affected
Access Control
Authorization
Availability
Confidentiality
Integrity
Potential Impacts
Execute Unauthorized Commands
Gain Privileges
Modify Data
Read Data
Indicators
1
A web penetration tool probing a web server may generate abnormal activities recorded on log files. Abnormal traffic such as a high number of request coming from the same client may also rise the warnings from a monitoring system or an intrusion detection tool.