This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit

Difference between revisions of "Repudiation Attack"

Jump to: navigation, search
(Reverting to last version not containing links to
Line 1: Line 1:

Revision as of 18:29, 27 May 2009

This is an Attack. To view all attacks, please see the Attack Category page.

Last revision (mm/dd/yy): 05/27/2009


A repudiation attack happens when an application or system does not adopt controls to properly track and log users' actions, thus permitting malicious manipulation or forging the identification of new actions. This attack can be used to change the authoring information of actions executed by a malicious user in order to log wrong data to log files. Its usage can be extended to general data manipulation in the name of others, in a similar manner as spoofing mail messages. If this attack takes place, the data stored on log files can be considered invalid or misleading.

Risk Factors



Consider a web application that makes access control and authorization based on SESSIONID, but registers user actions based on a user parameter defined on the Cookie header, as follows:

 POST http://someserver/Upload_file.jsp HTTP/1.1
 Host: tequila:8443
 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:   
 Gecko/20070515 Firefox/
 Accept-Language: en-us,en;q=0.5
 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
 Keep-Alive: 300
 Connection: keep-alive
 Referer: http://someserver/uploads.jsp
 Cookie: JSESSIONID=EE3BD1E764CD6EED280426128201131C;  
 Content-Type: multipart/form-data; boundary=--------------------------- 
 Content-Length: 321

And the log file is composed by:

Date, Time, Source IP, Source port, Request, User

Once user information is acquired from user parameter on HTTP header, a malicious user could make use of a local proxy (eg:paros) and change it by a known or unknown username.

Related Threat Agents

Related Attacks

Related Vulnerabilities

Related Controls