This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "Setting Manipulation"

(Added contents from Fortify.)

Wikitext removed from the previous revision:

==Abstract==

Allowing external control of system settings can disrupt service or cause an application to behave in unexpected ways.

==Description==

Setting manipulation vulnerabilities occur when an attacker can control values that govern the behavior of the system, manage specific resources, or in some way affect the functionality of the application.

Because setting manipulation covers a diverse set of functions, any attempt at illustrating it will inevitably be incomplete. Rather than searching for a tight-knit relationship between the functions addressed in the setting manipulation category, take a step back and consider the sorts of system values that an attacker should not be allowed to control.

NOTE: The title was originally from [Fortify http://vulncat.fortifysoftware.com/] and was intended to be used for a vulnerability. We believe this title is more appropriate for an attack. The corresponding vulnerability is [[Allowing External Setting Manipulation]]

==Examples ==

===Example1===

The following C# code reads a number from an HttpRequest and resizes a sorted list in preparation for copying the specified number of items into the list.

 ...
 list.set_Capacity((int)Request.get_Item("numItems"));
 ...

The code in this example resizes a SortedList of items based on a value read from an HttpRequest. If an attacker provides a malicious value for numItems, the list may be truncated or extended beyond a reasonable size (potentially creating a low memory condition.)

In general, do not allow user-provided or otherwise untrusted data to control sensitive values. The leverage that an attacker gains by controlling these values is not always immediately obvious, but do not underestimate the creativity of your attacker.

===Example2===

An application takes a user-controllable parameter in the HTTP request to decide whether to turn on the debug mode.

==Example3==

The serialized object that stores the current system status can be overwritten by user input.

==Related Vulnerabilities==

[[Allowing External Setting Manipulation]]
[[:Category:Input Validation Vulnerability]]

==Related Countermeasures==

[[:Category:Input Validation]]

==Categories==

[[Category:C]]
[[Category:Code Snippet]]

Wikitext added in this revision:

{{Template:Fortify}}

==Description==

This attack aims to modify application settings in order to cause data misleading or advantages on user behalf. He may manipulate values in the system and manages specific resources user by application or affects its functionalities.

An attacker can exploit several functionalities of the application using this attack technique, but it would not possible to describe all the ways of exploration, due to innumerable options that attacker may use to control the system values.

Using this attack technique, it is possible to manipulate settings by changing the application functions, such as calls to the database, blocking access to external libraries and/or modification log files.

==Example==

===Example1 ===

An attacker needs to identify the variables without input validation or improperly encapsulated to obtain success in the attack.

The following example was based on the ones found in the Individual CWE Dictionary Definition (Setting Manipulation-15).

Consider the following piece of Java code:

 …
 conn.setCatalog(request.getParameter(“catalog”));
 ...

This fragment reads the string “catalog” from “HttpServletRequest” and sets it as the active catalog for a database connection. An attacker could manipulate this information and cause connection error or unauthorized access to other catalogs.

===Example 2 – Block Access to Libraries ===

The attacker has the privileges to block application access to external libraries to execute this attack. It is necessary discover what external libraries are accessed by application and block it. The attacker needs to observe if behavior of the system goes into an insecure/inconsistent state.

In this case the application uses a third party cryptographic random number generation library that used in generation of user session ids. An attacker may block to access this library by renaming it.
Then an application will be use the weak pseudo random number generation library. The attacker can use this weakness to predict the session id user, he/she attempts to perform elevation of privilege escalation and gains access user’s account.

For more details about this attack, see:
http://capec.mitre.org/data/definitions/96.html

==External References==

http://cwe.mitre.org/data/definitions/15.html - Setting Manipulation

http://capec.mitre.org/data/definitions/13.html - Subverting Environment Variable Values

http://capec.mitre.org/data/definitions/96.html - Block Access to Libraries

==Related Threats==

[[:Category: Logical Attacks]]

==Related Attacks==

*[[Denial of Service]]

==Related Vulnerabilities==

* [[:Category:Input General Logic Error Vulnerability]]

==Related Countermeasures==

*[[:Category: Error Handling]]

==Categories==

[[:Category: Resource Manipulation]]
 

Revision as of 13:01, 30 October 2007

This is an Attack. To view all attacks, please see the Attack Category page.


Description

This attack aims to modify application settings in order to mislead the application about its data or to gain an advantage for the attacker. The attacker may manipulate values in the system, manage specific resources used by the application, or affect its functionality.

An attacker can exploit several functionalities of the application using this technique, but it is not possible to describe every way it can be exploited, because there are innumerable options an attacker may use to control system values.

Using this technique, it is possible to manipulate settings that change how the application functions, for example its calls to the database, its access to external libraries (by blocking it) and/or its log files (by modifying them).


Example

Example1

To succeed, an attacker needs to identify variables that lack input validation or are improperly encapsulated.

The following example is based on the ones found in the Individual CWE Dictionary Definition (Setting Manipulation, CWE-15).

Consider the following piece of Java code:

 …
 // the request parameter is used directly as the connection's active catalog
 conn.setCatalog(request.getParameter("catalog"));
 ...

This fragment reads the request parameter "catalog" from the HttpServletRequest and sets it as the active catalog for a database connection. An attacker could manipulate this value and cause a connection error or gain unauthorized access to other catalogs.
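As an added example (not code from the OWASP page or from Fortify), the following Python mirrors the Java setCatalog() fragment above together with the previous revision's C# numItems and debug-mode examples, showing the unvalidated form beside a hardened one: the catalog must come from a fixed allow-list, the list capacity is parsed and bounded, and debug mode is read from deployment configuration rather than from the request. DatabaseConnection, ALLOWED_CATALOGS, MAX_ITEMS and the sample parameter values are assumptions constructed for the example.

```python
# Added example, not code from the OWASP page or from Fortify.
# DatabaseConnection, ALLOWED_CATALOGS, MAX_ITEMS and the parameter values
# are assumptions constructed for this illustration.
from dataclasses import dataclass

# Constructed allow-list: the only catalogs a request may select.
ALLOWED_CATALOGS = frozenset({"sales", "inventory", "reports"})
DEFAULT_CATALOG = "sales"
# Constructed upper bound for a list capacity driven by a request value.
MAX_ITEMS = 1000


class SettingManipulationError(ValueError):
    """Raised when an untrusted value is rejected as a sensitive setting."""


@dataclass
class DatabaseConnection:
    """Stand-in for java.sql.Connection: only records the active catalog."""
    catalog: str = DEFAULT_CATALOG

    def set_catalog(self, name: str) -> None:
        self.catalog = name


def vulnerable_select_catalog(conn: DatabaseConnection, params: dict) -> str:
    # Equivalent of conn.setCatalog(request.getParameter("catalog")):
    # whatever the client sends becomes the active catalog.
    conn.set_catalog(params["catalog"])
    return conn.catalog


def hardened_select_catalog(conn: DatabaseConnection, params: dict) -> str:
    # A request may only pick a catalog that is on the allow-list; a missing
    # parameter falls back to the default, anything else is rejected.
    requested = params.get("catalog", DEFAULT_CATALOG)
    if requested not in ALLOWED_CATALOGS:
        raise SettingManipulationError(f"catalog {requested!r} is not permitted")
    conn.set_catalog(requested)
    return conn.catalog


def hardened_list_capacity(params: dict) -> int:
    # Equivalent of list.set_Capacity((int)Request.get_Item("numItems")),
    # but the value is parsed explicitly and bounded to 0..MAX_ITEMS so the
    # client cannot force an oversized allocation.
    raw = params.get("numItems", "0")
    try:
        value = int(raw)
    except (TypeError, ValueError):
        raise SettingManipulationError(f"numItems {raw!r} is not an integer") from None
    if not 0 <= value <= MAX_ITEMS:
        raise SettingManipulationError(f"numItems {value} is outside 0..{MAX_ITEMS}")
    return value


def debug_mode_enabled(config: dict, _request_params: dict) -> bool:
    # Debug mode is a deployment setting: it is read from configuration only,
    # so a "?debug=true" query parameter has no effect.
    return bool(config.get("debug", False))


def rejects(func, *args) -> bool:
    """True when func(*args) raises SettingManipulationError."""
    try:
        func(*args)
    except SettingManipulationError:
        return True
    return False


if __name__ == "__main__":
    conn = DatabaseConnection()
    print(vulnerable_select_catalog(conn, {"catalog": "other_catalog"}))  # client's choice wins
    print(rejects(hardened_select_catalog, conn, {"catalog": "other_catalog"}))  # True
    print(hardened_list_capacity({"numItems": "25"}))  # 25
```

The design point is that each setting has a narrow, explicit domain (a fixed set of names, a bounded integer, a configuration-only flag) and the request can at most pick a value from that domain; it never supplies the domain itself.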


Example 2 – Block Access to Libraries

To execute this attack, the attacker needs privileges sufficient to block the application's access to external libraries. The attacker must discover which external libraries the application accesses and block them, then observe whether the system's behavior enters an insecure or inconsistent state.

In this case the application uses a third-party cryptographic random number generation library to generate user session IDs. An attacker may block access to this library by renaming it. The application then falls back to a weak pseudo-random number generation library. The attacker can use this weakness to predict a user's session ID, escalate privileges and gain access to that user's account.

For more details about this attack, see: http://capec.mitre.org/data/definitions/96.html
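As an added example (Python, not code from the OWASP page), the following shows the defensive side of the scenario above: a session-ID source that fails closed when the expected cryptographic library cannot be loaded, instead of silently degrading to a weak PRNG, plus a manifest check that detects a renamed or replaced library file. The module name secrets is Python's standard-library CSPRNG; the missing-module name and the sample bytes used in the checks are constructed for the example.

```python
# Added example, not code from the OWASP page. The module name "secrets" is
# Python's standard-library CSPRNG; the missing-module name and the sample
# file contents used in the checks are constructed for this illustration.
import hashlib
import importlib
import random
from typing import Callable, Optional


class StrongRandomUnavailable(RuntimeError):
    """The expected cryptographic random source could not be loaded."""


def load_session_id_generator(module_name: str = "secrets",
                              allow_weak_fallback: bool = False) -> Callable[[], str]:
    """Return a function producing 32-hex-digit (128-bit) session IDs.

    A library that has been renamed or blocked surfaces here as ImportError.
    The safe behaviour is to refuse to issue session IDs at all; the weak
    fallback exists only to show the degradation the page describes.
    """
    try:
        module = importlib.import_module(module_name)
    except ImportError as exc:
        if allow_weak_fallback:
            # Mersenne Twister output is predictable from observed values,
            # so IDs from this path are guessable.
            return lambda: "%032x" % random.getrandbits(128)
        raise StrongRandomUnavailable(
            f"{module_name} is not loadable; refusing to issue session IDs") from exc
    return lambda: module.token_hex(16)


def strong_source_available(module_name: str = "secrets") -> bool:
    """Startup self-check: True only if the strong source actually loads."""
    try:
        load_session_id_generator(module_name)
    except StrongRandomUnavailable:
        return False
    return True


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def library_matches_manifest(library_bytes: Optional[bytes], expected_sha256: str) -> bool:
    """Compare a library's contents with the digest recorded at deployment.

    library_bytes is None when the file is missing (for example, renamed);
    a replaced library fails the digest comparison.
    """
    if library_bytes is None:
        return False
    return sha256_hex(library_bytes) == expected_sha256


def read_library(path: str) -> Optional[bytes]:
    """Read the library file, returning None if it is absent."""
    try:
        with open(path, "rb") as fh:
            return fh.read()
    except FileNotFoundError:
        return None


if __name__ == "__main__":
    generate = load_session_id_generator()
    print("session id:", generate())
    print("strong source:", strong_source_available())
    print("after blocking:", strong_source_available("constructed_missing_crypto_lib"))
```

Run the self-check at startup and treat a False result as a deployment failure; an application that keeps serving with a substituted random source gives the attacker exactly the inconsistent state the text describes.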


External References

http://cwe.mitre.org/data/definitions/15.html - Setting Manipulation

http://capec.mitre.org/data/definitions/13.html - Subverting Environment Variable Values

http://capec.mitre.org/data/definitions/96.html - Block Access to Libraries


Related Threats

Category: Logical Attacks


Related Attacks


Related Vulnerabilities


Related Countermeasures


Categories

Category: Resource Manipulation