This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Setting Manipulation

From OWASP
Revision as of 00:35, 14 September 2008 by KirstenS (talk | contribs)

Jump to: navigation, search
This is an Attack. To view all attacks, please see the Attack Category page.

ASDR Table of Contents

Description

This attack aims to modify application settings in order to cause data misleading or advantages on user behalf. He may manipulate values in the system and manages specific resources user by application or affects its functionalities.

An attacker can exploit several functionalities of the application using this attack technique, but it would not possible to describe all the ways of exploration, due to innumerable options that attacker may use to control the system values.

Using this attack technique, it is possible to manipulate settings by changing the application functions, such as calls to the database, blocking access to external libraries and/or modification log files.

Risk Factors

TBD


Example

Example 1

An attacker needs to identify the variables without input validation or improperly encapsulated to obtain success in the attack.

The following example was based on the ones found in the Individual CWE Dictionary Definition (Setting Manipulation-15).

Consider the following piece of Java code:

 …
 conn.setCatalog(request.getParameter(“catalog”));
 ...

This fragment reads the string “catalog” from “HttpServletRequest” and sets it as the active catalog for a database connection. An attacker could manipulate this information and cause connection error or unauthorized access to other catalogs.


Example 2 – Block Access to Libraries

The attacker has the privileges to block application access to external libraries to execute this attack. It is necessary discover what external libraries are accessed by application and block it. The attacker needs to observe if behavior of the system goes into an insecure/inconsistent state.

In this case the application uses a third party cryptographic random number generation library that used in generation of user session ids. An attacker may block to access this library by renaming it. Then an application will be use the weak pseudo random number generation library. The attacker can use this weakness to predict the session id user, he/she attempts to perform elevation of privilege escalation and gains access user’s account.

For more details about this attack, see: http://capec.mitre.org/data/definitions/96.html

Related Threat Agents

Related Attacks

Related Vulnerabilities

Related Controls

References