Dettaglio CAPEC-140

CAPEC-140

Bypassing of Intermediate Forms in Multiple-Form Sets
Medio
Draft
2014-06-23
00h00 +00:00
2020-07-30
00h00 +00:00
CAPEC Mitre.org
Avviso per un CAPEC specifico
Rimani informato su qualsiasi modifica relativa a un CAPEC specifico.
Gestione notifiche

Descrizioni CAPEC

Some web applications require users to submit information through an ordered sequence of web forms. This is often done if there is a very large amount of information being collected or if information on earlier forms is used to pre-populate fields or determine which additional information the application needs to collect. An attacker who knows the names of the various forms in the sequence may be able to explicitly type in the name of a later form and navigate to it without first going through the previous forms. This can result in incomplete collection of information, incorrect assumptions about the information submitted by the attacker, or other problems that can impair the functioning of the application.

Informazioni CAPEC

Prerequisiti

The target must collect information from the user in a series of forms where each form has its own URL that the attacker can anticipate and the application must fail to detect attempts to access intermediate forms without first filling out the previous forms.

Risorse richieste

None: No specialized resources are required to execute this type of attack.

Vulnerabilità correlate

CWE-ID Nome della vulnerabilità

CWE-372

 Incomplete Internal State Distinction
The product does not properly determine which state it is in, causing it to assume it is in state X when in fact it is in state Y, causing it to perform incorrect operations in a security-relevant manner.

Invio

Nome Organizzazione Data Data di rilascio
CAPEC Content Team The MITRE Corporation 2014-06-23 +00:00

Modifiche

Nome Organizzazione Data Commento
CAPEC Content Team The MITRE Corporation 2017-08-04 +00:00 Updated Resources_Required
CAPEC Content Team The MITRE Corporation 2019-04-04 +00:00 Updated Related_Weaknesses
CAPEC Content Team The MITRE Corporation 2020-07-30 +00:00 Updated Related_Attack_Patterns
Le informazioni presentate su CVE Find provengono da diverse fonti di riferimento attentamente selezionate. I dati CVE sono forniti da MITRE Corporation e dal National Vulnerability Database (NVD). Il catalogo delle vulnerabilità sfruttate conosciute (KEV) proviene dalla Cybersecurity and Infrastructure Security Agency (CISA), mentre i punteggi EPSS provengono da FIRST.org. Inoltre, i dati relativi alle vulnerabilità software (CWE) e ai pattern di attacco comuni (CAPEC) sono mantenuti da MITRE Corporation, e le informazioni sulle configurazioni hardware e software (CPE) sono fornite da NVD.