CWE-472: External Control of Assumed-Immutable Web Parameter
Learn about CWE-472 (External Control of Assumed-Immutable Web Parameter), its security impact, exploitation methods, and prevention guidelines.
What is External Control of Assumed-Immutable Web Parameter?
• Overview: This vulnerability occurs when web applications fail to properly verify inputs that are assumed to be immutable, such as hidden form fields, cookies, or URL parameters, allowing attackers to modify critical data.
• Exploitation Methods:
- Attackers can manipulate hidden form fields or cookies to alter application behavior.
- Common techniques include intercepting and modifying HTTP requests using tools like Burp Suite or Fiddler.
• Security Impact:
- Direct consequences include unauthorized actions, such as privilege escalation or unauthorized transactions.
- Potential cascading effects include data breaches or system compromise.
- Business impact can involve financial loss, reputational damage, and legal liability.
• Prevention Guidelines:
- Validate and sanitize all client-side inputs on the server side.
- Avoid storing sensitive data in hidden fields or cookies; use server-side sessions instead.
- Employ HTTPS to encrypt data in transit and prevent interception.
- Use frameworks with built-in security features to handle data validation and session management.
Technical Details
Likelihood of Exploit: Not specified
Affected Languages: Not Language-Specific
Affected Technologies: Not specified
Vulnerable Code Example
JavaScript Example
// Simulating an order processing system where a hidden input field is assumed to be immutable
function processOrder(req) {
// Extracting order details from a web form
let orderAmount = req.body.orderAmount; // Order amount from a hidden form field
let userId = req.body.userId; // User ID from a hidden form field
// Vulnerable: The orderAmount and userId are assumed to be immutable but can be manipulated by the client
if (userId && orderAmount > 0) {
// Process order
console.log(`Processing order for user \${userId} with amount \${orderAmount}`);
} else {
console.error('Invalid order details');
}
}
Explanation of Vulnerability
In the above code, orderAmount and userId are extracted directly from client-side input, which is assumed to be immutable. This assumption is incorrect because a malicious user can manipulate these values, leading to unauthorized actions such as incorrect billing or unauthorized access.
How to fix External Control of Assumed-Immutable Web Parameter?
Fixed Code Example
function processOrder(req, db) {
// Retrieve user ID from session or server-side authentication mechanism
let sessionUserId = req.session.userId; // Securely obtained user ID from a trusted source
// Retrieve order details securely from the server-side database
db.getOrderDetails(sessionUserId, (err, orderDetails) => {
if (err) {
console.error('Error fetching order details', err);
return;
}
let orderAmount = orderDetails.amount; // Secured order amount from a trusted database
// Secure: Processing order with validated and server-side verified data
if (sessionUserId && orderAmount > 0) {
console.log(`Processing order for user \${sessionUserId} with amount \${orderAmount}`);
} else {
console.error('Invalid order details');
}
});
}
Explanation of Fix
In the fixed code example, the order processing relies on server-side retrieval of both the user ID and the order amount. The user ID is obtained from the session, and the order amount is fetched from the database. This ensures that the values are not manipulated by client-side inputs, maintaining the integrity of critical operations and protecting against unauthorized actions.