Corgea LogoCorgea Security Hub

CWE-642: External Control of Critical State Data

Learn about CWE-642 (External Control of Critical State Data), its security impact, exploitation methods, and prevention guidelines.

What is External Control of Critical State Data?

• Overview: External Control of Critical State Data (CWE-642) is a vulnerability where an application stores important security-related state information in a location that can be accessed and potentially modified by unauthorized users, leading to unauthorized actions or resource access.

• Exploitation Methods:

  • Attackers can exploit this vulnerability by modifying state information stored in easily accessible locations like cookies, hidden form fields, or URL parameters.
  • Common attack patterns include forging or altering cookies to bypass authentication checks or changing hidden fields to gain unauthorized privileges.

• Security Impact:

  • Direct consequences include unauthorized access to resources, privilege escalation, and bypassing security checks.
  • Potential cascading effects involve broader system compromise if initial unauthorized actions lead to further vulnerabilities being exploited.
  • Business impact includes data breaches, loss of customer trust, legal repercussions, and financial losses.

• Prevention Guidelines:

  • Specific code-level fixes include using server-side storage for sensitive state information instead of client-side storage.
  • Security best practices involve encrypting state data, implementing robust input validation, and employing secure session management techniques.
  • Recommended tools and frameworks include security libraries for managing sessions and state, such as OWASP's security tools, and frameworks that provide built-in security mechanisms like Spring Security for Java.
Corgea can automatically detect and fix External Control of Critical State Data in your codebase. [Try Corgea free today](https://corgea.app).

Technical Details

Likelihood of Exploit: High

Affected Languages: Not Language-Specific

Affected Technologies: Web Server

Vulnerable Code Example

JavaScript Example

// This code snippet demonstrates a security vulnerability where critical state data is stored on the client-side
// in an untrusted manner. The user's role is stored in a cookie, which can be easily manipulated by an attacker.

function getUserRoleFromCookie() {
    const cookieValue = document.cookie.replace(/(?:(?:^|.*;\s*)userRole\s*\=\s*([^;]*).*\$)|^.*\$/, "\$1");
    return cookieValue; // User role is retrieved directly from the cookie
}

// Usage of the role from cookie to control access
function isAdmin() {
    return getUserRoleFromCookie() === 'admin'; // Role-based access control based on client-side data
}

Explanation

In this vulnerable example, the user's role is stored in a cookie on the client-side. An attacker can easily manipulate this cookie to escalate privileges by changing the role to 'admin'. This represents a classic example of CWE-642, where critical state data is externally controlled and can be tampered with.

How to fix External Control of Critical State Data?

To fix this vulnerability, avoid storing critical state information, such as user roles or permissions, on the client-side. Instead, store such information server-side and use secure methods to verify user roles. One effective approach is to use server-side sessions or a secure token mechanism (e.g., JWT) where the server maintains control over the user's state. This prevents unauthorized manipulation of critical data.

Fixed Code Example

JavaScript Example

// In this fixed code, the user's role is checked on the server-side to ensure that it cannot be tampered with by the client.
// We simulate this with a server-side function that verifies user roles based on a secure token.

async function getUserRoleFromServer(token) {
    // Simulate a server-side call to get the user's role
    // In a real-world scenario, this would involve server-side session or token verification
    const response = await fetch('https://example.com/api/getUserRole', {
        method: 'POST',
        headers: {
            'Authorization': `Bearer \${token}` // Use secure token to request role from server
        }
    });
    const serverResponse = await response.json();

    return serverResponse.role; // The role is securely retrieved from the server
}

// Secure role check that relies on server-side data
async function isAdmin(token) {
    const role = await getUserRoleFromServer(token); // Role verification is now server-based
    return role === 'admin'; // Access control is now secure
}

Explanation

In this fixed example, the user's role is determined through a secure server-side call that verifies the user's role using a token. This approach mitigates the risk of unauthorized role manipulation by the client, as the role information is not stored or controlled on the client-side. The server maintains control over the user's state, ensuring that access control is based on trusted data.

Corgea Logo

Find this vulnerability and fix it with Corgea

Scan your codebase for CWE-642: External Control of Critical State Data and get remediation guidance

Start for free and no credit card needed.