CAPEC-140 Detail

CAPEC-140

Name

Bypassing of Intermediate Forms in Multiple-Form Sets

Typical Severity

Medium

Status

Draft

Published

2014-06-23
00h00 +00:00

Modified

2020-07-30
00h00 +00:00

Official links

CAPEC Mitre.org

Alerte pour un CAPEC

Stay informed of any changes for a specific CAPEC.

Notifications manage

List of Notifications

Alerte pour un CAPEC

Stay informed of any changes for a specific CAPEC.

Parameters

You can specify a title that will be retrieved in the alerts that will be sent out.

Specify the CAPEC ID you wish to monitor.

Planning

Month

Next run calculation

Day

Weekday

Hour

Minute

Creation date

Last execution

Next execution

Functionality requiring a connection

This feature, which allows you to receive alerts, is only active when you are logged into your account.

Descriptions CAPEC

Some web applications require users to submit information through an ordered sequence of web forms. This is often done if there is a very large amount of information being collected or if information on earlier forms is used to pre-populate fields or determine which additional information the application needs to collect. An attacker who knows the names of the various forms in the sequence may be able to explicitly type in the name of a later form and navigate to it without first going through the previous forms. This can result in incomplete collection of information, incorrect assumptions about the information submitted by the attacker, or other problems that can impair the functioning of the application.

Informations CAPEC

Prerequisites

The target must collect information from the user in a series of forms where each form has its own URL that the attacker can anticipate and the application must fail to detect attempts to access intermediate forms without first filling out the previous forms.

Resources Required

None: No specialized resources are required to execute this type of attack.

Related Weaknesses

CWE-ID	Weakness Name
CWE-372	Incomplete Internal State Distinction The product does not properly determine which state it is in, causing it to assume it is in state X when in fact it is in state Y, causing it to perform incorrect operations in a security-relevant manner.

Submission

Name	Organization	Date	Date release
CAPEC Content Team	The MITRE Corporation	2014-06-23 +00:00

Modifications

Name	Organization	Date	Comment
CAPEC Content Team	The MITRE Corporation	2017-08-04 +00:00	Updated Resources_Required
CAPEC Content Team	The MITRE Corporation	2019-04-04 +00:00	Updated Related_Weaknesses
CAPEC Content Team	The MITRE Corporation	2020-07-30 +00:00	Updated Related_Attack_Patterns