Input Data Manipulation
Attack Pattern ID: 153 (Standard Attack Pattern Completeness: Stub)Typical Severity: MediumStatus: Draft
+ Description

Summary

An attacker exploits a weakness in input validation by controlling the format, structure, and composition of data to an input-processing interface. By supplying input of a non-standard or unexpected form an attacker can advesely impact the security of the target. For example, using a different character encoding might cause dangerous text to be treated as safe text. Alternatively, the attacker may use certain flags, such as file extensions, to make a target application believe that provided data should be handled using a certain interpreter when the data is not actually of the appropriate type. This can lead to bypassing protection mechanisms, forcing the target to use specific components for input processing, or otherwise causing the user's data to be handled differently than might otherwise be expected. This attack differs from Variable Manipulation in that Variable Manipulation attempts to subvert the target's processing through the value of the input while Input Data Manipulation seeks to control how the input is processed.

+ Attack Prerequisites

The target must accept user data for processing and the manner in which this data is processed must depend on some aspect of the format or flags that the attacker can control.

+ Resources Required

No special resources are required for most variants of this attack.

+ Related Attack Patterns
NatureTypeIDNameDescriptionView(s) this relationship pertains toView\(s\)
ChildOfCategoryCategory262Resource Manipulation 
Mechanism of Attack (primary)1000
ParentOfAttack PatternAttack Pattern266Manipulate Canonicalization 
Mechanism of Attack (primary)1000
ParentOfAttack PatternAttack Pattern267Leverage Alternate Encoding 
Mechanism of Attack (primary)1000
Back to top