Manipulating hidden fields to change the normal flow of transactions (eShoplifting)
Attack Pattern ID: 162 (Standard Attack Pattern Completeness: Stub)Typical Severity: HighStatus: Draft
+ Description


An attacker exploits a weakness in the server's trust of client-side processing by modifying data on the client-side, such as price information, and then submitting this data to the server to effect a change in the state of an ordinary transaction. eShoplifting is a data manipulation attack against an on-line merchant during a purchasing transaction. The manipulation of price, discount or quantity fields in the transaction message allows the attacker to acquire items at a lower cost than the merchant intended. The attacker performs a normal purchasing transaction but edits hidden fields within the HTML form response that store price or other information to give themselves a better deal. The merchant then uses the modified pricing information in calculating the cost of the selected items.

+ Attack Prerequisites

The targeted merchant site must us a shopping cart that does not obfuscate the transaction data and does not validate pricing with back end processing.

+ Resources Required

The attacker must be able to craft HTTP responses to the target's shopping site.

+ Related Weaknesses
CWE-IDWeakness NameWeakness Relationship Type
602Client-Side Enforcement of Server-Side SecurityTargeted
+ Related Attack Patterns
NatureTypeIDNameDescriptionView(s) this relationship pertains toView\(s\)
ChildOfCategoryCategory212Functionality Misuse 
Mechanism of Attack (primary)1000