External Control of System or Configuration Setting
ID: 15 | Date: (C)2012-05-14 (M)2022-10-10
Type: weakness | Status: INCOMPLETE
Abstraction Type: Base
Description
One or more system settings or configuration elements can be
externally controlled by a user.
Extended Description
Allowing external control of system settings can disrupt service or cause
an application to behave in unexpected, and potentially malicious,
ways.
Applicable Platforms: None
Time Of Introduction
Related Attack Patterns
Common Consequences
| Scope | Technical Impact | Notes |
|---|---|---|
| Other | Varies by context | |
Detection Methods: None
Potential Mitigations
| Phase | Strategy | Description | Effectiveness | Notes |
|---|---|---|---|---|
| | | Compartmentalize your system and determine where the trust boundaries exist. Any input/control outside the trust boundary should be treated as potentially hostile. | | |
| Implementation, Architecture and Design | | Because setting manipulation covers a diverse set of functions, any attempt at illustrating it will inevitably be incomplete. Rather than searching for a tight-knit relationship between the functions addressed in the setting manipulation category, take a step back and consider the sorts of system values that an attacker should not be allowed to control. | | |
| Implementation, Architecture and Design | | In general, do not allow user-provided or otherwise untrusted data to control sensitive values. The leverage that an attacker gains by controlling these values is not always immediately obvious, but do not underestimate the creativity of the attacker. | | |
Relationships
| Related CWE | Type | View | Chain |
|---|---|---|---|
| CWE-15 ChildOf CWE-896 | Category | CWE-888 | |
Demonstrative Examples
- The following C code accepts a number as one of its command line
parameters and sets it as the host ID of the current machine.
- The following Java code snippet reads a string from an
HttpServletRequest and sets it as the active catalog for a database
Connection.
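Both examples share one pattern: a value from outside the trust boundary becomes a sensitive setting unchanged. The following Python sketch is added here and is not part of the CWE entry or its C/Java examples; it models that pattern beside the allowlist approach the mitigations above describe, with a settings store, parameter names, catalog names and values constructed for illustration.

```python
class Settings:
    """Minimal settings store standing in for a real configuration object."""
    def __init__(self):
        self.values = {
            "catalog": "public",    # like the Java example's active catalog
            "page_size": 25,
            "host_id": 0x2A1B3C4D,  # like the C example's sethostid() value
            "log_path": "/var/log/app.log",
        }

def apply_settings_unsafe(settings, params):
    """Weakness as described: untrusted key/value pairs become settings unchanged."""
    for key, value in params.items():
        settings.values[key] = value
    return settings.values

def _validate_catalog(value):
    # Untrusted input may only choose among catalogs the application exposes.
    if value not in {"sales", "inventory"}:
        raise ValueError("catalog not permitted")
    return value

def _validate_page_size(value):
    # Coerce to int and bound it; non-numeric input raises ValueError as well.
    size = int(value)
    if not 1 <= size <= 100:
        raise ValueError("page_size out of range")
    return size

# The trust-boundary decision: only these settings may be influenced from
# outside. host_id and log_path are deliberately absent, so no request can
# reach them regardless of the value sent.
EXTERNALLY_CONTROLLABLE = {
    "catalog": _validate_catalog,
    "page_size": _validate_page_size,
}

def apply_settings_safe(settings, params):
    """Mitigation: apply only allowlisted, validated settings; report the rest."""
    rejected = []
    for key, value in params.items():
        validator = EXTERNALLY_CONTROLLABLE.get(key)
        if validator is None:
            rejected.append(key)
            continue
        try:
            settings.values[key] = validator(value)
        except ValueError:
            rejected.append(key)
    return sorted(rejected)
```

The rejected list is what a handler would log: a request naming host_id or log_path is evidence of probing for exactly the settings the allowlist keeps out of reach.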
White Box Definitions: None
Black Box Definitions: None
Taxonomy Mappings
| Taxonomy | Id | Name | Fit |
|---|---|---|---|
| 7 Pernicious Kingdoms | | Setting Manipulation | |
References: None