CWE-471: Modification of Assumed-Immutable Data (MAID)
Weakness ID: 471
Version: v4.17
Weakness Name: Modification of Assumed-Immutable Data (MAID)
Vulnerability Mapping: Allowed
Abstraction: Base
Structure: Simple
Status: Draft
Likelihood of Exploit:
▼Description

The product does not properly protect an assumed-immutable element from being modified by an attacker.

▼Extended Description

This occurs when a particular input is critical enough to the functioning of the application that it should not be modifiable at all, but it is. Certain resources are often assumed to be immutable when they are not, such as hidden form fields in web applications, cookies, and reverse DNS lookups.

▼Relationships
Relevant to the view "Research Concepts - (1000)"

| Nature | Mapping | Type | ID | Name |
|---|---|---|---|---|
| ChildOf | Discouraged | Pillar | 664 | Improper Control of a Resource Through its Lifetime |
| ParentOf | Allowed | Base | 1282 | Assumed-Immutable Data is Stored in Writable Memory |
| ParentOf | Allowed | Variant | 1321 | Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') |
| ParentOf | Allowed | Base | 425 | Direct Request ('Forced Browsing') |
| ParentOf | Allowed | Base | 472 | External Control of Assumed-Immutable Web Parameter |
| ParentOf | Allowed | Variant | 473 | PHP External Variable Modification |
| ParentOf | Allowed-with-Review | Class | 602 | Client-Side Enforcement of Server-Side Security |
| ParentOf | Allowed | Variant | 607 | Public Static Final Field References Mutable Object |
| ParentOf | Allowed | Variant | 621 | Variable Extraction Error |
▼Memberships
| Nature | Mapping | Type | ID | Name |
|---|---|---|---|---|
| MemberOf | Prohibited | Category | 991 | SFP Secondary Cluster: Tainted Input to Environment |
| MemberOf | Prohibited | Category | 1347 | OWASP Top Ten 2021 Category A03:2021 - Injection |
| MemberOf | Prohibited | Category | 1416 | Comprehensive Categorization: Resource Lifecycle Management |
▼Tags
| Nature | Mapping | Type | ID | Name |
|---|---|---|---|---|
| MemberOf | Prohibited | BOSSView | BOSS-294 | Not Language-Specific Weaknesses |
| MemberOf | Prohibited | BOSSView | BOSS-315 | Unexpected State (impact) |
| MemberOf | Prohibited | BOSSView | BOSS-318 | Modify Application Data (impact) |
▼Relevant To View
Relevant to the view "OWASP Top Ten (2021) - (1344)"

| Nature | Mapping | Type | ID | Name |
|---|---|---|---|---|
| MemberOf | Prohibited | Category | 1347 | OWASP Top Ten 2021 Category A03:2021 - Injection |

Relevant to the view "Software Fault Pattern (SFP) Clusters - (888)"

| Nature | Mapping | Type | ID | Name |
|---|---|---|---|---|
| MemberOf | Prohibited | Category | 991 | SFP Secondary Cluster: Tainted Input to Environment |

▼Common Consequences
| Scope | Likelihood | Impact | Note |
|---|---|---|---|
| Integrity | N/A | Modify Application Data | Common data types that are attacked are environment variables, web application parameters, and HTTP headers. |
| Integrity | N/A | Unexpected State | N/A |
▼Potential Mitigations
Phase: Architecture and Design, Operation, Implementation
Description:

When the data is stored or transmitted through untrusted sources that could modify the data, implement integrity checks to detect unauthorized modification, or store/transmit the data in a trusted location that is free from external influence.
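
One way to implement the integrity check described above for a value that travels through the client, such as a hidden form field or cookie. This is an added example, not part of the CWE entry; the class `SealedField`, its wire format, and the sample value are assumptions made for illustration.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Optional;

// Hypothetical helper: seals a value the client must return unchanged.
public class SealedField {
    private final SecretKeySpec key;   // never leaves the server
    public SealedField(byte[] secret) { key = new SecretKeySpec(secret, "HmacSHA256"); }
    private byte[] tag(byte[] data) throws GeneralSecurityException {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(key);
        return mac.doFinal(data);
    }
    // Wire form: base64url(value) "." base64url(HMAC-SHA256(value))
    public String seal(String value) throws GeneralSecurityException {
        byte[] raw = value.getBytes(StandardCharsets.UTF_8);
        Base64.Encoder enc = Base64.getUrlEncoder().withoutPadding();
        return enc.encodeToString(raw) + "." + enc.encodeToString(tag(raw));
    }

    // Returns the value only when the tag verifies; empty for anything altered.
    public Optional<String> open(String sealed) throws GeneralSecurityException {
        String[] parts = sealed.split("\\.", -1);
        if (parts.length != 2) return Optional.empty();
        try {
            byte[] raw = Base64.getUrlDecoder().decode(parts[0]);
            byte[] given = Base64.getUrlDecoder().decode(parts[1]);
            // MessageDigest.isEqual compares in constant time
            if (!MessageDigest.isEqual(given, tag(raw))) return Optional.empty();
            return Optional.of(new String(raw, StandardCharsets.UTF_8));
        } catch (IllegalArgumentException malformedBase64) {
            return Optional.empty();
        }
    }

    public static void main(String[] args) throws GeneralSecurityException {
        byte[] secret = new byte[32];
        new SecureRandom().nextBytes(secret);        // demo key; use a managed secret in practice
        SealedField field = new SealedField(secret);
        String sealed = field.seal("price=19.99");   // constructed sample value
        // Value part swapped while the old tag is kept: verification must fail.
        String altered = field.seal("price=0.01").split("\\.")[0] + "." + sealed.split("\\.")[1];
        System.out.println("untouched accepted: " + field.open(sealed).isPresent());
        System.out.println("altered accepted:   " + field.open(altered).isPresent());
    }
}
```

The tag detects modification only; it does not stop a client from replaying an older sealed value, so bind the value to a session or expiry where that matters, or keep it server-side as the mitigation's second option suggests.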

▼Modes Of Introduction
Phase: Implementation
Note: N/A

Phase: Architecture and Design
Note: N/A

▼Applicable Platforms
Languages
Class: Not Language-Specific (Undetermined Prevalence)
▼Demonstrative Examples
Example 1

In the code excerpt below, an array returned by a Java method is modified by the caller, which is possible because Java arrays are always mutable.

Language: Java (Bad code)

String[] colors = car.getAllPossibleColors();
colors[0] = "Red";
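
The getter behind Example 1 beside two hardened forms, as an added example that is not part of the CWE entry. `Car` and `getAllPossibleColors` come from the excerpt above; the field `COLORS`, the method names `getAllPossibleColorsUnsafe` and `colorList`, and the colour values are assumptions.

```java
import java.util.List;

// Hypothetical Car class built around the page's getAllPossibleColors() call.
public class Car {
    private static final String[] COLORS = {"Blue", "Green", "Silver"}; // constructed values

    // Bad: returns the internal array itself, so callers share Car's state.
    public String[] getAllPossibleColorsUnsafe() {
        return COLORS;
    }

    // Fix 1: defensive copy. Callers may write to their copy only.
    public String[] getAllPossibleColors() {
        return COLORS.clone();
    }

    // Fix 2: immutable list (Java 9+). Writes fail loudly instead of silently.
    public List<String> colorList() {
        return List.of(COLORS);
    }

    public static void main(String[] args) {
        Car car = new Car();

        // The page's modification, applied to the unsafe getter:
        // the write lands in Car's own array.
        String[] leaked = car.getAllPossibleColorsUnsafe();
        leaked[0] = "Red";
        System.out.println("after unsafe write: " + car.getAllPossibleColorsUnsafe()[0]);

        COLORS[0] = "Blue"; // restore internal state for the next check

        // Same modification against the copying getter: internal state is untouched.
        String[] copy = car.getAllPossibleColors();
        copy[0] = "Red";
        System.out.println("after write to copy: " + car.getAllPossibleColors()[0]);

        // Same modification against the immutable list: rejected at run time.
        try {
            car.colorList().set(0, "Red");
        } catch (UnsupportedOperationException e) {
            System.out.println("write to immutable list rejected");
        }
    }
}
```

The `final` modifier on `COLORS` fixes only the reference, not the array contents, which is the same assumption behind the child entry CWE-607 listed under Relationships.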

▼Observed Examples
| Reference | Description |
|---|---|
| CVE-2002-1757 | Relies on $PHP_SELF variable for authentication. |
| CVE-2005-1905 | Gain privileges by modifying assumed-immutable code addresses that are accessed by a driver. |
▼Vulnerability Mapping Notes
Usage: Allowed
Reason: Acceptable-Use
Rationale:

This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.

Comments:

Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.
▼Notes
Relationship

MAID issues can be primary to many other weaknesses, and they are a major factor in languages that provide easy access to internal program constructs, such as PHP's register_globals and similar features. However, MAID issues can also be resultant from weaknesses that modify internal state; for example, a program might validate some data and store it in memory, but a buffer overflow could overwrite that validated data, leading to a change in program logic.

Theoretical

There are many examples where the MUTABILITY property is a major factor in a vulnerability.

▼Taxonomy Mappings

| Taxonomy Name | Entry ID | Fit | Entry Name |
|---|---|---|---|
| PLOVER | N/A | N/A | Modification of Assumed-Immutable Data |
▼Related Attack Patterns

| ID | Name |
|---|---|
| CAPEC-384 | Application API Message Manipulation via Man-in-the-Middle |
| CAPEC-385 | Transaction or Event Tampering via Application API Manipulation |
| CAPEC-386 | Application API Navigation Remapping |
| CAPEC-387 | Navigation Remapping To Propagate Malicious Content |
| CAPEC-388 | Application API Button Hijacking |