General Information

Client Controlled User Identifier Manipulation

Variants:
Direct Persistent Session 

Also Known As:
User Impersonation via Parameter Tampering

Vector Type:
Attack

Relevance:
Generic

Layer:
Application-Level

Platforms:
Any

Target Type:
Application

Affected Mechanisms:
Secure Design

Invented In:
01/02/2000

Added In:
25/12/2014

Quick Introduction to the Topic:


Vector Operation Method:
Attackers can impersonate application users by changing a unique user identifier originating from the client-side. For example - manipulating a user-id, username or email sent to the application in a non-login related scenario


Direct Variant:

Client Controlled User Identifier Manipulation

Variant Title:
Client Controlled User Identifier Manipulation

Typical Severity:
Critical

Resources:

White Papers:

Learn More:


Persistent Variant:

Stored Client Controlled User Identifier Manipulation

Also Known As:
Persistent Client Controlled User Identifier Manipulation

Typical Severity:
Critical

Resources:

White Papers:

Learn More:


Session Variant:

Client Controlled User Identifier Manipulation via Session Poisoning

Also Known As:
Session Client Controlled User Identifier Manipulation

Typical Severity:
Critical

Resources:

White Papers:

Learn More: