State Variable Manipulation

• The HTTP protocol is stateless
• A number of different mechanisms are used to store state:
  • Cookies
  • Hidden fields
  • Parameters
    http://www.victim.com?param1=x&param2=y&param3=z
    
• These entities are typically not protected
• Attackers can manipulate these entities to alter their identity or authorization

• PreviousScripting Guidelines
• Contents
• NextCross-site Scripting

 Last change: Tuesday, June 1, 2004 12:50 am
 Unless otherwise expressly stated, all original material on this page created by Diomidis Spinellis is licensed under a Creative Commons Attribution-Share Alike 3.0 Greece License.