sites will normally track a user's state through the use of cookies or
hidden HTML form fields. However, when that state is stored on the
client side within the web browser, the integrity of the data must be
verified on every request. If it is not, an attacker may be able to
circumvent the expected traffic flow by altering the current state.
Example
An online shopping cart system may offer the user a discount if
product A is purchased. The user may not actually want product A,
but product B. By filling the shopping cart with both product A and
product B and entering the checkout process, the user obtains the
discount. The user then backs out of the checkout process and
removes product A, or simply alters the submitted values before the
next step. The user then re-enters the checkout process while the
discount granted during the previous pass (when product A was in the
cart) is still recorded, and obtains a fraudulent purchase price.
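The following is an added example, not part of the original document: it contrasts a checkout that trusts a discount recorded in client-held state with one that re-derives the discount from the current cart at each step, and shows an HMAC check on the serialised state. The secret, product prices and discount rule are constructed for illustration.

```python
import hmac
import hashlib
import json

# Constructed example: the secret, prices and discount rule are assumptions.
SECRET = b"server-side-secret-never-sent-to-client"
PRICES = {"A": 50.0, "B": 80.0}
DISCOUNT_IF_A = 10.0  # flat discount, valid only while product A is in the cart

def sign_state(state: dict) -> str:
    """Serialise client-held state (cookie / hidden field) with an HMAC."""
    body = json.dumps(state, sort_keys=True, separators=(",", ":"))
    mac = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{mac}"

def load_state(token: str) -> dict:
    """Verify the MAC before trusting anything the client sent back."""
    body, _, mac = token.rpartition(".")
    expected = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        raise ValueError("client state failed integrity check")
    return json.loads(body)

def vulnerable_total(state: dict) -> float:
    """Flawed pattern from the example: trusts a discount recorded during an
    earlier checkout pass instead of re-deriving it from the current cart."""
    return sum(PRICES[p] for p in state["cart"]) - state.get("discount", 0.0)

def hardened_total(state: dict) -> float:
    """Recompute the discount from the cart as it is at this step."""
    subtotal = sum(PRICES[p] for p in state["cart"])
    return subtotal - (DISCOUNT_IF_A if "A" in state["cart"] else 0.0)

def scenario() -> tuple[float, float, float, bool]:
    # Pass 1: A and B in the cart; checkout grants the discount and records it.
    token = sign_state({"cart": ["A", "B"], "discount": DISCOUNT_IF_A})
    first = hardened_total(load_state(token))  # 120.0, discount legitimately applied
    # User backs out, removes A, re-enters checkout; the stale discount remains.
    token = sign_state({"cart": ["B"], "discount": DISCOUNT_IF_A})
    state = load_state(token)
    bad, good = vulnerable_total(state), hardened_total(state)  # 70.0 vs 80.0
    # A hand-edited state produced without SECRET fails verification.
    body, _, mac = token.rpartition(".")
    tampered = body.replace('"discount":10.0', '"discount":60.0') + "." + mac
    try:
        load_state(tampered)
        detected = False
    except ValueError:
        detected = True
    return first, bad, good, detected
```

The MAC stops silent edits to the serialised state, but only recomputing the discount from the current cart closes the process-flow gap in the example: a valid, unmodified token can still carry a discount that no longer applies.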
References
"Dos and Don'ts of Client Authentication on the Web", Kevin Fu, Emil
Sit, Kendra Smith, Nick Feamster, MIT Laboratory for Computer Science
http://cookies.lcs.mit.edu/pubs/webauth:tr.pdf
Copyright 2004, Web Application Security Consortium. All rights reserved.