CWE-565
AllowedReliance on Cookies without Validation and Integrity Checking
Abstraction: Base · Status: Incomplete
The product relies on the existence or values of cookies when performing security-critical operations, but it does not properly ensure that the setting is valid for the associated user.
95 vulnerabilities reference this CWE, most recent first.
GHSA-RC4Q-9M69-GQP8
Vulnerability from github – Published: 2021-05-17 20:53 – Updated: 2021-05-17 20:29Impact
Users that used fastify-csrf with the "double submit" mechanism using cookies with an application deployed across multiple subdomains, e.g. "heroku"-style platform as a service.
Patches
Version 3.1.0 of the fastify-csrf fixes it. See https://github.com/fastify/fastify-csrf/pull/51 and https://github.com/fastify/csrf/pull/2.
The user of the module would need to supply a userInfo when generating the CSRF token to fully implement the protection on their end. This is needed only for applications hosted on different subdomains.
Workarounds
None available.
References
- https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html
- https://owasp.org/www-pdf-archive/David_Johansson-Double_Defeat_of_Double-Submit_Cookie.pdf
Credits
This vulnerability was found by Xhelal Likaj xhelallikaj20@gmail.com.
For more information
If you have any questions or comments about this advisory: * Open an issue in fastify-csrf * Email us at hello@matteocollina.com
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "fastify-csrf"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.1.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-29624"
],
"database_specific": {
"cwe_ids": [
"CWE-352",
"CWE-565"
],
"github_reviewed": true,
"github_reviewed_at": "2021-05-17T20:29:48Z",
"nvd_published_at": "2021-05-19T22:15:00Z",
"severity": "MODERATE"
},
"details": "### Impact\n\nUsers that used fastify-csrf with the \"double submit\" mechanism using cookies with an application deployed across multiple subdomains, e.g. \"heroku\"-style platform as a service. \n\n### Patches\n\nVersion 3.1.0 of the fastify-csrf fixes it. \nSee https://github.com/fastify/fastify-csrf/pull/51 and https://github.com/fastify/csrf/pull/2.\n\nThe user of the module would need to supply a `userInfo` when generating the CSRF token to fully implement the protection on their end. This is needed only for applications hosted on different subdomains.\n\n### Workarounds\n\nNone available.\n\n### References\n\n1. https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html\n2. https://owasp.org/www-pdf-archive/David_Johansson-Double_Defeat_of_Double-Submit_Cookie.pdf\n\n### Credits\n\nThis vulnerability was found by Xhelal Likaj \u003cxhelallikaj20@gmail.com\u003e.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [fastify-csrf](https://github.com/fastify/fastify-csrf)\n* Email us at [hello@matteocollina.com](mailto:hello@matteocollina.com)\n",
"id": "GHSA-rc4q-9m69-gqp8",
"modified": "2021-05-17T20:29:48Z",
"published": "2021-05-17T20:53:30Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/fastify/fastify-csrf/security/advisories/GHSA-rc4q-9m69-gqp8"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29624"
},
{
"type": "WEB",
"url": "https://github.com/fastify/csrf/pull/2"
},
{
"type": "WEB",
"url": "https://github.com/fastify/fastify-csrf/pull/51"
},
{
"type": "WEB",
"url": "https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html"
},
{
"type": "WEB",
"url": "https://github.com/fastify/fastify-csrf/releases/tag/v3.1.0"
},
{
"type": "WEB",
"url": "https://owasp.org/www-pdf-archive/David_Johansson-Double_Defeat_of_Double-Submit_Cookie.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Lack of protection against cookie tossing attacks in fastify-csrf"
}
GHSA-RP6H-H28Q-45MQ
Vulnerability from github – Published: 2022-05-13 01:51 – Updated: 2022-05-13 01:51EPON CPE-WiFi devices 2.0.4-X000 are vulnerable to escalation of privileges by sending cooLogin=1, cooUser=admin, and timestamp=-1 cookies.
{
"affected": [],
"aliases": [
"CVE-2018-20512"
],
"database_specific": {
"cwe_ids": [
"CWE-565"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-01-03T19:29:00Z",
"severity": "CRITICAL"
},
"details": "EPON CPE-WiFi devices 2.0.4-X000 are vulnerable to escalation of privileges by sending cooLogin=1, cooUser=admin, and timestamp=-1 cookies.",
"id": "GHSA-rp6h-h28q-45mq",
"modified": "2022-05-13T01:51:04Z",
"published": "2022-05-13T01:51:04Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-20512"
},
{
"type": "WEB",
"url": "https://www.reddit.com/r/networking/comments/abu4kq/vulnerability_in_cdata_technologies_epon_cpewifi"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-RWW7-MM5M-VX73
Vulnerability from github – Published: 2023-06-30 06:30 – Updated: 2024-04-04 05:18Client-side enforcement of server-side security issue exists in WL-WN531AX2 firmware versions prior to 2023526, which may allow an attacker with an administrative privilege to execute OS commands with the root privilege.
{
"affected": [],
"aliases": [
"CVE-2023-32612"
],
"database_specific": {
"cwe_ids": [
"CWE-565"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-06-30T05:15:09Z",
"severity": "HIGH"
},
"details": "Client-side enforcement of server-side security issue exists in WL-WN531AX2 firmware versions prior to 2023526, which may allow an attacker with an administrative privilege to execute OS commands with the root privilege.",
"id": "GHSA-rww7-mm5m-vx73",
"modified": "2024-04-04T05:18:42Z",
"published": "2023-06-30T06:30:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32612"
},
{
"type": "WEB",
"url": "https://jvn.jp/en/jp/JVN78634340"
},
{
"type": "WEB",
"url": "https://www.wavlink.com/en_us/firmware/details/932108ffc5.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-V2F2-VWC6-37GC
Vulnerability from github – Published: 2022-08-13 00:00 – Updated: 2022-08-16 00:00Insufficient policy enforcement in Cookies in Google Chrome prior to 104.0.5112.79 allowed a remote attacker to leak cross-origin data via a crafted HTML page.
{
"affected": [],
"aliases": [
"CVE-2022-2615"
],
"database_specific": {
"cwe_ids": [
"CWE-565"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-08-12T20:15:00Z",
"severity": "MODERATE"
},
"details": "Insufficient policy enforcement in Cookies in Google Chrome prior to 104.0.5112.79 allowed a remote attacker to leak cross-origin data via a crafted HTML page.",
"id": "GHSA-v2f2-vwc6-37gc",
"modified": "2022-08-16T00:00:23Z",
"published": "2022-08-13T00:00:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2615"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2022/08/stable-channel-update-for-desktop.html"
},
{
"type": "WEB",
"url": "https://crbug.com/1268580"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T4NMJURTG5RO3TGD7ZMIQ6Z4ZZ3SAVYE"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202208-35"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-VMHR-5QXJ-XVCM
Vulnerability from github – Published: 2022-05-24 19:04 – Updated: 2022-10-26 12:00Improper Authentication vulnerability in the cookie parameter of Circutor SGE-PLC1000 firmware version 0.9.2b allows an attacker to perform operations as an authenticated user. In order to exploit this vulnerability, the attacker must be within the network where the device affected is located.
{
"affected": [],
"aliases": [
"CVE-2021-33842"
],
"database_specific": {
"cwe_ids": [
"CWE-287",
"CWE-565"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-06-09T12:15:00Z",
"severity": "HIGH"
},
"details": "Improper Authentication vulnerability in the cookie parameter of Circutor SGE-PLC1000 firmware version 0.9.2b allows an attacker to perform operations as an authenticated user. In order to exploit this vulnerability, the attacker must be within the network where the device affected is located.",
"id": "GHSA-vmhr-5qxj-xvcm",
"modified": "2022-10-26T12:00:32Z",
"published": "2022-05-24T19:04:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33842"
},
{
"type": "WEB",
"url": "https://www.incibe-cert.es/en/early-warning/ics-advisories/circutor-sge-plc1000-improper-authentication"
},
{
"type": "WEB",
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso-sci/circutor-sge-plc1000-improper-authentication"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-W2M4-XQG7-PFHG
Vulnerability from github – Published: 2022-05-13 01:19 – Updated: 2022-05-13 01:19An issue was discovered in LAOBANCMS 2.0. /admin/login.php allows spoofing of the id and guanliyuan cookies.
{
"affected": [],
"aliases": [
"CVE-2018-19224"
],
"database_specific": {
"cwe_ids": [
"CWE-565"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-11-12T20:29:00Z",
"severity": "HIGH"
},
"details": "An issue was discovered in LAOBANCMS 2.0. /admin/login.php allows spoofing of the id and guanliyuan cookies.",
"id": "GHSA-w2m4-xqg7-pfhg",
"modified": "2022-05-13T01:19:45Z",
"published": "2022-05-13T01:19:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-19224"
},
{
"type": "WEB",
"url": "https://github.com/AvaterXXX/laobanCMS/blob/master/1.md#unauthorized-access"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-W3W9-VRF5-8MX8
Vulnerability from github – Published: 2022-09-16 18:48 – Updated: 2022-09-16 18:48Impact
In ReactPHP's HTTP server component versions below v1.7.0, when ReactPHP is processing incoming HTTP cookie values, the cookie names are url-decoded. This may lead to cookies with prefixes like __Host- and __Secure- confused with cookies that decode to such prefix, thus leading to an attacker being able to forge cookie which is supposed to be secure. See also CVE-2020-7070 and CVE-2020-8184 for more information.
Patches
- https://github.com/reactphp/http/commit/663c9a3b77b71463fa7fcb76a6676ffd16979dd6 - Fixed in reactphp/http
v1.7.0
Workarounds
Infrastructure or DevOps can place a reverse proxy in front of the ReactPHP HTTP server to filter out any unexpected Cookie request headers.
References
- CVE-2020-7070, https://bugs.php.net/bug.php?id=79699 and https://github.com/php/php-src/commit/6559fe912661ca5ce5f0eeeb591d928451428ed0
- CVE-2020-8184, https://hackerone.com/reports/895727 and https://github.com/rack/rack/commit/1f5763de6a9fe515ff84992b343d63c88104654c
- Originally introduced via https://github.com/reactphp/http/pull/175
Credits
- Thanks to Marco Squarcina (TU Wien) for reporting this and working with us to coordinate this security advisory
For more information
If you have any questions or comments about this advisory:
- Join the discussion
- Email us at support@reactphp.org
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "react/http"
},
"ranges": [
{
"events": [
{
"introduced": "0.7.0"
},
{
"fixed": "1.7.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-36032"
],
"database_specific": {
"cwe_ids": [
"CWE-20",
"CWE-565"
],
"github_reviewed": true,
"github_reviewed_at": "2022-09-16T18:48:53Z",
"nvd_published_at": "2022-09-06T19:15:00Z",
"severity": "MODERATE"
},
"details": "### Impact\n\nIn ReactPHP\u0027s HTTP server component versions below v1.7.0, when ReactPHP is processing incoming HTTP cookie values, the cookie names are url-decoded. This may lead to cookies with prefixes like `__Host-` and `__Secure-` confused with cookies that decode to such prefix, thus leading to an attacker being able to forge cookie which is supposed to be secure. See also CVE-2020-7070 and CVE-2020-8184 for more information. \n\n### Patches\n\n* https://github.com/reactphp/http/commit/663c9a3b77b71463fa7fcb76a6676ffd16979dd6 - Fixed in [reactphp/http `v1.7.0`](https://github.com/reactphp/http/releases/tag/v1.7.0)\n\n### Workarounds\n\nInfrastructure or DevOps can place a reverse proxy in front of the ReactPHP HTTP server to filter out any unexpected `Cookie` request headers.\n\n### References\n\n* CVE-2020-7070, https://bugs.php.net/bug.php?id=79699 and https://github.com/php/php-src/commit/6559fe912661ca5ce5f0eeeb591d928451428ed0\n* CVE-2020-8184, https://hackerone.com/reports/895727 and https://github.com/rack/rack/commit/1f5763de6a9fe515ff84992b343d63c88104654c\n* Originally introduced via https://github.com/reactphp/http/pull/175\n\n### Credits\n\n* Thanks to Marco Squarcina (TU Wien) for reporting this and working with us to coordinate this security advisory\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n\n* [Join the discussion](https://github.com/orgs/reactphp/discussions/465)\n* Email us at support@reactphp.org\n",
"id": "GHSA-w3w9-vrf5-8mx8",
"modified": "2022-09-16T18:48:53Z",
"published": "2022-09-16T18:48:53Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/reactphp/http/security/advisories/GHSA-w3w9-vrf5-8mx8"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-36032"
},
{
"type": "WEB",
"url": "https://github.com/reactphp/http/pull/175"
},
{
"type": "WEB",
"url": "https://github.com/reactphp/http/commit/663c9a3b77b71463fa7fcb76a6676ffd16979dd6"
},
{
"type": "WEB",
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/react/http/CVE-2022-36032.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/reactphp/http"
},
{
"type": "WEB",
"url": "https://github.com/reactphp/http/releases/tag/v1.7.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "ReactPHP\u0027s HTTP server parses encoded cookie names so malicious `__Host-` and `__Secure-` cookies can be sent"
}
GHSA-W43V-QR8X-XQ75
Vulnerability from github – Published: 2022-06-30 00:00 – Updated: 2022-07-08 00:00Textpattern CMS v4.8.7 and older vulnerability exists through Sensitive Cookie in HTTPS Session Without 'Secure' Attribute via textpattern/lib/txplib_misc.php. The secure flag is not set for txp_login session cookie in the application. If the secure flag is not set, then the cookie will be transmitted in clear-text if the user visits any HTTP URLs within the cookie's scope. An attacker may be able to induce this event by feeding a user suitable links, either directly or via another web site.
{
"affected": [],
"aliases": [
"CVE-2021-40642"
],
"database_specific": {
"cwe_ids": [
"CWE-565"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-06-29T11:15:00Z",
"severity": "MODERATE"
},
"details": "Textpattern CMS v4.8.7 and older vulnerability exists through Sensitive Cookie in HTTPS Session Without \u0027Secure\u0027 Attribute via textpattern/lib/txplib_misc.php. The secure flag is not set for txp_login session cookie in the application. If the secure flag is not set, then the cookie will be transmitted in clear-text if the user visits any HTTP URLs within the cookie\u0027s scope. An attacker may be able to induce this event by feeding a user suitable links, either directly or via another web site.",
"id": "GHSA-w43v-qr8x-xq75",
"modified": "2022-07-08T00:00:43Z",
"published": "2022-06-30T00:00:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-40642"
},
{
"type": "WEB",
"url": "https://github.com/textpattern/textpattern/commit/211fab0093999f59b0b61682aa988ac7d8337aa9"
},
{
"type": "WEB",
"url": "https://www.huntr.dev/bounties/aadbe434-a376-443b-876f-2a1cbab7847b"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-WMRX-G8F2-RGWH
Vulnerability from github – Published: 2023-06-20 21:30 – Updated: 2024-04-04 04:59CloudPanel 2 before 2.3.1 has insecure file-manager cookie authentication.
{
"affected": [],
"aliases": [
"CVE-2023-35885"
],
"database_specific": {
"cwe_ids": [
"CWE-565"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-06-20T20:15:09Z",
"severity": "CRITICAL"
},
"details": "CloudPanel 2 before 2.3.1 has insecure file-manager cookie authentication.",
"id": "GHSA-wmrx-g8f2-rgwh",
"modified": "2024-04-04T04:59:06Z",
"published": "2023-06-20T21:30:56Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-35885"
},
{
"type": "WEB",
"url": "https://github.com/datackmy/FallingSkies-CVE-2023-35885"
},
{
"type": "WEB",
"url": "https://www.cloudpanel.io/docs/v2/changelog"
},
{
"type": "WEB",
"url": "https://www.datack.my/fallingskies-cloudpanel-0-day"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-WQX6-GHVG-724J
Vulnerability from github – Published: 2025-12-09 21:31 – Updated: 2025-12-09 21:31COMMAX Biometric Access Control System 1.0.0 contains an authentication bypass vulnerability that allows unauthenticated attackers to access sensitive information and circumvent physical controls in smart homes and buildings by exploiting cookie poisoning. Attackers can forge cookies to bypass authentication and disclose sensitive information.
{
"affected": [],
"aliases": [
"CVE-2021-47706"
],
"database_specific": {
"cwe_ids": [
"CWE-565"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-12-09T21:15:49Z",
"severity": "HIGH"
},
"details": "COMMAX Biometric Access Control System 1.0.0 contains an authentication bypass vulnerability that allows unauthenticated attackers to access sensitive information and circumvent physical controls in smart homes and buildings by exploiting cookie poisoning. Attackers can forge cookies to bypass authentication and disclose sensitive information.",
"id": "GHSA-wqx6-ghvg-724j",
"modified": "2025-12-09T21:31:49Z",
"published": "2025-12-09T21:31:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47706"
},
{
"type": "WEB",
"url": "https://www.commax.com"
},
{
"type": "WEB",
"url": "https://www.commax.com/product"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/50206"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/commax-biometric-access-control-system-authentication-bypass"
},
{
"type": "WEB",
"url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5661.php"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
Mitigation
Avoid using cookie data for a security-related decision.
Mitigation
Perform thorough input validation (i.e.: server side validation) on the cookie data if you're going to use it for a security related decision.
Mitigation
Add integrity checks to detect tampering.
Mitigation
Protect critical cookies from replay attacks, since cross-site scripting or other attacks may allow attackers to steal a strongly-encrypted cookie that also passes integrity checks. This mitigation applies to cookies that should only be valid during a single transaction or session. By enforcing timeouts, you may limit the scope of an attack. As part of your integrity check, use an unpredictable, server-side value that is not exposed to the client.
CAPEC-226: Session Credential Falsification through Manipulation
An attacker manipulates an existing credential in order to gain access to a target application. Session credentials allow users to identify themselves to a service after an initial authentication without needing to resend the authentication information (usually a username and password) with every message. An attacker may be able to manipulate a credential sniffed from an existing connection in order to gain access to a target server.
CAPEC-31: Accessing/Intercepting/Modifying HTTP Cookies
This attack relies on the use of HTTP Cookies to store credentials, state information and other critical data on client systems. There are several different forms of this attack. The first form of this attack involves accessing HTTP Cookies to mine for potentially sensitive data contained therein. The second form involves intercepting this data as it is transmitted from client to server. This intercepted information is then used by the adversary to impersonate the remote user/session. The third form is when the cookie's content is modified by the adversary before it is sent back to the server. Here the adversary seeks to convince the target server to operate on this falsified information.
CAPEC-39: Manipulating Opaque Client-based Data Tokens
In circumstances where an application holds important data client-side in tokens (cookies, URLs, data files, and so forth) that data can be manipulated. If client or server-side application components reinterpret that data as authentication tokens or data (such as store item pricing or wallet information) then even opaquely manipulating that data may bear fruit for an Attacker. In this pattern an attacker undermines the assumption that client side tokens have been adequately protected from tampering through use of encryption or obfuscation.