CWE-642: External Control of Critical State Data

Overview

This guidance helps you interpret and remediate findings from DAST (Dynamic Application Security Testing) tools. The scanner detected that application state or security-critical decisions are controlled by client-supplied parameters. Evidence includes successful privilege escalation by modifying parameters such as ?role=admin, price manipulation via ?price=0.01, or access control bypass via ?is_authenticated=true. The server's responses show that it accepted these client-provided values as authoritative state without validating or recomputing them.

Analyzing the Dynamic Scan Result

What the DAST Scanner Found

DAST findings for CWE-642 typically indicate that client-supplied data was trusted as authoritative state at runtime, such as:

  • Authorization or role decisions derived from request data
  • Pricing, quantity, or account identifiers accepted from the client
  • Session or permission state influenced by hidden fields, cookies, or request bodies

Evidence is based on observed runtime behavior, not on specific request parameters or payload syntax.

Mapping DAST Findings to Source Code

CWE-642 does not map to a single vulnerable endpoint or parameter. The issue resides in how the application defines and enforces ownership of critical state.

When tracing this issue in code, review:

  • Business logic that trusts client-provided identifiers or flags
  • Authorization decisions based on request data
  • State transitions derived from hidden fields, cookies, or request bodies
  • Server logic that fails to recompute or validate security-sensitive state

Remediation

Core Principle: Never allow client-supplied data to define or modify critical application state; all security-sensitive state must be derived and enforced exclusively by the server.
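The following is an added illustration of this principle and is not code from the page's scanner or any particular application. It contrasts a checkout handler that trusts client-sent price and role fields (the pattern a DAST scanner reports under CWE-642) with one that derives both from server-side state; the catalog, session store and Request type are constructed for the example.

```python
from dataclasses import dataclass

# Server-side sources of truth (constructed sample data for this example).
CATALOG = {"sku-100": 1999}                                  # price in cents
SESSIONS = {"sess-abc": {"user_id": 7, "role": "customer"}}  # server session store


@dataclass
class Request:
    """Minimal stand-in for a framework request object (hypothetical)."""
    cookies: dict
    form: dict


def checkout_vulnerable(req: Request) -> dict:
    """Trusts client-supplied 'price' and 'role': the state a client can rewrite."""
    role = req.form.get("role", "customer")
    price = int(req.form["price"])
    qty = int(req.form["qty"])
    return {"charged": price * qty, "admin": role == "admin"}


def checkout_hardened(req: Request) -> dict:
    """Derives every security-relevant value from server-side state only."""
    session = SESSIONS.get(req.cookies.get("session_id"))
    if session is None:
        raise PermissionError("not authenticated")
    sku = req.form.get("sku")
    if sku not in CATALOG:
        raise ValueError("unknown sku")
    qty = int(req.form.get("qty", "0"))
    if not 1 <= qty <= 100:
        raise ValueError("quantity out of range")
    # Price comes from the catalog and role from the session; a client-sent
    # 'price' or 'role' field is never read, so tampering with it has no effect.
    total = CATALOG[sku] * qty
    return {"charged": total, "admin": session["role"] == "admin"}
```

The hardened handler still accepts the SKU and quantity from the client, but these only select and size the order; the values that decide money and privilege are recomputed on the server on every request.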

Verification and Follow-Up Testing

After applying the fix:

1. Verify State Ownership

  • Confirm critical state is computed and enforced server-side
  • Ensure client input cannot directly modify roles, permissions, prices, or identities

2. Test Edge Cases

  • Alternate workflows and business logic paths
  • Multi-step flows (checkout, profile updates, role changes)
  • Error handling and fallback behavior

Re-run DAST Scanner

Re-run the dynamic scanner to confirm client-controlled state manipulation is no longer observed.

Additional Resources