SiteShadow
Back to vulnerability library
Detected byCWE-aware static analysisPro

CWE-642 External Control of Critical State Data

Coverage: 5 rules in the SiteShadow rule registry target this CWE (registry v2.0.0). Regex 5 Also: Taint and heuristic analyzers may also detect related flows (see coverage for the authoritative list) Registry tagging shows intent, for sample-level behaviour and benchmarked gaps see known gaps.

What this means

SiteShadow flagged critical state being controlled by external input (request params/body/cookies) without strong verification. "Critical state" includes role, account ID, price, workflow state, or security flags.

Why it matters

External control of state can bypass security logic.

Safer examples

1) Keep critical state server-side

Look up roles, permissions, pricing, and workflow state from the server/database.

2) Use signed tokens where appropriate

If state must be carried in a token, sign it and validate signature + claims (see JWT01 / CWE-347).

3) Enforce allowed state transitions

Validate transitions server-side and reject invalid transitions (see B01 / A11).

How SiteShadow detects it (high level)

References

---

← Back to Vulnerability Library

Catch this with SiteShadow Pro.

This vulnerability class is detected by SiteShadow's Pro-tier engines, two-pass interprocedural taint analysis, heuristic flow checks, AI-context scanning, and cross-file detection. The free tier catches OWASP Top 10 single-file patterns; Pro adds the data-flow depth that finds this class of bug.