A cut-and-paste attack is an assault on the integrity of a security system in which the attacker substitutes a section of ciphertext (encrypted text) with a different section that looks like (but is not the same as) the one removed. The substituted section appears to decrypt normally, along with the authentic sections, but results in plaintext (unencrypted text) that serves a particular purpose for the attacker. Essentially, the attacker cuts one or more sections from the ciphertext and reassembles these sections so that the decrypted data will result in coherent but invalid information. Cut-and-paste is a type of message modification attack: the attacker removes a message from network traffic, alters it, and reinserts it. This is called an active attack, because it involves an attempts to change information; in comparison, a passive attack, such as password sniffing, seeks information but does not itself modify the valid information, although it may be used in conjunction with an active form of attack for various purposes.
When the data modified in the attack involves critical enterprise or personal information, the cut-and-paste attack can pose a serious threat to security. A typical use for a cut-and-paste attack is the modification of information on a customer order form for the purchase of goods or services over the Web. The attacker modifies the form so that the victim's credit card number is sent to the vendor but other information - such as the attacker's chosen delivery address and the type or quantity of goods ordered - is "pasted" into the form which the customer's valid information has been "cut". The apparently unaltered form, assembled from a "cut-and-pasted" combination of valid and invalid data, is submitted to the vendor.