
Parameter Tampering

What is Parameter Tampering?

Parameter tampering is a type of web-based cyberattack where the parameters exchanged between client and server are manipulated in order to modify application data. Application data such as user credentials, permissions, and prices and quantities of products are often stored in cookies, hidden form fields, or URL Query Strings to increase application control and functionality. Many programmers rely on hidden or fixed form fields as the only security measure for certain operations, making it easy for cyberattackers to modify those parameters to bypass related security mechanisms.

Parameter tampering can be employed by cyberattackers for the purpose of obtaining personal or business information about the user for their own benefit or to attack a third person through a man-in-the-middle (MITM) attack. The following are examples of parameter tampering:

Form fields. Form field parameter modification is a typical form of parameter tampering. With form fields, a user on an application page has form field values that they can select, such as a combo box or check box. When a user submits these values, they could be acquired and manipulated by a cyberattacker.

Hidden fields. Applications that use hidden fields to store state information, such as e-commerce sites that use hidden fields to refer to their items, can have those stored values tampered with in the browser. Consider that a hidden field may look something like this:

<input type="hidden" id="1010" name="cost" value="80.00">

With hidden field parameter tampering, a cyberattacker could manipulate the “value” information in order to reduce the cost of a particular item.

URLs. Cyberattackers can tamper with URL parameters directly in order to manipulate or remove information. Consider that a combo box in an application that allows a user to select their profile and debit the account might produce a URL that looks something like this:

http://www.yourownbank.com/default.asp?profile=852&debit=1500

If an attacker tampered with this URL, values could be changed to look like this:

http://www.yourownbank.com/default.asp?profile=250&debit=2500

Beyond value manipulations, cyberattackers can manipulate attribute parameters such as status variables, allowing a page to be deleted from the server. Consider the following example:

http://www.yourownbank.com/savepage.asp?nr=450&status=read

can be changed to this in order to delete the page from the server:

http://www.yourownbank.com/savepage.asp?nr=450&status=del

Parameter tampering can be prevented through:

Access control checks. Applications should perform access control checks to ensure that objects or services are being requested by authorized users. This can be achieved by using instance-based security features that specify access control lists applicable to domain objects, by storing data values in the session at render time and checking the received values against the stored values at submission time, and by checking the database to ensure that the data sent by the user is authentic.

Input validation. Server-side validation of user input can help to detect instances of interference, hidden data, or unwanted data.
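The following is an added example, not code from the original article, showing the three examples above (the hidden cost field, the profile/debit URL, and the status parameter) handled first by handlers that trust the client and then by handlers that apply the access control and input validation checks just described. The product catalog, account ownership table, request object and session are constructed in-memory stand-ins for whatever the real application uses; the function names are assumptions for the example.

```python
"""Parameter tampering: vulnerable handlers beside hardened ones (added example).

The catalog, account table, Request class and session dict below are constructed
stand-ins, not part of any real framework.
"""
from dataclasses import dataclass, field

# Constructed server-side data: the authoritative price list and account ownership.
CATALOG = {"1010": 80.00}                       # item id -> price the server charges
ACCOUNT_OWNER = {"852": "alice", "250": "bob"}   # profile id -> owning user
ALLOWED_STATUS = {"read", "unread"}             # "del" is never a client-selectable value


@dataclass
class Request:
    """Minimal stand-in for an HTTP request: query/form parameters plus the session."""
    params: dict
    session: dict = field(default_factory=dict)


def render_checkout(req: Request, item_id: str) -> str:
    """Render time: record the authoritative price in the server-side session so the
    submitted hidden field can be compared against it later."""
    price = CATALOG[item_id]
    req.session.setdefault("rendered_cost", {})[item_id] = price
    return f'<input type="hidden" id="{item_id}" name="cost" value="{price:.2f}">'


def checkout_vulnerable(req: Request) -> float:
    """Charges whatever the hidden 'cost' field says; editing the field changes the price."""
    return float(req.params["cost"])


def checkout_hardened(req: Request) -> float:
    """Submission time: compare the received value with the one stored at render time
    and charge the server-side value, never the client's."""
    item_id = req.params.get("id")
    stored = req.session.get("rendered_cost", {}).get(item_id)
    if stored is None:
        raise ValueError("no rendered price for this item in the session")
    if float(req.params.get("cost", "nan")) != stored:
        raise ValueError("hidden cost field does not match the server-side value")
    return stored


def debit_vulnerable(req: Request) -> tuple:
    """Debits whichever profile the URL names, with no ownership check."""
    return req.params["profile"], float(req.params["debit"])


def debit_hardened(req: Request) -> tuple:
    """Access control check: the profile in the URL must belong to the logged-in user."""
    user = req.session.get("user")
    profile = req.params.get("profile")
    if user is None or ACCOUNT_OWNER.get(profile) != user:
        raise PermissionError("profile does not belong to the authenticated user")
    amount = float(req.params.get("debit", "0"))
    if amount <= 0:
        raise ValueError("debit must be positive")
    return profile, amount


def save_page_hardened(req: Request) -> str:
    """Input validation: 'status' is checked against an allowlist, so 'del' is rejected."""
    status = req.params.get("status")
    if status not in ALLOWED_STATUS:
        raise ValueError(f"invalid status {status!r}")
    return status


def rejects(handler, req: Request) -> bool:
    """True if the handler refuses the request; used for the demo below and for tests."""
    try:
        handler(req)
    except (ValueError, PermissionError):
        return True
    return False


if __name__ == "__main__":
    session = {"user": "alice"}
    honest = Request({"id": "1010", "cost": "80.00"}, session)
    render_checkout(honest, "1010")
    # Constructed tampered submission: the hidden field was edited from 80.00 to 1.00.
    tampered = Request({"id": "1010", "cost": "1.00"}, session)
    print("vulnerable charges:", checkout_vulnerable(tampered))   # 1.0
    print("hardened rejects tampered field:", rejects(checkout_hardened, tampered))
    print("hardened charges honest submission:", checkout_hardened(honest))
    other_account = Request({"profile": "250", "debit": "2500"}, session)
    print("hardened rejects foreign profile:", rejects(debit_hardened, other_account))
    print("hardened rejects status=del:",
          rejects(save_page_hardened, Request({"nr": "450", "status": "del"})))
```

The hardened checkout never reads the client's price into the charge; the submitted field is only compared with the session copy so that a mismatch can be rejected (and, in a real deployment, logged as a tampering signal). The debit handler ties the URL's profile id to the authenticated session instead of trusting the parameter, and the status handler accepts only values the page could legitimately have offered.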