Parameter Tampering — What is it ?

Hello Readers!! My self Prem Patel.

On the regular basis I return across therefore many bugs in particular web site. For this specific bug, I was looking out on google for one product and I found this website where I can attempt parameter changing bug by doing value manipulation. So, perform this on that web site however before it let’s walk through the basics of Parameter Tempering.

Basics of Parameter Tampering

The Web Parameter Tampering attack relies on the manipulation of parameters exchanged between client and server in order to switch application data, like user credentials and permissions, worth and quantity of merchandise, etc. Usually, this information is stored in cookies, hidden form fields, or URL Query Strings, and is employed to extend application functionality and management.

This attack will be performed by a malicious user who needs to take advantage of the application for his or her own benefit, or an attacker who wishes to attack a 3rd-person using a Man-in-the-middle attack.

The attack success depends on integrity and logic validation mechanism errors, and its exploitation will end in other consequences together with XSS, SQL Injection, file inclusion, and path disclosure attacks.

Now let’s do practice on a eCommerce web-application.

To start with, we are going to manipulate price of a one product. So, the first step is we have to add one item where we want to perform parameter tampering.

To change the price I have to first start intercept on before add item to the cart. And then we can able to see that one requesting is come up with actual price of the product as seen in below image.

Whenever we find a request with a same price we have to change it with our price and forward the request.

At some point of time you will able to find price has change to our price and it will show in the cart section.

After passing too many request you will able to find a payment getway page where QR code shown for confirm your order.

If you are able to see the price you have changed in request in QR code than boom! we have manipulate the price of the product. As Iwas able to do it in this website.

So, from the above example hope you can understand how risky is to remain some bug like this. It has several impacts.

I have also add information on how to prevent it. Let’s look at through it.

How to Prevent Parameter Tampering

There are several strategies that developers and administrators can implement to prevent parameter tampering.

These strategies range from proper input validation to the implementation of security measures like web application firewalls. Let’s explore the best practices for preventing parameter tampering.

Input Validation

Robust server-side input validation is essential for preventing parameter tampering. Applications can defend against malicious tampering attempts when all input meets strict criteria before its processed.

Input validation involves checking that the data submitted by the user conforms to expected patterns, such as alphanumeric strings for usernames. Any input that does not meet these criteria should be rejected outright.

Using HTTP POST

While GET requests are convenient for simple data retrieval, they are also more susceptible to tampering due to their visible nature in the URL. Using HTTP POST requests for any action that involves data changes can add an extra layer of security, as the parameters are not displayed in the URL.

POST requests encapsulate the data within the body of the request, making it less accessible to would-be attackers. This is particularly important for forms that handle sensitive information or perform critical operations.

Implementing a WAF

A web application firewall acts as a gatekeeper between the user and the application, inspecting incoming traffic for malicious activity. A well-configured WAF can detect and block parameter tampering attempts, providing a strong barrier against this type of attack.

By filtering out requests that contain suspicious parameter manipulations, WAFs play a crucial role in the defense strategy of any web application.