Parameter tampering
Parameter tampering
(also query string manipulation, form field manipulation, cookie poisoning)
Parameter tampering definition
Parameter tampering, query string manipulation, form field manipulation, or cookie poisoning is a cyber threat where an attacker manipulates the parameters exchanged between the client and server to alter application data. For example, this could involve manipulating user credentials, permissions, price values, and quantities. Cybercriminals often take advantage of insufficient input validation, so this technique allows them to exploit the application in ways not originally intended.
See also: man-in-the-middle attack, session hijacking, XSS
Parameter tampering examples
- E-commerce fraud: In a scenario where an attacker alters the price or quantity of items in a shopping cart, leading to substantial financial losses for the e-commerce business.
- Identity theft: Attackers could manipulate user ID values within the browser, thereby gaining unauthorized access to other users’ accounts.
Advantages and disadvantages of parameter tampering
Pros:
- From an attacker’s perspective, parameter tampering is an uncomplicated yet effective method to exploit vulnerabilities in web applications and perform unauthorized actions.
Cons:
- From the application’s viewpoint, parameter tampering can lead to significant data exposure, unauthorized access, or severe loss if not appropriately mitigated.
Mitigating parameter tampering
- Implement strong input validation: It’s crucial to validate all user-supplied data, preferably on the server side, to prevent tampering.
- Adopt encrypted session tokens: Using encrypted session tokens to manage user sessions can be more secure than relying on easily manipulated parameters.