Web Parameter Tampering (OWASP wiki)
Revision by Weilin Zhong
Revision as of 13:21, 17 August 2007
Description
The Web Parameter Tampering attack is based on the manipulation of parameters exchanged between client and server in order to modify application data, such as user credentials and permissions, price and quantity of products, etc. Usually this information is stored in cookies, hidden form fields or URL query strings, and is used to increase application functionality and control.
This attack can be performed by a malicious user who wants to exploit the application on their own behalf, or by an attacker who wishes to attack a third party using a Man-in-the-Middle attack. In both cases, tools like WebScarab and Paros Proxy are commonly used.
The success of the attack depends on errors in the integrity and logic validation mechanisms, and its exploitation can lead to other consequences including XSS, SQL Injection, file inclusion and path disclosure attacks.
Examples
Example 1
Modification of form field parameters can be considered a typical example of a Web Parameter Tampering attack.
For example, consider a page on which the user selects form field values (combo box, check box, etc.). When these values are submitted by the user, they can be intercepted and arbitrarily manipulated by an attacker.
Example 2
When a web application uses hidden fields to store status information, a malicious user can tamper with the values stored in their browser and change the referenced information. For example, an e-commerce shopping site uses hidden fields to reference its items, as follows:
<input type="hidden" id="1008" name="cost" value="70.00">
In this example, an attacker can modify the "value" attribute of a specific item, thus lowering its cost.
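The countermeasure for this example is to treat the hidden field as untrusted input. The following is an added example, not code from the OWASP page: it contrasts a handler that trusts the client-supplied cost with one that re-derives the price server-side, and shows an HMAC tag for hidden-field state that genuinely must round-trip through the client. It assumes the form also submits an "item" field with the item id; the catalogue, prices and key are constructed.

```python
# Added example, not from the OWASP page: server-side handling of the hidden
# "cost" field from Example 2. The form is assumed to also submit an "item"
# field carrying the item id; catalogue, prices and key are constructed.
import hashlib
import hmac
from typing import Optional
from urllib.parse import parse_qs

CATALOG = {"1008": "70.00"}            # constructed: the only trusted price source
SECRET_KEY = b"constructed-demo-key"   # constructed: load from a secret store in practice


def vulnerable_total(form_body: str) -> str:
    """Trusts the client-supplied hidden 'cost' field, so a tampered value wins."""
    fields = parse_qs(form_body)
    return fields["cost"][0]


def hardened_total(form_body: str) -> str:
    """Ignores the client's 'cost' and re-derives the price from the item id."""
    fields = parse_qs(form_body)
    item_id = fields.get("item", [""])[0]
    if item_id not in CATALOG:
        raise ValueError("unknown item")
    return CATALOG[item_id]


def sign_hidden_value(value: str) -> str:
    """For state that must round-trip via a hidden field: bind it to an HMAC tag."""
    tag = hmac.new(SECRET_KEY, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}|{tag}"


def verify_hidden_value(signed: str) -> Optional[str]:
    """Returns the value if its tag verifies, None if the field was tampered with."""
    value, _, tag = signed.rpartition("|")
    expected = hmac.new(SECRET_KEY, value.encode(), hashlib.sha256).hexdigest()
    return value if hmac.compare_digest(tag, expected) else None


if __name__ == "__main__":
    tampered = "item=1008&cost=1.00"   # constructed request with a lowered cost
    print(vulnerable_total(tampered), hardened_total(tampered))   # 1.00 70.00
```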
Example 3
An attacker can tamper with URL parameters directly. For example, consider a web application that permits a user to select their profile from a combo box and debit the account:
http://www.attackbank.com/default.asp?profile=741&debit=1000
In this case, an attacker could tamper with that URL, using other values for profile and debit:
http://www.attackbank.com/default.asp?profile=852&debit=2000
Other parameters can be changed, including attribute parameters. In the following example, it is possible to tamper with the status variable and delete a page from the server:
http://www.attackbank.com/savepage.asp?nr=147&status=read
Modifying the status variable to delete the page:
http://www.attackbank.com/savepage.asp?nr=147&status=del
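Both URLs in this example are defeated by the same server-side discipline: check that the referenced object belongs to the authenticated session, and check the parameter value against an allow-list and the user's rights rather than passing it through. The following is an added example, not code from the OWASP page; the session user, profile ownership table, permissions and debit limit are constructed.

```python
# Added example, not from the OWASP page: server-side checks for the URL
# parameters in Example 3 (default.asp and savepage.asp). The session user,
# profile ownership table, permissions and the debit limit are constructed.
from decimal import Decimal, InvalidOperation
from typing import Dict, Optional
from urllib.parse import parse_qs, urlparse

PROFILE_OWNER = {"741": "alice", "852": "bob"}                  # constructed ownership
PAGE_PERMISSIONS = {"alice": {"read"}, "bob": {"read", "del"}}  # constructed rights
ALLOWED_STATUS = {"read", "del"}                                # allow-list of values
DEBIT_LIMIT = Decimal("1500")                                   # constructed cap


def _query(url: str) -> Dict[str, str]:
    """Single-valued query dict; repeated keys are rejected rather than guessed at."""
    qs = parse_qs(urlparse(url).query)
    if any(len(v) != 1 for v in qs.values()):
        raise ValueError("duplicate parameter")
    return {k: v[0] for k, v in qs.items()}


def handle_debit(url: str, session_user: str) -> Optional[Decimal]:
    """default.asp: 'profile' must be owned by the session user, not merely exist,
    and 'debit' must be a finite positive amount within the limit. None = reject."""
    q = _query(url)
    if PROFILE_OWNER.get(q.get("profile", "")) != session_user:
        return None   # authorization failure: log it, reveal nothing to the client
    try:
        amount = Decimal(q.get("debit", ""))
    except InvalidOperation:
        return None
    if not amount.is_finite() or amount <= 0 or amount > DEBIT_LIMIT:
        return None
    return amount


def handle_savepage(url: str, session_user: str) -> Optional[str]:
    """savepage.asp: 'status' is validated against the allow-list and then
    authorized against the user's rights, so 'del' is not reachable by renaming."""
    q = _query(url)
    status = q.get("status", "")
    if status not in ALLOWED_STATUS:
        return None   # unknown value: reject, never pass it through to the server
    if status not in PAGE_PERMISSIONS.get(session_user, set()):
        return None   # known value, but this user lacks the right
    return status
```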
External References
http://cwe.mitre.org/data/definitions/472.html - Web Parameter Tampering (CWE-472)
http://www.imperva.com/application_defense_center/glossary/parameter_tampering.html - Parameter Tampering (Imperva Application Defense Center)
http://www.cgisecurity.com/owasp/html/ch11s04.html - Parameter Manipulation (Chapter 11: Preventing Common Problems)
Related Threats
Category: Authorization
Category: Client-side Attacks
Category: Logical Attacks
Related Attacks
SQL Injection
XSS Attacks
Path Traversal
Related Vulnerabilities
Category: Input Validation Vulnerability
Related Countermeasures
Category: Input Validation Vulnerability
Categories
Category: Resource Manipulation
Category: Injection