This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit

Difference between revisions of "Argument Injection or Modification"

Jump to: navigation, search
(Example 1)
(22 intermediate revisions by 4 users not shown)
Line 1: Line 1:
[[Web Parameter Tampering]]
[[Category:OWASP ASDR Project]]
[[ASDR Table of Contents]]__TOC__
Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''
Argument Injection or Modification is a type of Injection attack. Modifying or injecting data as an argument may lead to very similar, often the same, results as in other injection attacks. It makes no difference if the attacker wants to inject the system command into arguments or into any other part of the code.
==Risk Factors==
==Examples ==
===Example 1===
Knowing pseudo code of the application, the attacker may guess what action is required by the application to perform another one, for example, what must be done to authorize the attacker as the administrator.
Reading the code below the attacker doesn't know the values of $pass and $login. The question is - is there possiblity of altering value of $authorized not knowing previously mentioned variables?
if($pass = "XXX" and $login = "XXX") { $authorized = 1; }
if($authorized == 1) { admin_panel(); }
If server configuration allows for that, we may try to pass argument $authorized=1 as input data to application.
E.g. /index.php?user=&pass=&authorized=1
===Example 2===
If security mechanism doesn't protect data as it should, e.g. doesn't check the identity of the user and private data are displayed to him despite of fact they shouldn't, then such user may try to alter arguments and get access to data owned by a different user.
E.g. By entering address user is able to check one of his invoices. Modifying "invoice" argument, considering above assumptions, the attacker may try to access other user's invoices. Usefull to the attacker in this example would be performing a brute-force attack.
==Related [[Threat Agents]]==
* [[:Category:Command Execution]]
==Related [[Attacks]]==
* [[Command Injection]]
* [[Code Injection]]
* [[SQL Injection]]
* [[LDAP Injection]]
* [[SSI Injection]]
* [[XSS]]
==Related [[Vulnerabilities]]==
* [[:Category:Input Validation Vulnerability]]
==Related [[Controls]]==
* validation of the format / expected classes of charachetrs / input/output data size
[[Category: Injection]]

Latest revision as of 00:41, 23 January 2013

Web Parameter Tampering