Parameter tampering is a simple attack targeting the application business logic. This attack takes advantage of the fact that many programmers rely on hidden or fixed fields (such as a hidden tag in a form or a parameter in a URL) as the only security measure for certain operations. Attackers can easily modify these parameters to bypass the security mechanisms that rely on them.
The basic role of Web servers is to serve files. During a Web session, parameters are exchanged between the Web browser and the Web application in order to maintain information about the client’s session, eliminating the need to maintain a complex database on the server side. Parameters are passed through the use of URL query strings, form fields and cookies.
A classic example of parameter tampering is changing parameters in form fields. When a user makes selections on an HTML page, they are usually stored as form field values and sent to the Web application as an HTTP request. These values can be pre-selected (combo box, check box, radio button, etc.), free text or hidden. All of these values can be manipulated by an attacker. In most cases this is as simple as saving the page, editing the HTML and reloading the page in the Web browser.
Hidden fields are parameters invisible to the end user, normally used to provide status information to the Web application. For example, consider a products order form that includes the following hidden field:
<input type=”hidden” name=”price” value=”59.90″>
Modifying this hidden field value will cause the Web application to charge according to the new amount.
Combo boxes, check boxes and radio buttons are examples of pre-selected parameters used to transfer information between different pages, while allowing the user to select one of several predefined values. In a parameter tampering attack, an attacker may manipulate these values. For example, consider a form that includes the following combo box:
<FORM METHOD=POST ACTION=”xferMoney.asp”>
Source Account: <SELECT NAME=”SrcAcc”>
<BR>Amount: <INPUT NAME=”Amount” SIZE=20>
<BR>Destination Account: <INPUT NAME=”DestAcc” SIZE=40>
<BR><INPUT TYPE=SUBMIT> <INPUT TYPE=RESET>
An attacker may bypass the need to choose between only two accounts by adding another account into the HTML page source code. The new combo box is displayed in the Web browser and the attacker can choose the new account.
HTML forms submit their results using one of two methods: GET or POST. If the method is GET, all form parameters and their values will appear in the query string of the next URL the user sees. An attacker may tamper with this query string. For example, consider a Web page that allows an authenticated user to select one of his/her accounts from a combo box and debit the account with a fixed unit amount. When the submit button is pressed in the Web browser, the following URL is requested:
An attacker may change the URL parameters (accountnumber and debitamount) in order to debit another account:
There are other URL parameters that an attacker can modify, including attribute parameters and internal modules. Attribute parameters are unique parameters that characterize the behavior of the uploading page. For example, consider a content-sharing Web application that enables the content creator to modify content, while other users can only view content. The Web server checks whether the user that is accessing an entry is the author or not (usually by cookie). An ordinary user will request the following link:
An attacker can modify the mode parameter to readwrite in order to gain authoring permissions for the content.