Testing web applications for security vulnerabilities is critical. Many application owners nevertheless skip security testing, leaving their sites open to attack.
One of the most common weaknesses is parameter tampering.
So what is a parameter tampering vulnerability?
Parameter tampering is the manipulation of parameters exchanged between client and server in order to alter application data such as user credentials, permissions, prices or product quantities. Any value the browser sends back can be altered, for example by:
- Editing parameters in the URL query string
- Intercepting and modifying requests with a proxy such as Burp Suite
- Placing an intercepting proxy between client and server (man in the middle)
- Using browser plugins or developer tools to view and edit hidden form data
In this video, we demonstrate a live example of a parameter tampering vulnerability in one of the largest online food delivery portals.
The video shows how easy it is for a malicious user to manipulate the order value by tampering with request parameters.
In the video, we place an order using a credit card.
In the payment window, we were able to change the parameter that holds the order value. The server accepted the modified value, so the vulnerability lets an attacker set the price charged while making payment.
What can a site do to prevent parameter tampering?
The following measures help limit this vulnerability:
- Treat every value received from the client as untrusted, including hidden form fields, cookies and URL parameters
- Validate the format of inputs the client legitimately controls, for example by requiring a quantity to match a regex such as ^[1-9][0-9]*$
- Re-derive sensitive values such as prices, totals and permissions on the server from its own records instead of reading them back from the request
- Avoid placing data in the form that the client has no reason to edit; keep it in a server-side session keyed by an unguessable identifier
- Serve the site over TLS so parameters cannot be altered in transit; this does not stop users from editing requests in their own browser or proxy, which is why the server-side checks above are the real control
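To make the vulnerability and the mitigations concrete, the following added example (not code from the video, the portal or Qualitrix; the catalog, prices, field names and request bodies are all constructed) shows a checkout handler that trusts a hidden price field beside one that validates the client-controlled fields and recomputes the total on the server:

```python
"""Parameter tampering on a checkout form: trusting the client's price
versus recomputing it on the server. Added illustration; the catalog,
form fields and tampered request below are constructed, not taken from
any real site."""
import re
from decimal import Decimal

# Constructed server-side catalog: the only authoritative source of prices.
CATALOG = {
    "PIZZA-42": Decimal("12.50"),
    "COLA-1": Decimal("2.00"),
}

QTY_RE = re.compile(r"^[1-9][0-9]{0,2}$")   # 1..999, digits only
ITEM_RE = re.compile(r"^[A-Z0-9-]{1,32}$")  # catalog identifiers only


def charge_vulnerable(form):
    """Trusts the hidden 'price' field the browser sent back.
    Anyone who edits the request body controls what is charged."""
    total = Decimal("0")
    for item in form["items"]:
        total += Decimal(item["price"]) * int(item["qty"])
    return total


def charge_hardened(form):
    """Ignores any client-supplied price; validates the fields the client
    legitimately controls (item id, quantity) and recomputes the total
    from CATALOG. Rejects anything that does not match the expected shape."""
    total = Decimal("0")
    for item in form["items"]:
        item_id = str(item.get("id", ""))
        qty = str(item.get("qty", ""))
        if not ITEM_RE.match(item_id) or not QTY_RE.match(qty):
            raise ValueError("invalid item or quantity")
        if item_id not in CATALOG:
            raise ValueError("unknown item")
        total += CATALOG[item_id] * int(qty)
    return total


# Constructed request as the browser originally submitted it.
HONEST_FORM = {"items": [{"id": "PIZZA-42", "qty": "2", "price": "12.50"},
                         {"id": "COLA-1", "qty": "1", "price": "2.00"}]}

# The same request after an intercepting proxy rewrote the hidden price field.
TAMPERED_FORM = {"items": [{"id": "PIZZA-42", "qty": "2", "price": "0.01"},
                           {"id": "COLA-1", "qty": "1", "price": "0.01"}]}

if __name__ == "__main__":
    print("vulnerable, honest  :", charge_vulnerable(HONEST_FORM))
    print("vulnerable, tampered:", charge_vulnerable(TAMPERED_FORM))
    print("hardened, tampered  :", charge_hardened(TAMPERED_FORM))
```

Note that the regex on the quantity field is only half of the fix: it keeps out negative or non-numeric quantities, but it would not have helped in the video, where the tampered value was the price itself. The price field is simply never read in the hardened handler; the total is rebuilt from server-side data, so whatever the client sends for it is irrelevant.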
Qualitrix's testing solution, powered by a managed crowd testing model, is designed to ensure that your web application is tested thoroughly from all angles so that its behaviour is predictable in the real world.
Read more about our web application testing solution.