Testing web applications for security vulnerabilities is critical. However, many web applications owners overlook to test website security leaving it vulnerable to malicious attacks.
One of the most common threats comes from web parameter tampering vulnerabilities.
What is Parameter Tampering Vulnerability?
The Parameter Tampering Vulnerability is a web-based attack intended as a business security threat that involves another party’s unauthorized manipulation and tampering with the website’s URL, web-page form or other parameters. It is manipulating the parameters exchanged between client and server in order to modify the application data such as user credentials, permissions, price, the quantity of products, etc.
There are various instances of malicious attacks by users who aim to exploit an application and its related data. This method of web tampering is done either for personal or a third-party’s benefits, with the intention to retrieve data that is otherwise not accessible to anyone visiting the website or application.
It can be done by:
- Manipulating the parameter in the query string
- Intercepting data through Burp suite
- Attacking the proxies (Man in the middle)
- Using plugins to view data
In this video, we demonstrate a live example of parameter tampering vulnerability in one of the largest online food delivery portals.
The video shows how easy it can be for a malicious user or hacker to manipulate the order value by tempering with the parameters.
In the video, we place an order using a credit card.
In the payment window, we were able to change the parameter that holds the order value. In this case, the vulnerability allows the hacker to change the product price while making payment.
How to prevent parameter tampering?
The following steps can help limit this vulnerability:
- The forms on the site should have some built-in protection
- Using regex to limit or validate data
- Server-side validation compared with all inputs
- Avoid unwanted or hidden data
- Don’t allow interception
Qualitrix web security testing solution powered by managed crowd testing model is designed to ensure that your web application gets tested thoroughly from all angles so that its behavior is completely predictable in the real world.
Read more about our web application testing solution.