What is parameter tampering?
A parameter tampering attack targets a web application's business logic. It is employed by malicious users looking to exploit the application for their own benefit. Some attackers also use parameter tampering to launch a man-in-the-middle (MitM) attack.
Since the attack is based on manipulating the parameters exchanged between a client and server, it enables bad actors to modify application data, including user credentials, user permissions and even the number, quantity or price of products listed on a website.
This data, stored in URL query strings, hidden form fields, Hypertext Transfer Protocol (HTTP) headers or cookies, is required to expand a web application's control and functionality. However, through parameter tampering, a bad actor such as an identity thief can manipulate this data to surreptitiously obtain personal or business information about the user.
The impact of parameter tampering
The impact of parameter tampering depends on the type of parameter being manipulated. Four such parameters and their impact are explained below.
Impact of manipulating URL query strings
Query strings are typically used in web applications to pass data from the client to the server through parameters, add data calls to a hyperlink and display that information on the linked page. Attackers may tamper with the URL query string to perform malicious actions, such as stealing data. By manipulating query strings, they can access information from a database, understand the architecture of a web application or even execute commands on the web server.
Impact of manipulating HTTP POST data
Since query strings are fairly simple, many web applications use the POST method to pass data between pages. POST data is not displayed by browsers, so it is considered a safe way to retrieve information. However, attackers can still modify the data to gain access to sensitive information.
Impact of manipulating HTTP headers
Headers are commonly used by HTTP requests and responses to deliver information about the HTTP message. A referer header is included in the HTTP request header. It contains the URL of the webpage from which the request originated and enables websites to identify the location of visitors. This data can be used to optimize caching and for analytics and logging.
Attackers can modify the referer header to make it look like it came from the original site. By submitting a malicious string, they can construct arbitrary HTTP responses and launch many kinds of attacks, including cross-user defacement or web and browser cache poisoning. They may also hijack pages or initiate cross-site scripting attacks.
Impact of manipulating website cookies
A website cookie is a small piece of information stored in the web browser. The web server creates cookies to store user preferences and other data, such as timestamps and session tokens.
An attacker can modify or poison a cookie to bypass authentication in order to access a user's account and view, manipulate or exfiltrate sensitive data.
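One way a server can detect a modified cookie is to attach an HMAC tag computed with a secret only the server holds, and to reject any cookie whose tag does not verify. The following is an added example, not code from the original article; `SECRET_KEY`, `sign_cookie`, `verify_cookie` and the sample cookie value are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import secrets

# Assumption: a random secret that only the server holds (never sent to clients).
SECRET_KEY = secrets.token_bytes(32)


def _b64(data: bytes) -> str:
    """URL-safe base64 without padding, so the value is cookie-friendly."""
    return base64.urlsafe_b64encode(data).decode("ascii").rstrip("=")


def _tag(payload: str, key: bytes) -> str:
    """HMAC-SHA256 over the encoded payload, keyed by the server secret."""
    return _b64(hmac.new(key, payload.encode("utf-8"), hashlib.sha256).digest())


def sign_cookie(value: str, key: bytes = SECRET_KEY) -> str:
    """Return 'payload.tag' for the server to set as the cookie value."""
    payload = _b64(value.encode("utf-8"))
    return f"{payload}.{_tag(payload, key)}"


def verify_cookie(cookie: str, key: bytes = SECRET_KEY):
    """Return the original value, or None if the cookie is malformed or altered."""
    payload, sep, tag = cookie.partition(".")
    if not sep or not payload or not tag:
        return None
    # Constant-time comparison: do not leak how much of the tag matched.
    if not hmac.compare_digest(_tag(payload, key).encode(), tag.encode("utf-8")):
        return None
    try:
        padded = payload + "=" * (-len(payload) % 4)
        return base64.urlsafe_b64decode(padded).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None


if __name__ == "__main__":
    # Constructed sample: a cookie carrying a user id and a role.
    issued = sign_cookie("uid=1001;role=user")
    edited = _b64(b"uid=1001;role=admin") + "." + issued.split(".", 1)[1]
    print(verify_cookie(issued))   # accepted: tag matches payload
    print(verify_cookie(edited))   # rejected: payload changed, tag did not
```

The tag provides integrity only: the value is still readable by the client, so secrets do not belong in it. Values the server already knows, such as a product price, are better looked up server-side than trusted from any client-supplied parameter.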