Parameter Tampering

Overview

In parameter tampering attacks the attacker modifies data used by the website in the hope of affecting the operation of the site. If successful, the attacker may be able to increase access levels, buy products at a discount, etc.

What makes a site vulnerable?

A site is vulnerable to parameter tampering if it relies on data which has been placed under the control of the user's browser. Examples of such data are hidden HTML fields, URL parameters, cookie values, etc. The site may have generated these values and may expect them to come back in their original form. However, this is not necessarily going to be the case, as an attacker can easily modify any of this data (even though it may not be immediately modifiable by a standard user).

Impact of the attack

The impact of the attack will depend on what the data is used for. The site may use such 'hidden' data to determine user access levels, product prices, etc. By being able to modify these, the attacker may be able to increase their access rights, buy products at a discount, and so on.

Preventing the attack

Parameter tampering results from the design of the website rather than from the language in which it is written (be that PHP, Perl, Python or something else). As a result, only a redesign of the application can prevent the values of the parameters from being tampered with. Parameters that could be stored on the server should never pass through the user's browser. For instance, rather than passing information between pages using hidden HTML fields, it could be stored in session variables. These session variables do not leave the server and will therefore not be vulnerable in the same way to modification by attackers.

Where it is necessary for the parameters to be stored on the user's client, the design of the application must assume the worst. Specifically, it should operate correctly in the face of user modification of each and every parameter stored on the client. This means that the only parameters which should ever be stored on the user's client are ones which the user is allowed to fully modify (e.g. style preferences) or ones which are of no consequence should they be modified (again, style preferences spring to mind).
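The following is an added example, not code from the original article: a checkout handler that trusts a hidden "price" field, beside a hardened one that derives the price from server-side data and uses the client-supplied value only as a tamper indicator for logging, plus the session-variable approach described above. The catalogue, session store and request forms are constructed for the example.

```python
# Added example (not from the original article): a checkout handler that trusts a
# hidden "price" field, beside one that derives the price on the server and only
# uses the client-supplied value as a tamper indicator for logging.
from decimal import Decimal, InvalidOperation

# Constructed server-side catalogue: the authoritative source of prices.
CATALOGUE = {"book-101": Decimal("29.99"), "mug-7": Decimal("9.50")}

def vulnerable_total(form):
    """Trusts the hidden 'price' field, so editing the form changes the charge."""
    return Decimal(form["price"]) * int(form["qty"])

def hardened_total(form):
    """Uses product_id only as a key into server-side data; the price is never read
    from the client. Quantity is client-controlled, so it is validated, not trusted."""
    product_id = form.get("product_id")
    if product_id not in CATALOGUE:
        raise ValueError("unknown product")
    try:
        qty = int(form.get("qty", ""))
    except ValueError:
        raise ValueError("quantity is not an integer")
    if not 1 <= qty <= 100:
        raise ValueError("quantity out of range")
    return CATALOGUE[product_id] * qty

def price_tampered(form):
    """Detection aid: True when a submitted price disagrees with the catalogue,
    which is worth logging even though the value is ignored for billing."""
    product_id = form.get("product_id")
    if product_id not in CATALOGUE or "price" not in form:
        return False
    try:
        return Decimal(form["price"]) != CATALOGUE[product_id]
    except InvalidOperation:
        return True

# Session-variable alternative: the chosen product lives in server-side state keyed
# by an opaque session id, so the confirmation form need not carry it at all.
SESSIONS = {}

def start_checkout(session_id, product_id, qty):
    SESSIONS[session_id] = {"product_id": product_id, "qty": qty}

def confirm_checkout(session_id):
    state = SESSIONS[session_id]
    return hardened_total({"product_id": state["product_id"], "qty": str(state["qty"])})

# Constructed requests: an honest submission and one with the hidden field edited.
HONEST = {"product_id": "book-101", "qty": "2", "price": "29.99"}
TAMPERED = {"product_id": "book-101", "qty": "2", "price": "0.01"}
```

With the tampered form, vulnerable_total charges 0.02 while hardened_total still charges 59.98 and price_tampered flags the request for logging.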