Parameter tampering can occur when a web application transmits important data to the client and expects the same value to be returned on the next request. This is called round-tripping. It is usually done as a convenience to the developer, because maintaining these values in a server-side session is considered too difficult. The risk round-tripping incurs is manipulation on the client: these values are often stored in cookies, hidden form fields, or URL parameters, all of which an attacker can easily modify. If the server code does not validate the information it receives back from the client, unexpected behaviour may result.
Impact
The impact of Parameter Tampering attacks can be significant if sensitive information sent to the client is manipulated without the server software being aware of the change. For example, if an attacker manipulates the cost of a piece of merchandise listed on a web page so that it is cheaper than what was originally sent to the client, the shop loses money.
Testing for Parameter Tampering
Testing for Parameter Tampering can have both blackbox testing and whitebox unit testing components. In the blackbox testing environment it is important to recognize parameters that are round-tripped from server to client and back to server without change. Once recognized, the tester/attacker can attempt to manipulate each round-tripped parameter to see how the server responds. In the whitebox unit test case, it is a matter of generating requests to the server code to determine whether validation occurs; this can be done with test code that sends known-modified data and expects an error HTTP response code, confirming that the server recognized the manipulation.
Examples
In the example below, a web application has used a hidden form field to store the price of an item. Although hidden form fields are not displayed in the browser, they are easily discovered by viewing the page source.
<input type="hidden" name="some_price" value="33.98">
Fixes for Java
Implement server-side checks that restrict the current user to view only authorized records and/or data. Do not rely on user-supplied input or client-side cookies to retrieve information from back-end data stores without first performing appropriate validation and authorization checks.
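The following is an added example (not code from the original page) showing the hidden-field price from the example above handled two ways: a vulnerable handler that trusts the round-tripped some_price field, and a hardened handler that accepts only an item identifier, looks the price up server-side, and range-checks the quantity. The request is modelled as a plain parameter map and the catalog is constructed sample data, so it runs without a servlet container; the sku and quantity parameter names are assumptions.

```java
import java.math.BigDecimal;
import java.util.Map;

public class CheckoutHandler {

    // Server-side source of truth for prices (constructed sample data).
    private static final Map<String, BigDecimal> CATALOG = Map.of(
        "sku-1001", new BigDecimal("33.98"),
        "sku-1002", new BigDecimal("120.00"));

    // Vulnerable: the total is computed from the round-tripped hidden field,
    // so whatever price the client sends back is what gets charged.
    static BigDecimal totalVulnerable(Map<String, String> params) {
        BigDecimal price = new BigDecimal(params.get("some_price"));
        int qty = Integer.parseInt(params.get("quantity"));
        return price.multiply(BigDecimal.valueOf(qty));
    }

    // Hardened: the client supplies only an identifier; the price comes from
    // the server-side catalog and the quantity is parsed and range-checked.
    static BigDecimal totalHardened(Map<String, String> params) {
        String sku = params.get("sku");
        BigDecimal price = CATALOG.get(sku);
        if (price == null) {
            throw new IllegalArgumentException("unknown item: " + sku);
        }
        int qty;
        try {
            qty = Integer.parseInt(params.getOrDefault("quantity", ""));
        } catch (NumberFormatException e) {
            throw new IllegalArgumentException("quantity is not an integer");
        }
        if (qty < 1 || qty > 100) {
            throw new IllegalArgumentException("quantity out of range: " + qty);
        }
        // A client-supplied price is never read. Its presence is still worth
        // logging, because a field the server no longer emits signals tampering.
        if (params.containsKey("some_price")) {
            System.err.println("WARN: client submitted a price for " + sku);
        }
        return price.multiply(BigDecimal.valueOf(qty));
    }

    public static void main(String[] args) {
        // Constructed tampered request: the hidden field was edited to 0.01.
        Map<String, String> tampered = Map.of(
            "sku", "sku-1001", "some_price", "0.01", "quantity", "3");
        System.out.println("vulnerable total: " + totalVulnerable(tampered));
        System.out.println("hardened total:   " + totalHardened(tampered));
    }
}
```

A unit test for the whitebox case described above would call totalHardened with such a tampered map and assert that the result matches the catalog price times quantity regardless of the some_price value sent.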
Tales
Tampering with Order Quantity leads to business loss: HackerOne Example
Tampering with API Parameters: Account takeover through parameter tampering
References
CWE-472: External Control of Assumed-Immutable Web Parameter