Parameter Tampering



Description

A parameter tampering vulnerability occurs when an attacker can modify request parameters that a web application uses to make security decisions. For example, a vulnerable application might let an attacker become a different user simply by changing a user id carried in the request. The vulnerability stems from relying on user-accessible parameters to store security-sensitive information such as identity, role, or price. Common vulnerable locations are data stored in cookies, hidden form fields, and HTTP query or body parameters. This vulnerability type applies to web applications.

Impact

The exact impact of parameter tampering depends on which parameters can be tampered with. Two outcomes are common. If the attacker can change their role from regular user to administrator, they can take full control of the application and its data. If the attacker can change their user id to that of another user, they can read and modify that user's data and act as that user; when identity is carried in a tamperable parameter, this typically means the attacker can impersonate any user of their choosing.

Countermeasures

To prevent this problem, use platform-provided session management, don't store sensitive data in user-accessible parameters, and use strong session identifiers. Identity and authorization data belong in server-side session state that the client can reference only through an unguessable session identifier, never in values the client can edit.

Use platform-provided session management:

Don't store sensitive data in user accessible parameters:

Use strong session identifiers:

Application Check

To check for adequate protection against this vulnerability, ensure that platform-provided session management is used, that sensitive data is not stored in user-accessible parameters, and that strong session identifiers are used. Identify every user-mutable parameter (cookies, hidden form fields, query and body parameters) and verify that tampering with each one does not change the identity the application acts as and does not grant elevated privileges.

Platform-provided session management is used:

Sensitive data is not stored in user accessible parameters:

Strong session identifiers are used:
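The three countermeasures above, and the application check that verifies them, as an added example that is not part of the original article. It is a framework-free Python sketch: a vulnerable handler that reads identity and role from a cookie and a hidden form field, a hardened handler that keeps both in a server-side session referenced only by a random 256-bit identifier, and a check that replays a legitimate request with each user-controlled parameter mutated and reports which mutations change the principal the application acts as. The user table, request shape, and tamper cases are constructed for the example.

```python
import secrets
from dataclasses import dataclass, field

# Constructed user table for the example (not real data).
USERS = {
    "alice": {"id": 1001, "role": "user"},
    "bob":   {"id": 1002, "role": "user"},
    "root":  {"id": 1,    "role": "admin"},
}


@dataclass
class Request:
    """Minimal stand-in for an HTTP request: only the parts the client controls."""
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


# --- Vulnerable pattern: identity and role live in client-controlled parameters ---

def vulnerable_principal(req):
    """Return (user_id, role) the application will act as.

    Both values come straight from the request, so the client can rewrite them.
    """
    user_id = int(req.cookies.get("user_id", 0))
    role = req.form.get("role", "user")      # hidden form field
    return user_id, role


# --- Hardened pattern: server-side session keyed by an unguessable identifier ---

SESSIONS = {}   # session_id -> {"user_id": ..., "role": ...}; never sent to the client


def login(username):
    """Authentication is assumed to have succeeded; mint a session for the user.

    Only the identifier goes to the client, and it carries no meaning by itself.
    """
    sid = secrets.token_urlsafe(32)          # 256 bits from the OS CSPRNG
    SESSIONS[sid] = {"user_id": USERS[username]["id"], "role": USERS[username]["role"]}
    return sid


def hardened_principal(req):
    """Return (user_id, role) from server-side state, or None if no valid session."""
    session = SESSIONS.get(req.cookies.get("session"))
    if session is None:
        return None
    # Nothing else in the request is consulted for identity or authorization.
    return session["user_id"], session["role"]


# --- Application check: mutate each user-controlled parameter, watch the principal ---

# Constructed tamper cases: (label, changes applied on top of a legitimate request)
TAMPER_CASES = [
    ("cookie user_id set to another user", {"cookies": {"user_id": "1002"}}),
    ("cookie user_id set to the admin account", {"cookies": {"user_id": "1"}}),
    ("hidden field role=admin", {"form": {"role": "admin"}}),
    ("guessed session cookie", {"cookies": {"session": "AAAAAAAA"}}),
]


def find_tamperable(handler, legit, cases=TAMPER_CASES):
    """Replay `legit` with each mutation and report those that changed the principal.

    A mutation that only invalidates the session (handler returns None) is not a
    finding; a mutation that makes the application act as someone else is.
    """
    baseline = handler(legit)
    findings = {}
    for label, changes in cases:
        req = Request(cookies=dict(legit.cookies), form=dict(legit.form))
        req.cookies.update(changes.get("cookies", {}))
        req.form.update(changes.get("form", {}))
        result = handler(req)
        if result is not None and result != baseline:
            findings[label] = result
    return findings


def build_requests():
    """Legitimate requests from alice against each implementation."""
    vulnerable_req = Request(cookies={"user_id": "1001"}, form={"role": "user"})
    hardened_req = Request(cookies={"session": login("alice")})
    return vulnerable_req, hardened_req


if __name__ == "__main__":
    vulnerable_req, hardened_req = build_requests()
    print("vulnerable:", find_tamperable(vulnerable_principal, vulnerable_req))
    print("hardened:  ", find_tamperable(hardened_principal, hardened_req))
```

Against the vulnerable handler the check reports three findings: two identity changes (one of them to the admin account) and a role escalation via the hidden field. Against the hardened handler it reports none, because the only client-held value is the session identifier, and a guessed identifier simply fails to resolve. In a real application, run the same replay against every authenticated endpoint, not just the profile handler, and treat any change in the acting principal as a defect.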

Computer Based Training Links

Use the following Computer Based Training course(s) for more background information about this type of vulnerability.

Fundamentals of Web 2.0 Security

This course introduces you to the fundamentals of secure Web 2.0 development. The course begins with a discussion about Web 2.0, its evolution, and the technologies behind it. The course describes common Web 2.0 attacks that can cause significant loss to organizations. It reviews the best practices that you should incorporate to mitigate the risks from Web 2.0 attacks, as well as practices to avoid. The course concludes with a walk-through of a software system scenario that can help you better understand Web 2.0 attacks and apply the best practices discussed in the course.

COD 151 Fundamentals of Web 2.0 Security

Valid login credentials and enrollment in the course itself are required to access Team Professor content. If you need login credentials, please contact support@securityinnovation.com for help.
