The Parameter tampering attack is a web-based attack which involves manipulating parameters exchanged between the client and server to alter application data, such as user credentials, permissions, product prices, or quantities.
This information is typically stored in cookies, hidden form fields, or URL Query Strings to enhance application functionality and control.
Malicious users may exploit this attack to benefit themselves, while attackers might use it in an Man-in-the-Middle attack to target a third party.
The success of this attack relies on errors in integrity and logic validation mechanisms. Its exploitation can lead to various consequences, including but not limited to XSS, SQL Injection, file inclusion, and path disclosure attacks.
Parameter tampering can often be done with:
Cookies
Form fields
HTTP headers
URL query strings
What are the impacts of parameter tampering attack?
Parameter tampering can be performed in several ways resulting in data disclosure to server-side attacks.
1. Cookie manipulation
A cookie is a small piece of information usually created by the web server and stored in the web browser. They are used as a convenient mechanism to store user preferences and other data including session tokens.
The cookies can be modified by the client and sent to the server with URL requests. Therefore, any malicious user can take advantage of this to modify cookie content.
For example:
Cookie: ASP.NET_SessionId=c12ylm55kp3uirruo4is5sm5; lang=en-us; ADMIN=no; y=1 ;
The attacker can modify the cookie to:
Cookie: ASP.NET_SessionId=c12ylm55kp3uirruo4is5sm5; lang=en-us; ADMIN=yes; y=1 ;
2. Form fields
The form field manipulation occurs when an attacker tries to alter the behavior of a form by illegitimately changing the data sent to the web server.
When a user makes selections on an HTML page, they are usually stored as form field values and sent to the web application. These values can be pre-selected using combo box, checkbox, radio button, etc., free text or hidden.
All of these values can be manipulated by an attacker by viewing the source code of the web application.
Hidden fields are parameters invisible to the end-user, which includes data that cannot be seen or modified by the users when submitting the form, and it is normally used to provide status information to the web application.
Suppose a form was used for making a purchase. Here’s an example that includes a “hidden” field:
<input type=”hidden” id=”1211” name=”cost” value=”700.0”>
An attacker can change this value to 70.00 and it will cause the web application to charge according to the new amount as shown below.
<input type=”hidden” id=”1211” name=”cost” value=”70.0”>
3. URL manipulation
When the URL passes sensitive values through parameters, the attacker can tamper this query string and perform malicious actions.
For example, suppose a web page allows an authenticated user to select one of his/her accounts from a combo box and then debit the account with a fixed unit amount. The following URL is requested:
The attacker can manipulate this URL to credit a higher amount to another account as shown below:
```http://www.example.com/transfer.asp?accountnumber=230006534559888&creditamount=1000 ```
### 4. HTTP headers
The referrer header, which is included in the HTTP request header, normally contains the URL of the web page from which the request originated.
Some websites use this referrer header in order to make sure that the request originated from a page generated by them and also to identify where people are visiting them from. These data can be used for analytics, logging, or optimized caching.
But sometimes attackers will be able to modify the referer header to look like it came from the original site.
Assuming a string consisting of alphanumeric characters which may be a username, such as “John Smith”, is submitted in the request, the HTTP response including this cookie might take the following form:
```plaintext
HTTP/1.1 200 OK
...
Set-Cookie: user=John Smith
…
If an attacker submits a malicious string, such as “John Hacker\r\nHTTP/1.1 200 OK\r\n…”,
then the HTTP response would be split into two responses of the following form:
HTTP/1.1 200 OK
...
Set-Cookie: user=John Hacker
HTTP/1.1 200 OK
…
The attacker will have complete control over the second response and can be constructed with any header and body content desired.
The ability of an attacker to construct arbitrary HTTP responses permits a variety of resulting attacks, including cross-user defacement, web and browser cache poisoning, cross-site scripting, and page hijacking, etc.
How can you prevent parameter tampering attack?
Preventing parameter tampering involves implementing robust security measures to safeguard the integrity of data exchanged between the client and server. Here are some effective strategies:
1. Data validation
Implement strict input validation on the server side to ensure that only expected and valid data is processed.
Use whitelisting approaches to validate input rather than blacklisting, which can be prone to overlooking certain input patterns.
2. Use of HTTPS
Employ secure communication channels such as HTTPS to encrypt data in transit, preventing attackers from intercepting and modifying information.
3. Session management
Implement secure session management practices, including the use of secure, random session tokens and regular session rotation.
4. Digital signatures
Apply digital signatures to data to ensure its integrity. This involves generating a hash value for the data and signing it with a secret key. The server can then verify the signature upon receiving the data.
5. Parameter encryption
Encrypt sensitive parameters before sending them to the client. This adds an extra layer of protection, making it difficult for attackers to tamper with the encrypted data.
6. Client-side security controls
Employ client-side security controls, such as input validation and sanitization, to detect and prevent tampering attempts before the data reaches the server.
7. Implementing integrity checks
Use checksums or hash functions to check the integrity of the received data. If the data has been tampered with, the checksum or hash value will not match the expected value.
8. Security awareness and training
Educate developers, administrators, and users about the risks associated with parameter tampering and best practices for preventing such attacks.
9. Regular security audits
Conduct regular security audits and penetration testing to identify and address vulnerabilities in the application, including potential points of parameter tampering.
10. Web Application Firewalls (WAF)
Employ a Web Application Firewall that can help detect and block malicious activities, including parameter tampering, by analyzing the traffic and patterns.
By combining these preventive measures, organizations can significantly enhance their defenses against parameter tampering attacks and ensure the integrity of the data exchanged between clients and servers.
