Difference between revisions of "Web Parameter Tampering"

From OWASP
Jump to: navigation, search
m (Spelling and grammar fixes)
(Description)
 
(11 intermediate revisions by one user not shown)
Line 1: Line 1:
 
{{Template:Attack}}
 
{{Template:Attack}}
 +
<br>
 +
[[Category:OWASP ASDR Project]]
  
==Description==
+
Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''
  
The Web Parameter Tampering attack is based on manipulation of parameters exchanged between client and server in order to modify application data such as user credentials and permissions, price and quantity of products, etc. Usually, this information is stored in cookies, hidden form fields or URL Query Strings and is used to increase application functionality and control.
 
  
This attack can be performed in the context of a malicious user who wants to exploit the application for their own benefit or an attacker who wishes to attack a third-person using a Man in the Middle attack. In both cases, tools likes Webscarab and Paros proxy are mostly used.
+
==Description==
 +
The Web Parameter Tampering attack is based on the manipulation of parameters exchanged between client and server in order to modify application data, such as user credentials and permissions, price and quantity of products, etc. Usually, this information is stored in cookies, hidden form fields, or URL Query Strings, and is used to increase application functionality and control.
  
The attack success depends on integrity and logic validation mechanism errors and its exploitation can result on other consequences including XSS, SQL Injection, file inclusion and path disclosure attacks.
+
This attack can be performed by a malicious user who wants to exploit the application for their own benefit, or an attacker who wishes to attack a third-person using a [[Man-in-the-middle attack]]. In both cases, tools likes Webscarab and Paros proxy are mostly used.
  
== Severity ==
+
The attack success depends on integrity and logic validation mechanism errors, and its exploitation can result in other consequences including [[Cross-site Scripting (XSS)|XSS]], [[SQL Injection]], file inclusion, and path disclosure attacks.
  
High
+
For a short video clip describing the vulnerability, [http://www.youtube.com/watch?v=l5LCDEDn7FY&hd=1 click here] (Courtesy of [http://www.checkmarx.com/ Checkmarx])
 
+
== Likelihood of exploitation ==
+
 
+
Very High
+
  
 
== Examples ==
 
== Examples ==
Line 23: Line 21:
 
The parameter modification of form fields can be considered a typical example of Web Parameter Tampering attack.  
 
The parameter modification of form fields can be considered a typical example of Web Parameter Tampering attack.  
  
For example, consider a user who can select form field values (combo box, check box, etc.) on an application page. When these values are submitted by user, they could be acquired and arbitrarily manipulated by an attacker.
+
For example, consider a user who can select form field values (combo box, check box, etc.) on an application page. When these values are submitted by the user, they could be acquired and arbitrarily manipulated by an attacker.
  
 
=== Example 2===
 
=== Example 2===
  
When a web application uses hidden fields to store status information, a malicious user can tamper the values stored on his browser and change the referred information. For example, an e-commerce shopping site uses hidden fields to refer to its items, as follows:
+
When a web application uses hidden fields to store status information, a malicious user can tamper with the values stored on his browser and change the referred information. For example, an e-commerce shopping site uses hidden fields to refer to its items, as follows:
  
 
  <input type=”hidden” id=”1008” name=”cost” value=”70.00”>
 
  <input type=”hidden” id=”1008” name=”cost” value=”70.00”>
Line 35: Line 33:
 
=== Example 3===
 
=== Example 3===
  
An attacker can tamper URL parameters directly. For example, consider a web application that permits user to select his profile from a combo box and debit the account:
+
An attacker can tamper with URL parameters directly. For example, consider a web application that permits a user to select his profile from a combo box and debit the account:
  
 
  <nowiki>http://www.attackbank.com/default.asp?profile=741&debit=1000</nowiki>
 
  <nowiki>http://www.attackbank.com/default.asp?profile=741&debit=1000</nowiki>
  
In this case, an attacker could tamper the URL using other values for profile and debit:
+
In this case, an attacker could tamper with the URL, using other values for profile and debit:
  
 
  <nowiki>http://www.attackbank.com/default.asp?profile=852&debit=2000</nowiki>
 
  <nowiki>http://www.attackbank.com/default.asp?profile=852&debit=2000</nowiki>
  
Other parameters can be changed including attribute parameters. In the following example, it’s possible to tamper the status variable and delete a page from the server:
+
Other parameters can be changed including attribute parameters. In the following example, it’s possible to tamper with the status variable and delete a page from the server:
  
 
  <nowiki>http://www.attackbank.com/savepage.asp?nr=147&status=read</nowiki>
 
  <nowiki>http://www.attackbank.com/savepage.asp?nr=147&status=read</nowiki>
  
Modifying status variable to delete the page:
+
Modifying the status variable to delete the page:
  
 
  <nowiki>http://www.attackbank.com/savepage.asp?nr=147&status=del</nowiki>
 
  <nowiki>http://www.attackbank.com/savepage.asp?nr=147&status=del</nowiki>
  
==External References==
+
==Related [[Threat Agents]]==
 
+
* [[:Category:Client-side Attacks]]
http://cwe.mitre.org/data/definitions/472.html - Web Parameter Tampering
+
* [[:Category:Logical Attacks]]
 
+
http://www.imperva.com/application_defense_center/glossary/parameter_tampering.html - Parameter Tampering Imperva - Application Defense Center
+
 
+
http://www.cgisecurity.com/owasp/html/ch11s04.html - Parameter Manipulation - Chapter 11.  Preventing Common Problems
+
 
+
==Related Threats==
+
 
+
[[:Category:Client-side Attacks]]
+
 
+
[[:Category:Logical Attacks]]
+
 
+
==Related Attacks==
+
 
+
*[[SQL Injection]]
+
 
+
*[[XSS Attacks]]
+
 
+
*[[Path Traversal]]
+
 
+
==Related Vulnerabilities==
+
  
[[:Category: Input Validation Vulnerability]]
+
==Related [[Attacks]]==
 +
* [[SQL Injection]]
 +
* [[XSS Attacks]]
 +
* [[Path Traversal]]
  
==Related Countermeasures==
+
==Related [[Vulnerabilities]]==
 +
* [[:Category: Input Validation Vulnerability]]
  
[[:Category: Input Validation Vulnerability]]
+
==Related [[Controls]]==
 +
* [[:Category: Input Validation]]
  
 +
==References==
 +
* http://cwe.mitre.org/data/definitions/472.html - Web Parameter Tampering
 +
* http://www.imperva.com/application_defense_center/glossary/parameter_tampering.html - Parameter Tampering Imperva - Application Defense Center
 +
* http://www.cgisecurity.com/owasp/html/ch11s04.html - Parameter Manipulation - Chapter 11.  Preventing Common Problems
  
 
[[Category: Injection]]
 
[[Category: Injection]]
  
 
[[Category: Attack]]
 
[[Category: Attack]]

Latest revision as of 10:19, 1 March 2010

This is an Attack. To view all attacks, please see the Attack Category page.



Last revision (mm/dd/yy): 03/1/2010


Description

The Web Parameter Tampering attack is based on the manipulation of parameters exchanged between client and server in order to modify application data, such as user credentials and permissions, price and quantity of products, etc. Usually, this information is stored in cookies, hidden form fields, or URL Query Strings, and is used to increase application functionality and control.

This attack can be performed by a malicious user who wants to exploit the application for their own benefit, or an attacker who wishes to attack a third-person using a Man-in-the-middle attack. In both cases, tools likes Webscarab and Paros proxy are mostly used.

The attack success depends on integrity and logic validation mechanism errors, and its exploitation can result in other consequences including XSS, SQL Injection, file inclusion, and path disclosure attacks.

For a short video clip describing the vulnerability, click here (Courtesy of Checkmarx)

Examples

Example 1

The parameter modification of form fields can be considered a typical example of Web Parameter Tampering attack.

For example, consider a user who can select form field values (combo box, check box, etc.) on an application page. When these values are submitted by the user, they could be acquired and arbitrarily manipulated by an attacker.

Example 2

When a web application uses hidden fields to store status information, a malicious user can tamper with the values stored on his browser and change the referred information. For example, an e-commerce shopping site uses hidden fields to refer to its items, as follows:

<input type=”hidden” id=”1008” name=”cost” value=”70.00”>

In this example, an attacker can modify the “value” information of a specific item, thus lowering its cost.

Example 3

An attacker can tamper with URL parameters directly. For example, consider a web application that permits a user to select his profile from a combo box and debit the account:

http://www.attackbank.com/default.asp?profile=741&debit=1000

In this case, an attacker could tamper with the URL, using other values for profile and debit:

http://www.attackbank.com/default.asp?profile=852&debit=2000

Other parameters can be changed including attribute parameters. In the following example, it’s possible to tamper with the status variable and delete a page from the server:

http://www.attackbank.com/savepage.asp?nr=147&status=read

Modifying the status variable to delete the page:

http://www.attackbank.com/savepage.asp?nr=147&status=del

Related Threat Agents

Related Attacks

Related Vulnerabilities

Related Controls

References