Parameter Manipulation

Posted on October 22, 2012. Filed under: SANS Dev 541


Parameter manipulation: Some web applications depend on the parameters of a user's HTTP GET or POST request to make important decisions, such as the user's permission level, the price of the user's purchase, or how many failed login attempts the user has made, on the assumption that the user will not change these values. An attacker can take advantage of this blind trust. By changing the request parameters before they are sent to the server, the attacker can escalate his or her permission level, obtain sensitive information, change a price, and launch other attacks. The most common scenario is that the attacker sets up a proxy (say Burp or Paros) between the browser and the remote server. Before the request is sent to the server, it is intercepted by the proxy; the attacker can change any request parameter and then forward the tampered HTTP request to the server.

For example, the following Java web application code snippet is vulnerable to parameter manipulation. An attacker can manipulate the request parameter "customer" in order to view customerA's private information.

String customer = request.getParameter("customer");
// Vulnerable by design: the client-supplied parameter alone decides which
// report is shown and where the user is redirected. Anyone who edits the
// value in an intercepting proxy chooses another company's data.
if (customer != null && customer.equals("companyA")) {
    showReport(customer);
    response.sendRedirect("checkInvoice.jsp?company=" + customer);
}
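The hardened counterpart, added here as an example and not code from the original post: the authorization decision comes from the server-side session established at login, the parameter is only accepted if it names a customer that session is entitled to, and the value is URL-encoded before it is placed in the redirect. The request and session are modelled as plain maps (an assumption) so the class compiles without a servlet container.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Map;
import java.util.Set;

/** Hypothetical helper: decides whether a "customer" report request is allowed. */
public class CustomerReportCheck {

    /**
     * Returns the redirect target, or null when the request must be rejected
     * (the caller answers 403 and logs the attempt). sessionCustomers is the
     * set of customers the authenticated user may view, stored server-side.
     */
    public static String handle(Map<String, String> params, Set<String> sessionCustomers) {
        String customer = params.get("customer");
        // 1. Reject missing or empty input outright.
        if (customer == null || customer.isEmpty()) {
            return null;
        }
        // 2. Authorize against server-side state, never against the
        //    client-supplied value itself; a tampered parameter that names a
        //    customer outside the session's entitlement falls through here.
        if (!sessionCustomers.contains(customer)) {
            return null;
        }
        // 3. Encode before building the URL so the value cannot smuggle in
        //    extra query parameters or path characters.
        String encoded = URLEncoder.encode(customer, StandardCharsets.UTF_8);
        return "checkInvoice.jsp?company=" + encoded;
    }

    public static void main(String[] args) {
        // Constructed sample session: the logged-in user may only see companyA.
        Set<String> allowed = Set.of("companyA");
        System.out.println(handle(Map.of("customer", "companyA"), allowed));
        System.out.println(handle(Map.of("customer", "companyB"), allowed));
        System.out.println(handle(Map.of("customer", "companyA&admin=1"), allowed));
    }
}
```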

The following is an example of parameter manipulation with a web browser and a proxy server:

The following is another example of parameter manipulation and defense techniques:
