What is Parameter Tampering

Parameter Tampering: Special Characters

Mrunal chawda
InfoSec Write-ups
6 min read · Jun 21, 2019

Summary

Parameter manipulation involves tampering with URL parameters to retrieve information that would otherwise be unavailable to the user. Risks from exploitation depend upon what parameter is being modified, and the method by which it is submitted to the web application server. Parameter manipulation attacks can be used to achieve a number of objectives, including disclosure of files above the web root, extraction of information from a database and execution of arbitrary operating-system level commands. Recommendations include adopting secure programming techniques to ensure that only expected data is accepted by an application.
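
One way to apply the recommendation above, accepting only expected data, is an allow-list check on the query string before any handler sees it. This is an added example, not code from the original article; the endpoint, parameter names and value patterns in it are hypothetical.

```python
import re
from urllib.parse import parse_qsl

# Hypothetical schema for an imagined /report endpoint: every accepted
# parameter is listed with the exact shape its value must have.
SCHEMA = {
    "id": re.compile(r"[0-9]{1,9}"),
    "file": re.compile(r"[A-Za-z0-9_-]{1,64}\.pdf"),
    "sort": re.compile(r"asc|desc"),
}
REQUIRED = {"id"}


class RejectedRequest(ValueError):
    """Raised when a query string contains anything the schema does not expect."""


def validate_query(raw_query: str) -> dict:
    """Return the validated parameters, or raise RejectedRequest."""
    try:
        pairs = parse_qsl(raw_query, keep_blank_values=True,
                          strict_parsing=True, max_num_fields=len(SCHEMA))
    except ValueError as exc:  # malformed field or too many fields
        raise RejectedRequest(f"malformed query: {exc}") from None
    clean = {}
    for name, value in pairs:  # values arrive percent-decoded
        if name not in SCHEMA:
            raise RejectedRequest(f"unexpected parameter: {name!r}")
        if name in clean:
            raise RejectedRequest(f"repeated parameter: {name!r}")
        # fullmatch anchors both ends, so a trailing newline or suffix fails
        if not SCHEMA[name].fullmatch(value):
            raise RejectedRequest(f"bad value for {name!r}")
        clean[name] = value
    missing = REQUIRED - clean.keys()
    if missing:
        raise RejectedRequest(f"missing parameter: {sorted(missing)}")
    return clean
```

The check runs on the decoded value, so percent-encoded special characters are judged by what they decode to, and anything outside the schema is rejected rather than sanitized.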

Explanation

The impact of this particular vulnerability depends upon what parameter is being manipulated, and how it is being submitted to the application server. At the least, an attacker would likely be able to gain information useful in orchestrating further, and more damaging, attacks. However, it is not out of the realm of possibility, or even probability, that this vulnerability could be utilized to take complete control of the system. Values that can be modified include:

Query strings: Web applications often use query strings as a simple method of passing data from the client and…
