312-50V10 · Question #340
An attacker has been successfully modifying the purchase price of items purchased on the company's web site. The security administrators verify the web server and Oracle database have not been comprom
The correct answer is B. By changing hidden form values. When neither the web server nor the database shows signs of compromise, the most likely attack vector for price manipulation is tampering with hidden HTML form fields that pass values like price to the server without server-side validation.
Question
An attacker has been successfully modifying the purchase price of items purchased on the company's web site. The security administrators verify the web server and Oracle database have not been compromised directly. They have also verified the Intrusion Detection System (IDS) logs and found no attacks that could have caused this. What is the mostly likely way the attacker has been able to modify the purchase price?
Options
- ABy using SQL injection
- BBy changing hidden form values
- CBy using cross site scripting
- DBy utilizing a buffer overflow attack
How the community answered
(37 responses)- A8% (3)
- B84% (31)
- C5% (2)
- D3% (1)
Why each option
When neither the web server nor the database shows signs of compromise, the most likely attack vector for price manipulation is tampering with hidden HTML form fields that pass values like price to the server without server-side validation.
SQL injection would require direct interaction with the database layer, and the problem states the Oracle database was verified as not compromised.
HTML forms can contain hidden input fields (e.g., <input type='hidden' name='price' value='99.99'>) that are sent to the server on form submission. If the application trusts these client-supplied values without server-side validation, an attacker can use browser developer tools or a proxy like Burp Suite to modify the hidden field value before submission - no database or server compromise is required.
Cross-site scripting (XSS) injects malicious scripts to attack other users' sessions or steal data - it does not directly modify server-side transaction values like purchase prices.
A successful buffer overflow attack would likely crash or compromise the server, which would have been detected by the IDS and server integrity checks.
Concept tested: Hidden HTML form field tampering vulnerability
Source: https://owasp.org/www-community/attacks/Web_Parameter_Tampering
Topics
Community Discussion
No community discussion yet for this question.