nerdexam
EC-Council

312-50V10 · Question #340

An attacker has been successfully modifying the purchase price of items purchased on the company's web site. The security administrators verify the web server and Oracle database have not been comprom

The correct answer is B. By changing hidden form values. When neither the web server nor the database shows signs of compromise, the most likely attack vector for price manipulation is tampering with hidden HTML form fields that pass values like price to the server without server-side validation.

Hacking Web Applications

Question

An attacker has been successfully modifying the purchase price of items purchased on the company's web site. The security administrators verify the web server and Oracle database have not been compromised directly. They have also verified the Intrusion Detection System (IDS) logs and found no attacks that could have caused this. What is the mostly likely way the attacker has been able to modify the purchase price?

Options

  • ABy using SQL injection
  • BBy changing hidden form values
  • CBy using cross site scripting
  • DBy utilizing a buffer overflow attack

How the community answered

(37 responses)
  • A
    8% (3)
  • B
    84% (31)
  • C
    5% (2)
  • D
    3% (1)

Why each option

When neither the web server nor the database shows signs of compromise, the most likely attack vector for price manipulation is tampering with hidden HTML form fields that pass values like price to the server without server-side validation.

ABy using SQL injection

SQL injection would require direct interaction with the database layer, and the problem states the Oracle database was verified as not compromised.

BBy changing hidden form valuesCorrect

HTML forms can contain hidden input fields (e.g., <input type='hidden' name='price' value='99.99'>) that are sent to the server on form submission. If the application trusts these client-supplied values without server-side validation, an attacker can use browser developer tools or a proxy like Burp Suite to modify the hidden field value before submission - no database or server compromise is required.

CBy using cross site scripting

Cross-site scripting (XSS) injects malicious scripts to attack other users' sessions or steal data - it does not directly modify server-side transaction values like purchase prices.

DBy utilizing a buffer overflow attack

A successful buffer overflow attack would likely crash or compromise the server, which would have been detected by the IDS and server integrity checks.

Concept tested: Hidden HTML form field tampering vulnerability

Source: https://owasp.org/www-community/attacks/Web_Parameter_Tampering

Topics

#hidden form fields#web application attack#parameter tampering#price manipulation

Community Discussion

No community discussion yet for this question.

Full 312-50V10 Practice