312-50V10 · Question #710
While using your bank's online servicing you notice the following string in the URL bar: account?id=368940911028389&Damount=10980&Camount=21" You observe that if you modify the Damount&Camount values
The correct answer is C. Web Parameter Tampering. The URL exposes financial transaction parameters that can be directly manipulated by a user to alter debit and credit amounts, which is a classic Web Parameter Tampering vulnerability.
Question
While using your bank's online servicing you notice the following string in the URL bar:
account?id=368940911028389&Damount=10980&Camount=21" You observe that if you modify the Damount&Camount values and submit the request, that data on the web page reflects the changes. Which type of vulnerability is present on this site?
Options
- ACookie Tampering
- BSQL Injection
- CWeb Parameter Tampering
- DXSS Reflection
How the community answered
(40 responses)- A10% (4)
- B3% (1)
- C83% (33)
- D5% (2)
Why each option
The URL exposes financial transaction parameters that can be directly manipulated by a user to alter debit and credit amounts, which is a classic Web Parameter Tampering vulnerability.
Cookie Tampering involves modifying cookie values stored on the client, not altering URL query string parameters in an HTTP request.
SQL Injection involves inserting malicious SQL syntax into input fields or parameters to manipulate database queries, which is not what is described here.
Web Parameter Tampering occurs when an application passes sensitive data such as prices, account IDs, or transaction amounts as client-side URL parameters without server-side validation or integrity protection. In this case, the Damount and Camount values are fully visible and modifiable in the URL, and the server reflects the tampered values back to the page, confirming the server trusts client-supplied input. An attacker can exploit this to manipulate financial data, bypass business logic, or alter transaction records.
XSS Reflection involves injecting and executing malicious scripts in a web page through user-supplied input, not modifying numeric transaction parameters in a URL.
Concept tested: Web parameter tampering via URL query string manipulation
Source: https://owasp.org/www-community/attacks/Web_Parameter_Tampering
Topics
Community Discussion
No community discussion yet for this question.