nerdexam
EC-Council

312-50V10 · Question #710

While using your bank's online servicing you notice the following string in the URL bar: account?id=368940911028389&Damount=10980&Camount=21" You observe that if you modify the Damount&Camount values

The correct answer is C. Web Parameter Tampering. The URL exposes financial transaction parameters that can be directly manipulated by a user to alter debit and credit amounts, which is a classic Web Parameter Tampering vulnerability.

Hacking Web Applications

Question

While using your bank's online servicing you notice the following string in the URL bar:

account?id=368940911028389&Damount=10980&Camount=21" You observe that if you modify the Damount&Camount values and submit the request, that data on the web page reflects the changes. Which type of vulnerability is present on this site?

Options

  • ACookie Tampering
  • BSQL Injection
  • CWeb Parameter Tampering
  • DXSS Reflection

How the community answered

(40 responses)
  • A
    10% (4)
  • B
    3% (1)
  • C
    83% (33)
  • D
    5% (2)

Why each option

The URL exposes financial transaction parameters that can be directly manipulated by a user to alter debit and credit amounts, which is a classic Web Parameter Tampering vulnerability.

ACookie Tampering

Cookie Tampering involves modifying cookie values stored on the client, not altering URL query string parameters in an HTTP request.

BSQL Injection

SQL Injection involves inserting malicious SQL syntax into input fields or parameters to manipulate database queries, which is not what is described here.

CWeb Parameter TamperingCorrect

Web Parameter Tampering occurs when an application passes sensitive data such as prices, account IDs, or transaction amounts as client-side URL parameters without server-side validation or integrity protection. In this case, the Damount and Camount values are fully visible and modifiable in the URL, and the server reflects the tampered values back to the page, confirming the server trusts client-supplied input. An attacker can exploit this to manipulate financial data, bypass business logic, or alter transaction records.

DXSS Reflection

XSS Reflection involves injecting and executing malicious scripts in a web page through user-supplied input, not modifying numeric transaction parameters in a URL.

Concept tested: Web parameter tampering via URL query string manipulation

Source: https://owasp.org/www-community/attacks/Web_Parameter_Tampering

Topics

#web parameter tampering#URL manipulation#input validation#web vulnerabilities

Community Discussion

No community discussion yet for this question.

Full 312-50V10 Practice