312-50V11 · Question #340
An attacker has been successfully modifying the purchase price of items purchased on the company's web site. The security administrators verify the web server and Oracle database have not been comprom
The correct answer is B. By changing hidden form values. When the web server and database are uncompromised and no IDS alerts were triggered, the most likely attack vector is client-side manipulation of hidden HTML form fields that store item prices.
Question
An attacker has been successfully modifying the purchase price of items purchased on the company's web site. The security administrators verify the web server and Oracle database have not been compromised directly. They have also verified the Intrusion Detection System (IDS) logs and found no attacks that could have caused this. What is the mostly likely way the attacker has been able to modify the purchase price?
Options
- ABy using SQL injection
- BBy changing hidden form values
- CBy using cross site scripting
- DBy utilizing a buffer overflow attack
How the community answered
(34 responses)- A15% (5)
- B74% (25)
- C9% (3)
- D3% (1)
Why each option
When the web server and database are uncompromised and no IDS alerts were triggered, the most likely attack vector is client-side manipulation of hidden HTML form fields that store item prices.
SQL injection attacks target database query parsing and would typically leave evidence in database logs or trigger IDS signatures monitoring for malformed HTTP request patterns, both of which administrators already verified were absent.
HTML forms can contain hidden fields (e.g., input type hidden storing a price value) that pass data like purchase prices to the server on submission. An attacker can use a web proxy or browser developer tools to intercept and modify these hidden field values before the form is submitted, effectively changing the price the server processes. Because this manipulation occurs entirely on the client side, no server compromise or IDS-detectable exploit payload is involved.
Cross-site scripting injects malicious scripts into pages viewed by other users to steal data or hijack sessions, and would not directly allow an attacker to alter purchase prices within their own transaction.
A buffer overflow attack attempts to overwrite process memory and requires direct server interaction, which would likely trigger IDS alerts and risk crashing or compromising the web server itself.
Concept tested: Hidden form field manipulation and web parameter tampering
Source: https://owasp.org/www-community/attacks/Web_Parameter_Tampering
Topics
Community Discussion
No community discussion yet for this question.