312-50V11 · Question #710
While using your bank's online servicing you notice the following string in the URL bar: account?id=368940911028389&Damount=10980&Camount=21" You observe that if you modify the Damount&Camount values
The correct answer is C. Web Parameter Tampering. The URL exposes financial parameters (Damount, Camount) that can be modified by the user to alter server-side data, which is a classic Web Parameter Tampering vulnerability.
Question
While using your bank's online servicing you notice the following string in the URL bar:
account?id=368940911028389&Damount=10980&Camount=21" You observe that if you modify the Damount&Camount values and submit the request, that data on the web page reflects the changes. Which type of vulnerability is present on this site?
Options
- ACookie Tampering
- BSQL Injection
- CWeb Parameter Tampering
- DXSS Reflection
How the community answered
(35 responses)- A9% (3)
- B6% (2)
- C83% (29)
- D3% (1)
Why each option
The URL exposes financial parameters (Damount, Camount) that can be modified by the user to alter server-side data, which is a classic Web Parameter Tampering vulnerability.
Cookie Tampering involves modifying cookie values stored in the browser, not URL query string parameters.
SQL Injection involves inserting malicious SQL syntax into input fields or parameters to manipulate database queries, which is not occurring here.
Web Parameter Tampering occurs when an attacker manipulates parameters transmitted over HTTP - such as URL query string values - to modify application data that should be controlled server-side. In this scenario, the Damount and Camount values represent debit and credit amounts that the server trusts without validation, allowing a user to alter account balances by simply changing the URL. This is a failure to enforce server-side business logic on sensitive financial parameters.
XSS Reflection involves injecting and executing client-side scripts returned by the server, not manipulating numeric transaction parameters.
Concept tested: Web Parameter Tampering via URL query strings
Source: https://owasp.org/www-community/attacks/Web_Parameter_Tampering
Topics
Community Discussion
No community discussion yet for this question.