nerdexam
EC-Council

312-50V11 · Question #710

While using your bank's online servicing you notice the following string in the URL bar: account?id=368940911028389&Damount=10980&Camount=21" You observe that if you modify the Damount&Camount values

The correct answer is C. Web Parameter Tampering. The URL exposes financial parameters (Damount, Camount) that can be modified by the user to alter server-side data, which is a classic Web Parameter Tampering vulnerability.

Hacking Web Applications

Question

While using your bank's online servicing you notice the following string in the URL bar:

account?id=368940911028389&Damount=10980&Camount=21" You observe that if you modify the Damount&Camount values and submit the request, that data on the web page reflects the changes. Which type of vulnerability is present on this site?

Options

  • ACookie Tampering
  • BSQL Injection
  • CWeb Parameter Tampering
  • DXSS Reflection

How the community answered

(35 responses)
  • A
    9% (3)
  • B
    6% (2)
  • C
    83% (29)
  • D
    3% (1)

Why each option

The URL exposes financial parameters (Damount, Camount) that can be modified by the user to alter server-side data, which is a classic Web Parameter Tampering vulnerability.

ACookie Tampering

Cookie Tampering involves modifying cookie values stored in the browser, not URL query string parameters.

BSQL Injection

SQL Injection involves inserting malicious SQL syntax into input fields or parameters to manipulate database queries, which is not occurring here.

CWeb Parameter TamperingCorrect

Web Parameter Tampering occurs when an attacker manipulates parameters transmitted over HTTP - such as URL query string values - to modify application data that should be controlled server-side. In this scenario, the Damount and Camount values represent debit and credit amounts that the server trusts without validation, allowing a user to alter account balances by simply changing the URL. This is a failure to enforce server-side business logic on sensitive financial parameters.

DXSS Reflection

XSS Reflection involves injecting and executing client-side scripts returned by the server, not manipulating numeric transaction parameters.

Concept tested: Web Parameter Tampering via URL query strings

Source: https://owasp.org/www-community/attacks/Web_Parameter_Tampering

Topics

#web parameter tampering#URL manipulation#input validation#web application vulnerabilities

Community Discussion

No community discussion yet for this question.

Full 312-50V11 Practice