EC-Council 312-50V9 Question #115: Real Exam Question with Answer & Explanation
The correct answer is B: By changing hidden form values. The attacker edited the hidden HTML form fields that carried the purchase price before the request was submitted; because the server trusted the client-supplied value, neither the web server nor the database had to be compromised.
Question
An attacker has been successfully modifying the purchase price of items purchased on the company's web site. The security administrators verify the web server and Oracle database have not been compromised directly. They have also verified the Intrusion Detection System (IDS) logs and found no attacks that could have caused this. What is the most likely way the attacker has been able to modify the purchase price?
Options
- A. By using SQL injection
- B. By changing hidden form values
- C. By using cross site scripting
- D. By utilizing a buffer overflow attack
Explanation
The purchase price was stored in a hidden HTML form field and sent back to the server with the order. Hidden fields are hidden only from the rendered page, not from the user: the attacker edited the price in the browser or in the outgoing request before submission, and the server accepted the modified value without recomputing the price from its own catalog. No server or database compromise was needed and no malicious traffic pattern reached the IDS, which is why the administrators found nothing on either.
Common mistakes.
- A. SQL injection targets the database through malformed query input, but the problem states the Oracle database was not compromised, ruling this out.
- C. Cross-site scripting injects malicious scripts into pages viewed by other users and is not a mechanism for directly altering transaction prices on a form.
- D. Buffer overflow attacks exploit memory vulnerabilities to compromise the server process itself, which the administrators confirmed did not occur.
Concept tested. Hidden form field tampering for price manipulation
Reference. https://owasp.org/www-community/attacks/Web_Parameter_Tampering
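As an added example that is not part of the original question or its reference, the flaw behind answer B in Python: a checkout handler that trusts the hidden price field beside one that recomputes the price server-side, plus a check that flags a tampered submission. The catalog, SKUs and form values are constructed for illustration.

```python
# Added example (not from the original question page): the same checkout
# computed from a client-supplied hidden field and from a server-side catalog.
# CATALOG, the SKU names and the form dictionaries are constructed values.
from decimal import Decimal

# Server-side catalog: the only trustworthy source of prices.
CATALOG = {"SKU-1001": Decimal("499.00"), "SKU-2002": Decimal("29.99")}


def checkout_vulnerable(form: dict) -> Decimal:
    """Totals the order from the hidden 'price' field the browser sent back.
    Anything the client can edit, the client controls, so this is tamperable."""
    qty = int(form["qty"])
    return Decimal(form["price"]) * qty


def checkout_hardened(form: dict) -> Decimal:
    """Ignores any client-supplied price and recomputes it from the catalog,
    also bounding the quantity so a negative or huge value cannot slip through."""
    sku = form["sku"]
    if sku not in CATALOG:
        raise ValueError(f"unknown sku {sku!r}")
    qty = int(form["qty"])
    if not 1 <= qty <= 100:
        raise ValueError(f"quantity out of range: {qty}")
    return CATALOG[sku] * qty


def price_mismatch(form: dict) -> bool:
    """Detection aid for logs or monitoring: True when the submitted hidden
    price disagrees with the catalog, a signal that the form was altered."""
    submitted = Decimal(form.get("price", "0"))
    return submitted != CATALOG.get(form.get("sku"), Decimal("-1"))


# Constructed request in which the hidden price was edited from 499.00 to 1.00.
TAMPERED_FORM = {"sku": "SKU-1001", "qty": "1", "price": "1.00"}
```

Logging `price_mismatch` hits gives the administrators the trail that neither the server logs nor the IDS provided in the scenario.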