Thread: What is parameter tampering ?

  1. #1
    Join Date
    Feb 2009
    Posts
    44

    What is parameter tampering ?

    Hi,

    I want to know what is meant by the term "parameter tampering". Does anybody have any information about it? Please help me by providing related ideas.

    thanks...

  2. #2
    Join Date
    Apr 2008
    Posts
    2,572

    Re: What is parameter tampering ?

    Definition - Parameter tampering is a form of Web-based hacking event (called an attack) in which certain parameters in the Uniform Resource Locator (URL) or Web page form field data entered by a user are changed without that user's authorization.
    This points the browser to a link, page or site other than the one the user intends (although it may look exactly the same to the casual observer). Parameter tampering can be employed by hackers and identity thieves to surreptitiously obtain personal or business information about the user.


    Countermeasures specific to the prevention of parameter tampering involve the validation of all parameters to ensure that they conform to standards concerning minimum and maximum allowable length, allowable numeric range, allowable character sequences and patterns, whether or not the parameter is actually required to conduct the transaction in question, and whether or not null is allowed.

    Whitelisting (accepting only allowable input) is more effective than blacklisting (refusing to accept only forbidden input).

    A Web application firewall can provide some protection against parameter tampering, provided that it is configured properly for the site in use.

    Overall, the vulnerability of a computer or network to parameter tampering can be minimized by implementing a strict application security routine and making sure that it is kept up to date.
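
The validation checks listed in the post above (length limits, numeric range, allowed patterns, required or optional, null allowed or not, and accepting only allow-listed input) can be sketched as follows. This is an added example, not part of the original post; the schema, field names and limits describe a constructed "add to cart" request and are assumptions.

```python
import re

# Hypothetical schema for a constructed "add to cart" request; the field
# names and limits are assumptions chosen for illustration.
SCHEMA = {
    "product_id": {"type": "str", "required": True, "min_len": 8, "max_len": 8,
                   "pattern": r"[A-Z]{3}-[0-9]{4}"},
    "quantity":   {"type": "int", "required": True, "min": 1, "max": 20},
    "coupon":     {"type": "str", "required": False, "nullable": True,
                   "min_len": 4, "max_len": 12, "pattern": r"[A-Z0-9]+"},
}

def validate(params, schema=SCHEMA):
    """Return (clean, errors). Only schema-listed parameters are accepted."""
    clean, errors = {}, []
    # Allow-list: any parameter the schema does not name is rejected outright.
    for name in sorted(set(params) - set(schema)):
        errors.append(f"{name}: unexpected parameter")
    for name, rule in schema.items():
        if name not in params:
            if rule.get("required"):
                errors.append(f"{name}: missing")
            continue
        value = params[name]
        if value is None or value == "":
            if rule.get("nullable"):
                clean[name] = None
            else:
                errors.append(f"{name}: null not allowed")
            continue
        if not isinstance(value, str):
            # e.g. a repeated parameter that the framework parsed as a list
            errors.append(f"{name}: not a string")
            continue
        if rule["type"] == "int":
            # ASCII digits only: no sign, whitespace, exponent or Unicode digits.
            if not re.fullmatch(r"[0-9]{1,9}", value):
                errors.append(f"{name}: not an integer")
            elif not rule["min"] <= int(value) <= rule["max"]:
                errors.append(f"{name}: out of range")
            else:
                clean[name] = int(value)
        elif not rule["min_len"] <= len(value) <= rule["max_len"]:
            errors.append(f"{name}: bad length")
        elif not re.fullmatch(rule["pattern"], value):
            errors.append(f"{name}: bad format")
        else:
            clean[name] = value
    return clean, errors
```

The request is processed only when `errors` is empty, and only the values in `clean` are passed on to the application logic.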

  3. #3
    Join Date
    Apr 2008
    Posts
    2,276

    Re: What is parameter tampering ?

    The Web Parameter Tampering attack is based on the manipulation of parameters exchanged between client and server in order to modify application data, such as user credentials and permissions, price and quantity of products, etc. Usually, this information is stored in cookies, hidden form fields, or URL Query Strings, and is used to increase application functionality and control.

    This attack can be performed by a malicious user who wants to exploit the application for their own benefit, or an attacker who wishes to attack a third person using a man-in-the-middle attack. In both cases, tools like WebScarab and Paros proxy are mostly used.

    The attack success depends on integrity and logic validation mechanism errors, and its exploitation can result in other consequences including XSS, SQL Injection, file inclusion, and path disclosure attacks.
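
The post above names hidden form fields, cookies and query strings as the places where tampered values travel, and points to missing integrity checks as the cause. One common server-side integrity check is an HMAC tag over the values the server issued, shown here as an added example that is not part of the original post; the key, field names and session identifier are assumptions.

```python
import hashlib
import hmac

# Assumption: a server-side secret that never reaches the client. A real
# deployment loads it from a secret store; this constant is a placeholder.
SECRET_KEY = b"example-only-secret-key"

def _mac(fields, session_id):
    # Length-prefix each value so ("ab", "c") and ("a", "bc") cannot collide.
    msg = b"".join(
        len(v).to_bytes(4, "big") + v
        for v in (s.encode() for s in (session_id, *fields))
    )
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()

def issue(product_id, price_cents, session_id):
    """Values the server writes into hidden form fields, plus their tag."""
    fields = {"product_id": product_id, "price_cents": str(price_cents)}
    fields["tag"] = _mac((fields["product_id"], fields["price_cents"]), session_id)
    return fields

def verify(form, session_id):
    """True only if the returned fields are exactly what this session was issued."""
    try:
        expected = _mac((form["product_id"], form["price_cents"]), session_id)
        # Constant-time comparison avoids leaking how many characters matched.
        return hmac.compare_digest(expected, form["tag"])
    except (KeyError, TypeError, AttributeError):
        # Missing field, non-string value or non-ASCII tag: treat as tampered.
        return False
```

Binding the tag to the session stops a tag issued to one user from being replayed by another. Where the server can look the price up by `product_id` itself, not round-tripping it through the client at all is simpler still.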

  4. #4
    Join Date
    Apr 2008
    Posts
    2,277

    Re: What is parameter tampering ?

    Parameter tampering is a sophisticated form of hacking that creates a change in the Uniform Resource Locator, or URL, associated with a web page. Essentially, parameter tampering makes it possible for the hacker to gain access to any information entered by an end user on an affected web page, and redirect it to the hacker for unauthorized use. This type of hacking activity is often employed to gain access to personal information such as credit card numbers, government-issued identification numbers, and other data that is of a proprietary nature.

  5. #5
    Join Date
    Feb 2009
    Posts
    44

    Re: What is parameter tampering ?

    Ohh...thanks a lot for providing such valuable information. This is a real threat when entering URLs while surfing the internet. Is there any way to protect ourselves from web parameter tampering?

  6. #6
    Join Date
    Oct 2005
    Posts
    2,358

    Re: What is parameter tampering ?

    Prevention Measures -

    Firewall - One of the more common tools used to minimize the potential for parameter tampering is the firewall. As part of the operation of a firewall, each parameter or identifying data that defines a web page must be verified in order to allow full access to the page. If any single parameter does not meet with the standards established during the implementation of the firewall, access is blocked and cannot be secured by a hacker.

    Whitelisting and Blacklisting - Both whitelisting and blacklisting are employed as tools to limit parameter tampering. Whitelisting essentially works to accept only input that is deemed allowable by the current security settings. Blacklisting focuses more on refusing to allow access using any input that is not specifically included in the security protocols. Depending on the degree and type of security protection desired, one or both of these tools may be employed simultaneously.

    Various other settings can be put in place to limit the ability of a hacker to make use of parameter tampering. Like a firewall, these settings verify the status of all parameters and make sure nothing is amiss. This verification process will look at the numeric range that was set for the web page as well as the minimum and maximum lengths of the entered strings that are applied to the page. If any parameter does not match the original configuration, then access is denied.

    Even with these safeguards in place, it is recommended that any computer network undergo a scheduled security check in order to identify any possible attempts to employ parameter tampering by an outside source. The routine security checks can often spot potential weaknesses in the current security settings and make it possible to protect the URLs from newer and more potent viruses and other dangers that could overcome current security protocols.
