Testing web applications for security vulnerabilities is critical. However, many web application owners fail to test the security of their applications, leaving them open to malicious attacks. One of the most common threats comes from parameter tampering vulnerabilities.
So what is a parameter tampering vulnerability?
It is the manipulation of the parameters exchanged between client and server in order to modify application data such as user credentials, permissions, price, or quantity of products. It can be done by:
Manipulating parameters in the query string
Intercepting and editing requests with a proxy such as Burp Suite
Interposing on the connection between client and server (man in the middle)
Using browser plugins to view and edit the data being sent
In this video, we demonstrate a live example of a parameter tampering vulnerability in one of the largest online food delivery portals. The video shows how easy it can be for a malicious user or hacker to manipulate the order value by tampering with the parameters.
In the video, we place an order using a credit card. In the payment window, we were able to change the parameter that holds the order value. In this case, the vulnerability allowed the attacker to change the product price while making the payment. The root cause is that the server trusts the amount sent by the client instead of recomputing it from its own price records.
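To make the price tampering described above concrete, and to show the fix, here is an added example that is not part of the original post or the portal's code. It models the checkout in plain Python with a constructed catalogue and a hypothetical HMAC key: the vulnerable handler charges whatever `amount` the client sends (which is what an intercepting proxy lets the attacker rewrite), while the hardened handler recomputes the total server-side and checks a signature the server itself placed on the payment form. Item names, prices and the secret key are made-up demo values.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode

# Constructed sample catalogue: the server-side source of truth for prices, in cents.
CATALOG = {"pizza-margherita": 899, "garlic-bread": 349}

# Assumption: a secret held only by the server (demo value, not a real key).
SECRET_KEY = b"demo-only-not-a-real-key"


def vulnerable_checkout(body: str) -> int:
    """Vulnerable handler: charges the client-supplied 'amount' as-is.
    Returns the amount (in cents) that would be sent to the card processor."""
    params = parse_qs(body)
    # The server never recomputes the total, so whatever the client sent is charged.
    return int(params["amount"][0])


def tamper(body: str, **overrides) -> str:
    """What the attacker does in the intercepting proxy: rewrite chosen parameters
    of the captured form body before forwarding it to the server."""
    params = {k: v[0] for k, v in parse_qs(body).items()}
    params.update({k: str(v) for k, v in overrides.items()})
    return urlencode(params)


def sign_total(item: str, qty: int, amount: int) -> str:
    """HMAC over the fields the server computed, so the form cannot be altered unnoticed."""
    msg = f"{item}:{qty}:{amount}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def build_payment_form(item: str, qty: int) -> str:
    """Hardened flow, step 1: the server computes the total from its own catalogue
    and signs it before handing the payment form to the browser."""
    amount = CATALOG[item] * qty
    return urlencode({"item": item, "qty": qty, "amount": amount,
                      "sig": sign_total(item, qty, amount)})


def hardened_checkout(body: str) -> int:
    """Hardened flow, step 2: never trust the posted amount. Recompute the total
    from the catalogue, verify the server's own signature, and reject any mismatch."""
    params = {k: v[0] for k, v in parse_qs(body).items()}
    item = params.get("item", "")
    qty = int(params.get("qty", "0"))
    if item not in CATALOG or qty <= 0:
        raise ValueError("invalid item or quantity")
    expected = CATALOG[item] * qty
    # The signature binds item and qty to the total the server issued.
    if not hmac.compare_digest(params.get("sig", ""), sign_total(item, qty, expected)):
        raise ValueError("payment form was not issued by this server for these fields")
    # The posted amount is not covered by the recomputation above, so check it explicitly.
    if int(params.get("amount", "-1")) != expected:
        raise ValueError("client amount does not match server-side price")
    return expected


if __name__ == "__main__":
    legit = build_payment_form("pizza-margherita", 2)
    forged = tamper(legit, amount=1)  # attacker sets the order value to 1 cent
    print("vulnerable, legit form :", vulnerable_checkout(legit))
    print("vulnerable, forged form:", vulnerable_checkout(forged))
    print("hardened, legit form   :", hardened_checkout(legit))
    try:
        hardened_checkout(forged)
    except ValueError as exc:
        print("hardened, forged form  : rejected ->", exc)
```

The decisive control is the recomputation in `hardened_checkout`: the price must come from the server's records at the moment of charging, not from any field the browser posts. The signature is defense in depth against edits to the other fields; on its own it would still let the client change `amount`, which is why the explicit comparison stays.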