
Rich Cannings, Himanshu Dwivedi, Zane Lackey, and Alex Stamos

"Hacking Exposed Web 2.0: Web 2.0 Security Secrets and Solutions"

Parameter manipulation attacks do not depend on any particular technology to exploit; they depend on errors in the business logic of the application. These attacks typically consist of changing parameters to values that are still valid enough to pass the application's input filtering, but that cause problems later in the application's processing.

An amusing illustration of a traditional parameter manipulation attack is the case of shopping carts on e-commerce sites in the late 1990s. In these applications, whenever a user selected an item she wished to buy, the item was added to her shopping cart along with its price. The price was stored in a "hidden" form field, which the client sent back to the server with each request. Developers at the time often assumed that because the field was marked hidden, the price was hidden from the user. In fact it was hidden only from the rendered page; it traveled in the request like any other form field. Unfortunately for these early e-commerce sites (but fortunately for the $1 large-screen TV in the author's dorm room at the time), nothing prevented an attacker from simply modifying the hidden price field and setting any desired price on an item. The item could then be purchased at the modified price, with the web application and its developers none the wiser.
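The hidden-price-field flaw described above, as an added example that is not code from the book: a checkout handler that trusts the client-submitted price beside a hardened version that charges only the server-side catalog price. The catalog, item identifiers, form fields and request bodies are constructed for illustration.

```python
"""Hidden-field price tampering: the trusting checkout beside its fix.

Added example, not code from the book. The catalog, item IDs, form
field names and request bodies below are constructed for illustration.
"""
from decimal import Decimal
from urllib.parse import parse_qs

# Constructed server-side catalog: the only trustworthy source of prices.
CATALOG = {
    "tv-60in": Decimal("1499.00"),
    "hdmi-cable": Decimal("12.50"),
}


def parse_form(body: str) -> dict:
    """Turn a urlencoded POST body into a flat dict (first value per key).

    The hidden 'price' field is just another key here; the browser's
    'hidden' attribute carries no meaning once the request is on the wire.
    """
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def checkout_vulnerable(form: dict) -> Decimal:
    """Late-1990s style: the 'hidden' price field is trusted as submitted.

    The only filtering is that the price parses as a positive number,
    so a tampered value of 1.00 passes the check and is charged.
    """
    item = form["item"]
    if item not in CATALOG:
        raise ValueError("unknown item")
    price = Decimal(form["price"])
    qty = int(form["qty"])
    if price <= 0 or qty <= 0:
        raise ValueError("invalid price or quantity")
    return price * qty


def checkout_fixed(form: dict) -> Decimal:
    """Hardened: the price is looked up server-side and the client value is
    never used for the charge. A submitted price that disagrees with the
    catalog is treated as tampering and rejected (and would be logged)."""
    item = form["item"]
    if item not in CATALOG:
        raise ValueError("unknown item")
    qty = int(form["qty"])
    if qty <= 0:
        raise ValueError("invalid quantity")
    price = CATALOG[item]
    submitted = form.get("price")
    if submitted is not None and Decimal(submitted) != price:
        raise ValueError(
            f"price tampering detected for {item}: submitted {submitted}, catalog {price}"
        )
    return price * qty


def tamper(body: str, new_price: str) -> str:
    """Model the attacker: the hidden field is part of the request body,
    so changing it is just rewriting one key before sending."""
    form = parse_form(body)
    form["price"] = new_price
    return "&".join(f"{k}={v}" for k, v in form.items())


def fixed_rejects(form: dict) -> bool:
    """True if the hardened checkout refuses this form."""
    try:
        checkout_fixed(form)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed request body as the browser would send it from the
    # original form, with the price in a hidden field.
    honest_body = "item=tv-60in&price=1499.00&qty=1"
    evil_body = tamper(honest_body, "1.00")
    print("vulnerable charges:", checkout_vulnerable(parse_form(evil_body)))
    print("fixed rejects tampered form:", fixed_rejects(parse_form(evil_body)))
    print("fixed charges honest form:", checkout_fixed(parse_form(honest_body)))
```

The fix is not "validate the hidden field harder": any value the client sends can be changed, so the price must come from state the server controls (here the catalog; in a real cart, the server-side session). Echoing a price back in the form for display is fine, as long as it is never the value that is charged.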

