Although this simple parameter manipulation attack is no longer seen in online
e-commerce applications, parameter manipulation attacks are still prevalent, not only in
today's Web 1.0 style applications, but in newer AJAX applications as well. This is
because these attacks do not exploit a specific technical vulnerability; they exploit a flaw in
the business logic of the application, which trusts a value the client controls. While the term parameter manipulation is generally
used as a catchall term, an attacker can perform several different types of parameter
manipulation.
Hidden Field Manipulation
In hidden field manipulation, an application stores an important value, such as the
user's user ID (UID), as a hidden field in an HTML form. Whenever the user performs an
action, the UID field is submitted along with the request and tells the server who the user is
and what actions the user may perform. However, since this field is hidden only from the
browser's rendering, not from a user who wants to attack the application, it may be changed to any value desired.
Typically, an attacker would use a tool (an intercepting proxy or a browser plug-in) to expose the hidden fields in a form and then
change the UID value to 0, which is usually the UID of the administrator account.
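The following is an added example, not code from the book or from any product it describes. It shows both halves of the attack just described: a small parser that exposes the hidden fields of a form, the tampered POST body an attacker would send with uid rewritten to 0, and a request handler that trusts the hidden field beside one that takes the identity from the server-side session instead. The form markup, the account table, the field names (uid, csrf, email) and the handler functions are all constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlencode

# Constructed sample page (not from the book): an account form that carries the
# user's UID in a hidden field, exactly the pattern the text warns about.
PROFILE_FORM = """
<form action="/account/update" method="POST">
  <input type="hidden" name="uid" value="1042">
  <input type="hidden" name="csrf" value="d3adb33f">
  <input type="text" name="email" value="alice@example.com">
  <input type="submit" value="Save">
</form>
"""


class HiddenFieldFinder(HTMLParser):
    """Collect the name/value of every <input type="hidden"> in a page,
    which is what a proxy or browser plug-in does when it 'exposes' them."""

    def __init__(self):
        super().__init__()
        self.hidden = {}

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = dict(attrs)  # attribute values may be None for bare attributes
        if (a.get("type") or "").lower() == "hidden" and a.get("name"):
            self.hidden[a["name"]] = a.get("value") or ""


def find_hidden_fields(html):
    parser = HiddenFieldFinder()
    parser.feed(html)
    return parser.hidden


def tamper(form_fields, **overrides):
    """Build the POST body an attacker would send: the original fields with
    the chosen ones rewritten (here, uid -> 0)."""
    body = dict(form_fields)
    body.update({k: str(v) for k, v in overrides.items()})
    return urlencode(body)


def fresh_users():
    """Constructed account table; UID 0 is the administrator, as in the text."""
    return {0: {"email": "admin@example.com", "role": "admin"},
            1042: {"email": "alice@example.com", "role": "user"}}


def vulnerable_update(users, session, post_body):
    """Flawed handler: the UID that decides whose record is changed comes
    from the request, so whatever the client sends is believed."""
    form = parse_qs(post_body)
    uid = int(form["uid"][0])
    users[uid]["email"] = form["email"][0]
    return uid


def hardened_update(users, session, post_body):
    """Fixed handler: identity comes from the server-side session that was
    set at login; the hidden field is at most a consistency check, and a
    mismatch is treated as tampering rather than silently ignored."""
    form = parse_qs(post_body)
    uid = session["uid"]
    if form.get("uid", [None])[0] != str(uid):
        raise PermissionError("form uid does not match authenticated user")
    users[uid]["email"] = form["email"][0]
    return uid


def demo():
    """Send the tampered request to both handlers and summarise the outcome."""
    hidden = find_hidden_fields(PROFILE_FORM)
    body = tamper({**hidden, "email": "attacker@example.com"}, uid=0)
    session = {"uid": 1042}  # Alice is the one actually logged in
    users = fresh_users()
    acted_on = vulnerable_update(users, session, body)
    admin_after_vuln = users[0]["email"]
    users = fresh_users()
    try:
        hardened_update(users, session, body)
        rejected = False
    except PermissionError:
        rejected = True
    return {"vulnerable_uid": acted_on,
            "admin_email_after_vulnerable": admin_after_vuln,
            "hardened_rejected": rejected,
            "admin_email_after_hardened": users[0]["email"]}


if __name__ == "__main__":
    print("hidden fields:", find_hidden_fields(PROFILE_FORM))
    print(demo())
```

The check in `hardened_update` is deliberately strict: once the server knows the user from the session, a uid in the request that disagrees is evidence of tampering and is worth logging, not just overriding. The same rule applies to any value that determines authorisation (role, account number, price): it belongs in server-side state keyed by the session, never in a field the client is trusted to echo back.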
160 Hacking Exposed Web 2.