After the attacker has finished editing the value, the form can then be submitted as normal.
Chapter 6: AJAX Types, Discovery, and Parameter Manipulation 163
Parameter Manipulation Countermeasure
Countermeasures for parameter manipulation are generally quite straightforward and
rely on the same principles employed by most other web application defenses: don't
blindly trust input from your users. Developers should never store sensitive values on
the client and assume they will not be tampered with. Where possible, developers should
instead store sensitive values on the server side, which then can be accessed by the client
through use of its session identifier. Finally, the application should always verify that the
client has permission to perform the action that it is requesting, and that any values
provided by the client are properly checked.
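The contrast the countermeasure describes, as an added example that is not from the book: a checkout handler that trusts a client-editable price and user field beside one that takes identity from the session, price from a server-side catalogue, and checks permission first. The session store, catalogue and permission table are constructed sample data, and the handlers are simulated without a web framework.

```python
# Added example (not from the book): the two approaches the countermeasure
# section contrasts, simulated without a web framework so it runs offline.
# Session store, catalogue and permission table below are constructed data.

SESSIONS = {"sess-abc123": {"user": "alice"}}                   # session id -> identity
CATALOGUE = {"sku-100": {"price_cents": 4999}}                   # server-side truth
PERMISSIONS = {"alice": {"purchase"}, "bob": set()}              # who may do what


def checkout_trusting_client(form):
    """Vulnerable pattern: user and price arrive in the form (e.g. hidden
    fields), so a client that edits them decides what gets charged."""
    return {"user": form["user"], "sku": form["sku"],
            "charged_cents": int(form["price_cents"])}


def checkout_server_side(form, session_id):
    """Hardened pattern: identity comes from the session, the price from the
    server-side catalogue, and the action is authorised before it proceeds."""
    session = SESSIONS.get(session_id)
    if session is None:
        raise PermissionError("no valid session")
    user = session["user"]
    if "purchase" not in PERMISSIONS.get(user, set()):
        raise PermissionError(f"{user} may not purchase")
    sku = form.get("sku", "")
    item = CATALOGUE.get(sku)
    if item is None:
        raise ValueError("unknown sku")
    # Any client-supplied price is ignored; the catalogue value is authoritative.
    return {"user": user, "sku": sku, "charged_cents": item["price_cents"]}


if __name__ == "__main__":
    # Constructed tampered submission: the hidden price field edited to 1 cent.
    tampered = {"user": "alice", "sku": "sku-100", "price_cents": "1"}
    print(checkout_trusting_client(tampered))               # charges 1 cent
    print(checkout_server_side(tampered, "sess-abc123"))    # charges 4999 cents
```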
Manipulation Wrap-Up
While the term parameter manipulation attack is often used, attackers must be aware of a
number of subclasses of the attack. Since a parameter manipulation attack is against the
business logic of the application, it is extremely difficult to automate the detection of any
flaws. Thus, attackers must depend on tools such as the Firefox extension WebDeveloper
164 Hacking Exposed Web 2.