The web parameter tampering attack is based on the manipulation of parameters exchanged between client and server in order to modify application data, such as user credentials and permissions, price and quantity of products, etc. Usually, this information is stored in cookies, hidden form fields, or URL query strings, and is used to increase application functionality and control. This attack takes advantage of the fact that many programmers rely on hidden or fixed fields (such as a hidden tag in a form or a parameter in a URL) as the only security measure for certain operations. Attackers can easily modify these parameters to bypass the security mechanisms that rely on them.
What is the best way to protect web applications from parameter tampering attacks?

A. Validating some parameters of the web application
B. Minimizing the allowable length of parameters
C. Using an easily guessable hashing algorithm
D. Applying effective input field filtering parameters

D
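As an added example (not part of the original question or of any commenter's answer), the following Python shows a checkout handler that trusts a hidden price field beside a hardened version that re-derives the price from a server-side catalogue, bounds the quantity, and HMAC-signs the one hidden field it must round-trip through the browser; the catalogue, key and field names are constructed assumptions.

```python
import hmac
import hashlib
from decimal import Decimal

# Constructed server-side catalogue: the server, not the client, is the source of truth for price.
CATALOGUE = {"sku-100": Decimal("49.99"), "sku-200": Decimal("5.00")}
SECRET_KEY = b"constructed-demo-key"  # assumption: a server-held secret, never sent to the client


def vulnerable_total(form: dict) -> Decimal:
    """Trusts the hidden 'price' field from the browser: editing the form changes what is charged."""
    return Decimal(form["price"]) * int(form["qty"])


def sign_field(value: str) -> str:
    """Renders a hidden field as 'value.mac' so that a modified value is detectable on return."""
    mac = hmac.new(SECRET_KEY, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}.{mac}"


def verify_field(signed: str) -> str:
    """Returns the original value only if the MAC matches; rejects any tampered hidden field."""
    value, _, mac = signed.rpartition(".")
    expected = hmac.new(SECRET_KEY, value.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        raise ValueError("hidden field failed integrity check")
    return value


def hardened_total(form: dict) -> Decimal:
    """Re-derives every security-relevant value on the server, whatever the client sent."""
    sku = verify_field(form["sku"])  # hidden field, signed when the form was rendered
    if sku not in CATALOGUE:
        raise ValueError("unknown item")
    try:
        qty = int(form["qty"])
    except ValueError:
        raise ValueError("quantity must be an integer")
    if not 1 <= qty <= 99:
        raise ValueError("quantity out of range")
    # Price comes from the catalogue; a client-supplied 'price' field is simply ignored.
    return CATALOGUE[sku] * qty


if __name__ == "__main__":
    rendered = {"sku": sign_field("sku-100"), "price": "49.99", "qty": "2"}
    tampered = dict(rendered, price="0.01")  # constructed tampered submission
    print(vulnerable_total(tampered))  # 0.02
    print(hardened_total(tampered))    # 99.98
```

Browser-side checks can be disabled, so the server-side re-validation in `hardened_total` is the control that actually holds.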
“B” only provides protection against buffer-overflow attempts using the passed parameters. You will need to filter every parameter for validity.
Especially the example shown in the image is NOT protected against by “B”, since the parameter still has the same length even though it has been tampered with.
However, “D” only mentions INPUT fields, not hidden fields, cookies, etc.
So in effect this question has NO valid answers!
D is the best answer, since A validates only some parameters, not all parameters, and B minimizes the allowable length of parameters and does not mention a maximum allowable length.
A is the best answer.
A. Validating some parameters of the web application
=> Validate only some parameters used to do data processing.
B. Minimizing the allowable length of parameters
=> Not enough, because the data can still be tampered with at the same length in some circumstances.
C. Using an easily guessable hashing algorithm
=> Not the correct answer, obviously.
D. Applying effective input field filtering parameters
=> A front-end check is not enough; the script function used to check in the browser can be turned off, thereby bypassing the parameter check.
@Q: I confirm A is the best answer; I have done web dev for over 8 years.
By the way, I deeply enjoy your comments and your passion to know the details.