Parameter tampering is a type of web attack that involves manipulating or interfering with the application business logic that is exchanged between client and server to alter application data.
This subtle yet potent threat can have far-reaching consequences, from unauthorised data access to complete system compromise.
Understanding the mechanics of parameter tampering is crucial for developers and security professionals in order to safeguard against unauthorised manipulations.
In this article I've given you code snippets you can use in your app to prevent these vulnerabilities. Use our boilerplate code as you see fit, but please test it thoroughly for functional and security bugs before shipping to prod. By using any code provided here, you accept that it's provided for educational purposes and we cannot be held responsible for any errors, ommissions or liability for your use of this code or any concepts discussed here.
Types of Parameter Tampering Attacks
Web Parameter Tampering Attack
Web parameter tampering attacks involve manipulating parameters exchanged between client and server to modify application data, such as user credentials and permissions.
These attacks can be performed by a malicious user or an attacker using tools like Webscarab and Paros proxy.
The attack success depends on integrity and logic validation mechanism errors, and its exploitation can result in other consequences including XSS, SQL Injection, file inclusion, and path disclosure attacks.
Examples of Parameter manipulation
URL Parameters
Original: shop.com/item?id=123&price=100
Tampered: shop.com/item?id=123&price=1Hidden Form Fields
Original: <input type="hidden" name="total" value="50.00">
Tampered: <input type="hidden" name="total" value="0.00">Cookie Values
Original: userRole=customer
Tampered: userRole=adminSession Tokens
Original: sessionID=user123
Tampered: sessionID=admin456API Parameters
Original: api/account?userId=123
Tampered: api/account?userId=456Risks and Impacts of Parameter Tampering
Technical Breakdown
Parameters are the building blocks of dynamic web applications, carrying data that instructs the server on how to respond to a user’s request.
Parameters are often embedded in URL queries, form fields, session cookies, or HTTP headers, and they instruct the server on how to process a user’s request.
A parameter tampering attack involves the manipulation of parameters that are used to transfer data between a client—such as a web browser—and a server.
Common Targets
Web applications that do not rigorously validate user input are common targets for parameter tampering.
Attackers look for points where user input can influence the server’s response.
This could be anything from a search field in a web application to the quantity field in an online shopping cart.
Signs of Tampering
Anomalies in user requests can often signal an attempt at parameter tampering.
These may include unexpected parameter values, patterns that deviate from the norm, or repeated requests that appear to be testing the boundaries of what the server will accept.
Monitoring URL query strings, HTTP headers, and form fields for suspicious activity can help detect parameter tampering.
There are a variety of software tools and techniques available to monitor and detect parameter tampering.
Intrusion detection systems (IDS), for example, can be configured to alert administrators of potential tampering based on predefined rules or heuristics.
Web application firewalls (WAFs) can also be helpful as a real-time mechanism to prevent parameter tampering attacks before they hit your application.
Preventing Parameter Tampering (With Code Snippets)
The general principles in preventing parameter tampering in your apps requires you to adhere to these 5 principles:
- Never trust client-side data
- Always validate on the server side, even if you have client-side validation in place
- Use proper error handling
- Keep dependencies updated, using SBOM discovery and cataloguing tools like Cyber Chief's Raider
- Implement rate limiting so that your application capabilities cannot be abused
- Regularly audit your application's security by running web app security tests and API security audits from your CI/CD pipelines
Input Validation Is The Key
Robust server-side input validation is essential for preventing parameter tampering. Your applications can defend against malicious tampering attempts when all input meets strict criteria before its processed.
Using rule-based or whitelisting approaches (less favoured) to validate input can help prevent parameter tampering and depending on your tech stack, you might be able to implement multiple layers of defences against parameter tampering attacks.
Here's how you can implement input validation and sanitization across different tech stack components:
Preventing Parameter Tampering in Node.js/Express Apps
Joi is an expressive validator library for JavaScript objects (it's not the only one and you might find one that better suits your project). It helps ensure inputs are checked before progressing (eg. transferring user inputs to a DB).
You first create a schema and then validate the payload against the schema. If invalid it will throw the relevant error message.
// Use a validation library like Joi
const Joi = require('joi');
const schema = Joi.object({
userId: Joi.number().integer().min(1).required(),
email: Joi.string().email().required(),
age: Joi.number().min(0).max(120)
});
app.post('/api/users', (req, res) => {
const { error, value } = schema.validate(req.body);
if (error) {
return res.status(400).json({ error: error.details[0].message });
}
// Process validated data
});
Preventing Parameter Tampering in Django Apps
Django has built in features that help you validate and santize user inputs. But, before starting with validations, you should activate Django's in-built security middleware (if you've not done so from other parts of your application):
# settings.py
MIDDLEWARE = [
'django.middleware.security.SecurityMiddleware',
'django.middleware.csrf.CsrfViewMiddleware',
'django.middleware.common.CommonMiddleware',
'django.middleware.clickjacking.XFrameOptionsMiddleware',
]
# Security settings
SECURE_SSL_REDIRECT = True # Force HTTPS
SESSION_COOKIE_SECURE = True
CSRF_COOKIE_SECURE = True
SECURE_BROWSER_XSS_FILTER = True
SECURE_CONTENT_TYPE_NOSNIFF = True
X_FRAME_OPTIONS = 'DENY'
Form validation using Django:
from django import forms
class UserForm(forms.ModelForm):
class Meta:
model = User
fields = ['username', 'email', 'age']
def clean_age(self):
age = self.cleaned_data['age']
if age < 0 or age > 120:
raise forms.ValidationError("Invalid age range")
return age
# In views.py
def create_user(request):
if request.method == 'POST':
form = UserForm(request.POST)
if form.is_valid():
user = form.save()
return JsonResponse({'status': 'success'})
return JsonResponse({'errors': form.errors}, status=400)
Serializer validation is a way to validate and control data conversion between complex types (like Django models, querysets) and Python native datatypes that can be easily rendered into JSON, XML, or other content types.
In this example the Serializer Validation (DRF) is used to validate the "age" input from a user:
from rest_framework import serializers
class UserSerializer(serializers.ModelSerializer):
class Meta:
model = User
fields = ['username', 'email', 'age']
def validate_age(self, value):
if value < 0 or value > 120:
raise serializers.ValidationError("Invalid age range")
return value
Django also has inbuilt methods for parameter validation, in the following example this code validates the length of an input:
from django.core.validators import MinValueValidator, MaxValueValidator
from django.db import models
class Product(models.Model):
name = models.CharField(max_length=100)
price = models.DecimalField(
max_digits=10,
decimal_places=2,
validators=[MinValueValidator(0)]
)
quantity = models.IntegerField(
validators=[MinValueValidator(0), MaxValueValidator(1000)]
)
Preventing Parameter Tampering in .Net/C# Apps
User input validation in .Net is performed via both model validation and RequestValidationMiddleware as they serve different purposes and provide complementary layers of security. The RequestValidationMiddleware is your first line of defence and is responsible for:
- Validateing the HTTP request itself before it reaches model binding
- Protecting against request-level attacks
Model validation is your second layer of protection and is tasked with validating the data within the request. If you only use Model Validation:
- Malicious requests could still consume server resources
- Your application would be vulnerable to DOS attacks
- You'd miss request-level security checks
So let's start by including the right security configurations for accepted file types and file size limits:
// appsettings.json
{
"SecuritySettings": {
"MaxRequestSize": 10485760,
"AllowedFileTypes": [".jpg", ".png", ".pdf"],
"MaxFileSize": 5242880
}
}
// Use strongly-typed configuration
public class SecuritySettings
{
public int MaxRequestSize { get; set; }
public string[] AllowedFileTypes { get; set; }
public int MaxFileSize { get; set; }
}
services.Configure<SecuritySettings<(Configuration.GetSection("SecuritySettings"));
Next you should include middleware for request validation because it acts as a filter or checkpoint that processes HTTP requests before they reach your application's main logic. It also ensures that all inputs are centrally validated using the same rules for consisetent handling and deubbing; plus it keeps your app performant by ensuring that unnecesssary requests aren't sent for processing.
This is an example of how to use the RequestValidationMiddleware to validate for the Content-Type header; origin of CORS request; request size; and content type:
public class RequestValidationMiddleware
{
private readonly RequestDelegate _next;
public RequestValidationMiddleware(RequestDelegate next)
{
_next = next;
}
public async Task InvokeAsync(HttpContext context)
{
// Inspect and validate request headers
if (!context.Request.Headers.ContainsKey("Content-Type"))
{
context.Response.StatusCode = StatusCodes.Status400BadRequest;
await context.Response.WriteAsync("Content-Type header is required");
return;
}
// Validate origin for CORS requests
if (context.Request.Headers.ContainsKey("Origin"))
{
var origin = context.Request.Headers["Origin"].ToString();
if (!IsValidOrigin(origin))
{
context.Response.StatusCode = StatusCodes.Status403Forbidden;
return;
}
}
// Validate request size
if (context.Request.ContentLength > 10485760) // 10MB
{
context.Response.StatusCode = 413; // Payload Too Large
return;
}
// Validate content type
if (context.Request.Method == "POST" &&
!context.Request.ContentType.StartsWith("application/json"))
{
context.Response.StatusCode = 415; // Unsupported Media Type
return;
}
await _next(context);
}
}
Then you can add in model validation using data annotations:
public class UserModel
{
[Required]
[StringLength(50)]
public string Username { get; set; }
[Required]
[EmailAddress]
public string Email { get; set; }
[Range(0, 120)]
public int Age { get; set; }
[RegularExpression("^[0-9]{10}$")]
public string PhoneNumber { get; set; }
}
Custom model validation in our C# code can be performed with this code:
public class CustomValidationAttribute : ValidationAttribute
{
protected override ValidationResult IsValid(object value, ValidationContext context)
{
var user = (UserModel)context.ObjectInstance;
if (/* custom validation logic */)
{
return new ValidationResult("Custom validation failed");
}
return ValidationResult.Success;
}
}
Secure Coding Practices
As a developer, you must write code with security in mind from the outset, which includes proper error handling, data sanitisation, and the principle of least privilege.
Using secure coding practices can help prevent parameter tampering attacks.
Best Practices for Developers
Regular Security Audits
Regular security audits/penetration testing are vital in identifying and addressing security weaknesses.
These audits should include thorough testing for vulnerabilities, including those that could lead to parameter tampering.
Scan your web applications to find out potential parameter tampering vulnerabilities by running regular vulnerability scans with a user-friendly web application vulnerability scanning tool, like Cyber Chief
Encrypt Sensitive Data
Encrypt parameters, such as session IDs or any sensitive information passed between the client and server, to prevent them from being easily tampered with or intercepted.
Always use HTTPS (SSL/TLS) to encrypt the communication channel between the client and server, preventing tampering of parameters during transmission.
Hashing and Digital Signatures
For sensitive parameters (like IDs or values), generate a hash or a digital signature to ensure integrity. If the parameter changes, the hash or signature won’t match, and the request will be rejected.
HMAC (Hash-Based Message Authentication Code): This technique uses a secret key combined with the data to generate a hash. It ensures that the data hasn’t been modified and is authentic.
Use Session Management Techniques
Ensure that session IDs or authentication tokens are unique, long, and unpredictable. These should be securely stored and never passed through the URL.
Regularly regenerate session IDs to mitigate session fixation and hijacking attacks. Also, ensure sessions expire after a reasonable amount of inactivity.
Limit Parameter Modifications
Certain parameters, such as user IDs, should not be modified by the user. These should be set securely on the server-side and never exposed for tampering.
Pass critical or sensitive data in headers or request bodies instead of URL parameters, where it can be more easily intercepted or manipulated.
Legal and Ethical Considerations
Compliance with Data Protection Laws
Data protection laws such as the General Data Protection Regulation (GDPR) in the European Union and the Health Insurance Portability and Accountability Act (HIPAA) in the United States set stringent guidelines for the handling of personal data.
Compliance with these laws is essential for protecting sensitive data from parameter tampering attacks.
Ensuring compliance with data protection laws can help prevent legal and financial consequences.
What is parameter pollution vulnerability?
Parameter pollution vulnerability is different than a parameter tampering vulnerability.
Parameter pollution vulnerability occurs when an application handles duplicate parameters inconsistently. For example:
https://website.com/profile?role=user&role=adminThe front-end might see role=user while the backend sees role=admin, leading to potential privilege escalation. This commonly occurs in multi-tier architectures where different systems process the same parameters differently.
How to find parameter tampering vulnerabilities in your app?
Watch the Cyber Chief on-demand demo to see not only how it can help to keep attackers out, but also to see how you can ensure that you ship every release with zero known vulnerabilities.
Cyber Chief has been built to integrate with the workflows of high-growth SaaS teams and that's why it offers:
Results from scanning your application for the presence of OWASP Top 10 + SANS CWE 25 + thousands of other vulnerabilities.
A detailed description of the vulnerabilities found.
A risk level for each vulnerability, so you know which ones to fix first.
Best-practice fixes for each vulnerability, including code snippets where relevant.
On-Demand Security Coaching from our application security experts to help you patch vulnerabilities in hours, not days.
Click the green button below to see how Cyber Chief works.