Web Parameter Tampering attack involve the manipulation of parameter exchanged between a client and a server to modify application data such as user credentials and permissions, prices, and product quantities.

1. Exploiting Parameter Tempering Attack
in Web Application
• By: Vishal Kumar (CEH | CISE | MCP)
theprohackers2017@gmail.com

2. Lab Scenario
• According to OWASP, the web parameter Tempering attack refers to the
manipulation of the parameters exchanged between client and server to
modify application data, such as user credentials and permission, the price
and quantity of product, and so on. Usually this information is stored in
cookies, hidden form fields, or URL query strings, and is used to increase
application functionality and control Cross-Site Scripting allow an attacker to
embed malicious JavaScript,
• HTML or Flash into a vulnerable dynamic page to trick the user into
executing the script, so that attacker can get data
• Though implementing a strict application security routine, parameters, input
validation can minimize parameter tempering and XSS vulnerabilities. Many
websites and web applications are still vulnerable to these security threats.

3. Lab Objective
• The objective of this lab is to help a Pen Tester learn how to
test web applications for Vulnerability of Parameter Tempering.
• This lab will demonstrate how an attacker can easily exploit para
meter tempering and can make huge damage into the web
application.

4. Particle Approach
• Login to your computer and open the internet explorer or the
chrome web browser.
• Perform a google search, type inurl:Profile.aspx?id= (using this
command, we are searching the link of website with the profile
page) in the google search bar and hit Enter.
• It will display some links of the websites with the profile page as
shown in the below screenshot. Open the first link.

5. • The website has opened with a profile page. Now have a look in
the url (i.e http://iitrindia.org/admin%20panel/profile.aspx?id=8)
of the website, the current profile is associated with the ID=8.

6. • lick on the url and change the value of ID=12 or any desired
number and hit Enter and let’s see the change in the page.
•
The profile has been changed as shown in the below screenshot.

7. • Now change the value of ID= 15, and see the result.
•
The page has been changed with a new profile as shown in the
below screenshot.

8. • So we can see that by making the changes directly in the url of
the link, we get the different pages or information without
performing any search on the page.

9. Overview of Parameter Tempering Attack
• Web Parameter Tampering attack involve the manipulation of
parameter exchanged between a client and a server to modify
application data such as user credentials and permissions,
prices, and product quantities.

10. Disclaimer
• The information provided in this presentation is just for
knowledge purpose. If anyone has used this knowledge for his
illegal purpose, then me and my presentation is not
responsible for that.
-Thanks

11. Please Like and Share this presentation, for more videos and please
subscribe my YouTube channel and like my Facebook page.
https://www.youtube.com/channel/UCcyYSi1sh1SmyMlGfB-Vq6A
https://facebook.com/prohackers2017/
http://prohackers2017.blogspot.in/
For any query and suggestion, please writes us on
theprohackers2017@gmail.com
Thanks…!!!