Information Security
attacks attack-prevention e-commerce
Updated Sun, 07 Aug 2022 12:46:09 GMT

What type of attack is this?


Attacker purchasing something from e-store when attempting to tamper with requests and change the transaction amount value. What type of attack is this? How to prevent this kind of attack as the bank and merchants?




Solution

This is a Parameter Tampering attack. Emphasis mine:

The Web Parameter Tampering attack is based on the manipulation of parameters exchanged between client and server in order to modify application data, such as user credentials and permissions, price and quantity of products, etc. Usually, this information is stored in cookies, hidden form fields, or URL Query Strings, and is used to increase application functionality and control.

You can prevent this type of attack by not storing sensitive information client side. For example, you could calculate the price server side each time it is displayed or used. Any attempt at altering quantities would result in the new price calculation remaining accurate.

If you want to validate quantity too, for example if you are limiting the number of products a user can buy, then you should also validate this server side.







External Links

External links referenced by this document: