Countermeasures for web application parameter tampering attacks


A parameter tampering attack is a malicious attack on an application where the attacker is manipulating hidden form variables in an attempt to disrupt the application.

Countermeasures for this attack include:

  • Effective input field filtering. Input fields should be filtered to remove all characters that might be a part of an input injection. Which characters are removed will depend upon the types of software used by the application.
  • Application firewall. Network firewalls inspect only the source and destination addresses and the port numbers, but not the contents of network packets. Application firewalls examine the contents of packets and block packets containing input attack code and other unwanted data.
  • Variable integrity checking. If your application uses values in hidden fields to communicate parameters from page to page, consider adding a variable that is a computed hash of the other variables. Make sure the algorithm for hashing your hidden variables is not easily guessed – or consider using encryption in addition to hashing. When each page begins to process its variables, compute the hash again and compare it with the hash value variable. If the values differ, you know that your variables have been tampered with and you can exit gracefully after logging the incident.
  • Application vulnerability scanning. Organizations that develop their own applications for online use should scan those applications for input attack vulnerabilities, in order to identify vulnerabilities prior to their being discovered and exploited by outsiders.
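An added example (not from the original post) of the variable integrity check described above, in Python. It assumes the server holds a secret key and uses a keyed hash (HMAC-SHA256) rather than a secret algorithm to make the hash unforgeable; the field names and secret are constructed for illustration.

```python
import hmac
import hashlib
import json
import logging

# Constructed secret for the example; a real deployment loads it from a
# secret store on the server and never sends it to the client.
SERVER_SECRET = b"example-secret-not-for-production"
SIG_FIELD = "_sig"  # name of the extra hidden input that carries the hash


def canonicalize(fields: dict) -> bytes:
    """Serialize the hidden fields deterministically (sorted keys, no
    whitespace) so the sending and receiving pages hash identical bytes."""
    payload = {k: str(v) for k, v in fields.items() if k != SIG_FIELD}
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode("utf-8")


def sign_hidden_fields(fields: dict, secret: bytes = SERVER_SECRET) -> dict:
    """Return the fields plus a keyed hash over them, to be emitted as one
    more hidden input when the page is rendered."""
    tag = hmac.new(secret, canonicalize(fields), hashlib.sha256).hexdigest()
    signed = dict(fields)
    signed[SIG_FIELD] = tag
    return signed


def verify_hidden_fields(submitted: dict, secret: bytes = SERVER_SECRET) -> bool:
    """On the next page, recompute the hash over the submitted fields and
    compare it in constant time with the submitted hash. Any added, removed
    or altered field changes the canonical bytes and so fails the check."""
    tag = submitted.get(SIG_FIELD)
    if not isinstance(tag, str):
        logging.warning("hidden-field integrity tag missing")
        return False
    expected = hmac.new(secret, canonicalize(submitted), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        logging.warning("hidden-field tampering detected; rejecting request")
        return False
    return True


if __name__ == "__main__":
    # Constructed sample: a checkout page carries item id and price in hidden fields.
    page1 = sign_hidden_fields({"item_id": "42", "price": "19.99", "qty": "1"})
    print("untampered accepted:", verify_hidden_fields(page1))
    tampered = dict(page1)
    tampered["price"] = "0.01"  # hidden price edited on the client side
    print("tampered accepted:", verify_hidden_fields(tampered))
```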

These countermeasures lower the risk of parameter tampering by making the application more robust and/or protected from input attacks.

Countermeasures for input injection attacks.
