CyberGlossary

Vulnerabilities

Parameter Tampering

Also known as: Web parameter tampering, Request tampering

Definition

An attack in which an adversary modifies parameters in HTTP requests, cookies, or hidden form fields to manipulate application behaviour.

Parameter tampering targets data that the client sends but the server should not trust: query strings, POST body fields, hidden inputs, cookies, JWT claims, and HTTP headers. Common abuses include changing a price field in a checkout request, switching a user ID in a profile endpoint, flipping a role parameter, or bypassing client-side validation. The root cause is the server treating client data as authoritative instead of recomputing or validating it against authoritative state. Defences include server-side validation and authorization for every sensitive value, cryptographically signed or server-side state for prices and totals, allow-list input schemas, and Web Application Firewalls as defence in depth.

Examples

  • Editing a hidden price field in checkout from 100 to 1 before submitting the order.
  • Changing role=user to role=admin in a sign-up request.
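
As an added example (not part of the glossary entry), a checkout handler that trusts client-supplied price and role fields, shown beside a hardened version that takes identity from the session, price from a server-side catalogue, and rejects any field outside an allow-list; the catalogue, session store and requests below are constructed sample data.

```python
# Added example, not from the glossary: a handler that trusts client data
# next to one that recomputes sensitive values from server-side state.
# CATALOGUE, SESSIONS and TAMPERED are constructed sample data.
from decimal import Decimal

# Authoritative server-side state (constructed sample data).
CATALOGUE = {"sku-123": Decimal("100.00")}
SESSIONS = {"sess-abc": {"user_id": 42, "role": "user"}}


def checkout_vulnerable(request: dict) -> dict:
    """Trusts every field the client sent, including price, role and user id."""
    return {
        "user_id": int(request["user_id"]),
        "total": Decimal(request["price"]) * int(request["qty"]),
        "role": request.get("role", "user"),
    }


def checkout_hardened(session_id: str, request: dict) -> dict:
    """Identity comes from the session, price from the catalogue, and only
    an allow-listed set of client fields is accepted at all."""
    session = SESSIONS.get(session_id)
    if session is None:
        raise PermissionError("no valid session")
    unexpected = set(request) - {"sku", "qty"}
    if unexpected:
        # Client tried to supply price/role/user_id: reject, do not ignore.
        raise ValueError(f"unexpected fields: {sorted(unexpected)}")
    sku = request["sku"]
    if sku not in CATALOGUE:
        raise ValueError("unknown sku")
    qty = int(request["qty"])
    if not 1 <= qty <= 100:
        raise ValueError("quantity out of range")
    return {
        "user_id": session["user_id"],
        "total": CATALOGUE[sku] * qty,   # recomputed, never taken from the client
        "role": session["role"],
    }


# Constructed tampered request: price rewritten to 1, role flipped, user id swapped.
TAMPERED = {"sku": "sku-123", "qty": "1", "price": "1", "role": "admin", "user_id": "7"}
```

Against TAMPERED the vulnerable handler bills 1 to user 7 as admin, while the hardened one refuses the request because price, role and user_id are not allow-listed fields.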

Related terms