Parameter Tampering
What is Parameter Tampering?
Parameter Tampering: An attack in which an adversary modifies parameters in HTTP requests, cookies, or hidden form fields to manipulate application behaviour.
Parameter tampering targets data that the client sends but the server should not trust: query strings, POST body fields, hidden inputs, cookies, JWT claims, and HTTP headers. Common abuses include changing a price field in a checkout request, switching a user ID in a profile endpoint, flipping a role parameter, or bypassing client-side validation. The root cause is the server treating client data as authoritative instead of recomputing or validating it against authoritative state. Defences include server-side validation and authorization for every sensitive value, cryptographically signed or server-side state for prices and totals, allow-list input schemas, and Web Application Firewalls as defence in depth.
● Examples
- 01: Editing a hidden price field in checkout from 100 to 1 before submitting the order.
- 02: Changing role=user to role=admin in a sign-up request.
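The root cause described above (the server treating a client-supplied price as authoritative) and the fix it names (recompute from server-side state, allow-list the fields you accept, or sign values the server emits), as an added example that is not part of this glossary page. The catalog, SKUs and signing key are constructed placeholders.

```python
import hashlib
import hmac
from decimal import Decimal

# Constructed server-side catalog: the authoritative source of prices.
CATALOG = {"sku-100": Decimal("100.00"), "sku-25": Decimal("25.00")}
# Constructed key for the signed-state variant; load from a secret store in practice.
SERVER_KEY = b"constructed-example-key"


def vulnerable_total(form):
    """'Before': trusts the hidden price field exactly as the client sent it."""
    return Decimal(form["price"]) * int(form["qty"])


def hardened_total(form):
    """'After': ignores any client-supplied price, recomputes from server state,
    and applies an allow-list schema to the fields it does accept."""
    sku = form.get("sku")
    if sku not in CATALOG:
        raise ValueError("unknown sku")
    qty = form.get("qty")
    if not isinstance(qty, str) or not qty.isdigit() or not 1 <= int(qty) <= 100:
        raise ValueError("qty must be an integer between 1 and 100")
    return CATALOG[sku] * int(qty)


def sign_value(name, value):
    """Signed-state alternative: the server binds a value it emits (e.g. a quoted
    price) to a MAC, so a client edit is detected when the value comes back."""
    mac = hmac.new(SERVER_KEY, f"{name}={value}".encode(), hashlib.sha256).hexdigest()
    return f"{value}.{mac}"


def verify_signed(name, token):
    """Reject the value unless its MAC matches; constant-time compare."""
    value, _, mac = token.rpartition(".")
    expected = hmac.new(SERVER_KEY, f"{name}={value}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        raise ValueError(f"{name} was tampered with")
    return value


if __name__ == "__main__":
    tampered = {"sku": "sku-100", "price": "1", "qty": "1"}  # price edited 100 -> 1
    print(vulnerable_total(tampered))  # 1: the tampered price goes through
    print(hardened_total(tampered))    # 100.00: client price ignored
```

The same pattern applies to any client-controlled value that drives a decision (user IDs, roles, totals): look it up or recompute it server-side, and treat the submitted copy as untrusted input to validate, not as state.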
● Frequently asked questions
What is Parameter Tampering?
An attack in which an adversary modifies parameters in HTTP requests, cookies, or hidden form fields to manipulate application behaviour. It belongs to the Vulnerabilities category of cybersecurity.
What does Parameter Tampering mean?
An attack in which an adversary modifies parameters in HTTP requests, cookies, or hidden form fields to manipulate application behaviour.
How do you defend against Parameter Tampering?
Defences for Parameter Tampering combine technical controls and operational practices: server-side validation and authorization of every sensitive value, cryptographically signed or server-side state for prices and totals, allow-list input schemas, and a Web Application Firewall as defence in depth, as detailed in the full definition above.
What are other names for Parameter Tampering?
Common alternative names include: Web parameter tampering, Request tampering.