Parameter Tampering

Question

Dear all,&nbsp;
 &nbsp;
I want to know how can I avoid users to manipulate the URL and circumvent a security permission? &nbsp;
 &nbsp;
Example, user clicks a link: http://myweb.com/student_data/academic_data.jsp?studentID=AAA12345&nbsp;
 &nbsp;
In this example the parameter will be for user ID XXX12345, but what if the end user manipulates the URL and place studentID=CCC56789 (someone else)?&nbsp;
 &nbsp;
I tried adding parameter studentID as a global parameter, but it did not solve my issue.&nbsp;
 &nbsp;
This web server is on a productive environment, and my client does not want to invest in a programmer to code a new application in order to solve this problem.&nbsp;
 &nbsp;
I hope somebody can help me.&nbsp;
 &nbsp;
Thanks in advance!&nbsp;

mike_maher · Answer

How is the studentID parameter value  populated?

nathe · Answer

Dependant on the answer to Mike's question could a flow policy work for you?  
&nbsp;  
&nbsp; Rgds 
&nbsp; N

pcastagnaro_709 · Answer

Posted By Mike Maher on 03/12/2013 02:06 PM&nbsp;
How is the studentID parameter value populated?
&nbsp;
Excuse me, but I do not understand your question.&nbsp;
What means "parameter value populated"?&nbsp;
Anyway, thank you very much for your attention and your help!&nbsp;

pcastagnaro_709 · Answer

&nbsp;
Posted By nathan on 03/12/2013 02:58 PM&nbsp;
Dependant on the answer to Mike's question could a flow policy work for you?&nbsp;
&nbsp;
Rgds&nbsp;
N
&nbsp;
I think flow policy involves into a vulnerability, because if an attacker wants to access /student_data/academic_data.jsp?studentID=AAA12345 he could do the request, tamper this adding Referer header, and application will show him page requested.&nbsp;
 &nbsp;
Is that correct?&nbsp;

mike_maher · Answer

How does the parameter studenID gets its value?  My assumption would be that this parameter gets populated at the login page so I would set up studentID to be a Dynamic parameter value and set the extraction point to be the page at which the parameter value should be populated.  That way the value can only be set or changed by information gathered and passed during the login process.  Which I would assume would be password protected and therefore should resolve your concern about being able to tamper with the value in other parts of the page.  
&nbsp;  
&nbsp; To further tighten this down you would want to implement flows was well and define a login page so that everyone has to start at the login page and cannot get to authenticated pages unless they come from the login page first.  Yes this can be bypassed by crafting requests and messing with the refer but it will take away some of the ease of it

Forum Discussion

Parameter Tampering

7 Replies

Recent Discussions

Rewrite uri translation not working

CONNECTION IS LOST DUE TO SELF IP IS DELIVERED

APM OCSP Responder Issues

no available managed rule groups for Israel il-central-1

[ASM] - what is "Browser Challange file" ?

Related Content

Cookie Tampering Protection using F5 Distributed Cloud Platform

Brute Force protection for single parameter like OTP

Wildcard Parameter signature attack

HTTP auth - Calling external API with parameters

AWAF Path Parameters with OPENAPI json file