
Parameter Tampering

Security CWE-472 OWASP A1:2021 CVSS 8.1 Beginner
debt(d5/e5/b5/t7)
d5 Detectability Operational debt — how invisible misuse is to your safety net

Closest to 'specialist tool catches it' (d5). The detection_hints list semgrep, owasp-zap, and burpsuite — all specialist SAST/DAST tools. Standard linters won't catch this; it requires a dedicated security scanner or manual proxy-based testing to identify untrusted client values flowing into business logic.

e5 Effort Remediation debt — work required to fix once spotted

Closest to 'touches multiple files / significant refactor in one component' (e5). The quick_fix says to never trust client-sent values and instead recalculate server-side and re-fetch from DB. This isn't a one-line swap — it requires auditing all endpoints that accept price, discount, role, or ownership parameters and refactoring each to perform server-side recomputation, touching multiple handlers or service layers.

b5 Burden Structural debt — long-term weight of choosing wrong

Closest to 'persistent productivity tax' (b5). applies_to covers both web and api contexts broadly. Every feature involving user-submitted values (checkout, permissions, resource access) must be designed with this in mind. It imposes a persistent review requirement across many work streams — developers must consistently resist trusting client input — but it doesn't architecturally redefine the whole system.

t7 Trap Cognitive debt — how counter-intuitive correct behaviour is

Closest to 'serious trap' (t7). The misconception field explicitly states the canonical wrong belief: hidden form fields and URL parameters feel safe because they aren't obviously visible. Developers coming from desktop or backend-only backgrounds commonly assume 'hidden' means protected. This contradicts intuition and is a well-documented OWASP gotcha that many developers fall into, placing it solidly at t7.

About DEBT scoring →

Also Known As

  • parameter manipulation
  • query string tampering
  • form field tampering

TL;DR

Modifying HTTP request parameters — query strings, POST fields, cookies, or hidden fields — to manipulate application business logic.

Explanation

Parameter tampering exploits the application's trust in client-supplied values: changing price=10 to price=1 in a POST body, altering a hidden field discount_pct=0 to 100, or editing a cookie with role=user to role=admin. These attacks succeed when the application validates parameter format (is it an integer?) but not legitimacy (is this integer the correct price?). Defences: derive prices, roles, and permissions server-side from authoritative sources; use HMAC-signed tokens for values that must round-trip through the client; never trust the client for security-sensitive state.

Common Misconception

Hidden form fields and URL parameters are safe because users cannot easily see them. They are trivially visible and editable in browser dev tools, curl, or a proxy — never trust client-supplied values for prices, IDs, or permissions.

Why It Matters

Any business logic that trusts client-submitted values like prices, discount amounts, or product IDs can be bypassed by modifying those values in the request.

Common Mistakes

  • Storing the price in a hidden form field and trusting it on submission instead of re-fetching from the database.
  • Only validating parameters in client-side JavaScript — bypassed by intercepting the request.
  • Using sequential integer IDs for private objects without authorisation checks — increment by 1 to access another user's data.
  • Not re-validating quantity, price, or discount constraints server-side after any user-modifiable input.

Code Examples

✗ Vulnerable
$price = (float) $_POST['price']; // client controls the price
✓ Fixed
$price = Product::findOrFail((int)$_POST['product_id'])->price; // always from DB
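As an added example that is not part of the original glossary entry, here is the one-line fix above carried through into a complete checkout handler in Python: the unit price comes from a server-side catalogue, the quantity is range-checked, a discount that must round-trip through the client is accepted only under a server-issued HMAC tag, and a client-sent price that disagrees with the catalogue is logged as a tampering signal rather than used. The catalogue, secret key and form field names are constructed for the example.

```python
import hmac
import hashlib
import logging

# Constructed server-side catalogue (prices in cents): the only source of truth for price.
CATALOGUE = {"SKU-100": 1000, "SKU-200": 2500}
# Hypothetical server secret; in production load it from a secret store.
SECRET_KEY = b"example-secret-do-not-use"
log = logging.getLogger("checkout")

def sign_value(name: str, value: str) -> str:
    """Issue an HMAC tag for a value the server lets round-trip through the client."""
    return hmac.new(SECRET_KEY, f"{name}={value}".encode(), hashlib.sha256).hexdigest()

def verify_value(name: str, value: str, tag: str) -> bool:
    """Constant-time check that the value came back with the tag the server issued."""
    return hmac.compare_digest(sign_value(name, value), tag)

def checkout_total(form: dict) -> int:
    """Return the order total in cents from the parsed POST body `form`.

    Every monetary field the client sent is ignored or verified; ValueError on bad input.
    """
    sku = form["product_id"]
    if sku not in CATALOGUE:
        raise ValueError("unknown product")
    qty = int(form.get("quantity", "1"))
    if not 1 <= qty <= 100:
        raise ValueError("quantity out of range")
    unit_price = CATALOGUE[sku]  # authoritative value, never the client's price field

    # Detection hint: a client-sent price that disagrees with the catalogue is a
    # tampering signal worth logging, even though it is never used in the total.
    if "price" in form and int(form["price"]) != unit_price:
        log.warning("price tampering attempt on %s: client sent %s", sku, form["price"])

    # A discount may round-trip through the client only under a server-issued HMAC tag;
    # a changed discount_pct no longer matches the tag and is rejected.
    discount_pct = 0
    if "discount_pct" in form:
        if not verify_value("discount_pct", form["discount_pct"], form.get("discount_sig", "")):
            raise ValueError("discount token invalid")
        discount_pct = int(form["discount_pct"])
        if not 0 <= discount_pct <= 100:
            raise ValueError("discount out of range")
    return unit_price * qty * (100 - discount_pct) // 100
```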

Added 15 Mar 2026
Edited 22 Mar 2026
DEV INTEL Tools & Severity
🔴 Critical ⚙ Fix effort: Medium
⚡ Quick Fix
Never trust any client-sent value for price, discount, role, or ownership — recalculate prices server-side, re-fetch roles from DB, and verify ownership on every request
📦 Applies To
any, web, api
🔗 Prerequisites
🔍 Detection Hints
Price or discount from POST/GET used without server-side recalculation; role or permission from hidden form field; cart total from client instead of computed from cart items
Auto-detectable: ✓ Yes (semgrep, owasp-zap, burpsuite)
⚠ Related Problems
🤖 AI Agent
Confidence: High
False Positives: Medium
✗ Manual fix
Fix: Medium
Context: Function
Tests: Update
CWEs: CWE-472, CWE-20