
Parameter Tampering

security · CWE-472 · OWASP A1:2021 · CVSS 8.1 · Beginner

Also Known As

parameter manipulation, query string tampering, form field tampering

TL;DR

Modifying HTTP request parameters — query strings, POST fields, cookies, or hidden fields — to manipulate application business logic.

Explanation

Parameter tampering exploits the application's trust in client-supplied values: changing price=10 to price=1 in a POST body, altering a hidden field discount_pct=0 to 100, or editing a cookie with role=user to role=admin. These attacks succeed when the application validates parameter format (is it an integer?) but not legitimacy (is this integer the correct price?). Defences: derive prices, roles, and permissions server-side from authoritative sources; use HMAC-signed tokens for values that must round-trip through the client; never trust the client for security-sensitive state.

Common Misconception

Hidden form fields and URL parameters are often assumed to be safe because users cannot easily see them. In fact they are trivially visible and editable in browser dev tools, curl, or an intercepting proxy — never trust client-supplied values for prices, IDs, or permissions.

Why It Matters

Any business logic that trusts client-submitted values like prices, discount amounts, or product IDs can be bypassed by modifying those values in the request.

Common Mistakes

  • Storing the price in a hidden form field and trusting it on submission instead of re-fetching from the database.
  • Only validating parameters in client-side JavaScript — bypassed by intercepting the request.
  • Using sequential integer IDs for private objects without authorisation checks — increment by 1 to access another user's data.
  • Not re-validating quantity, price, or discount constraints server-side after any user-modifiable input.

Code Examples

✗ Vulnerable
$price = (float) $_POST['price']; // client controls the price
✓ Fixed
$price = Product::findOrFail((int)$_POST['product_id'])->price; // always from DB
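The two defences from the Explanation, deriving the price from a server-side catalogue and accepting a round-tripped discount only under an HMAC signature, worked through in Python as an added example (not the page's PHP code). The vulnerable handler trusts price and discount_pct from the POST body; the hardened one ignores both. CATALOG, SERVER_SECRET and the TAMPERED request are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json

# Constructed data: the server-side catalogue is the authoritative price source.
CATALOG = {"sku-1001": 10.00, "sku-1002": 25.50}
SERVER_SECRET = b"placeholder-secret-load-from-env"  # constructed, not a real key

def vulnerable_total(params):
    """Trusts price and discount_pct straight from the POST body."""
    price = float(params["price"])                    # client controls the price
    quantity = int(params["quantity"])
    discount = float(params.get("discount_pct", 0))   # and the discount
    return round(price * quantity * (1 - discount / 100), 2)

def sign_discount(discount_pct):
    """Issue a discount that may round-trip through the client: payload.mac."""
    payload = json.dumps({"discount_pct": discount_pct}).encode()
    mac = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
    return "%s.%s" % (base64.urlsafe_b64encode(payload).decode(),
                      base64.urlsafe_b64encode(mac).decode())

def verify_discount(token):
    """Return the signed discount_pct, or 0 if the token is missing or edited."""
    try:
        payload_b64, mac_b64 = token.split(".", 1)
        payload = base64.urlsafe_b64decode(payload_b64)
        mac = base64.urlsafe_b64decode(mac_b64)
    except (ValueError, TypeError):
        return 0
    expected = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):        # constant-time comparison
        return 0
    return json.loads(payload)["discount_pct"]        # only server-issued payloads reach here

def hardened_total(params):
    """Price from the catalogue, discount only via a valid token, quantity bounded."""
    price = CATALOG[params["product_id"]]             # KeyError rejects unknown products
    quantity = int(params["quantity"])
    if not 1 <= quantity <= 10:
        raise ValueError("quantity out of range")
    discount = verify_discount(params.get("discount_token", ""))
    return round(price * quantity * (1 - discount / 100), 2)

# Constructed tampered request: price and discount_pct were edited in a proxy.
TAMPERED = {"product_id": "sku-1001", "quantity": "2",
            "price": "0.01", "discount_pct": "100"}
```

The same request yields a total of 0.0 from vulnerable_total and the catalogue price of 20.0 from hardened_total; a token whose payload is swapped for another discount fails the MAC check and contributes no discount.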

Added 15 Mar 2026
Edited 22 Mar 2026
Tools & Severity

Severity: Critical. Fix effort: Medium.

Quick Fix

Never trust any client-sent value for price, discount, role, or ownership — recalculate prices server-side, re-fetch roles from the database, and verify ownership on every request.

Applies To

Any web API.

Detection Hints

Price or discount from POST/GET used without server-side recalculation; role or permission taken from a hidden form field; cart total taken from the client instead of computed from cart items.

Auto-detectable: Yes (semgrep, owasp-zap, burpsuite).
Related CWEs: CWE-472, CWE-20
