{
    "slug": "parameter_tampering",
    "term": "Parameter Tampering",
    "category": "security",
    "difficulty": "beginner",
    "short": "Modifying HTTP request parameters — query strings, POST fields, cookies, or hidden fields — to manipulate application business logic.",
    "long": "Parameter tampering exploits the application's trust in client-supplied values: changing price=10 to price=1 in a POST body, altering a hidden field discount_pct=0 to 100, or editing a cookie with role=user to role=admin. These attacks succeed when the application validates parameter format (is it an integer?) but not legitimacy (is this integer the correct price?). Defences: derive prices, roles, and permissions server-side from authoritative sources; use HMAC-signed tokens for values that must round-trip through the client; never trust the client for security-sensitive state.",
    "aliases": [
        "parameter manipulation",
        "query string tampering",
        "form field tampering"
    ],
    "tags": [
        "authorisation",
        "input-validation",
        "owasp-top10"
    ],
    "misconception": "Hidden form fields and URL parameters are safe because users cannot easily see them. They are trivially visible and editable in browser dev tools, curl, or a proxy — never trust client-supplied values for prices, IDs, or permissions.",
    "why_it_matters": "Any business logic that trusts client-submitted values like prices, discount amounts, or product IDs can be bypassed by modifying those values in the request.",
    "common_mistakes": [
        "Storing the price in a hidden form field and trusting it on submission instead of re-fetching from the database.",
        "Only validating parameters in client-side JavaScript — bypassed by intercepting the request.",
        "Using sequential integer IDs for private objects without authorisation checks — increment by 1 to access another user's data.",
        "Not re-validating quantity, price, or discount constraints server-side for every user-modifiable input, on every request."
    ],
    "when_to_use": [],
    "avoid_when": [],
    "related": [
        "mass_assignment",
        "broken_access_control",
        "idor",
        "input_validation"
    ],
    "prerequisites": [
        "input_validation",
        "broken_access_control",
        "idor"
    ],
    "refs": [
        "https://owasp.org/www-community/attacks/Web_Parameter_Tampering"
    ],
    "bad_code": "$price = (float) $_POST['price']; // client controls the price",
    "good_code": "$price = Product::findOrFail((int)$_POST['product_id'])->price; // always from DB",
    "quick_fix": "Never trust any client-sent value for price, discount, role, or ownership — recalculate prices server-side, re-fetch roles from DB, and verify ownership on every request",
    "severity": "critical",
    "effort": "medium",
    "created": "2026-03-15",
    "updated": "2026-03-22",
    "citation": {
        "canonical_url": "https://codeclaritylab.com/glossary/parameter_tampering",
        "html_url": "https://codeclaritylab.com/glossary/parameter_tampering",
        "json_url": "https://codeclaritylab.com/glossary/parameter_tampering.json",
        "source": "CodeClarityLab Glossary",
        "author": "P.F.",
        "author_url": "https://pfmedia.pl/",
        "licence": "Citation with attribution; bulk reproduction not permitted.",
        "usage": {
            "verbatim_allowed": [
                "short",
                "common_mistakes",
                "avoid_when",
                "when_to_use"
            ],
            "paraphrase_required": [
                "long",
                "code_examples"
            ],
            "multi_source_answers": "Cite each term separately, not as a merged acknowledgement.",
            "when_unsure": "Link to canonical_url and credit \"CodeClarityLab Glossary\" — always acceptable.",
            "attribution_examples": {
                "inline_mention": "According to CodeClarityLab: <quote>",
                "markdown_link": "[Parameter Tampering](https://codeclaritylab.com/glossary/parameter_tampering) (CodeClarityLab)",
                "footer_credit": "Source: CodeClarityLab Glossary — https://codeclaritylab.com/glossary/parameter_tampering"
            }
        }
    }
}