Solved
Prevent Parameter Tampering
Application Type
Reactive

Hi.

I am using the Burp Suite app for security testing and I found a vulnerability; can someone help me?
The scenario is as follows:

① I have 2 users (user A, user B) sharing 1 role (on the same screen)

  user A only sees data Contact A

  user B only sees data Contact B

Database:

② I have an action that creates data with the parameters Contact(Id, HouseNo, City) and User_ID.

③ User A, with User_ID = 50, creates data, but in the Burp Suite app I changed the parameter to User_ID = 57.

As a result, User B can see the data created by User A.

Is there any way to prevent parameter tampering?

Thanks and best regards.

2024-07-12 05-57-50
Gourav Shrivastava
Champion
Solution

Hello @Dang Quyen
To prevent parameter tampering in your scenario, you can follow these steps:

  1. Server-Side Validation: Always validate User_ID on the server side. Compare it with the logged-in user's ID from the getuserid() function and ensure it matches.

  2. If possible, remove User_ID from the client: Don't allow User_ID to be passed from the client. Retrieve it directly in the server action using the getuserid() function.


Thanks,

Regards,

Gourav Shrivastava
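The two steps in this answer, modelled in plain Python as an added example (this is not code from the original post, nor an OutSystems API): `Session.user_id` stands in for what the server-side `getuserid()` returns, `ContactStore` stands in for the Contact entity with its User_ID owner column, and the three `create_contact_*` functions are the asker's create action in its vulnerable form, with the step 1 check, and with the step 2 fix (all names and sample values are constructed for this example).

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Session:
    """Server-side session; user_id is what the server knows the caller to be
    (the role of getuserid() in the answer). Not a real OutSystems type."""
    user_id: int


@dataclass
class Contact:
    id: int
    house_no: str
    city: str
    user_id: int  # owner column, the User_ID from the post


class ContactStore:
    """In-memory stand-in for the Contact table (constructed for this example)."""

    def __init__(self) -> None:
        self.rows: List[Contact] = []
        self._next_id = 1

    def insert(self, house_no: str, city: str, user_id: int) -> Contact:
        row = Contact(self._next_id, house_no, city, user_id)
        self._next_id += 1
        self.rows.append(row)
        return row

    def visible_to(self, user_id: int) -> List[Contact]:
        # The screen's filter: each user sees only the rows they own.
        return [c for c in self.rows if c.user_id == user_id]


class TamperingError(Exception):
    """Raised when a client-supplied owner id does not match the session."""


def create_contact_vulnerable(store: ContactStore, session: Session,
                              house_no: str, city: str, client_user_id: int) -> Contact:
    """'Before': the owner is whatever User_ID arrived in the request body,
    so a modified request files the row under another user."""
    return store.insert(house_no, city, client_user_id)


def create_contact_validated(store: ContactStore, session: Session,
                             house_no: str, city: str, client_user_id: int) -> Contact:
    """Step 1: keep the input parameter, but reject the request when it does
    not match the logged-in user, and never write the client value itself."""
    if client_user_id != session.user_id:
        raise TamperingError(
            f"User_ID {client_user_id} does not match logged-in user {session.user_id}")
    return store.insert(house_no, city, session.user_id)


def create_contact_hardened(store: ContactStore, session: Session,
                            house_no: str, city: str) -> Contact:
    """Step 2: no User_ID input at all; the owner comes only from the session."""
    return store.insert(house_no, city, session.user_id)


def run_scenario() -> Dict[str, object]:
    """User A (id 50) is logged in; the request body carries User_ID = 57
    (the tampered value from the post). Returns what each variant leaves
    visible to A and B."""
    session_a = Session(user_id=50)
    tampered_user_id = 57
    results: Dict[str, object] = {}

    store = ContactStore()
    create_contact_vulnerable(store, session_a, "12", "Sample City", tampered_user_id)
    results["vulnerable_seen_by_B"] = len(store.visible_to(57))
    results["vulnerable_seen_by_A"] = len(store.visible_to(50))

    store = ContactStore()
    try:
        create_contact_validated(store, session_a, "12", "Sample City", tampered_user_id)
        results["validated_rejected"] = False
    except TamperingError:
        results["validated_rejected"] = True
    results["validated_rows"] = len(store.rows)

    store = ContactStore()
    create_contact_hardened(store, session_a, "12", "Sample City")
    results["hardened_seen_by_B"] = len(store.visible_to(57))
    results["hardened_seen_by_A"] = len(store.visible_to(50))
    return results


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The validated variant still writes `session.user_id`, not the client value, so even a check that is later loosened cannot turn into a write of attacker-chosen data; the hardened variant is preferable because there is no parameter left to tamper with, which is the point of step 2.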

