The Server Trusts You — That's the Problem

Every time you click a button on a website — Add to Cart, Submit Order, Transfer Money — your browser sends a request behind the scenes. That request contains data: prices, quantities, user IDs, account numbers. The developer wrote the frontend to send the right values. But what happens if you change them before they arrive?

This is Parameter Tampering. You intercept the request mid-flight and edit whatever you want. If the server calculates nothing on its side and just trusts whatever you sent — you win.

THIS ACTUALLY HAPPENED

E-commerce site, 2021
A researcher found a checkout flow that sent the item price in the POST body. Changing price to 0.01 before the request hit the server resulted in a valid order confirmation. The server never recalculated the price from its own database.

Hotel booking platform, 2019
The number of guests was sent as a URL parameter. Changing guests=5 to guests=-1 applied a negative surcharge — reducing the total below the base room rate. The booking went through.

Subscription app, 2022
The plan tier was passed as a hidden form field: plan=free. Changing it to plan=pro before submitting upgraded the account without payment. The backend never verified the payment matched the plan.

In every case the attacker used no special tools. They just looked at what was being sent and changed a number. The tool we will use — the Interceptor — makes this as simple as editing a text field.
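The three cases above share one root cause: the server used a number the client sent instead of one it computed itself. The following is an added example, not code from the lesson, showing a checkout handler that trusts the request body beside a hardened one that prices from its own catalog, bounds the quantity, and grants a plan tier only when the payment received matches. CATALOG, PLAN_PRICES and the request bodies are constructed sample data.

```python
from decimal import Decimal

# Constructed sample data standing in for the server's own database.
CATALOG = {"SKU-100": Decimal("49.99")}        # price per item, server-side
PLAN_PRICES = {"free": Decimal("0.00"), "pro": Decimal("30.00")}
MAX_QUANTITY = 100


def order_total_trusting_client(body):
    """Vulnerable: price and quantity come straight from the POST body,
    so a request edited in transit (price=0.01, quantity=-1) is honoured."""
    return Decimal(body["price"]) * int(body["quantity"])


def order_total_server_side(body):
    """Hardened: the client may only name the item and how many; the server
    prices it from its own catalog and bounds the quantity."""
    sku = body.get("sku")
    if sku not in CATALOG:
        raise ValueError("unknown sku")
    try:
        quantity = int(body.get("quantity", ""))
    except ValueError:
        raise ValueError("quantity must be an integer")
    if not 1 <= quantity <= MAX_QUANTITY:      # rejects guests=-1 style negatives
        raise ValueError("quantity out of range")
    return CATALOG[sku] * quantity             # any client-sent 'price' is ignored


def grant_plan(body, amount_paid):
    """Hardened: the tier in the form is a request, not a fact. It is granted
    only when the payment actually received matches the server's price for it."""
    plan = body.get("plan", "free")
    if plan not in PLAN_PRICES:
        raise ValueError("unknown plan")
    if Decimal(amount_paid) != PLAN_PRICES[plan]:
        raise ValueError("payment does not match plan price")
    return plan


if __name__ == "__main__":
    # A request whose price field was edited to 0.01 before reaching the server.
    tampered = {"sku": "SKU-100", "price": "0.01", "quantity": "1"}
    print(order_total_trusting_client(tampered))   # 0.01: the edit wins
    print(order_total_server_side(tampered))       # 49.99: the edit is ignored
```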

1. Why does parameter tampering work on vulnerable applications?

2. What is the attacker modifying in a parameter tampering attack?
