Exercise 5 - Parameter tampering and XSS

Parameter tampering is a type of web vulnerability where an attacker modifies input parameters in a URL or form submission to gain unauthorized access or perform malicious actions on a web application.

By altering parameters such as account numbers, transaction amounts, or user IDs, an attacker can manipulate the application to perform actions that were not intended by the application's designers, such as accessing other users' data or bypassing authentication checks.

Parameter tampering attacks can be prevented by implementing strong server-side input validation together with secure encryption and authentication measures.

5.1 - Tampering with the comment field

✏️ Open your browser's inspector and look at the comment form. Tamper with its parameters and try to submit a comment on behalf of someone else.

Hint 1

Try looking at the comment form markup to see if you can identify a way to control which user is voting.

Solution

Open Chrome Dev Tools and use the Elements tab to edit the userId input field in the comment form.

5.2 - How to rig an election

✏️ Try to exploit the comment field by submitting a persistent XSS attack that forces all users to vote for the candidate Eleanor Wheeler.

Solution

Submit the following markup as a comment:

<script>window.addEventListener("DOMContentLoaded", (event) => {
for (const el of document.getElementsByName("candidateId")) { el.setAttribute("value", "2"); }
});</script>

⭐ Can you hide your tracks using your XSS attack, by having the script remove itself after executing the malicious vote?
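Both exercises succeed because the server trusts what the browser sends: 5.1 trusts a hidden userId field, and 5.2 stores the comment text and later writes it back into the page as markup. The following is an added example, not code from this exercise repository, showing the two server-side fixes side by side as plain functions (no web framework). It assumes the application keeps the authenticated user's id in a session object and renders comments with string templating; the session shape, field names and the sample request are constructed for the example.

```javascript
// Added example (not part of the exercise repo): server-side handling of a
// comment submission that resists parameter tampering (5.1) and makes a
// stored XSS payload (5.2) inert by escaping on output.
// Assumptions: `session.userId` is set by the login flow, and comments are
// rendered into HTML with string templating.

// Escape the characters that can open markup or close an attribute, so
// user-supplied text can never become HTML.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ({
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "'": "&#39;",
  })[ch]);
}

// Build the comment record to store. The user id is taken from the server-side
// session, never from the form: a hidden userId input is under the client's
// control, so the server must ignore it. A mismatch between the two is kept as
// a flag so it can be logged as a tampering signal.
function createComment(session, formBody) {
  const fields = Object.fromEntries(new URLSearchParams(formBody));
  if (!session || !Number.isInteger(session.userId)) {
    throw new Error("not authenticated");
  }
  const text = fields.comment ?? "";
  if (text.length === 0 || text.length > 2000) {
    throw new Error("invalid comment length");
  }
  const tampered =
    "userId" in fields && String(fields.userId) !== String(session.userId);
  return {
    userId: session.userId, // authoritative identity
    text,                   // stored raw; escaping happens at render time
    tampered,               // true when the form claimed a different user
  };
}

// Render a stored comment as an HTML fragment. Because the text is escaped
// here, a submitted <script> tag is displayed as text instead of executed.
function renderComment(comment) {
  return `<li data-user="${escapeHtml(comment.userId)}">${escapeHtml(
    comment.text
  )}</li>`;
}

// Constructed request: the session belongs to user 7, but the form claims
// user 3 and carries a script tag like the one used in exercise 5.2.
const session = { userId: 7 };
const body = new URLSearchParams({
  userId: "3",
  comment: '<script>for (const el of document.getElementsByName("candidateId")) { el.value = "2"; }</script>',
}).toString();

const stored = createComment(session, body);
console.log(stored.userId, stored.tampered); // 7 true
console.log(renderComment(stored).includes("<script>")); // false
```

Escaping is done when the comment is rendered rather than when it is stored, so the stored text stays exact and the same record can safely be emitted into a different context later. The `tampered` flag changes nothing about the stored comment; its purpose is detection, since a client-supplied userId that disagrees with the session is a clear sign someone is probing the form.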