An attack where the attacker changes parameters in requests to modify business logic, such as prices or permissions.

Prepare for the Certified Ethical Hacker Version 11 Exam with a comprehensive test featuring flashcards and multiple choice questions, each accompanied by hints and explanations to ensure a thorough understanding. Ace your ethical hacking exam with confidence!

Multiple Choice

An attack where the attacker changes parameters in requests to modify business logic, such as prices or permissions.

Explanation:
This is parameter tampering (also called parameter manipulation or form tampering): modifying request parameters to influence how the system enforces business rules. The attacker alters values the client sends, such as a price, quantity, discount, or a user permission flag, wherever they travel: query string, form fields, hidden inputs, JSON bodies, or custom headers. Because the server trusts these client-supplied values, it applies different logic than intended, changing outcomes such as the amount charged, the access level granted, or which workflow step is reached. Client-side controls (JavaScript validation, hidden or read-only fields, disabled buttons) do not prevent this, since the attacker edits the request in an intercepting proxy after the browser has built it.

The defense is to treat the request as a set of choices, not facts: look up the price from the server-side catalog by product identifier, derive permissions from the authenticated session rather than from a flag in the request, and validate ranges (for example, that a quantity is a positive integer) in server code, rejecting rather than silently correcting anything out of bounds.

This differs from cookie tampering, which targets state stored in cookies rather than the request parameters themselves; from unvalidated input and file injection attacks, which aim to inject malicious data that leads to code execution or file access; and from SQL injection, which manipulates database queries.
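To make the distinction concrete, here is an added example (not part of the original question or explanation) of a checkout handler that trusts price, quantity and an admin flag from the submitted form, beside a hardened version that re-derives price from a server-side catalog, role from a server-side session, and rejects out-of-range quantities. The catalog, session store and request dictionaries are constructed sample data; the function and exception names are hypothetical.

```python
"""Parameter tampering: a checkout handler that trusts client-supplied price
and permission fields, beside a hardened version that re-derives both on the
server. Example code written for this page; the catalog, request dicts and
session store are constructed sample data, not a real application."""

from decimal import Decimal

# Server-side price list (constructed sample data).
CATALOG = {
    "sku-100": {"name": "Laptop", "price": Decimal("1299.00")},
    "sku-200": {"name": "Mouse", "price": Decimal("25.00")},
}

# Server-side session store keyed by session id (constructed sample data).
# The role lives here, never in the request.
SESSIONS = {
    "sess-alice": {"user": "alice", "role": "customer"},
    "sess-bob": {"user": "bob", "role": "admin"},
}

MAX_QTY = 10


def checkout_vulnerable(form):
    """Trusts price, quantity and is_admin from the submitted form.
    An attacker editing hidden fields in an intercepting proxy controls
    both the amount charged and the privilege level applied."""
    price = Decimal(form["price"])
    qty = int(form["qty"])          # negative values are accepted as-is
    total = price * qty
    is_admin = form.get("is_admin") == "1"   # client-controlled flag
    if is_admin:
        total = Decimal("0.00")     # staff checkout is free of charge
    return {"sku": form["sku"], "total": total, "admin": is_admin}


class TamperedRequest(ValueError):
    """Raised when a client-supplied value fails server-side validation."""


def checkout_hardened(form, session_id):
    """Uses the form only for choices (which sku, how many); price and
    role are looked up on the server. Anything outside the allowed range
    is rejected rather than silently clamped, so tampering stays visible."""
    session = SESSIONS.get(session_id)
    if session is None:
        raise TamperedRequest("unknown session")

    item = CATALOG.get(form.get("sku", ""))
    if item is None:
        raise TamperedRequest("unknown sku")

    try:
        qty = int(form.get("qty", ""))
    except ValueError:
        raise TamperedRequest("quantity is not an integer")
    if not 1 <= qty <= MAX_QTY:
        raise TamperedRequest(f"quantity out of range: {qty}")

    # Price comes from the catalog; any 'price' field in the form is ignored.
    total = item["price"] * qty
    is_admin = session["role"] == "admin"   # derived from server-side state
    if is_admin:
        total = Decimal("0.00")
    return {"sku": form["sku"], "total": total, "admin": is_admin}


def demo():
    """Replay the same honest and tampered forms against both handlers."""
    # What the browser originally sent (hidden fields included).
    honest = {"sku": "sku-100", "qty": "1", "price": "1299.00", "is_admin": "0"}
    # Hidden price and permission flag edited in a proxy.
    tampered = {"sku": "sku-100", "qty": "1", "price": "0.01", "is_admin": "1"}
    # Negative quantity: turns a purchase into a credit on the vulnerable path.
    negative = {"sku": "sku-200", "qty": "-3", "price": "25.00", "is_admin": "0"}

    results = {
        "vulnerable_honest": checkout_vulnerable(honest),
        "vulnerable_tampered": checkout_vulnerable(tampered),
        "vulnerable_negative": checkout_vulnerable(negative),
        "hardened_honest": checkout_hardened(honest, "sess-alice"),
        "hardened_tampered": checkout_hardened(tampered, "sess-alice"),
    }
    try:
        checkout_hardened(negative, "sess-alice")
        results["hardened_negative"] = "accepted"
    except TamperedRequest as exc:
        results["hardened_negative"] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:20s} {result}")
```

The hardened handler never reads `price` or `is_admin` from the form at all, which is the point: a value the server can compute itself should not be accepted from the client, and a value it cannot compute (the quantity) gets a strict server-side range check.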

