Vulnerability: The web HTML parameters are exploitable under a web parameter tampering attack.
Exploit: By inspecting your account page after login, I can change the value attribute for your form option from "deposit" to "withdraw" and vice versa, change the selected attribute so that the form option is not pre-selected, and change the button text from "Deposit" to "Withdraw" and vice versa, and so trick the user into clicking the button that will execute the opposite transaction.
Asset at risk: As a result, a man in the middle can access and manipulate transactions between the client and the system, posing a financial risk to the user. In addition, the attacker may target the app's business logic to lower system reliability motivated by personal reasons against the system.
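
One server-side mitigation for the swapped "deposit"/"withdraw" fields described above, as an added example that is not the application's own code: the server checks the submitted action against an allow-list, shows a confirmation summary built from the action it actually received, and executes only what a signed token says. The function names, field names and token format are assumptions, and it presumes the pages are served over TLS so the confirmation summary cannot itself be altered in transit.

```python
import hashlib
import hmac
import json
import secrets
import time

SECRET_KEY = secrets.token_bytes(32)      # per-deployment secret (constructed for this example)
ALLOWED_ACTIONS = {"deposit", "withdraw"}  # the two form option values named in the report
TOKEN_TTL = 120                            # seconds a staged transaction stays confirmable (assumed)


def _sign(body: str) -> str:
    return hmac.new(SECRET_KEY, body.encode(), hashlib.sha256).hexdigest()


def stage_transaction(user_id, action, amount_cents, now=None):
    """Step 1: validate the posted form fields, then return a summary rendered
    from what the server received plus a signed token describing it."""
    if action not in ALLOWED_ACTIONS:
        raise ValueError("unknown action")
    if type(amount_cents) is not int or amount_cents <= 0:
        raise ValueError("invalid amount")
    issued = int(time.time() if now is None else now)
    body = json.dumps({"u": user_id, "a": action, "c": amount_cents, "t": issued},
                      sort_keys=True)
    # The user sees the server's view of the request, not the (possibly edited) button text.
    summary = f"Confirm: {action.upper()} {amount_cents / 100:.2f}"
    return summary, body + "." + _sign(body)


def confirm_transaction(user_id, token, now=None):
    """Step 2: execute only what the signed token states; any form fields
    re-submitted with the confirmation are ignored."""
    body, _, sig = token.rpartition(".")
    if not hmac.compare_digest(sig, _sign(body)):
        raise PermissionError("token was modified")
    data = json.loads(body)
    if data["u"] != user_id:
        raise PermissionError("token belongs to another user")
    current = time.time() if now is None else now
    if current - data["t"] > TOKEN_TTL:
        raise PermissionError("confirmation expired")
    return data["a"], data["c"]
```
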