You are performing a web application security assessment and discover that the application uses a hidden form field named 'price' to store the product price. The price is submitted with the form and used to process payments. Which attack would allow you to purchase an item for a lower price?
Parameter tampering modifies hidden fields or URL parameters.
Why this answer
Parameter tampering is the correct answer because the 'price' field is stored in a hidden form field, which is client-side data that can be modified before submission. By intercepting the HTTP request (e.g., using a proxy like Burp Suite) and changing the 'price' value to a lower amount, the attacker can purchase the item at a reduced cost. This exploits the lack of server-side validation of the price parameter.
Exam trap
The trap here is that candidates often confuse parameter tampering with CSRF. CSRF does not allow the attacker to modify the request body; it only reuses existing parameters from a forged request, whereas parameter tampering directly alters the parameter value.
How to eliminate wrong answers
Option A is wrong because directory traversal targets file system paths (e.g., ../../../etc/passwd) to access unauthorized files, not form field values. Option C is wrong because Cross-Site Scripting (XSS) injects malicious scripts into web pages to steal cookies or execute client-side code, not to modify form data during submission. Option D is wrong because Cross-Site Request Forgery (CSRF) forces a user to perform unintended actions on a trusted site using their session, but it does not allow the attacker to directly alter the price value in the request; it only replays existing parameters.