Forum Discussion

Wasfi_182818
Feb 15, 2016

Parameter tampering of the parameter

Hi;

Why would the passing of parameter "nick" to the user_menu.php yield disclosing the details of user1's CC details?

http://10.10.200.10/user_menu.php?nick=student1

This may yield the following in the browser:

Name      CC                Email       Address  Phone number
User1's   1234567812345678  xx@xxx.com  xxxxx    12345678

I mean if parameter nick does not exist in the first place as an application URL parameter, why is the hacker ending up with the details of User1's CC?

Kindly Wasfi



3 Replies

  •
    Ido_Breger_3805
    Historic F5 Account

    Hi Wasfi, 'nick' is a valid parameter of the user_menu.php page and it does exist (the page is expecting this parameter). When the user_menu.php page is requested with the 'nick' parameter and a value ('student1' in this case), the page displays the user menu of the username submitted as a value to the nick parameter. Within the user menu page, one can see his personal details like address, phone etc.
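As an added illustration (not code from this thread or from the lab application), here is the kind of server-side check whose absence the reply describes: the vulnerable handler shows whichever record the query-string nick selects, while the hardened handler only serves the record bound to the authenticated session and logs a mismatch. The PDO handle $db, the users table and its column names are assumptions.

```php
<?php
// Added example, not the lab's user_menu.php. Assumes a PDO handle in $db and
// a "users" table with columns nick, name, cc, email, address, phone.
session_start();

// Vulnerable pattern: the row shown is chosen entirely by the client.
// Any logged-in user who edits ?nick=... sees another user's details.
function user_menu_vulnerable(PDO $db): ?array
{
    $nick = $_GET['nick'] ?? '';
    $stmt = $db->prepare('SELECT name, cc, email, address, phone FROM users WHERE nick = ?');
    $stmt->execute([$nick]);            // injection-safe, but no authorization check
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
}

// Hardened pattern: the row shown is bound to the authenticated session.
// A query-string nick is accepted only when it equals the session's nick,
// so tampering with it cannot reach another user's row.
function user_menu_hardened(PDO $db): ?array
{
    if (empty($_SESSION['nick'])) {
        http_response_code(401);        // not logged in
        return null;
    }
    $requested = $_GET['nick'] ?? $_SESSION['nick'];
    if (!is_string($requested) || !hash_equals($_SESSION['nick'], $requested)) {
        http_response_code(403);        // worth alerting on: likely parameter tampering
        error_log(sprintf('user_menu nick mismatch: session=%s requested=%s ip=%s',
            $_SESSION['nick'], is_string($requested) ? $requested : '[array]',
            $_SERVER['REMOTE_ADDR'] ?? '?'));
        return null;
    }
    $stmt = $db->prepare('SELECT name, cc, email, address, phone FROM users WHERE nick = ?');
    $stmt->execute([$_SESSION['nick']]); // session value, never the raw request value
    $row = $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
    if ($row !== null) {
        // Never echo the full card number; keep only the last four digits.
        $row['cc'] = str_repeat('*', max(0, strlen($row['cc']) - 4)) . substr($row['cc'], -4);
    }
    return $row;
}
```

Dropping the nick parameter altogether and keying the lookup on the session alone is the simplest fix; the hardened function keeps the parameter only so that a mismatch can be logged as a tampering signal.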