URL tampering involves altering the query parameters in a URL to:
- Bypass security checks
- Access unauthorized data
- Exploit vulnerabilities in the application
For instance, by modifying parameters like script, deploy, compid, ns-at, and internalid in the URL, you can test how the application validates these inputs and whether it enforces security policies like authentication and authorization.
Purpose of URL Tampering:
- Identify Weaknesses: Detect if the application is vulnerable to unauthorized access or data manipulation.
- Test Security Measures: Ensure that security mechanisms like session validation, access control, and data integrity checks are functioning properly.
- Prevent Exploits: Protect the application from potential attacks that could exploit these vulnerabilities.
By performing URL tampering, you can determine if the application is secure or if it needs further enhancements to protect against unauthorized access and data breaches.
Real Use Case:
Original URL:
https://td2933758.extforms.netsuite.com/app/site/hosting/scriptlet.nl?script=1732&deploy=1&compid=TD2933758&ns-at=AAEJ7tMQ1_qCv2bxeR-o-LLXth5m74jKXytlDfDnj86m_zeTA2M&internalid=227
1. Tamper with the script Parameter:
- Original:
script=1732 - Tampered Example: Change to
script=9999(non-existent script) or remove it entirely. - Tampered URL:
https://td2933758.extforms.netsuite.com/app/site/hosting/scriptlet.nl?script=9999&deploy=1&compid=TD2933758&ns-at=AAEJ7tMQ1_qCv2bxeR-o-LLXth5m74jKXytlDfDnj86m_zeTA2M&internalid=227
- Expected Outcome: The application should not execute the script or should return an error or redirect to a safe page.
2. Tamper with the deploy Parameter:
- Original:
deploy=1 - Tampered Example: Change to
deploy=9999(non-existent deployment) or remove it. - Tampered URL:
https://td2933758.extforms.netsuite.com/app/site/hosting/scriptlet.nl?script=1732&deploy=9999&compid=TD2933758&ns-at=AAEJ7tMQ1_qCv2bxeR-o-LLXth5m74jKXytlDfDnj86m_zeTA2M&internalid=227
- Expected Outcome: The application should reject the request or display an error, preventing unauthorized deployment versions.
3. Tamper with the compid Parameter:
- Original:
compid=TD2933758 - Tampered Example: Change to
compid=XYZ1234(a different company ID) or remove it. - Tampered URL:
https://td2933758.extforms.netsuite.com/app/site/hosting/scriptlet.nl?script=1732&deploy=1&compid=XYZ1234&ns-at=AAEJ7tMQ1_qCv2bxeR-o-LLXth5m74jKXytlDfDnj86m_zeTA2M&internalid=227
- Expected Outcome: The application should not allow access if the
compiddoes not match, and it should redirect to the login page or show an error.
4. Tamper with the ns-at Parameter:
- Original:
ns-at=AAEJ7tMQ1_qCv2bxeR-o-LLXth5m74jKXytlDfDnj86m_zeTA2M - Tampered Example: Replace with an invalid token like
ns-at=InvalidTokenor remove it. - Tampered URL:
https://td2933758.extforms.netsuite.com/app/site/hosting/scriptlet.nl?script=1732&deploy=1&compid=TD2933758&ns-at=InvalidToken&internalid=227
- Expected Outcome: Without a valid session token, the application should deny access and redirect to the login page.
5. Tamper with the internalid Parameter:
- Original:
internalid=227 - Tampered Example: Change to
internalid=9999(non-existent or different internal ID) or remove it. - Tampered URL:
https://td2933758.extforms.netsuite.com/app/site/hosting/scriptlet.nl?script=1732&deploy=1&compid=TD2933758&ns-at=AAEJ7tMQ1_qCv2bxeR-o-LLXth5m74jKXytlDfDnj86m_zeTA2M&internalid=9999
- Expected Outcome: The application should validate the internal ID and either show an error or deny access if the ID is invalid or doesn’t exist.
6. Remove All Parameters:
- Tampered Example: Remove all parameters to see how the application handles the request.
- Tampered URL:
https://td2933758.extforms.netsuite.com/app/site/hosting/scriptlet.nl
- Expected Outcome: The application should redirect to the login page or display an error, preventing unauthorized access.
After performing these tampering tests, verify if the application appropriately handles unauthorized modifications by denying access or redirecting to the login page. If any tampered URL grants access or reveals sensitive information, it indicates a potential security vulnerability that needs to be addressed.