Parameter tampering of the parameter
Hi;
Why would passing the parameter "nick" to user_menu.php disclose the details of user1's CC?
http://10.10.200.10/user_menu.php?nick=student1
This may yield the following in the browser:
Name     CC                Email       Address  Phone number
User1's  1234567812345678  xx@xxx.com  xxxxx    12345678
I mean, if the parameter nick does not exist in the first place as an application URL parameter, why does the hacker end up with the details of User1's CC?
Kindly Wasfi
Hi Wasfi, 'nick' is a valid parameter of the user_menu.php page and it does exist (the page is expecting this parameter). When the user_menu.php page is requested with the 'nick' parameter and a value ('student1' in this case), the page displays the user menu of the username submitted as the value of the nick parameter. Within the user menu page, one can see his personal details like address, phone, etc.
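The following is an added example, not the code of the page's actual user_menu.php (which is not shown on this page). It assumes that user records are keyed by a "nick" column, that the logged-in user's nick is kept in $_SESSION['nick'], and it uses a constructed $users array in place of the database table. It contrasts a lookup that trusts the URL parameter (so anyone can ask for nick=student1) with one that takes the identity from the authenticated session, which is the check that stops the tampering described above.

```php
<?php
// Added example. Not the page's user_menu.php; the real script's code is not
// shown there. Assumptions: users keyed by "nick", logged-in nick stored in
// $_SESSION['nick'], and a constructed $users array standing in for the table.
declare(strict_types=1);

// Constructed sample data (not real records) standing in for the users table.
$users = [
    'student1' => ['name' => 'User1', 'cc' => '1234567812345678',
                   'email' => 'xx@xxx.com', 'address' => 'xxxxx', 'phone' => '12345678'],
    'student2' => ['name' => 'User2', 'cc' => '8765432187654321',
                   'email' => 'yy@yyy.com', 'address' => 'yyyyy', 'phone' => '87654321'],
];

// Vulnerable: the URL parameter alone decides whose record is returned, so any
// logged-in (or even anonymous) visitor can request ?nick=student1.
function vulnerable_user_menu(array $users, array $get): ?array
{
    $nick = $get['nick'] ?? null;
    if ($nick === null || !isset($users[$nick])) {
        return null;
    }
    return $users[$nick];
}

// Hardened: the record shown is always the session owner's. A 'nick' in the
// URL is only accepted when it matches the authenticated user; otherwise the
// request is refused (and would normally be logged as a tampering attempt).
function hardened_user_menu(array $users, array $get, array $session): ?array
{
    if (!isset($session['nick'])) {
        return null; // not logged in: nothing to show
    }
    $owner = (string) $session['nick'];
    if (isset($get['nick']) && !hash_equals($owner, (string) $get['nick'])) {
        return null; // URL identity does not match session identity
    }
    return $users[$owner] ?? null;
}

// Simulated request: student2 is logged in and tampers with nick=student1.
$session = ['nick' => 'student2'];
$get     = ['nick' => 'student1'];

echo "Vulnerable: ", json_encode(vulnerable_user_menu($users, $get)), PHP_EOL;
echo "Hardened:   ", json_encode(hardened_user_menu($users, $get, $session)), PHP_EOL;
```

Run with `php user_menu_example.php`: the vulnerable function hands back User1's record to a visitor logged in as student2, while the hardened one returns nothing because the session owner and the requested nick disagree. The point is that a parameter being "expected" by the page says nothing about whether the caller is allowed to use every value of it; the authorization decision has to come from the server-side session, not from the query string.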