Ability to Forge Requests

Forging requests is a method that attackers use to circumvent the front-end GUI application and directly submit information for back-end processing. The goal of the attacker is to send HTTP POST/GET requests through an intercepting proxy with data values that are not supported, guarded against, or expected by the application's business logic.

Some examples of forged requests include exploiting guessable or predictable parameters or exposing "hidden" features and functionality such as:

  • Debug parameters: parameters that enable debugging or present special screens or windows that are very useful during development but may leak information or bypass the business logic
  • Easter eggs: an intentional inside joke

To do:

  • Review the project documentation looking for guessable, predictable, or hidden functionality in request fields.
  • Insert logically valid data in order to bypass the normal business-logic workflow.
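The defensive counterpart to the tests above is a back end that does not trust what the GUI would have sent. The following is an added example, not code from the guide: it models a hypothetical three-step checkout in which the server keeps an allowlist of parameters per endpoint, rejects (and records) any unexpected field such as a debug flag, and tracks workflow progress in server-side session state so that a forged request for a later step fails. The endpoint paths, parameter names and the `Session`/`handle` names are constructed for the illustration.

```python
from dataclasses import dataclass, field
from urllib.parse import parse_qs

# Constructed sample: the parameters each endpoint legitimately accepts.
# Anything outside this set (e.g. "debug=1") is treated as a forged field.
ALLOWED_PARAMS = {
    "/checkout/address": {"street", "city", "zip"},
    "/checkout/payment": {"card_token"},
    "/checkout/confirm": set(),
}

# Required order of the workflow. Progress is tracked server-side only.
WORKFLOW = ["/checkout/address", "/checkout/payment", "/checkout/confirm"]


@dataclass
class Session:
    """Server-side state for one user; never derived from request fields."""
    completed: list = field(default_factory=list)
    audit: list = field(default_factory=list)  # rejected requests, for detection


@dataclass
class Result:
    status: int
    reason: str


def handle(path: str, query: str, session: Session) -> Result:
    """Validate a request against the allowlist and the workflow state."""
    if path not in ALLOWED_PARAMS:
        return Result(404, "unknown endpoint")

    # keep_blank_values so that "debug=" is still seen as a submitted field
    params = parse_qs(query, keep_blank_values=True)
    allowed = ALLOWED_PARAMS[path]

    unexpected = set(params) - allowed
    if unexpected:
        # Reject rather than silently ignore: an unsupported field is a
        # signal worth recording, not something to drop on the floor.
        session.audit.append((path, sorted(unexpected)))
        return Result(400, f"unexpected parameter(s): {sorted(unexpected)}")

    missing = allowed - set(params)
    if missing:
        return Result(400, f"missing parameter(s): {sorted(missing)}")

    # Enforce step order from the server's own record of completed steps.
    step = WORKFLOW.index(path)
    if session.completed != WORKFLOW[:step]:
        return Result(409, "workflow step out of order")

    session.completed.append(path)
    return Result(200, "ok")


if __name__ == "__main__":
    s = Session()
    # Forged attempt to skip straight to confirmation
    print(handle("/checkout/confirm", "", s))
    # Forged debug flag appended to an otherwise valid request
    print(handle("/checkout/address", "street=1+Main&city=X&zip=12345&debug=1", s))
    # Legitimate sequence
    print(handle("/checkout/address", "street=1+Main&city=X&zip=12345", s))
    print(handle("/checkout/payment", "card_token=tok_example", s))
    print(handle("/checkout/confirm", "", s))
    print("audit:", s.audit)
```

The `audit` list stands in for whatever the application logs or alerts on; a burst of 400s with unexpected parameter names, or 409s from sessions that never completed the earlier steps, is the detection signal for the testing activity described in this section.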