Gary is using an email system that allows web based access and is popular among employees of the company he is attacking. He is testing this system to see if there is a way to gain access to other users accounts. He signs up for an account and begins to use it. He notices in the URL that information about his account name is present:
Http://mail.exampleco.com/inbox.aspx?lang=en&mailbox=Gary+Tennenbaum
He replaces his name with someone else's name in the target company that he gathered from a job posting site. What attack is he attempting?
A) URL obfuscation attack
B) Directory traversal attack
C) Query string parameter manipulation attack
D) A path string attack

Question

Quizplus · Accepted Answer

If the system authenticated the client via the browser, then changing the name being passed to the account might allow the attacker to assume the identity of the target account. If the parameters are not in the query string, they could be in the http header and Paros could be used to change and resubmit them. Instead of something simple like names, session ID values are commonly used in these attacks.

Gary Is Using an Email System That Allows Web Based