Parameter Tampering in Adonisjs

Scan your API now

Parameter Tampering in Adonisjs

Parameter tampering occurs when an attacker manipulates request parameters to alter application logic, often exploiting assumptions made by developers about data integrity. In Adonisjs, this commonly manifests through query strings, form payloads, or JSON request bodies that are directly trusted by the framework without proper validation. Common Adonisjs-specific patterns include:

// routes.js - vulnerable endpoint
Route.get("/user", "UserController.show")
    .as("user.show")
    .middleware("auth")
    .params("id", "user_id")

When a request like GET /user?id=123 is sent, Adonisjs extracts the id parameter and passes it to the controller. If the controller directly uses this value in a database query without validation, an attacker can modify it:

// UserController.js - vulnerable logic
const { id } = this.params()
const user = await Database.query('SELECT * FROM users WHERE id = ?', [id])

An attacker could change id=123 to id=123%20OR%201=1 if the query builder doesn't use parameter binding, leading to unauthorized data access. Another pattern involves using query parameters to override routing behavior:

// routes.js - path parameter misuse
Route.get("/api/status", "StatusController.index")
    .as("status.index")
    .params("mode", "default")

If the controller treats mode as a trusted flag for privileged operations:

// StatusController.js - insecure logic
if (this.params().mode === "admin") {
  return this.response.send({ privileged: true })
}

An attacker can craft a request like GET /api/status?mode=admin to bypass access controls. These patterns are particularly dangerous in Adonisjs because:

  • The framework encourages convention over configuration, which can lead developers to assume certain parameters are safe
  • Adonisjs's routing system normalizes parameter extraction, making it easy to accidentally trust user-supplied values
  • The Lucid ORM makes it simple to construct queries where parameter values are interpolated directly

Attackers typically exploit these through:

  • IDOR (Insecure Direct Object Reference): Manipulating id parameters to access unauthorized records
  • Privilege escalation: Changing boolean flags or mode values to gain elevated access
  • Logic bypass: Altering conditional parameters that control business logic flow

Real-world examples include manipulating shopping cart totals by changing ?price=100 to ?price=1 or altering pagination parameters to enumerate internal IDs.

Adonisjs-Specific Detection and Remediation

Detecting parameter tampering in Adonisjs requires understanding both the framework's parameter handling and common insecure patterns. middleBrick identifies these risks through its Parameter Authorization check, which validates that all incoming parameters are explicitly authorized for use in the context they're received.

How middleBrick detects parameter tampering:

  • Analyzes routing definitions to map expected parameters against actual request parameters
  • Checks controller logic for direct use of request parameters in sensitive operations
  • Validates that boolean flags, numeric values, and identifiers are properly constrained
  • Scans for direct database query interpolations that could be manipulated

For example, when scanning a route like:

Route.get("/profile", "ProfileController.show")
    .as("profile.show")
    .params("user_id")

middleBrick will verify that the user_id parameter is only accepted if explicitly authorized in the controller action, and that it's not used in ways that could allow unauthorized access.

Effective remediation in Adonisjs requires:

  1. Using route parameters and query parameters only for navigation, not for security decisions
  2. Explicitly defining allowed parameters in controller actions
  3. Validating parameter types and values before use
  4. Using Adonisjs's built-in validation and policy systems

Code fix example using Adonisjs validation:

// ProfileController.js - secure implementation
use Validations

class ProfileController {
  async show ({ params, auth }) {
    const schema = {
      user_id: Validations.number({ minimum: 1 })
    }
    
    const payload = await validate(params, schema)
    
    // Enforce ownership
    if (payload.user_id !== auth.user.id) {
      throw new Error("Access denied")
    }
    
    return await Database.query('SELECT * FROM users WHERE id = ?', [payload.user_id])
  }
}

Alternative using policy checks:

// ProfileController.js - policy-based approach
use Policy

class ProfileController {
  async show ({ params, auth }) {
    const userId = parseInt(params.user_id, 10)
    
    // Use Adonisjs policy to check access
    if (!await auth.user.can('view-profile', userId)) {
      return this.response.status(403).send({ error: "Unauthorized" })
    }
    
    const user = await User.findOrFail(userId)
    return this.response.send(user)
  }
}

middleBrick will flag configurations where parameters like user_id are used without such validation, providing specific findings with remediation guidance aligned with OWASP API Top 10 A01:2023 Broken Object Level Authorization.

FAQ

Q: How does middleBrick specifically identify parameter tampering risks in Adonisjs applications?

A: middleBrick analyzes Adonisjs routing definitions and controller logic to detect when user-controllable parameters are used in sensitive operations without proper validation. It checks for direct database interpolations, unauthorized parameter usage, and missing authorization checks, mapping findings to OWASP API Top 10 A01.

Q: Can I use middleBrick to scan my Adonisjs routes without modifying my code?

A: Yes. middleBrick performs black-box scanning by submitting requests to your API endpoints and analyzing responses, routing configurations, and parameter usage patterns. It doesn't require code changes or credentials.

Q: Does middleBrick fix parameter tampering vulnerabilities automatically?

A: No. middleBrick identifies risks and provides remediation guidance, but does not modify code or apply patches. You must implement fixes in your Adonisjs application using validation, policies, or authentication checks.

Q: How often should I scan for parameter tampering in Adonisjs applications?

A: For critical APIs, use continuous monitoring (Pro plan) to detect new parameter exposure risks as routes evolve. For most teams, monthly scans (Starter plan) provide adequate coverage.

Q: Can I integrate parameter tampering checks into my CI/CD pipeline?

A: Yes. Use the middleBrick GitHub Action to scan staging APIs during pull requests and fail builds if security risks exceed your threshold.

Q: Does parameter tampering detection work for JSON APIs built with Adonisjs?

A: Yes. middleBrick scans all request types, including JSON payloads, query parameters, and form data, detecting tampering risks across all parameter sources.

risk_summary

[object Object]
Scan your API now Free API security scan

Related Pages

Adonisjs API SecurityAdonisjs security guide covering BOLA vulnerabilities, CORS misconfigurations, and input validation pitfalls. Learn to hParameter Tampering AttackLearn how parameter tampering attacks manipulate API data to bypass security controls and access unauthorized resources.CWE-1104 in AdonisjsLearn how CWE-1104 affects AdonisJS applications with specific attack patterns, detection methods using middleBrick, andCWE-116 in AdonisjsLearn how CWE-116 (Improper Encoding) affects Adonisjs applications, how to detect it with middleBrick's API scanner, anCWE-113 in AdonisjsHow CWE-113 CRLF injection vulnerabilities manifest in Adonisjs applications, with specific detection methods and AdonisCWE-1039 in AdonisjsLearn how CWE-1039 (ReDoS) appears in Adonisjs apps, how to detect it with middleBrick, and fix it using Adonisjs validaHipaa for AdonisjsMiddleBrick scans Adonisjs APIs for HIPAA compliance risks including data exposure, missing encryption, and authenticatiGdpr for AdonisjsGDPR compliance risks and remediation in AdonisJS: specific API exposure patterns, detection methods, and native framewoIso 27001 for AdonisjsmiddleBrick identifies ISO 27001-related vulnerabilities in Adonisjs applications by detecting IDOR flaws, insecure deseCis for AdonisjsAdonisjs-specific API security flaws involving improper authorization, detection, and remediation with middleBrick scannAdonisjs in E CommerceLearn how e commerce vulnerabilities like IDOR and input validation flaws manifest in Adonisjs APIs, how middleBrick detAdonisjs in EducationLearn how education around IDOR, BOLA, and input validation applies to Adonisjs APIs, with detection and remediation ste