An attacker has been successfully modifying the purchase price of items purchased at a web site. The security administrators verify the web server and Oracle database have not been compromised directly. They have also verified the IDS logs and found no attacks that could have caused this. What is the mostly likely way the attacker has been able to modify the price?

A.
By using SQL injection

B.
By using cross site scripting

C.
By changing hidden form values in a local copy of the web page

D.
There is no way the attacker could do this without directly compromising either the web server or the database

Explanation:
Changing hidden form values is possible when a web site is poorly built and is trusting the visitors computer to submit vital data, like the price of a product, to the database.