Validating form data using hidden fields

One way around the problem of HIDDEN form fields is to encrypt the hidden values in a form and decrypt them when required by a script or database operation.However, the best way to temporarily store information required by different forms is by using a session cookie that is used to access either server-side maintained session values or a database that stores the temporary values during the user's visit to your site. The input elements such as TEXT and RADIO are used to send data to a script or application for processing on the Web server, which generates a response based on the data received.Many sites use the form input type HIDDEN in order to pass data to the Web server without having to show it on the Web page and cluttering it with information that is irrelevant to the user.Although the value of a HIDDEN form field isn't displayed in a Web page, it can easily be viewed by any user who understands the View Source command found in most browsers.Form input in terms of information system security constitutes an "allowed path," that is, the data is not blocked. Because users can save, edit and then submit HTML pages from their machine, it is possible to pass bogus and unexpected values to the server via these "hidden" form fields.Forms that use HIDDEN fields to send authentication information, for example, could provide an attacker with a way to gain unauthorized entry.The same is true when cookies are used to store information as they are equally vulnerable to client-side modification.

An attacker can change the HTML in any way they choose: rather than account names.

To ensure that the application is robust against all forms of input data, whether obtained from the user, infrastructure, external entities or database systems. This weakness leads to almost all of the major vulnerabilities in applications, such as Interpreter Injection, locale/Unicode attacks, file system attacks and buffer overflows.

All sections should be reviewed The most common web application security weakness is the failure to properly validate input from the client or environment.

Otherwise, you are allowing attackers to repeatedly attack your application until they find a vulnerability that you haven't protected against.

Detecting attempts to find these weaknesses is a critical protection mechanism.

Leave a Reply