Don't hide sensitive information in hidden form fields

Form input in terms of information system security constitutes an "allowed path," that is, the data is not blocked. It is allowed into the server. Because users can save, edit and then submit HTML pages from their machine, it is possible to pass bogus and unexpected values to the server via these "hidden" form fields. Forms that use HIDDEN fields to send authentication information, for example, could provide an attacker with a way to gain unauthorized entry. The same is true when cookies are used to store information as they are equally vulnerable to client-side modification. Using HIDDEN form fields to maintain state is risky too, because the session information is not truly hidden and therefore allows an attacker to hijack sessions.

More Information Learn how unvalidate Web application input works and what programmers can do to secure Web applications. Keep your session tokens under lock and key. Visit this resource center and learn how to reduce the risk of application attacks.

One way around the problem of HIDDEN form fields is to encrypt the hidden values in a form and decrypt them when required by a script or database operation. However, the best way to temporarily store information required by different forms is by using a session cookie that is used to access either server-side maintained session values or a database that stores the temporary values during the user's visit to your site.

Whether you use HIDDEN form fields or not, if your site uses input from a form to build SQL statements to send to a database or as variables within a CGI script, you must not assume that the input is valid or non-malicious. There are a number of attacks where user input can be used to gain access to a Web server if the input data is not validated before being processed either on receipt or on publication. This means that all user input data needs to be checked before being sent on to another process. If any input data is used in building a Web page or retrieved from a database or any other source, it must be checked before it is published on the Web page. Sanity checks and filters on all such data will ensure that any erroneous data is removed and attacks such as SQL injection can be thwarted.

About the Author
Michael Cobb, CISSP-ISSAP is the founder and managing director of Cobweb Applications Ltd., a consultancy that offers IT training and support in data security and analysis. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. Mike is the guest instructor for SearchSecurity's Web Security School and, as a SearchSecurity.com site expert, answers user questions on application and platform security.

Rate this Tip To rate tips, you must be a member of SearchSecurity.com. Register now to start rating these tips. Log in if you are already a member. Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Web Security Advisor New defenses for automated SQL injection attacks PCI compliance and Web applications: Code review or firewalls? Worst practices: Bad security incidents to avoid Web scanning and reporting best practices Social networking Web site threats manageable with good enterprise policy Enterprise security in 2008: Building trust into the application development process PCI DSS Section 6: A plan for tackling application security Making the case for Web application vulnerability scanners Preparing for uniform resource identifier (URI) exploits How to avoid dangling pointers: Tiny programming errors leave serious security vulnerabilities Spyware, Adware and Trojans Stolen data ending up in Google cache, say researchers Information security book excerpts and reviews Yahoo, McAfee to warn users of dangerous websites Botnets and ethics Security Services: Webroot Email Security SaaS Interview: Jim Kirkhope of NCR Trojan downloaders, droppers skyrocket, Microsoft says Kraken botnet balloons to dangerous levels New Storm attack exploits April Fool's Day Panda latest AV firm trying to adapt with the times Spyware, Adware and Trojans Research Application Attacks (Buffer Overflows, Cross-Site Scripting) Tips for SQL injection protection Microsoft addresses XSS in Internet Explorer Internet Explorer open to spoofing, scripting attacks Software still plagued with security holes, researcher says Microsoft tools won't be quick fix for SQL injection attacks Microsoft identifies tools to address SQL injection attacks New defenses for automated SQL injection attacks Alarming SQL injection attacks Adobe Flash Player flaw previously patched, Symantec says Adobe zero day flaw being actively exploited in wild Application Attacks (Buffer Overflows, Cross-Site Scripting) Research RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary barnacle  (SearchSecurity.com) botnet  (SearchSecurity.com) browser hijacker  (SearchSecurity.com) crimeware  (SearchSecurity.com) DSO exploit  (SearchSecurity.com) government Trojan  (SearchSecurity.com) I-SPY Act  (SearchSecurity.com) keylogger  (SearchSecurity.com) PUP  (SearchSecurity.com) talking Trojan  (SearchSecurity.com) RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.