Manage Learn to apply best practices and optimize your operations.

Why form fields aren't a good place to hide sensitive information

Web security guru Michael Cobb, takes an in-depth look at the dangers of HIDDEN form fields, how attackers use them to gain unauthorized entry or hijack sessions, and most importantly, how to secure the information sent in these fields.

Interactive Web sites use HTML forms for user feedback, online customer registration, authentication, shopping...

carts and so on. The input elements such as TEXT and RADIO are used to send data to a script or application for processing on the Web server, which generates a response based on the data received. Many sites use the form input type HIDDEN in order to pass data to the Web server without having to show it on the Web page and cluttering it with information that is irrelevant to the user. HIDDEN values are also used to maintain state information, since HTTP itself does not maintain state. Unfortunately, the attribute name HIDDEN is misleading. Although the value of a HIDDEN form field isn't displayed in a Web page, it can easily be viewed by any user who understands the View Source command found in most browsers.

Form input in terms of information system security constitutes an "allowed path," that is, the data is not blocked. It is allowed into the server. Because users can save, edit and then submit HTML pages from their machine, it is possible to pass bogus and unexpected values to the server via these "hidden" form fields. Forms that use HIDDEN fields to send authentication information, for example, could provide an attacker with a way to gain unauthorized entry. The same is true when cookies are used to store information as they are equally vulnerable to client-side modification. Using HIDDEN form fields to maintain state is risky too, because the session information is not truly hidden and therefore allows an attacker to hijack sessions.

More information

Learn how unvalidate Web application input works and what programmers can do to secure Web applications.

Keep your session tokens under lock and key.

Visit this resource center and learn how to reduce the risk of application attacks.

One way around the problem of HIDDEN form fields is to encrypt the hidden values in a form and decrypt them when required by a script or database operation. However, the best way to temporarily store information required by different forms is by using a session cookie that is used to access either server-side maintained session values or a database that stores the temporary values during the user's visit to your site.

Whether you use HIDDEN form fields or not, if your site uses input from a form to build SQL statements to send to a database or as variables within a CGI script, you must not assume that the input is valid or non-malicious. There are a number of attacks where user input can be used to gain access to a Web server if the input data is not validated before being processed either on receipt or on publication. This means that all user input data needs to be checked before being sent on to another process. If any input data is used in building a Web page or retrieved from a database or any other source, it must be checked before it is published on the Web page. Sanity checks and filters on all such data will ensure that any erroneous data is removed and attacks such as SQL injection can be thwarted.

About the author:
Michael Cobb, CISSP-ISSAP is the founder and managing director of Cobweb Applications Ltd., a consultancy that offers IT training and support in data security and analysis. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. Mike is the guest instructor for SearchSecurity's Web Security School and, as a site expert, answers user questions on application and platform security.

Next Steps

Web application attacks security guide: Preventing attacks and flaws

Web application attacks: Building hardened apps

Web application attacks: Types and countermeasures

This was last published in December 2005

Dig Deeper on Application attacks (buffer overflows, cross-site scripting)