CRITICAL
Rule Definition
Because they are not rendered visibly, hidden inputs are sometimes erroneously perceived as safe. But, like session cookies, hidden form inputs store the software's state information client-side instead of server-side, which leaves that state open to modification by the client.
If a web product does not properly protect assumed-immutable values in hidden form fields, parameters, cookies, or URLs from modification, critical data can be altered. Web applications often mistakenly assume that data passed to the client in hidden fields or cookies is not susceptible to tampering. Improper validation of user-controllable data can lead to the application processing incorrect, and often malicious, input.
Remediation
Instead of using hidden form fields, the application designer can use a single session token that references properties stored in a server-side cache. When the application needs to check a user property, it looks up the session cookie in its session table, which points to the user's data in the cache or database. This is by far the preferred way to architect a solution to this problem.
If the above technique of using a session variable instead of a hidden field cannot be implemented, a second approach is as follows.
The name/value pairs of the hidden fields in a form are concatenated into a single string, and a secret key that never appears in the form is appended to it. This string is called the Outgoing Form Message. An MD5 digest or other one-way hash is computed over the Outgoing Form Message; this is called the Outgoing Form Digest, and it is added to the form as an additional hidden field.
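As an added example (not part of the CAST rule page or of any of the frameworks listed below), the following Python applies the Outgoing Form Message / Outgoing Form Digest technique to the hidden cost field from the violation samples, together with the server-side check that must run when the form comes back. It swaps HMAC-SHA256 in for the MD5 digest named above, sorts and percent-encodes the name/value pairs so the concatenated message is unambiguous, and compares digests in constant time. FORM_SECRET, the form_digest field name and the sample field values are assumptions made for this example.

```python
import hashlib
import hmac
from urllib.parse import quote

# Secret key that never appears in the form. Constructed for this example;
# a real deployment loads it from configuration and rotates it.
FORM_SECRET = b"example-form-secret-replace-me"

# Name of the extra hidden field that carries the Outgoing Form Digest (assumed name).
DIGEST_FIELD = "form_digest"


def outgoing_form_message(fields: dict) -> bytes:
    """Build the Outgoing Form Message from the hidden name/value pairs.

    Pairs are sorted by name and each name and value is percent-encoded, so the
    message is the same regardless of field order and a value containing '=' or
    '&' cannot be confused with a field boundary. The digest field itself is
    excluded so the same function serves both rendering and verification.
    """
    pairs = sorted((name, value) for name, value in fields.items()
                   if name != DIGEST_FIELD)
    return "&".join(f"{quote(n, safe='')}={quote(v, safe='')}"
                    for n, v in pairs).encode("utf-8")


def outgoing_form_digest(fields: dict, secret: bytes = FORM_SECRET) -> str:
    """Compute the Outgoing Form Digest.

    HMAC-SHA256 is used here in place of the MD5 digest described in the rule:
    the secret key is mixed into the hash, so a client that can read every
    field of the form still cannot produce a valid digest for modified values.
    """
    return hmac.new(secret, outgoing_form_message(fields), hashlib.sha256).hexdigest()


def render_hidden_fields(fields: dict, secret: bytes = FORM_SECRET) -> dict:
    """Return the hidden fields to emit, with the digest added as one more field."""
    rendered = dict(fields)
    rendered[DIGEST_FIELD] = outgoing_form_digest(fields, secret)
    return rendered


def verify_submitted_fields(submitted: dict, secret: bytes = FORM_SECRET) -> bool:
    """Server-side check on submission: recompute the digest and compare.

    Returns False when the digest field is missing or does not match, which
    covers both a tampered value and a stripped digest. hmac.compare_digest
    avoids leaking the position of the first mismatch through timing.
    """
    presented = submitted.get(DIGEST_FIELD)
    if not isinstance(presented, str):
        return False
    expected = outgoing_form_digest(submitted, secret)
    return hmac.compare_digest(presented.encode("utf-8"), expected.encode("ascii"))


if __name__ == "__main__":
    # Constructed sample: the cost and id hidden fields from the violation samples.
    form = render_hidden_fields({"cost": "70.00", "id": "1008"})
    print("rendered hidden fields:", form)
    print("untouched form accepted:", verify_submitted_fields(form))

    tampered = dict(form)
    tampered["cost"] = "0.01"  # the client edits the hidden price
    print("tampered form accepted:", verify_submitted_fields(tampered))

    stripped = {k: v for k, v in form.items() if k != DIGEST_FIELD}
    print("form without digest accepted:", verify_submitted_fields(stripped))
```

The handler that processes the form calls verify_submitted_fields before trusting any of the hidden values; a False result should be treated as an integrity failure and logged, not silently recomputed. Note that the digest only detects modification: a client can still replay an unmodified form, so values that must not be reused (an order identifier, for instance) still need a server-side check.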
Violation Code Sample
Example 1 (html):
<input type="hidden" id="1008" name="cost" value="70.00">
-----------------------------------------------
Example 2 (Struts):
<s:hidden name="url" value="http://www.mkyong.com" />
or:
<nested:hidden name="otherPayList" property="rowStatus" />
or:
<html:hidden property="message" write="true" />
-----------------------------------------------
Example 3 (JSF):
<h:inputHidden value = "Hello World" id = "hiddenField" />
-----------------------------------------------
Example 4 (ASP.NET):
<asp:hiddenfield id="ValueHiddenField" onvaluechanged="ValueHiddenField_ValueChanged" value="" runat="server"/>
-----------------------------------------------
Example 5 (JSF/IceFaces):
<ice:inputHidden value="#{sessionBean.userToken}" id="userToken" />
-----------------------------------------------
Example 6 (JSF/Primefaces):
<p:inputText value="hello world" id="hiddenfield" type="hidden" />
-----------------------------------------------
Example 7 (Spring):
<form:hidden path = "id" value = "1" />
Fixed Code Sample
Reference
CWE-472: External Control of Assumed-Immutable Web Parameter
https://cwe.mitre.org/data/definitions/472.html
CWE-642: External Control of Critical State Data
https://cwe.mitre.org/data/definitions/642.html
OWASP Attacks - Web Parameter Tampering
https://owasp.org/www-community/attacks/Web_Parameter_Tampering
Related Technologies
Technical Criterion
Secure Coding - Input Validation
About CAST Appmarq
CAST Appmarq is by far the biggest repository of data about real IT systems. It's built on thousands of analyzed applications, made of 35 different technologies, by over 300 business organizations across major verticals. It provides IT Leaders with factual key analytics to let them know if their applications are on track.