Web security, are there issues with hidden fields (no sensitive data)?

Backend · Unresolved · 10 answers · 1562 views
余生分开走 2020-12-31 04:36

I was having a discussion with coworkers. We have to implement some security standards. We know not to store 'sensitive, addresses, date of birth' information in hidden

10 replies
  •  借酒劲吻你
    2020-12-31 04:51

    Hidden fields are not always an issue, but they should always ring alarm bells, as they have two potential problems:

    1) If the data is sensitive, it exposes it to the client (e.g. using a proxy, or simply viewing the source - and it is pointless to try to prevent this programmatically).

    2) If the data is interpreted by the server, a knowledgeable user can change it. To take a silly example, if the hidden field contains the user's bank balance, they could use a proxy or some non-standard client to make the server think their bank balance is anything they choose.

    The second one is a big source of vulnerabilities in web apps. Data associated with the session should be held server side, unless you have a means of validating it on the server (for example, if the field is signed or encrypted by the server).

    Provided you are sure you're not falling into either of these traps, they can be OK to use. As a rule of thumb, I would not use hidden fields except for data you would be happy to see in the query string, or if JavaScript needs them for processing. In the latter case, you still need to make sure the server is validating, though; don't assume the client will run your JavaScript.
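The "signed by the server" option from the answer above, worked through as an added example (not code from the answer or from any project). It puts a checkout price in a hidden field as an HMAC-SHA256-signed, expiring token, then shows the server rejecting a submission where the attacker rewrote the price through a proxy, and a replay of one user's form by another account. The secret literal, the field names (`state`, `price`, `item`) and the helper names are assumptions for the example; the secret must never reach the client. Note that signing only prevents tampering: the payload is still readable by the client, so it must not carry anything confidential (that is the answer's first point, and would call for encryption instead).

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Assumption: a server-side secret that never reaches the client.
# In a real deployment load it from a secrets store, not a literal.
SERVER_SECRET = b"example-only-server-secret-change-me"


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hidden_field(payload: dict, ttl_seconds: int = 600,
                      now: Optional[float] = None) -> str:
    """Serialise payload, add an expiry, and append an HMAC-SHA256 tag.
    The result is safe to place in <input type="hidden">: the client can
    read it (so it must not contain secrets) but cannot alter it undetected."""
    now = time.time() if now is None else now
    body = dict(payload, exp=int(now) + ttl_seconds)
    encoded = _b64(json.dumps(body, sort_keys=True, separators=(",", ":")).encode())
    tag = hmac.new(SERVER_SECRET, encoded.encode(), hashlib.sha256).digest()
    return f"{encoded}.{_b64(tag)}"


def verify_hidden_field(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the payload if the tag matches and the token is unexpired, else None."""
    now = time.time() if now is None else now
    try:
        encoded, tag_text = token.split(".", 1)
        expected = hmac.new(SERVER_SECRET, encoded.encode(), hashlib.sha256).digest()
        # Constant-time comparison so the tag cannot be guessed byte by byte.
        if not hmac.compare_digest(expected, _unb64(tag_text)):
            return None
        body = json.loads(_unb64(encoded))
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(body, dict) or body.get("exp", 0) < now:
        return None
    return body


def render_checkout_form(session_user: str, item_id: str, unit_price_cents: int) -> dict:
    """The fields the server embeds in the page (constructed example form).
    'price' is present only for display; 'state' is what the server trusts."""
    state = sign_hidden_field({"uid": session_user, "item": item_id,
                               "price": unit_price_cents})
    return {"item": item_id, "price": str(unit_price_cents), "state": state}


def handle_checkout(session_user: str, posted: dict) -> Tuple[bool, str]:
    """Server-side POST handler. Only values recovered from the signed field
    are used; the plain 'price' field is ignored even though the client sent it."""
    state = verify_hidden_field(posted.get("state", ""))
    if state is None:
        return False, "rejected: hidden state missing, tampered or expired"
    # Bind the token to the logged-in user so one user's signed form
    # cannot be replayed from another account.
    if state.get("uid") != session_user:
        return False, "rejected: state belongs to a different session"
    return True, f"charge {state['price']} cents for item {state['item']}"


def tamper_price(posted: dict, new_price_cents: int) -> dict:
    """Simulate an attacker editing the request in a proxy: they change the
    visible price and rewrite the payload half of the token to match, but
    cannot recompute the tag without SERVER_SECRET."""
    encoded, tag_text = posted["state"].split(".", 1)
    body = json.loads(_unb64(encoded))
    body["price"] = new_price_cents
    forged = _b64(json.dumps(body, sort_keys=True, separators=(",", ":")).encode())
    return dict(posted, price=str(new_price_cents), state=f"{forged}.{tag_text}")


if __name__ == "__main__":
    form = render_checkout_form("alice", "sku-42", 4999)
    print(handle_checkout("alice", form))                   # accepted
    print(handle_checkout("alice", tamper_price(form, 1)))  # rejected: tag mismatch
    print(handle_checkout("mallory", form))                 # rejected: wrong user
```

The handler never reads the client-supplied `price`; if a handler does fall back to the plain field, the signature buys nothing. The expiry and the user binding are the two checks that are easy to forget: without them a signed value can be saved and replayed after the price changes, or lifted from one account and submitted from another.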
