
Can a user edit the page source, manipulate hidden field values and then post the form with those values?

Tags:

html

On various sites, you often see in the page source some hidden values on forms (usually holding some kind of constant, key, ID, etc). Something like:

<input type="hidden" name="_submit_check" value="1">

I'd assume this website is double-checking the form was posted by checking _submit_check's value for 1. Would it be possible to edit the source and change that to 0, then post the data and thus make the form fail to post server side?

This example isn't very dangerous to the server as it will simply ignore the request, but are there any possible security risks with using hidden fields (other than the obvious: they can still read the value in the source; I'm more worried about whether they can edit it)?

Zeritor asked Sep 13 '12 15:09


2 Answers

Yes, a user could copy your HTML form, change the values and then post to your server. This is why it is important to always validate and sanitize user input, including hidden input values, on the server side and not just the client side (i.e. JavaScript).

Jrod answered Oct 03 '22 19:10
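Added example (not from the answer above) of what server-side handling of hidden fields can look like: the plain `_submit_check` constant from the question is checked but cannot stop tampering, so a value-carrying hidden field (a hypothetical `record_id`) is bound to a server-side HMAC and verified before use. The secret and field names are constructed for the example.

```python
import hmac
import hashlib
from urllib.parse import parse_qs

# Constructed secret for the example; a real application loads it from config.
SECRET = b"constructed-example-secret"


def sign_hidden_value(name: str, value: str, secret: bytes = SECRET) -> str:
    """Return 'value.hexmac'; the MAC also binds the value to its field name."""
    mac = hmac.new(secret, f"{name}={value}".encode(), hashlib.sha256).hexdigest()
    return f"{value}.{mac}"


def verify_hidden_value(name: str, signed: str, secret: bytes = SECRET):
    """Return the original value if the MAC matches, otherwise None."""
    value, sep, mac = signed.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(secret, f"{name}={value}".encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison avoids leaking the MAC through timing.
    if not hmac.compare_digest(mac, expected):
        return None
    return value


def handle_post(body: str) -> dict:
    """Server-side handling of a posted form body (application/x-www-form-urlencoded)."""
    form = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    # The constant from the question: the client can send any value here, so this
    # check only filters malformed submissions; it proves nothing about trust.
    if form.get("_submit_check") != "1":
        return {"status": 400, "error": "missing submit check"}
    # A hidden field carrying data (here a record id) is verified, never trusted as-is.
    record_id = verify_hidden_value("record_id", form.get("record_id", ""))
    if record_id is None:
        return {"status": 400, "error": "tampered or missing record_id"}
    # Signing stops edits to the value; whether this user may act on this record
    # is still a separate authorization check on the server.
    return {"status": 200, "record_id": record_id}
```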


Yes, you can edit it, and nowadays, when browsers like Chrome and Firefox have integrated web development tools, it is easier to modify values. That's why you shouldn't trust data received from the user.

Skatox answered Oct 03 '22 19:10