Web security, are there issues with hidden fields (no sensitive data)?

I was having a discussion with coworkers. We have to implement some security standards. We know not to store 'sensitive, addresses, date of birth' information in hidden fields, but is it OK to use hidden fields in your application in general?

For example:

action=goback

It seems like it would be safer to use hidden fields for that kind of information as opposed to adding it in the query string. It is one less piece of information that a hacker could use against your application.

asked Jan 05 '09 17:01 by Berlin Brown



2 Answers

A hacker can access hidden fields just as easily as querystring values by using an intercepting proxy (or any number of tools).

I don't think there is anything wrong with using hidden fields as long as they aren't used for anything sensitive and you validate them like you would any other value from the client.

answered Sep 20 '22 17:09 by Neil Aitken
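Added example, not part of the answer above: a server-side handler that treats the hidden `action` field from the question exactly like query-string input, checking it against an allowlist and checking that a hidden record id actually belongs to the logged-in user. The `record_id` field, the ownership table and the sample request bodies are constructed for the demo.

```python
from urllib.parse import parse_qs

# Constructed sample: which records each logged-in user owns (stands in for a DB lookup).
OWNED_RECORDS = {"alice": {17, 42}, "bob": {99}}

# Allowlist for the hidden "action" field; anything else is rejected outright.
# The form itself would carry: <input type="hidden" name="action" value="goback">
ALLOWED_ACTIONS = {"goback", "save", "cancel"}


def handle_form(body: str, session_user: str) -> dict:
    """Process a POSTed form body.

    Hidden fields arrive in the same urlencoded body as visible ones, so an
    intercepting proxy can rewrite them freely. The server therefore decides
    what is valid (allowlist) and what is authorised (session, not the field).
    Returns a dict describing the decision so a caller can log or render it.
    """
    fields = parse_qs(body, keep_blank_values=True)

    # parse_qs returns lists; a repeated field is itself suspicious, so require exactly one value.
    action = fields.get("action", [])
    record = fields.get("record_id", [])

    if len(action) != 1 or action[0] not in ALLOWED_ACTIONS:
        return {"ok": False, "reason": "invalid action"}
    if len(record) != 1 or not record[0].isdigit():
        return {"ok": False, "reason": "invalid record_id"}

    record_id = int(record[0])
    # The hidden record_id only names a record; the session decides whether
    # this user may touch it. A tampered id for someone else's record is refused.
    if record_id not in OWNED_RECORDS.get(session_user, set()):
        return {"ok": False, "reason": "record not owned by user"}

    return {"ok": True, "action": action[0], "record_id": record_id}


if __name__ == "__main__":
    # Constructed request bodies: the untouched form, then two proxy-edited variants.
    print(handle_form("action=goback&record_id=42", "alice"))
    print(handle_form("action=goback&record_id=99", "alice"))
    print(handle_form("action=delete_all&record_id=42", "alice"))
```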


Making a field "hidden" has pretty much nothing to do with security, and should be considered a UI decision. Any "hacker" will read your HTML source anyway.

Better to either not show sensitive information at all, or, if you must, to use SSL (to prevent data interception by network intermediaries) and some combination of login challenges (to prevent unauthorized access).

answered Sep 20 '22 17:09 by Kenan Banks