[Owasp-guide] Hidden Fields

Dunkle, Edward (Edward) edward.dunkle at verizon.com
Mon Mar 25 21:34:04 UTC 2013

The Data Validation page (https://www.owasp.org/index.php/Data_Validation)<https://www.owasp.org/index.php/Data_Validation>  contains a section on Hidden Fields.  Unfortunately, the sections are not numbered to match the Table of Contents making it a little difficult to see where the next section begins.

In general, the content seems accurate, but there are a couple of strongly worded phrases and perhaps some missing content that I hope you will consider.

First, the strongly worded text:

1.  "their use exposes the inner workings of your application" - this is not always true.  You could reword this as "their use might expose the inner workings of your application".  The name of the hidden field may be obtuse and offer no help to an attacker and their values may be likewise innocuous such as random numbers or letters.

2.  "Code containing hidden fields should be rejected during code reviews."   - this does not seem to be consistent with all the other content above it and there is no explanation.  This implies that a web application with a hidden field on a page would fail an audit or that it definitely has an exploitable vulnerability.  Is this someone's opinion?  How did it get stuck in here?  Is it necessary to read the entire guide to understand the basis for this comment?  There are actually some valid uses for hidden fields, including protection from CSRF on forms that initiate a transaction.  Can someone verify that the subject quote was a valid edit and provide some background explanation along with it on the page?

Some additional introductory content to add here might be something like:

Hidden Fields should be validated just like any other form field on the page.  Consider that their values may have been changed since they are not really hidden on the client side but are merely not exposed on the visible page.  Encryption may be needed to protect confidential values.  Integrity checks might be needed to ensure the values were not changed on the client side.

Instead of "In general, only use hidden fields for page sequence."  you could say "In general, you should avoid use of hidden fields and only use them when other options are not feasible."

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-guide/attachments/20130325/5de0e6c3/attachment.html>

More information about the Owasp-guide mailing list