Hidden Field Manipulation Hacks in Web Applications

Some websites and applications embed hidden fields within web pages to track and pass state information between the web server and the browser. Hidden fields are represented in a web form as <input type="hidden">.

Because of poor coding practices, hidden fields often contain confidential information (such as product prices on an e-commerce site) that should be stored only in a back-end database. Users shouldn’t see hidden fields — hence the name — but the curious attacker can discover and exploit them with these steps:

  1. View the HTML source code.

    To see the source code in Internet Explorer, choose Page→View Source. In Firefox, choose View→Page Source.

  2. Change the information stored in these fields.

    For example, a malicious user might change the price from $100 to $10.

  3. Repost the page back to the server.

    This step allows the attacker to obtain ill-gotten gains, such as a lower price on a web purchase.

Using hidden fields for authentication (login) mechanisms can be especially dangerous. You could come across an intruder-lockout process in a multifactor authentication system that relies on a hidden field to track the number of times the user has attempted to log in. Because the client controls that field, the counter could be reset to zero on every login attempt, which facilitates a scripted dictionary or brute-force login attack.

Several tools, such as Web Proxy (which comes with WebInspect) or Paros Proxy, can easily manipulate hidden fields.

If you come across hidden fields, you can try to manipulate them to see what can be done. It’s as simple as that.
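As an added illustration (not part of the original article), the Python snippet below puts the two failures described above beside their server-side fixes: a checkout that bills whatever the hidden price field says versus one that looks the price up by item id, and a login lockout counter kept in a hidden field versus one kept on the server. The catalogue, the POST body and all function names are constructed for this example.

```python
"""Hidden-field trust: vulnerable handlers beside hardened ones (constructed example)."""
from urllib.parse import parse_qs

# Constructed server-side catalogue: the only trustworthy source of prices.
CATALOG = {"sku-100": 100.00, "sku-250": 250.00}

# Constructed request body, as a browser would POST it after someone edited
# the hidden "price" field in the page source from 100 down to 10.
TAMPERED_POST = "item=sku-100&qty=1&price=10"


def parse_form(body: str) -> dict:
    """Flatten an application/x-www-form-urlencoded body to single values."""
    return {k: v[0] for k, v in parse_qs(body).items()}


def charge_vulnerable(form: dict) -> float:
    """Trusts the hidden price field: whatever the client sent gets billed."""
    return float(form["price"]) * int(form["qty"])


def charge_hardened(form: dict) -> float:
    """Ignores any client-supplied price and looks it up by item id instead."""
    item = form["item"]
    if item not in CATALOG:
        raise ValueError("unknown item")
    qty = int(form["qty"])
    if qty < 1:
        raise ValueError("invalid quantity")
    return CATALOG[item] * qty


# Lockout state must live on the server, keyed by account name.
FAILED_LOGINS = {}
MAX_ATTEMPTS = 5


def login_vulnerable(form: dict, password_ok: bool) -> str:
    """Reads the attempt counter from a hidden field, so it can be reset to 0."""
    attempts = int(form.get("attempts", 0))
    if attempts >= MAX_ATTEMPTS:
        return "locked"
    return "ok" if password_ok else "retry"


def login_hardened(form: dict, password_ok: bool) -> str:
    """Counter is stored server-side; the hidden field is never consulted."""
    user = form["user"]
    if FAILED_LOGINS.get(user, 0) >= MAX_ATTEMPTS:
        return "locked"
    if password_ok:
        FAILED_LOGINS.pop(user, None)
        return "ok"
    FAILED_LOGINS[user] = FAILED_LOGINS.get(user, 0) + 1
    return "retry"
```

The same rule applies to any hidden field: treat it as untrusted input, and keep prices, counters and other state the client must not change on the server.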
