Hidden Field Manipulation Hacks in Web Applications
Some websites and applications embed hidden fields within web pages to hack and pass state information between the web server and the browser. Hidden fields are represented in a web form as <input type=hidden>.
Because of poor coding practices, hidden fields often contain confidential information (such as product prices on an e-commerce site) that should be stored only in a back-end database. Users shouldn’t see hidden fields — hence the name — but the curious attacker can discover and exploit them with these steps:
View the HTML source code.
To see the source code in Internet Explorer, choose Page→View Source. In Firefox, choose View→Page Source.
Change the information stored in these fields.
For example, a malicious user might change the price from $100 to $10.
Repost the page back to the server.
This step allows the attacker to obtain ill-gotten gains, such as a lower price on a web purchase.
Using hidden fields for authentication (login) mechanisms can be especially dangerous. You could come across a multifactor authentication intruder lockout process that relies on a hidden field to track the number of times the user attempted to log in. This variable could be reset to zero for each login attempt and thus facilitate a scripted dictionary or brute-force login attack.
Several tools, such as web Proxy (which comes with webInspect) or Paros Proxy, can easily manipulate hidden fields.
If you come across hidden fields, you can try to manipulate them to see what can be done. It’s as simple as that.