Sin 9: Use of Magic URLs and Hidden Form Fields

Overview of the Sin

Imagine going to a web site and buying a car at any price you want. This can happen if the web site takes the price from an HTML hidden form field. Remember, there's nothing stopping a user from viewing the page source and then sending a modified form with a massively reduced price (using Perl, for example) back to the server. Hidden fields are not hidden at all; they are simply client-supplied data.

Another common problem is Magic URLs: many web-based applications carry authentication information or other important data in URLs. In some cases, this data should not be made public, because it can be used to hijack or manipulate a session. In other cases, Magic URLs are used as an ad hoc form of access control instead of a credential-based system, in which users present their IDs and passwords and, upon successful authentication, the system creates tokens to represent the users.
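The following Python snippet is an added example written for this edition; it is not code from the book. It contrasts a checkout handler that trusts a hidden price field with two server-side defences (look the price up from the server's own catalogue, or sign any state that must round-trip through the client with an HMAC), and shows session tokens generated from the OS CSPRNG and accepted only from a cookie, never from the URL. The catalogue, key, field names and request bodies are constructed placeholders.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs

# Constructed sample catalogue: the server's authoritative prices (hypothetical items).
CATALOGUE = {"car-42": 24_999, "car-7": 31_500}

# Server-side secret used to sign hidden fields; it is never sent to the client.
# A real deployment loads this from configuration, not from a literal.
SIGNING_KEY = b"example-key-replace-in-production"


def vulnerable_checkout(form_body: str) -> int:
    """The sinful version: trusts the price the browser posted back.
    Anyone can edit the hidden field and post any price they like."""
    form = parse_qs(form_body)
    return int(form["price"][0])


def checkout_server_lookup(form_body: str) -> int:
    """Fix 1: treat the hidden field as a lookup key only and take the
    price from the server's catalogue. A tampered 'price' field is ignored."""
    form = parse_qs(form_body)
    item_id = form["item_id"][0]
    if item_id not in CATALOGUE:
        raise ValueError("unknown item")
    return CATALOGUE[item_id]


def sign_fields(fields: dict) -> str:
    """Fix 2: when state genuinely must round-trip through the client, attach an
    HMAC-SHA256 tag over a canonical (sorted key=value) encoding of the fields,
    so any edit by the client is detectable. Returns the hex tag."""
    canonical = "&".join(f"{k}={fields[k]}" for k in sorted(fields))
    return hmac.new(SIGNING_KEY, canonical.encode(), hashlib.sha256).hexdigest()


def checkout_signed(form_body: str) -> int:
    """Verify the tag before using any hidden field; constant-time compare."""
    form = parse_qs(form_body)
    fields = {k: v[0] for k, v in form.items() if k != "sig"}
    expected = sign_fields(fields)
    presented = form.get("sig", [""])[0]
    if not hmac.compare_digest(expected, presented):
        raise ValueError("hidden fields were tampered with")
    return int(fields["price"])


def new_session_token() -> str:
    """A token that stands in for a user must be unguessable: 32 bytes from
    the OS CSPRNG, meant to travel in a cookie rather than the query string."""
    return secrets.token_urlsafe(32)


def session_token_from_request(query_string: str, cookies: dict) -> tuple:
    """Magic-URL defence: the session token is accepted only from the cookie.
    A token that also appears in the URL is ignored and flagged, because
    URL-borne tokens end up in server logs, browser history and Referer headers."""
    leaked_in_url = "session" in parse_qs(query_string)
    return cookies.get("session"), leaked_in_url
```

The page that renders the form would call `sign_fields` with the hidden values it emits and include the returned tag as an extra hidden field named `sig`; the handler then refuses any submission whose tag does not verify. Of the two fixes, the server-side lookup is preferable wherever the data does not need to leave the server at all.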



Source: 19 Deadly Sins of Software Security: Programming Flaws and How to Fix Them (2003), 239 pages, ISBN 71626751.
