Hidden Fields

We briefly touched on hidden fields in Chapter 3 when discussing HTML forms. Hidden fields are specified by the <INPUT TYPE=HIDDEN NAME=name > tag and are often used by Web application developers to pass information back and forth between forms and back-end programs that process the forms. Because HTTP is a stateless protocol, hidden fields provide the much-needed functionality for tracking a user's course through the application.

Some developers make the mistake of passing application configuration parameters to back-end application programs with hidden fields. In the case of the attack on acme-art.com, the hacker retrieved the configuration file for the shopping cart by looking at a hidden field in an HTML form. The following line led the hacker to the cart.ini configuration file and eventually to the list of authorized credit cards, ccauth.log:

<INPUT TYPE=HIDDEN NAME=_INIFILE VALUE="cart.ini">

Not only does such a mistake lead to information leakage, but it also allows the Web hacker to tamper with the data contained in the hidden fields by saving a local copy of the HTML code, modifying it, and resubmitting it to the back-end application.

We revisit hidden fields again when discussing session hijacking in Chapter 13 and e-shoplifting in Chapter 10. For now, we focus on spotting hidden fields within HTML. Searching for the string "TYPE=HIDDEN" enumerates all the occurrences of hidden fields within the HTML code of a Web page. To fully understand the functionality of each hidden field in an application is to prevent information leakage and vulnerabilities caused by users submitting tampered values in hidden fields.