Hidden Field Manipulation attack
- When a user makes a selection on an HTML page, the selection is typically stored as form field values and sent to the application in an HTTP request (GET or POST)
- HTML can also store field values as hidden fields, which are not rendered on screen by the browser, but are collected and submitted as parameters during form submission
- An attacker can examine the HTML source of the page and change the hidden field values in order to alter the request sent to the server
Vulnerable HTML code
<form method="post" action="page.aspx">
<!-- The price is carried in a hidden field the client controls; the server must not trust it -->
<input type="hidden" name="PRICE" value="200">
Product name : <input type="text" name="product" value="Shirt"><br>
Product price: 200.00<br>
<input type="submit" value="submit">
</form>
Normal Request
http://www.shop.com/page.aspx?product=Shirt&price=200
Malicious Request
http://www.shop.com/page.aspx?product=Shirt&price=2
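The two requests above, run through a vulnerable handler that bills the submitted price and a hardened one that prices from a server-side catalog and flags the mismatch. This is an added example, not the page's own code; the catalog, the helper names and the page.aspx handler logic are assumptions.

```python
from urllib.parse import urlsplit, parse_qs

# Server-side catalog: the only trusted source of prices (constructed sample data).
CATALOG = {"Shirt": 200.00}

# The two requests from the page (normal and manipulated hidden field).
NORMAL = "http://www.shop.com/page.aspx?product=Shirt&price=200"
MALICIOUS = "http://www.shop.com/page.aspx?product=Shirt&price=2"


def parse_request(url):
    """Return the submitted form fields as a flat dict (first value per key)."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def vulnerable_total(fields):
    """Vulnerable: bills whatever the client put in the hidden 'price' field."""
    return float(fields["price"])


def is_tampered(fields):
    """Detection: True when the submitted price disagrees with the catalog."""
    product = fields.get("product")
    if product not in CATALOG:
        return True
    submitted = fields.get("price")
    return submitted is None or float(submitted) != CATALOG[product]


def hardened_total(fields):
    """Hardened: the price is looked up server-side; the submitted value is
    only used to detect tampering and is never used for billing."""
    product = fields.get("product")
    if product not in CATALOG:
        raise ValueError(f"unknown product {product!r}")
    if is_tampered(fields):
        raise ValueError(f"price mismatch for {product}: submitted {fields.get('price')}")
    return CATALOG[product]


if __name__ == "__main__":
    for label, url in (("normal", NORMAL), ("malicious", MALICIOUS)):
        fields = parse_request(url)
        print(label, "vulnerable handler charges:", vulnerable_total(fields))
        try:
            print(label, "hardened handler charges:", hardened_total(fields))
        except ValueError as exc:
            print(label, "hardened handler rejects:", exc)
```

In a real deployment the rejected request would also be logged with the client identity, since a price mismatch only ever comes from a modified form.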