Recipe 3-4: Adding Fake Hidden Form Fields
This recipe shows you how to add fake hidden form field data to existing forms and alert if the data is ever manipulated.
Ingredients
- ModSecurity Reference Manual4
- SecStreamOutBodyInspection directive
- SecContentInjection directive
- STREAM_OUTPUT_BODY variable
- @rsub operator
Hidden Form Fields
HTML hidden form fields are just like normal form fields, except for one distinct difference: The browser doesn’t display them to the user. Hidden fields are used as a mechanism to pass data from one request to another, and their contents are not supposed to be altered. Web developers often mistakenly believe that hidden parameter data cannot be manipulated, but this is not the case. The browser does hide these form fields, but the client still can access the data. He can either view the source or use a browser plug-in. Figure 3-7 shows an example of using the Groundspeed plug-in for the Firefox browser to view hidden form fields on the Twitter login page.
The main benefit of the Groundspeed plug-in is that you can correlate a page’s raw HTML elements to the actual user interface. Figure 3-7 shows a hidden form field named context with a value of front within the Sign Up form.
This is how the raw HTML hidden form field looks in the source:
<input type="hidden" value="front" name="context">Figure 3-7: Hidden form fields on Twitter’s login page
When the user clicks the ”Sign up for Twitter” button, the hidden form field data is sent, ...
Get Web Application Defender's Cookbook now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.
