Reputation: 32500
My application is being penetration tested.
One of the XSS items being flagged is that I'm using a hidden form field to store a record id in a browser/search screen, then using this id to open the full record (via a POST).
I'm struggling to see how this is an XSS attack. Am I missing something?
Upvotes: 1
Views: 4653
Reputation: 31
One possibility is if you are not filtering the input of the hidden field. Hidden fields themselves are not an XSS attack vector.
Are you sure about "no XSS attack vector"? Don't convey a wrong sense of security if you don't know and haven't tried to test it. Always suggest that users validate and filter inputs.
Upvotes: 0
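The scenario the answer and comment are arguing about, as an added example that is not part of the original thread: the search screen echoes the posted id back into the hidden field. If it does so without escaping, a tampered POST value can close the attribute and inject markup, which is exactly how a hidden field becomes a reflected XSS sink. The function names and the tampered input are constructed for illustration.

```python
import html

# Constructed sample: a record id as it might arrive in the POST body after
# tampering. A real id would be a plain number such as "42".
TAMPERED_ID = '42"><script>alert(1)</script><input type="hidden" value="'


def render_hidden_unsafe(record_id: str) -> str:
    """Vulnerable: the submitted value is pasted straight into the attribute,
    so a double quote in the input terminates value="..." early."""
    return f'<input type="hidden" name="id" value="{record_id}">'


def render_hidden_safe(record_id: str) -> str:
    """Hardened: HTML-attribute-escape the value (quote=True also encodes
    the double quote), so it cannot break out of the attribute."""
    return f'<input type="hidden" name="id" value="{html.escape(record_id, quote=True)}">'


def is_numeric_id(record_id: str) -> bool:
    """Allow-list validation: a record id should only ever consist of digits.
    Reject anything else before it reaches the template or the database."""
    return record_id.isdigit()


def contains_script_tag(markup: str) -> bool:
    """Helper used to show whether injected markup survived rendering."""
    return "<script>" in markup


if __name__ == "__main__":
    print(render_hidden_unsafe(TAMPERED_ID))
    print(render_hidden_safe(TAMPERED_ID))
    print(is_numeric_id(TAMPERED_ID), is_numeric_id("42"))
```

Escaping fixes the output side; the digit check fixes the input side. Doing both is what "validate and filter inputs" amounts to for a numeric id.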
Reputation: 41165
What happens if the form is submitted with that value changed?
Exposing an actual database id risks allowing access to rows in your DB that belong to another user.
If you are exposing a database id and using it in a SQL query, you should ensure that the SQL query uses a bind variable for that id (or properly escapes it, but bind variables are better) and do business rule checks to make sure the row corresponding to the id actually should be visible to the current application user.
This isn't really an XSS issue, but it's definitely a security issue.
Upvotes: 2
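The two checks this answer recommends, as an added example that is not code from the original thread: a bind variable for the id, and a business-rule check that the row belongs to the current user. The in-memory SQLite table, the user names and the function names are constructed for illustration.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample data: two users, each owning one record."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE records (id INTEGER PRIMARY KEY, owner TEXT, body TEXT)")
    conn.executemany(
        "INSERT INTO records VALUES (?, ?, ?)",
        [(1, "alice", "alice's record"), (2, "bob", "bob's record")],
    )
    conn.commit()
    return conn


def open_record_unsafe(conn: sqlite3.Connection, record_id: str):
    """Vulnerable: the hidden-field value is concatenated into the SQL and
    nothing checks who owns the row. Changing the id in the POST body
    opens another user's record, and a crafted value alters the query."""
    return conn.execute(
        f"SELECT id, owner, body FROM records WHERE id = {record_id}"
    ).fetchone()


def open_record_safe(conn: sqlite3.Connection, current_user: str, record_id: str):
    """Hardened: validate the id, pass it as a bind variable, and make the
    ownership rule part of the query so a tampered id simply finds nothing."""
    if not record_id.isdigit():
        return None
    return conn.execute(
        "SELECT id, owner, body FROM records WHERE id = ? AND owner = ?",
        (int(record_id), current_user),
    ).fetchone()


if __name__ == "__main__":
    db = build_db()
    # bob changes the hidden field from 2 to 1 and submits the form
    print(open_record_unsafe(db, "1"))
    print(open_record_unsafe(db, "0 OR 1=1"))
    print(open_record_safe(db, "bob", "1"))
    print(open_record_safe(db, "bob", "2"))
```

The ownership condition is placed in the query rather than checked after the fetch, so the "does this row belong to the caller" rule cannot be forgotten on a later code path that reuses the lookup.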