Ragunath Jawahar

Reputation: 19733

Web form security, changing field names

I've come across a website which changes its field names every time it is refreshed, for example

<input value="" name="F337225905055ZJGKBU" type="text">

the second time I refreshed the webpage, it was

<input value="" name="F337225904870IUJ4RI" type="text">

The name of the field (i.e., here it was the email field) kept changing its value. This is awesome because

  1. Hard to send automated requests (Still possible, the bot can request a new page every time and can find the name of the field from the HTML and send automated requests, but this makes it harder for script kiddies.)

Besides this, what are the other benefits for changing the field names in the form every time it is generated?

I'm a mobile app developer and I'm new to the web arena. I'm looking into the web space currently and am learning jQuery and Rails.

What are the general web security risks I should anticipate from the very beginning?

Upvotes: 0

Views: 158

Answers (1)

Gumbo

Reputation: 655369

This could be used to protect against Cross-Site Request Forgery attacks, as the attacking site (probably) cannot guess the form fields’ names if they are associated with the user.

Upvotes: 1
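
One way a server could derive and check field names that are tied to the user, as the answer describes. This is an added example, not code from the original answer or from the website in the question; the `RotatingFields` module, its method names, the name format and the sample secrets are assumptions made for illustration.

```ruby
require "openssl"
require "securerandom"

# Hypothetical helper: field names are an HMAC over a per-render nonce and the
# logical field name, keyed with a secret stored in the user's server-side session.
module RotatingFields
  module_function

  # Called when rendering the form. Returns [nonce, {logical => rendered name}].
  # The nonce can travel in a hidden field; it is useless without the secret.
  def issue(session_secret, logical_names)
    nonce = SecureRandom.hex(8)
    [nonce, logical_names.to_h { |n| [n, field_name(session_secret, nonce, n)] }]
  end

  def field_name(session_secret, nonce, logical)
    mac = OpenSSL::HMAC.hexdigest("SHA256", session_secret, "#{nonce}:#{logical}")
    "F#{mac[0, 24]}"
  end

  # Called on submit. Maps rendered names back to logical names, or returns nil
  # when an expected name is absent, i.e. the request was not built from a form
  # issued to this session (the cross-site forgery case).
  def resolve(session_secret, nonce, logical_names, params)
    logical_names.each_with_object({}) do |n, out|
      key = field_name(session_secret, nonce, n)
      return nil unless params.key?(key)
      out[n] = params[key]
    end
  end
end

if __FILE__ == $0
  # Constructed sample data: two sessions with different secrets.
  victim_secret   = SecureRandom.hex(32)
  attacker_secret = SecureRandom.hex(32)
  fields = %w[email]

  nonce, names = RotatingFields.issue(victim_secret, fields)
  puts %(<input value="" name="#{names["email"]}" type="text">)

  # Legitimate submit from the victim's own page: accepted.
  p RotatingFields.resolve(victim_secret, nonce, fields, names["email"] => "a@example.test")

  # Forged cross-site submit built with names from the attacker's own session: rejected.
  _, forged = RotatingFields.issue(attacker_secret, fields)
  p RotatingFields.resolve(victim_secret, nonce, fields, forged["email"] => "evil@example.test")
end
```

Rails provides the same binding with a single hidden authenticity token via `protect_from_forgery`, so rotating field names is not needed for CSRF protection there.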
