Question about hidden types

  1. #1
    Junior Member
    Join Date
    Oct 2001
    Posts
    9

    Question about hidden types

    Anyone know about hacking hidden input types?
    i.e.
    input type="hidden"

    I have a website which has hidden input types and have read that these are hackable. How are they hackable and what risk are they to my site?

    Thanks

  2. #2
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,786
    SamSpade from samspade.org has a check box in its 'crawl website' feature to search for hidden form values.
    Use that and you can find out just what the values are.
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”

  3. #3
    Old-Fogey:Addicts founder Terr's Avatar
    Join Date
    Aug 2001
    Location
    Seattle, WA
    Posts
    2,007

    Re: Question about hidden types

    Originally posted by keen2learn
    Anyone know about hacking hidden input types?
    i.e.
    input type="hidden"

    I have a website which has hidden input types and have read that these are hackable. How are they hackable and what risk are they to my site?

    Thanks
    They aren't a problem; the REAL problem is that when people use them, they often set up a lazy system that allows a malicious user to substitute values when they send in the information.

    For instance...
    Some badly-designed sites, instead of keeping a database of prices for their products, instead WRITE the price into the webpage as a hidden value. When people submit their purchase, the browser takes this value and submits it along with everything else. But there is nothing to keep someone from saving the html file, editing the price that is stored in the page, and then clicking submit, and making the server think they are buying a $1 item instead of a $200 item.
    [HvC]Terr: L33T Technical Proficiency
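
The design flaw described in post #3, shown from the server's side as an added example that is not part of the original thread: one handler charges the price echoed back in the hidden field, the other looks the price up itself and only uses the submitted value to flag a mismatch. The catalogue, field names (`sku`, `qty`, `price`), quantity limit and sample request bodies are constructed for illustration.

```python
from decimal import Decimal, InvalidOperation
from urllib.parse import parse_qs

# Constructed catalogue: the server's own record of prices (assumption).
CATALOG = {"sku-1001": Decimal("200.00"), "sku-1002": Decimal("1.00")}

# Constructed POST bodies: the form as served, and the same form after the
# hidden "price" value was changed in a saved copy of the page.
HONEST = "sku=sku-1001&qty=1&price=200.00"
EDITED = "sku=sku-1001&qty=1&price=1.00"

def parse_form(body: str) -> dict:
    """Decode an application/x-www-form-urlencoded body (first value wins)."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}

def total_trusting_client(body: str) -> Decimal:
    """The 'lazy' design: charge whatever price the browser sent back."""
    form = parse_form(body)
    return Decimal(form["price"]) * int(form["qty"])

def total_server_side(body: str):
    """Hardened: the price comes from CATALOG. A submitted price is never
    charged; it is only compared so a mismatch can be logged for review.
    Returns (amount_to_charge, price_field_was_altered)."""
    form = parse_form(body)
    sku = form.get("sku", "")
    if sku not in CATALOG:
        raise ValueError("unknown product")
    try:
        qty = int(form.get("qty", ""))
    except ValueError:
        raise ValueError("bad quantity") from None
    if not 1 <= qty <= 100:  # every client-supplied field is validated
        raise ValueError("bad quantity")
    price = CATALOG[sku]
    altered = False
    if "price" in form:
        try:
            altered = Decimal(form["price"]) != price
        except InvalidOperation:
            altered = True  # not even a number: treat as altered
    return price * qty, altered

if __name__ == "__main__":
    print("trusting handler charges:", total_trusting_client(EDITED))
    print("server-side handler:", total_server_side(EDITED))
```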

  4. #4
    Junior Member
    Join Date
    Oct 2001
    Posts
    9

    Thanks 2 Tedob1 and Terr

    Thanks Tedob1 I'll take a look at samspade.org (actually I had a copy which expired months ago - I'll take another look).

    Terr, thanks also to you, you have lessened my worry. I copied a lot of the source from another page, however I don't use any critical data within the page (like prices etc.) as I've seen how they can be altered.

    Thanks again 2 u both.
    I really appreciate your responses.

    - Cheers
