Tampering

In its simplest definition, tampering is just modifying something that you are not supposed to modify. In a target system that could range from network traffic, to application data, to data in cold storage. The focus of this post will be on web tampering, specifically HTTP hidden field tampering.
HTTP Hidden Fields
A typical web application interacts with users using HTML forms. Within a web application a developer may use a hidden field as a way to store status information. OWASP provides an example of an e-commerce website that uses one of the hidden fields to store the cost of a particular item.
There are a couple of dangerous things about this. The first is that the hidden fields are typically plain text (really more of an information disclosure issue, but still a vulnerability), and the second is that a bad actor could save a form, edit the hidden field, and then send it back to the server. Hidden fields are usually considered trusted by the web application, so the web app will readily accept the altered hidden field data.
There are some options to help mitigate the risk of HTTP hidden field modification. One way is to check the HTTP_REFERER header, however that type of validation can often be defeated by a bad actor, since the client controls the header. It seems to be the equivalent of closing an open door, but not locking it. The closed door will prevent the most basic attempts, but anyone who puts in minimal effort to turn the knob can still do what they want.
A better option is to use a session ID and keep the value stored only on the server. The browser and server communicate using the session ID, so it mitigates the risk of a bad actor being able to read stored data, and also prevents the data from being manipulated.
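The contrast above, as an added example that is not part of the original post: a checkout handler that trusts a hidden price field beside one that keeps the item in a server-side session and takes the price from the server's own catalogue. The catalogue, the session store and the form bodies are constructed for the demonstration.

```python
from urllib.parse import parse_qs
import secrets

# Constructed server-side catalogue: the authoritative price per item id.
CATALOGUE = {"sku-1001": 49.99}

# Constructed session store: session id -> cart data kept only on the server.
SESSIONS = {}


def checkout_trusting_hidden_field(form_body: str) -> float:
    """Vulnerable: charges whatever 'price' the submitted form carries.

    The hidden field was rendered by the server, but the browser (and anyone
    editing the saved form) controls what comes back, so it is untrusted input.
    """
    form = parse_qs(form_body)
    qty = int(form["qty"][0])
    price = float(form["price"][0])  # hidden field, client-controlled
    return round(qty * price, 2)


def start_session(item_id: str) -> str:
    """Server creates the cart and hands the client only an opaque session id."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"item": item_id}
    return sid


def checkout_server_side(session_id: str, form_body: str) -> float:
    """Hardened: the item comes from the session, the price from the catalogue.

    Any 'price' field the client submits is simply ignored; only the quantity
    is read from the form, and it is validated before use.
    """
    cart = SESSIONS.get(session_id)
    if cart is None:
        raise PermissionError("unknown session")
    form = parse_qs(form_body)
    qty = int(form["qty"][0])
    if qty <= 0:
        raise ValueError("invalid quantity")
    return round(qty * CATALOGUE[cart["item"]], 2)
```

Running both handlers against a form whose hidden price was edited shows the first one billing the edited amount while the second bills the catalogue price regardless of what the form carries.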