Monday, 12 March 2007
I wouldn't necessarily call it a security hole but it may be for some people.
And all you need to expose it is the Web Developer Extension and a copy of Firefox.
In the 'olden' days, when I created a form, anything I didn't want the user to see went into an input of type hidden:
<input type="hidden" name="colour" value="red">
As I have developed, I have still used this technique but less frequently. I have switched from HTML development to PHP development which allows so much more behind-the-scenes gubbins.
However, a lot of people are using hidden fields for important values such as username.
Take this scenario:
I register with a site. Then, I want to change my details. If it is built using hidden tags, and my username is one of them, I could potentially change the details for any other known user on the site.
On the extension, go to Forms > Display Form Detail
If the script relies on the username being in a hidden field, the chances are that when the script updates the database, it will look up the record by that username alone. A hidden field is only hidden from view; its value comes back from the browser like any other input. Simply change the username and click Go and, if the site is built this way, you can change the user details for anyone else to what's on your form.
Low level hacking if you will!
Now I didn't write this to tell you how to ruin other people's websites. I wrote this to highlight security holes in your web pages.
If you use any forms on your site, run them through the extension and make sure that no other accounts can be altered by a crafty user.
The common use of hidden tags, like I said above, is for login names. They can also be used for IP address recording, but beware: if you run a service that limits activities based upon the IP address submitted with a form, this can be changed too.
If you are running HTML forms and potentially suffer the problems listed above, do yourself a favour and learn PHP!
It's so much more fun!
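The scenario above as a PHP sketch, added here as an illustration and not code from the original post: the first handler trusts the hidden username field, the second takes the account from the session written at login and the IP address from the connection. The table, field names and sample request are constructed, and plain arrays stand in for $_POST, $_SESSION and $_SERVER so it runs from the command line with the SQLite PDO driver.

```php
<?php
// Added example. Table, field names and the request below are constructed.
// Plain arrays stand in for $_POST, $_SESSION and $_SERVER.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, email TEXT)');
$db->exec("INSERT INTO users VALUES ('alice', 'alice@example.test')");
$db->exec("INSERT INTO users VALUES ('bob', 'bob@example.test')");

// Weak: the account is chosen by <input type="hidden" name="username">,
// a value the browser sends back and the user can edit.
function updateTrustingHiddenField(PDO $db, array $post): void
{
    $stmt = $db->prepare('UPDATE users SET email = ? WHERE username = ?');
    $stmt->execute([$post['email'], $post['username']]);
}

// Corrected: the account comes from the session written at login, and the
// IP address from the connection. Form copies of either are ignored.
function updateUsingSession(PDO $db, array $session, array $server, array $post): string
{
    if (empty($session['username'])) {
        throw new RuntimeException('Not logged in');
    }
    $stmt = $db->prepare('UPDATE users SET email = ? WHERE username = ?');
    $stmt->execute([$post['email'], $session['username']]);
    return $server['REMOTE_ADDR'];
}

function emailOf(PDO $db, string $user): string
{
    $stmt = $db->prepare('SELECT email FROM users WHERE username = ?');
    $stmt->execute([$user]);
    return (string) $stmt->fetchColumn();
}

// alice is logged in, but the submitted form names bob and a different IP.
$session = ['username' => 'alice'];
$server  = ['REMOTE_ADDR' => '203.0.113.7'];
$post    = ['username' => 'bob', 'ip' => '198.51.100.9', 'email' => 'new@example.test'];

updateTrustingHiddenField($db, $post);
echo "hidden field trusted: bob's email is ", emailOf($db, 'bob'), "\n";

$db->exec("UPDATE users SET email = 'bob@example.test' WHERE username = 'bob'");
$ip = updateUsingSession($db, $session, $server, $post);
echo "session used: bob's email is ", emailOf($db, 'bob'),
     ", alice's is ", emailOf($db, 'alice'), ", logged IP $ip\n";
```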