02 Mar, 2023

Hidden Field Manipulation

Vulnerability Assessment as a Service (VAaaS)

Tests systems and applications for vulnerabilities to address weaknesses.

Hidden Field Manipulation is a type of web application attack that involves modifying the values of hidden fields in a form. Hidden fields are used in HTML forms to store data that is not meant to be seen or modified by users, such as session IDs or other sensitive information.

In HFM attacks, an attacker can modify the values of these hidden fields to bypass security measures, gain unauthorized access, or perform other malicious actions. This can be accomplished by manipulating the HTML code of the form, using automated tools to modify the fields, or exploiting vulnerabilities in the server-side code that processes the form data.

Example of vulnerable code on different programming languages:


in PHP:

				
					<form method="post" action="process_form.php">
   <input type="hidden" name="user_id" value="<?php echo $_SESSION['user_id']; ?>">
   <input type="text" name="name">
   <input type="submit" value="Submit">
</form>

				
			


In this example, the user_id value is stored in a hidden field, which can be manipulated by an attacker. A secure way to implement this would be to store the user_id in a session variable on the server-side and use that value to process the form data.

• in Java:

				
					<form method="post" action="process_form.jsp">
   <input type="hidden" name="user_id" value="<%= session.getAttribute("user_id") %>">
   <input type="text" name="name">
   <input type="submit" value="Submit">
</form>

				
			


Similar to the PHP example, the user_id value is stored in a hidden field, which can be manipulated by an attacker. A secure way to implement this would be to store the user_id in a session variable on the server-side and use that value to process the form data.

• in Python:

				
					<form method="post" action="process_form.py">
   <input type="hidden" name="user_id" value="{{ session['user_id'] }}">
   <input type="text" name="name">
   <input type="submit" value="Submit">
</form>

				
			


Once again, the user_id value is stored in a hidden field, which can be manipulated by an attacker. A secure way to implement this would be to store the user_id in a session variable on the server-side and use that value to process the form data.

Examples of exploitation Hidden Field Manipulation

Authentication bypass:

In a web application that uses a hidden field to store the user ID or session ID, an attacker can manipulate the value of the hidden field to gain access to another user’s account. For example, if the value of the hidden field is set to the user ID of an administrator, the attacker can change it to their own user ID to gain administrative privileges.

Payment manipulation:

In an e-commerce website that uses a hidden field to store the price of a product, an attacker can manipulate the value of the hidden field to purchase the product at a lower price. For example, if the value of the hidden field is set to the price of $100, the attacker can change it to $50 to purchase the product at a discounted rate.

Data tampering:

In a form that uses a hidden field to store the data related to the form submission, an attacker can manipulate the value of the hidden field to modify the data that is submitted. For example, if the value of the hidden field is set to the ID of a record in a database, the attacker can change it to modify the record in the database.

CSRF attack:

In a Cross-Site Request Forgery (CSRF) attack, an attacker can use a hidden field to inject a malicious payload into a form submission that is triggered when a victim user visits a website or clicks on a link. For example, if the value of the hidden field is set to a URL that points to a malicious website, the attacker can trick the victim user into submitting the form and redirecting them to the malicious website.

Privilege escalation techniques for Hidden Field Manipulation

Manipulating session variables:

One common technique for privilege escalation through HFM is to manipulate the values of session variables stored in hidden fields. If a web application stores user privileges or roles in session variables, an attacker can manipulate these values to gain elevated access.

For example, if a user’s session variable stores their role as “user,” an attacker can manipulate the hidden field to set the role to “administrator” or another higher privilege level.

Manipulating form data:

In some cases, a web application may use hidden fields to store data related to the form submission, such as the ID of a record in a database. If an attacker can manipulate these fields, they may be able to escalate their privileges by modifying or deleting records that they are not authorized to access.

For example, if a web application uses a hidden field to store the ID of a user record, an attacker can manipulate the field to set the ID to that of an administrator or another high-level user, and then submit the form to gain access to that user’s account.

Using automated tools:

Automated tools such as Burp Suite or OWASP ZAP can be used to manipulate hidden fields and other form data in web applications. These tools can be used to perform targeted attacks that aim to escalate privileges by manipulating hidden fields.

For example, an attacker can use a tool like Burp Suite to intercept and modify the values of hidden fields in a login form, allowing them to bypass authentication and gain access to an administrative account.

General methodology and checklist for Hidden Field Manipulation

Methodology:

  1. Identify hidden fields: Identify hidden fields in the web application that can be manipulated by an attacker. Hidden fields are typically used to store data related to the form submission, such as session IDs, user IDs, or prices.

  2. Determine the purpose of the hidden fields: Determine the purpose of the hidden fields and whether they are used for authentication, authorization, or data storage. This will help identify the potential impact of an HFM attack.

  3. Check for client-side validation: Check whether the web application uses client-side validation to verify the values of hidden fields. If the validation is only performed on the client-side, an attacker can easily bypass it by manipulating the values of hidden fields.

  4. Check for server-side validation: Check whether the web application performs server-side validation to verify the values of hidden fields. Server-side validation is more secure than client-side validation because an attacker cannot bypass it without gaining access to the server.

  5. Manipulate the hidden fields: Attempt to manipulate the values of hidden fields and submit the form to check whether the manipulation is successful. If the manipulation is successful, it indicates a vulnerability that can be exploited by an attacker.

  6. Test for privilege escalation: If an HFM vulnerability is identified, test whether it can be used for privilege escalation. Attempt to escalate privileges by manipulating the values of hidden fields to gain access to resources or perform unauthorized actions.

  7. Report and remediate: Report any HFM vulnerabilities to the developers and provide recommendations for remediation. Remediation measures may include implementing input validation and server-side verification, encrypting sensitive data stored in hidden fields, and limiting the use of hidden fields in the web application.

Checklist:

  1. Identify hidden fields in the web application.

  2. Determine the purpose of the hidden fields, such as whether they are used for authentication, authorization, or data storage.

  3. Check for client-side validation to verify the values of hidden fields.

  4. Check for server-side validation to verify the values of hidden fields.

  5. Manipulate the values of hidden fields and submit the form to check whether the manipulation is successful.

  6. Test for privilege escalation by attempting to escalate privileges through manipulation of hidden fields.

  7. Test whether the web application encrypts sensitive data stored in hidden fields.

  8. Test whether the web application limits the use of hidden fields and prevents excessive data storage in hidden fields.

  9. Test for other web application vulnerabilities that may be related to Hidden Field Manipulation, such as Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), or SQL injection.

  10. Report any vulnerabilities to the developers and provide recommendations for remediation.

  11. Verify that the recommended remediation measures have been implemented and retest the web application for HFM vulnerabilities.

Tools set for exploiting Hidden Field Manipulation

Manual Tools:

  1. Burp Suite – A popular proxy tool used to intercept and modify HTTP/HTTPS traffic, including hidden fields. It allows manual testing and manipulation of hidden fields.

  2. Tamper Data – A Firefox extension that allows manual modification of data sent between the web browser and server, including hidden fields.

  3. Chrome Developer Tools – A built-in tool in the Google Chrome browser that allows manual inspection and modification of web page elements, including hidden fields.

  4. ZAP – An open-source web application security scanner that includes a proxy feature for manual testing and manipulation of hidden fields.

  5. Fiddler – A web debugging proxy tool that allows manual interception and modification of HTTP/HTTPS traffic, including hidden fields.

  6. OWASP Mantra – A browser-based security framework that includes various tools for manual web application testing, including hidden field manipulation.

  7. Firebug – A Firefox extension that allows manual inspection and modification of web page elements, including hidden fields.

Automated Tools:

  1. Acunetix – A web vulnerability scanner that includes detection and exploitation of Hidden Field Manipulation vulnerabilities.

  2. AppScan – A web application security testing tool that includes detection and exploitation of Hidden Field Manipulation vulnerabilities.

  3. Nessus – A network vulnerability scanner that includes detection of Hidden Field Manipulation vulnerabilities.

  4. Netsparker – A web application security scanner that includes detection and exploitation of Hidden Field Manipulation vulnerabilities.

  5. Nikto – A web server vulnerability scanner that includes detection of Hidden Field Manipulation vulnerabilities.

  6. WebInspect – A web application security testing tool that includes detection and exploitation of Hidden Field Manipulation vulnerabilities.

  7. Arachni – A web application security scanner that includes detection and exploitation of Hidden Field Manipulation vulnerabilities.

  8. Vega – An open-source web application security scanner that includes detection and exploitation of Hidden Field Manipulation vulnerabilities.

  9. Skipfish – A web application security scanner that includes detection and exploitation of Hidden Field Manipulation vulnerabilities.

  10. SQLMap – A tool for automated detection and exploitation of SQL injection vulnerabilities that can be used to detect and exploit Hidden Field Manipulation vulnerabilities.

  11. W3af – An open-source web application security scanner that includes detection and exploitation of Hidden Field Manipulation vulnerabilities.

  12. Grendel Scan – An open-source web application security scanner that includes detection and exploitation of Hidden Field Manipulation vulnerabilities.

  13. Qualys – A web application security testing tool that includes detection and exploitation of Hidden Field Manipulation vulnerabilities.

  14. Vega – An open-source web application security scanner that includes detection and exploitation of Hidden Field Manipulation vulnerabilities.

  15. IronWASP – A web application security testing tool that includes detection and exploitation of Hidden Field Manipulation vulnerabilities.

Browser Plugins:

  1. Web Developer – A browser extension that allows inspection and modification of web page elements, including hidden fields.

  2. HackBar – A Firefox extension that provides various security testing tools, including the ability to manually manipulate hidden fields.

  3. Edit This Cookie – A browser extension that allows manual modification of cookies, which may contain hidden field values.

  4. XSS Me – A Firefox extension that allows detection and exploitation of Cross-Site Scripting (XSS) vulnerabilities, which may be related to Hidden Field Manipulation.

  5. HTTP Header Live – A browser extension that allows inspection and modification of HTTP headers, including those related to hidden fields.

Average CVSS score of stack Hidden Field Manipulation

The Common Vulnerability Scoring System (CVSS) is a framework used to assess the severity and impact of vulnerabilities. The CVSS score is a numerical value between 0 and 10, where a higher score indicates a more severe vulnerability.

The CVSS score of a specific vulnerability related to Hidden Field Manipulation may vary depending on the context, severity, and impact of the vulnerability. However, in general, Hidden Field Manipulation is considered a medium to high severity vulnerability, with a CVSS score range between 4.0 and 8.0.

The actual CVSS score of a Hidden Field Manipulation vulnerability may be influenced by factors such as the complexity of the attack, the impact on the application, the ease of exploitation, and the mitigating factors that can reduce the impact of the vulnerability.

Therefore, it is essential to perform a thorough vulnerability assessment and analysis of the specific context and impact of a Hidden Field Manipulation vulnerability to accurately determine its CVSS score.

The Common Weakness Enumeration (CWE)

• CWE-532: Insertion of Sensitive Information into Debugging Code – Hidden fields may contain sensitive information that can be exposed through debugging code.

• CWE-352: Cross-Site Request Forgery (CSRF) – Hidden fields can be manipulated to conduct CSRF attacks that allow an attacker to execute unauthorized actions on behalf of a user.

• CWE-200: Information Exposure – Hidden fields may contain sensitive information that can be exposed to unauthorized users or attackers.

• CWE-287: Improper Authentication – Hidden fields may be used in authentication mechanisms and can be manipulated to bypass authentication checks.

• CWE-434: Unrestricted Upload of File with Dangerous Type – Hidden fields can be manipulated to upload files with dangerous file types, such as executable files or scripts, that can compromise the application or the server.

• CWE-330: Use of Insufficiently Random Values – Hidden fields may contain values that are predictable or insufficiently random, making them vulnerable to brute-force attacks or other types of attacks.

• CWE-434: Unrestricted Upload of File with Dangerous Type – Hidden fields can be manipulated to upload files with dangerous file types, such as executable files or scripts, that can compromise the application or the server.

• CWE-613: Insufficient Session Expiration – Hidden fields can be used to maintain session information and may be vulnerable to session fixation attacks, allowing an attacker to hijack a user’s session.

• CWE-352: Cross-Site Request Forgery (CSRF) – Hidden fields can be manipulated to conduct CSRF attacks that allow an attacker to execute unauthorized actions on behalf of a user.

• CWE-749: Exposed Dangerous Method or Function – Hidden fields can be manipulated to trigger dangerous methods or functions, such as SQL injection or command injection, that can compromise the application or the server.

CVES related to Hidden Field Manipulation

• CVE-2002-2302 – 3D3.Com ShopFactory 5.5 through 5.8 allows remote attackers to modify the prices in their shopping carts by modifying the price in a hidden form field.

 Hidden Field Manipulation exploits

  • Cross-Site Request Forgery (CSRF) – attackers can manipulate hidden fields to submit unauthorized requests on behalf of an authenticated user to perform actions such as transferring funds, changing passwords, or deleting data.

  • Session Hijacking – attackers can manipulate hidden fields to gain access to an authenticated session by stealing the session ID.

  • SQL Injection – attackers can manipulate hidden fields to inject malicious SQL statements to access, modify, or delete data from the application’s database.

  • Command Injection – attackers can manipulate hidden fields to inject malicious commands to execute arbitrary code on the server.

  • File Upload Vulnerabilities – attackers can manipulate hidden fields to upload malicious files to the server, such as web shells or malware.

  • Information Disclosure – attackers can manipulate hidden fields to access sensitive information, such as passwords, credit card numbers, or personal data.

  • Account Takeover – attackers can manipulate hidden fields to take over an authenticated user’s account by changing the user’s password or email address.

  • Authentication Bypass – attackers can manipulate hidden fields to bypass authentication checks and gain access to the application or specific features without providing valid credentials.

  • Cross-Site Scripting (XSS) – attackers can manipulate hidden fields to inject malicious scripts that can execute in the context of the user’s browser and steal sensitive information or perform actions on behalf of the user.

  • Privilege Escalation – attackers can manipulate hidden fields to elevate their privileges on the application or server, allowing them to access sensitive data or perform unauthorized actions.

Practicing in test for Hidden Field Manipulation

Understand the application’s functionality and design – Before testing for Hidden Field Manipulation, it is important to have a clear understanding of the application’s purpose, features, and architecture. This will help you identify potential vulnerabilities and test them more effectively.

Identify input fields and parameters – Hidden fields are just one type of input field that can be vulnerable to manipulation. Identify all input fields and parameters that are used by the application and focus on testing them thoroughly.

Use automated testing tools – There are many automated testing tools available that can help you identify potential vulnerabilities related to Hidden Field Manipulation. These tools can help you scan the application for vulnerabilities quickly and efficiently.

Test for specific vulnerabilities – Once you have identified input fields and parameters, focus on testing for specific vulnerabilities related to Hidden Field Manipulation, such as CSRF, session hijacking, or SQL injection.

Try different values and inputs – When testing for Hidden Field Manipulation, try different values and inputs for input fields and parameters, including invalid or unexpected values. This can help you identify vulnerabilities that may not be apparent under normal conditions.

Test for edge cases and boundary values – In addition to testing for different values and inputs, test for edge cases and boundary values, such as maximum or minimum input lengths, to ensure that the application can handle these inputs properly.

Monitor traffic and behavior – Use traffic monitoring tools and browser extensions to monitor the application’s traffic and behavior during testing. This can help you identify suspicious or unexpected behavior that may indicate a vulnerability.

Test in different environments – Test the application in different environments, such as different browsers, operating systems, and devices, to ensure that it behaves consistently and securely across all platforms.

For study Hidden Field Manipulation

OWASP Top 10 – Hidden Field Manipulation is one of the vulnerabilities listed in the OWASP Top 10, which is a widely recognized document that outlines the most common web application security risks. The OWASP website provides in-depth information on this vulnerability and how to prevent it.

Web Application Hacker’s Handbook – This book is a comprehensive guide to web application security testing and includes a section on Hidden Field Manipulation. It provides detailed information on how this vulnerability can be exploited and how to test for it.

Online courses and tutorials – There are many online courses and tutorials available that cover web application security testing, including Hidden Field Manipulation. Some popular platforms for online learning include Udemy, Coursera, and Pluralsight.

Testing tools – There are many testing tools available that can help you test for Hidden Field Manipulation, including both open source and commercial options. Some popular testing tools include OWASP ZAP, Burp Suite, and Acunetix.

Practice websites and challenges – There are many websites and challenges available that allow you to practice testing for Hidden Field Manipulation in a safe and controlled environment. Some popular examples include OWASP Juice Shop and WebGoat.

Books with review of Hidden Field Manipulation

Web Application Hacker’s Handbook by Dafydd Stuttard and Marcus Pinto – This book is a comprehensive guide to web application security testing and includes a section on Hidden Field Manipulation.

The Tangled Web: A Guide to Securing Modern Web Applications by Michal Zalewski – This book covers various web application security issues, including Hidden Field Manipulation.

Hacking Exposed Web Applications, 3rd Edition by Joel Scambray, Vincent Liu, and Caleb Sima – This book provides a detailed guide to web application security, including Hidden Field Manipulation.

Web Security Testing Cookbook: Over 100 hands-on recipes to help you master web security testing with Kali Linux by Paco Hope and Ben Walther – This book includes recipes and techniques for testing web application security, including Hidden Field Manipulation.

Hands-On Penetration Testing on Web Applications by Pranav Hivarekar – This book provides a hands-on approach to web application penetration testing, including testing for Hidden Field Manipulation.

Black Hat Python: Python Programming for Hackers and Pentesters by Justin Seitz – This book provides an introduction to Python programming for security professionals and includes a section on web application security, including Hidden Field Manipulation.

Advanced Penetration Testing: Hacking the World’s Most Secure Networks by Wil Allsopp – This book provides an advanced guide to penetration testing, including web application security and Hidden Field Manipulation.

Gray Hat Hacking: The Ethical Hacker’s Handbook by Allen Harper, Daniel Regalado, Ryan Linn, Stephen Sims, and Branko Spasojevic – This book covers various hacking techniques, including web application security and Hidden Field Manipulation.

Web Application Security, A Beginner’s Guide by Bryan Sullivan and Vincent Liu – This book provides an introduction to web application security and includes a section on Hidden Field Manipulation.

Cross-Site Scripting Attacks: XSS Exploits and Defense by Seth Fogie, Jeremiah Grossman, and Robert Hansen – This book covers various types of web application attacks, including Hidden Field Manipulation and cross-site scripting (XSS) attacks.

List of payloads Hidden Field Manipulation

  • Changing the value of a hidden input field to a higher or lower value than intended. Example: Changing the value of a hidden field that specifies the price of a product in an e-commerce website to a lower value, allowing the attacker to buy the product for less than the intended price.

  • Changing the value of a hidden input field to a different value than intended. Example: Changing the value of a hidden field that specifies the destination of a form submission to a different URL, causing the data to be submitted to a different website than intended.

  • Adding new hidden input fields to a form. Example: Adding a new hidden field that contains a value that can be used to exploit a vulnerability in the server-side code that processes the form.

  • Removing existing hidden input fields from a form. Example: Removing a hidden field that contains a security token used to prevent cross-site request forgery (CSRF) attacks, allowing an attacker to bypass this security measure.

  • Tampering with the values of hidden input fields using browser tools. Example: Using a browser extension or developer console to modify the values of hidden fields in real-time, allowing the attacker to manipulate the behavior of the web application.

How to be protected from Hidden Field Manipulation

  1. Use secure coding practices: Developers should follow secure coding practices, such as input validation and sanitization, to prevent malicious inputs from being processed by the web application.

  2. Use HTTPS: Using HTTPS to encrypt data in transit can help prevent an attacker from intercepting and modifying data sent between the client and server.

  3. Use anti-CSRF tokens: Implementing anti-CSRF tokens in web forms can help prevent attackers from submitting malicious data to the server by requiring a token that is only available to the client.

  4. Avoid relying solely on hidden input fields for security: Hidden input fields should not be relied on as the sole mechanism for implementing security measures, as they can be manipulated by attackers.

  5. Implement server-side validation: Implement server-side validation to verify that data submitted by the client is valid and within expected parameters, regardless of what is submitted in hidden fields.

  6. Regularly update and patch software: Keeping web server software up to date with the latest security patches can help prevent attackers from exploiting known vulnerabilities.

  7. Use web application firewalls (WAFs): Implementing a WAF can help detect and block attacks, including Hidden Field Manipulation attacks.

Mitigations for Hidden Field Manipulation

  1. Use server-side validation: Implement server-side validation to check the values submitted by the client, regardless of what is submitted in hidden fields.

  2. Use anti-CSRF tokens: Implement anti-CSRF tokens in web forms to prevent attackers from submitting malicious data to the server.

  3. Use HTTPS: Use HTTPS to encrypt data in transit to prevent attackers from intercepting and modifying data sent between the client and server.

  4. Use a Content Security Policy (CSP): A CSP can help prevent XSS attacks and can be configured to block the execution of malicious scripts injected via Hidden Field Manipulation.

  5. Use a web application firewall (WAF): Implementing a WAF can help detect and block Hidden Field Manipulation attacks, as well as other types of web application attacks.

  6. Don’t rely solely on hidden input fields for security: Hidden input fields should not be relied on as the sole mechanism for implementing security measures, as they can be manipulated by attackers.

  7. Implement input validation and sanitization: Developers should implement input validation and sanitization to prevent malicious inputs from being processed by the web application.

  8. Keep software up to date: Keeping web server software up to date with the latest security patches can help prevent attackers from exploiting known vulnerabilities.

Conclusion

Hidden Field Manipulation is a type of web application attack that involves manipulating the values of hidden input fields in order to bypass client-side validation and submit malicious data to the server. This can lead to a range of attacks, including CSRF and XSS attacks.

To mitigate Hidden Field Manipulation attacks, developers should implement server-side validation, anti-CSRF tokens, HTTPS, a Content Security Policy, a web application firewall, input validation and sanitization, and keep their software up to date with the latest security patches.

It is important for web application developers to be aware of the risks associated with Hidden Field Manipulation and to implement the necessary measures to protect against such attacks. Additionally, regular security testing and auditing can help identify and mitigate any vulnerabilities that may exist in the web application.

Other Services

Ready to secure?

Let's get in touch