Is it safe to leave crucial information in a hidden input in HTML?

Viewed 284 times

4

Can I leave, for example, the ID of a user that I will do a SELECT on in the hidden input, and use it (the id) without having to confirm that that ID belongs to the logged-in user? In other words, can the user change the hidden input?

  • 1

    Yes. It can be changed in the console, and there is the developer tool in the browser.

  • Even disabled or read-only information? I’ve always known about text inputs.

  • Not safe. In the console, run:

        $("input[type=hidden]").each(function() {
          console.log("Valor do hidden: " + $(this).val());
        });

    That gets you the values of all hidden inputs on the page.

  • 4

    Any client information can be changed, the safest is to always validate on the server: https://answall.com/q/13298/112052

  • Interesting. As for the validation, is it better in the front end or the back end? In the example I gave, since there is a query, it will have to be the back end. However, it made me think of this situation: a form needs to be validated. The programmer, before submitting the form, validates everything in JavaScript, leaving all inputs validated, and puts in code to submit the form via JavaScript. If the malicious user can "pause" the browser right after validation, change the inputs again and "pause" before submitting, there would be a problem. Or am I dreaming too much? Is it possible to "pause" the browser?

  • Answer me something: what is the guy going to do with a number?

  • 2

    The JS validation is a help to avoid sending information that you know is wrong, and thus minimize the load on the server. But nobody guarantees that you won’t get wrong information even with that validation. So if you want to make sure you’re right, you have to validate on the server. Remember that even in the browser I can turn off JavaScript completely and send the wrong information. I can even open a program to make HTTP requests (like Fiddler2 or Postman) and request the right URI with data that makes no sense and break your application.

2 answers

4

Everything on the client’s machine is manipulable. Everything you receive from outside your server is unreliable. If your server is not absolutely safe and your code cannot be trusted (an absurd number of servers are invaded for months or years and people do not know, because they think it is easy to mess with it and that the invasion will be apparent; the good invaders do not let you realize).

If your system depends on quality information coming from outside in order to work, it is very wrong. No one even needs your page to send inappropriate things to your server, and whatever they ask for that you decide to deliver, they will have access to.

The only thing the hidden element of the form does is not show the information on the screen, but it is there, extremely freely. But as said above, it does not even matter whether it is hidden or not: as long as you have released the information somehow, it is available.

Your vision is completely wrong; you don’t need a browser to do any of this. Invasions are done because there are people who understand how technology works and there are so many millions who don’t understand and leave everything vulnerable. People think they can make websites that are functional and secure just by writing a bit of code. The amount of knowledge needed is enormous and deeper than coding something.

Is the id confidential information? I doubt it, but if it is, you cannot pass it to anyone. If your system depends on the secrecy of the id, your application must have something very wrong.

If your system lets outside people do something they shouldn’t just because they know the id, your system is very wrong. What gives security to your system is you coding properly and understanding all kinds of attacks that can be made. Confirm what? If you don’t have a reliable authentication and authorization system, you don’t have anything to confirm.

An example: about 80 or 90% of the code that people post here that has a query suffers from SQL Injection. We (some of us; others don’t even care) teach the right way and the person keeps doing it wrong. Most people haven’t even heard the term, and that’s just the most obvious kind of attack.
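The point above, that identity and authorization must come from the server and never from a form field, as an added example that is not part of the original answer. It assumes a hypothetical framework that exposes `req.session` (set at login) and `req.body` (parsed form fields); the profile table and the request are constructed sample data.

```javascript
// Added example (not from the original thread): a minimal server-side handler
// showing why a hidden <input name="user_id"> must not be trusted.
// Assumptions: `req.session.userId` is set by the login flow and `req.body`
// holds the parsed form fields; both names are hypothetical.

// Constructed sample data standing in for a database table.
const PROFILES = {
  1: { userId: 1, email: "alice@example.com" },
  2: { userId: 2, email: "bob@example.com" },
};

// Vulnerable: believes the user_id that arrived in the hidden field.
function getProfileInsecure(req) {
  const id = Number(req.body.user_id);        // whatever the client chose
  const row = PROFILES[id];
  return row ? { status: 200, body: row } : { status: 404 };
}

// Hardened: identity comes from the server-side session, never the form.
// If the form still names a record, the handler checks that the logged-in
// user is allowed to read that record (authorization) instead of trusting it.
function getProfileSecure(req) {
  if (!req.session || !Number.isInteger(req.session.userId)) {
    return { status: 401 };                    // not authenticated
  }
  const requested = Number(req.body.user_id);
  if (!Number.isInteger(requested)) return { status: 400 }; // malformed field
  if (requested !== req.session.userId) {
    return { status: 403 };                    // authenticated, but not this record
  }
  const row = PROFILES[requested];
  return row ? { status: 200, body: row } : { status: 404 };
}

// Constructed request: Alice (session userId 1) submits a form whose hidden
// field was edited in the browser devtools to 2.
const forgedRequest = { session: { userId: 1 }, body: { user_id: "2" } };

console.log("insecure:", getProfileInsecure(forgedRequest).status); // 200, Bob's row leaks
console.log("secure:  ", getProfileSecure(forgedRequest).status);   // 403
```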

-1

Well... if this ID is considered confidential information, the correct thing is not to handle it through elements in HTML, since it can be found by inspecting the page. If it is a more experienced user who knows about the browser devtools, yes, he will be able to change the hidden input. The correct thing would be to handle this information through the server or even JavaScript, without tying it exactly to an HTML input. Another solution would be to put it as a parameter in the URL (if it is not confidential information, of course).
