
Could A Malicious Hacker Alter A Hidden Post Variable

I know that a POST can be spoofed in terms of originating domain, but what about being able to change the variables of the hidden POST variables in my HTML? I am concerned that som

Solution 1:

Yes, it is trivially easy for anyone to modify your form variables. Whether they are GET or POST doesn't matter at all.

Web security rule #1: Never trust any user input. Also stated as "All users are malicious hackers" or some variant thereof.

answer to comment: The solution is to know all of the correct values on the server side, without having to pass them through the client side (Javascript). So regardless of what the form says, you already know the price. Just use the same value you used to populate the form in the first place.

Solution 2:

Update 2020:

OWASP covers this topic in "Injection Theory", where applications accept data from untrusted, uncontrolled, or potentially compromised sources.

Injection is an attacker’s attempt to send data to an application in a way that will change the meaning of commands being sent to an interpreter.

Review this OWASP "cheatsheet" for an overview of mitigations that can be implemented to better secure REST based endpoints.


Yes, it is very simple to do with browser inspector tools, JavaScript, cURL and other tools.


You shouldn't rely on the amount field being what you'd initially transmitted in the response to the client. A more secure approach would be to rely on an identifier for an item, which you can map to a price on the server (a more controlled environment).
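The point made in Solution 1 and Solution 2 (know the price on the server; read only an item identifier from the client), shown as an added example that is not part of the original question or answers. The catalogue, request bodies and function names below are all constructed for illustration; the vulnerable variant is included only to show why the posted amount cannot be trusted.

```python
from urllib.parse import parse_qs

# Constructed server-side catalogue: the server is the only source of truth for prices.
CATALOG = {
    "sku-100": {"name": "Widget", "price_cents": 1999},
    "sku-200": {"name": "Gadget", "price_cents": 4950},
}


def total_trusting_hidden_price(body: str) -> int:
    """Vulnerable pattern: the amount comes straight from the hidden form field.
    Anyone can rewrite the POST body, so the client effectively chooses its own price."""
    form = parse_qs(body)
    qty = int(form.get("qty", ["1"])[0])
    price = int(form.get("price_cents", ["0"])[0])
    return qty * price


def total_from_server_catalog(body: str) -> int:
    """Safer pattern: only the item identifier and quantity are read from the client;
    the price is looked up on the server. Unknown items and bad quantities are rejected."""
    form = parse_qs(body)
    sku = form.get("sku", [""])[0]
    item = CATALOG.get(sku)
    if item is None:
        raise ValueError(f"unknown item: {sku!r}")
    try:
        qty = int(form.get("qty", ["1"])[0])
    except ValueError:
        raise ValueError("quantity is not an integer")
    if not 1 <= qty <= 100:
        raise ValueError("quantity out of range")
    # Whatever price_cents the client sent is simply never read.
    return qty * item["price_cents"]


def rejects(body: str) -> bool:
    """True if the server-side validation refuses this request body."""
    try:
        total_from_server_catalog(body)
    except ValueError:
        return True
    return False


# Constructed request bodies. The first is what the real form would send; the second
# is the same request with the hidden price rewritten, which is trivial with curl or
# the browser's developer tools.
HONEST_BODY = "sku=sku-100&qty=2&price_cents=1999"
TAMPERED_BODY = "sku=sku-100&qty=2&price_cents=1"

if __name__ == "__main__":
    print(total_trusting_hidden_price(TAMPERED_BODY))  # 2: the client set the price
    print(total_from_server_catalog(TAMPERED_BODY))    # 3998: posted price ignored
```

The check that matters is not which transport carried the value (GET or POST) but that the server never derives money, permissions or identity from a field it previously handed to the client; it re-derives them from its own data keyed by the identifier.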

Solution 3:

Yes, it is possible to change that value using javascript. If you haven't practiced using javascript, you can also do the test using Google Chrome's Developer Tools.

In fact this is one of the main reasons not to rely on user input.

Solution 4:

Forget javascript and browser tools. Please realize that I can send ANY cookie, POST and GET argument (key and value pairs) I want, regardless of whether this is a form for them. (See cURL)

Frank said "At the store, you would very rarely see clients fill their shopping carts, and then tell the cashier how much they have to pay."

Try to think of it like that. The browser (not user) is the client and the server is the cashier. Any information that flows from the browser to the server can be anything I want.

Solution 5:

Yes. It gets worse because they don't even have to alter your page to do it. A user could use any text editor to construct an html page with a form full of text boxes, load it from local disk, fill them with whatever they want and hit submit. OTOH, that will show up in some header values.

Or if they are really determined, they can connect to port 80 on your server via telnet and forge the entire HTTP request including headers.

There is not a single byte of the incoming request that you can trust.

That said, there are known solutions to these problems that are generally implemented in terms of hashes, signatures and cryptography, but I don't know enough to suggest where to look for them.
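One of the hash-and-signature approaches Solution 5 alludes to, as an added example that is not from the original answer: the server signs the hidden fields it emits with an HMAC and refuses any submission whose tag no longer matches. The secret, field names and request bodies are constructed for illustration; `sign_hidden_fields`, `render_form_body` and `verify_posted_fields` are assumed helper names, not a library API.

```python
import hashlib
import hmac
from typing import Optional
from urllib.parse import parse_qs, urlencode

# Constructed secret for the demo. In a real deployment it exists only on the server
# (loaded from configuration) and is never sent to the client.
SERVER_SECRET = b"constructed-demo-secret-do-not-reuse"

# The hidden fields the server chooses and wants to recognise unchanged on the way back.
SIGNED_FIELDS = ("sku", "price_cents")


def sign_hidden_fields(fields: dict) -> str:
    """HMAC-SHA256 over the signed fields in a fixed order, so the tag is reproducible."""
    canonical = "&".join(f"{k}={fields[k]}" for k in SIGNED_FIELDS)
    return hmac.new(SERVER_SECRET, canonical.encode(), hashlib.sha256).hexdigest()


def render_form_body(fields: dict) -> str:
    """What the server embeds in the form: the hidden fields plus their tag ('sig')."""
    hidden = {k: fields[k] for k in SIGNED_FIELDS}
    hidden["sig"] = sign_hidden_fields(fields)
    return urlencode(hidden)


def verify_posted_fields(body: str) -> Optional[dict]:
    """Recompute the tag over what was posted. Return the fields only if the tag matches;
    a missing or altered field, or a missing tag, yields None and the request is refused."""
    form = parse_qs(body, keep_blank_values=True)
    try:
        posted = {k: form[k][0] for k in SIGNED_FIELDS}
        sig = form["sig"][0]
    except KeyError:
        return None
    expected = sign_hidden_fields(posted)
    # Constant-time comparison so the check does not leak how many bytes matched.
    if not hmac.compare_digest(expected, sig):
        return None
    return posted


# Constructed round trip: the server renders the form, the client posts it back,
# once untouched and once with the price rewritten.
ORIGINAL_BODY = render_form_body({"sku": "sku-100", "price_cents": "1999"})
TAMPERED_BODY = ORIGINAL_BODY.replace("price_cents=1999", "price_cents=1")

if __name__ == "__main__":
    print(verify_posted_fields(ORIGINAL_BODY))  # {'sku': 'sku-100', 'price_cents': '1999'}
    print(verify_posted_fields(TAMPERED_BODY))  # None
```

The tag proves that the server itself produced those exact field values; it does not prove they are still current (an old signed form can be re-posted after a price change), and it does nothing for fields outside `SIGNED_FIELDS`. Looking the price up on the server by identifier, as the earlier answers suggest, is the simpler fix; a signature is useful when the server genuinely needs to round-trip state through the client.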
