in reply to Modifying values in html form
Greetings,
In my humble opinion, it is best to use only the POST method within such forms, and simply drop attempts submitted via GET. This greatly eliminates common methods to alter submissions via the URL/Location field(s) in their web client (browser), e.g.:
http:/your.domain/location/to/your/script?product=expensive-product&price=free
While hidden fields aren't really hidden, should anyone simply choose View->Source from their browser, it is fairly trivial to encode those fields via base64, or even sha256. All modern browsers will render those fields correctly, but a View->Source will reveal only seeming gibberish. While a savvy, seasoned programmer/user might recognize the fields as being "packed", is it really worth the bother?
Anyway, while it isn't ever really possible to completely secure online form(s)/form data, things like this, that "raise the bar to entry", will usually thwart most attempts, if for no other reason than that it simply doesn't seem worth the bother.
HTH
--Chris
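As an added example (not Chris's code, nor anything from the thread), here is how a server-side script might apply that advice in Perl: it drops GET submissions, takes the price from its own table rather than from the form, and, instead of plain base64, signs the hidden field with an HMAC so an altered value is rejected rather than merely obscured. The secret key, the product table and the `order` field name are constructed for this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);
use MIME::Base64 qw(encode_base64 decode_base64);

# Constructed placeholder; a real deployment loads the key from outside the script.
my $KEY = 'replace-with-a-long-random-secret';

# Authoritative price list: the server, not the browser, decides what a product costs.
my %PRICE = ( 'widget' => '9.99', 'expensive-product' => '1999.00' );

# Build the hidden field value: base64 of "product|price" plus an HMAC over that
# string, so the field is both packed and tamper-evident.
sub pack_hidden {
    my ($product) = @_;
    my $payload = encode_base64("$product|$PRICE{$product}", '');
    return $payload . '.' . hmac_sha256_hex($payload, $KEY);
}

# Handle one submission; %req carries the HTTP method and the form fields.
sub handle_submission {
    my (%req) = @_;
    return 'rejected: GET not accepted' if ($req{method} // '') ne 'POST';
    my ($payload, $mac) = split /\./, ($req{order} // ''), 2;
    return 'rejected: malformed field' unless defined $mac;
    # Recompute the MAC; a field edited in View->Source or a proxy no longer matches.
    # (Plain eq is not constant-time; use a constant-time compare in production.)
    return 'rejected: tampered field' unless hmac_sha256_hex($payload, $KEY) eq $mac;
    my ($product, $price) = split /\|/, decode_base64($payload), 2;
    return 'rejected: unknown product' unless exists $PRICE{$product};
    # Even with a valid MAC, charge the server-side price, never the submitted one.
    return "accepted: $product at $PRICE{$product}";
}

# Demo: an honest POST, the URL-edited GET from the post above, and a POST whose
# hidden field was re-encoded with a different price but no valid MAC.
my $good = pack_hidden('expensive-product');
print handle_submission(method => 'POST', order => $good), "\n";
print handle_submission(method => 'GET', product => 'expensive-product', price => 'free'), "\n";
my $edited = encode_base64('expensive-product|0.00', '') . '.' . ('0' x 64);
print handle_submission(method => 'POST', order => $edited), "\n";
```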