Cross Site Scripting - Hidden Form Fields


Question

My application is being penetration tested.

One of the XSS items being flagged is that I'm using a hidden form field to store a record id in a browser/search screen, then using this id to open the full record (via a POST).

I'm struggling to see how this is an XSS attack. Am I missing something?

Answer

What happens if the form is submitted with that value changed?

Exposing an actual database id risks allowing access to rows in your DB that belong to another user.

If you are exposing a database id and using it in a SQL query, you should ensure that the SQL query uses a bind variable for that id (or properly escapes it, but bind variables are better) and do business rule checks to make sure the row corresponding to the id actually should be visible to the current application user.

This isn't really an XSS issue, but it's definitely a security issue.
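The two fixes the answer recommends (a bind variable for the id, and a business rule check that the row belongs to the current user) side by side with the pattern the pentest flagged. This is an added example, not code from the question or the answer; the schema, the `records`/`owner_id` names and the sample rows are constructed for the demonstration, and the "current user" is passed in explicitly where a real application would take it from the session.

```python
import sqlite3


def make_db():
    """Constructed in-memory schema with one row per user (not from the original post)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE records ("
        "id INTEGER PRIMARY KEY, owner_id INTEGER NOT NULL, body TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO records VALUES (?, ?, ?)",
        [(1, 100, "alice's record"), (2, 200, "bob's record")],
    )
    return conn


def open_record_unsafe(conn, posted_id):
    """The flagged pattern, kept deliberately vulnerable for contrast.

    The hidden field value is trusted as-is: it is concatenated into the SQL
    text (no bind variable) and nothing checks who owns the row, so a user who
    edits the hidden field before submitting gets someone else's record.
    """
    sql = "SELECT body FROM records WHERE id = " + str(posted_id)
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def open_record_safe(conn, posted_id, current_user_id):
    """Hardened version of the same lookup.

    1. The id is parsed as an integer and passed as a bind variable, so the
       value can never change the shape of the query.
    2. The ownership rule is part of the query itself: the row must belong to
       the authenticated user, otherwise it is treated as not found.
    """
    try:
        record_id = int(posted_id)
    except (TypeError, ValueError):
        return None  # malformed id from the client: nothing to look up
    row = conn.execute(
        "SELECT body FROM records WHERE id = ? AND owner_id = ?",
        (record_id, current_user_id),
    ).fetchone()
    return row[0] if row else None


def simulate_post(current_user_id, hidden_field_value):
    """Simulate one POST whose hidden field carries hidden_field_value.

    Returns (unsafe_result, safe_result) so the two behaviours can be compared
    for the same tampered input.
    """
    conn = make_db()
    return (
        open_record_unsafe(conn, hidden_field_value),
        open_record_safe(conn, hidden_field_value, current_user_id),
    )


if __name__ == "__main__":
    # Alice (owner_id 100) submits her own id, then a hidden field edited to Bob's id.
    print(simulate_post(100, "1"))  # both variants return Alice's record
    print(simulate_post(100, "2"))  # unsafe leaks Bob's record; safe returns None
```

Returning "not found" for a row that exists but belongs to someone else is deliberate: answering differently for "no such row" and "not your row" would let a client enumerate which ids exist. If the application needs to distinguish the two cases internally (for example to log the attempt), do that server-side and keep the response to the client identical.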

