这些隐藏字段的使用不安全吗? [英] Are these uses of hidden fields insecure?
问题描述
我正在增强一个遗留系统(我没有帮助构建),并且想从其他人那里找出我注意到的某些事情是否是合法的安全问题.
I'm enhancing a legacy system (which I didn't help to build) and would like to find out from other people if some things that I've noticed are legitimate security issues or not.
首先,应用程序通过登录获得保护.但是,一旦用户登录,整个应用程序将有 11 个页面,其中隐藏字段存储文件名的值以及下载路径.
First of all, the application is secured via a login. However, once a user is logged in, throughout the application there are 11 pages in which a hidden field stores the value of a file name as well as the path to download.
Javascript 用于自动提交表单,然后用户下载文件并将其保存到他或她的计算机上.我认为这个值可能会改变,用户会在不知不觉中下载恶意文件.
Javascript is used to automatically submit the form and the user then downloads and saves the file to his or her computer. I'm thinking that this value could be changed and the user would unknowingly download a malicious file.
此外,有许多页面将引用页面保存在隐藏字段中,以便用户可以在保存表单时返回上一页.如果这些都是合法的问题,那又如何呢?如果可能的话,他们将如何受到攻击?风险或潜在影响的程度如何?我问的原因是,如果是这样,我可以提出需要修复应用程序的情况.仅仅说这不是最佳做法"还不够充分.
Also, there's numerous pages that have the referring page saved in a hidden field so that the user can return to the previous page when a form is saved. If these are legitimate issues, how so? How would they be attacked, if that were possible? What's the level of risk or potential impact? The reason I ask is so that I can put forward the case that the application would need to be fixed, if so. Just saying that "this isn't a best practice" is just not a good enough reason.
感谢您的反馈!
推荐答案
很可能不安全.隐藏的表单字段是一个实现细节.
Very likely insecure. Hidden form fields are an implementation nicety.
具体来说,您不能依赖于发送回服务器的表单字段的值与原始 HTML 呈现的值相同.
如果服务器实施了诸如输入清理、校验和、散列、加密等对策,则使用可能会更安全一些.例如,ASP.NET 使用 ViewState 做到这一点.
If the server implements countermeasures such as sanitization of inputs, checksums, hashing, encryption, etc., the usage may be somewhat more secure. ASP.NET does this with ViewState, for instance.
说...
想看看它有多不安全吗?使用 Chrome 或 Firefox 开发人员工具将隐藏字段的输入类型属性之一从隐藏"更改为文本",然后观察文本字段的显示(您可以在其中更改它并提交您喜欢的任何值).
Want to see how insecure it is? Change one of the hidden field's input type attribute from "hidden" to "text" using Chrome or Firefox developer tools, and watch the text field appear (where you can change it and submit whatever value you like).
我还强烈建议阅读 Matt 在他的回答中关于潜在风险分析的观点.
I'd also highly recommend reading Matt's points on potential risk analysis in his answer.
这篇关于这些隐藏字段的使用不安全吗?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
