SIN 4USE OF MAGIC URLS, PREDICTABLE COOKIES, AND HIDDEN FORM FIELDS
OVERVIEW OF THE SIN
Imagine going to a web site to buy a car at any price you want! This could happen if the web site uses data from a web hidden form to determine the car price. Remember, there’s nothing stopping a user from looking at the source content, and then sending an “updated” form with a massively reduced price (using Perl, for example) back to the server. Hidden fields are not really hidden.
Another common problem is “Magic URLs”: many web-based applications carry authentication information or other important data in URLs. In some cases, this data should not be made public, because it can be used to hijack or manipulate a session. In other cases, Magic URLs are used ...
Get 24 Deadly Sins of Software Security: Programming Flaws and How to Fix Them now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.