December 2012
Intermediate to advanced
552 pages
13h 16m
English
Content preview from Web Application Defender's Cookbook
Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.
Recipe 3-4: Adding Fake Hidden Form Fields
This recipe shows you how to add fake hidden form field data to existing forms and alert if the data is ever manipulated.
Ingredients
- ModSecurity Reference Manual4
- SecStreamOutBodyInspection directive
- SecContentInjection directive
- STREAM_OUTPUT_BODY variable
- @rsub operator
Hidden Form Fields
HTML hidden form fields are just like normal form fields, except for one distinct difference: The browser doesn’t display them to the user. Hidden fields are used as a mechanism to pass data from one request to another, and their contents are not supposed to be altered. Web developers often mistakenly believe that hidden parameter data cannot be manipulated, but this is not the case. The browser does hide these form fields, but the client still can access the data. He can either view the source or use a browser plug-in. Figure 3-7 shows an example of using the Groundspeed plug-in for the Firefox browser to view hidden form fields on the Twitter login page.
The main benefit of the Groundspeed plug-in is that you can correlate a page’s raw HTML elements to the actual user interface. Figure 3-7 shows a hidden form field named context with a value of front within the Sign Up form.
This is how the raw HTML hidden form field looks in the source:
<input type="hidden" value="front" name="context">Figure 3-7: Hidden form fields on Twitter’s login page
When the user clicks the ”Sign up for Twitter” button, the hidden form field data is sent, ...
Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.
Read now
Unlock full access
More than 5,000 organizations count on O’Reilly
O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.Julian F.
I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.Addison B.
I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.Amir M.
I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.