ABSTRACT

The program creates a hidden form field.

EXPLANATION

Programmers often trust the contents of hidden fields, assuming that users cannot see or change them. Neither assumption holds. A hidden field is ordinary form data: it is sent to the browser in the page source and returned in the next request, so anyone with a browser's developer tools or an intercepting proxy can read the value and submit an altered copy, or replace the contents with attack data. Attackers will examine every value written to a hidden field and treat it as an input they control.

Example:

HtmlInputHidden hidden = new HtmlInputHidden();

If hidden fields carry sensitive information, that information is cached in the same way as the rest of the page. Sensitive data can therefore end up in the browser cache (or an intermediate proxy cache) without the user's knowledge.
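The following is an added example, not Fortify's code or the code the page describes. It shows the trust problem from the first paragraph as a checkout handler that reads a price from a hidden field, a request in which the attacker has edited that field, and a hardened handler that keeps only an identifier in the field and recomputes everything else on the server. It also shows the fallback for values that genuinely must round-trip through the client: binding them to an HMAC so that an edit is detected. The class name HiddenFieldDemo, the catalogue, the form posts and the signing key are all constructed for the example; the key in particular is a placeholder for a server-side secret. The program is a plain console application and needs no ASP.NET runtime.

```csharp
// Added example, not Fortify's code: vulnerable and hardened handling of a
// hidden form field, plus HMAC protection for values that must round-trip.
// Catalogue, form posts and the signing key are constructed for the example.
using System;
using System.Collections.Generic;
using System.Globalization;
using System.Security.Cryptography;
using System.Text;

static class HiddenFieldDemo
{
    // Server-side catalogue: the only trustworthy source of prices (constructed).
    static readonly Dictionary<string, decimal> Catalogue =
        new Dictionary<string, decimal> { ["SKU-1001"] = 49.99m };

    static decimal Money(string s) =>
        decimal.Parse(s, NumberStyles.Number, CultureInfo.InvariantCulture);

    // Vulnerable: trusts a price the browser sent back in a hidden field.
    // This is what reading HtmlInputHidden.Value in a code-behind amounts to.
    static decimal CheckoutVulnerable(IDictionary<string, string> form)
    {
        return Money(form["price"]) * int.Parse(form["qty"]);
    }

    // Hardened: the hidden field carries only an identifier, and everything
    // that affects the outcome is recomputed on the server and range-checked.
    static decimal CheckoutHardened(IDictionary<string, string> form)
    {
        if (!Catalogue.TryGetValue(form["sku"], out decimal price))
            throw new InvalidOperationException("unknown item");
        if (!int.TryParse(form["qty"], out int qty) || qty < 1 || qty > 100)
            throw new InvalidOperationException("bad quantity");
        return price * qty;
    }

    // When a value really has to round-trip through the client, bind it to an
    // HMAC under a server-only key so that any edit is detected on return.
    // Placeholder key: a real one lives in server configuration, never in code.
    static readonly byte[] Key = Encoding.UTF8.GetBytes("hypothetical-server-secret");

    static byte[] Mac(string value)
    {
        using (var h = new HMACSHA256(Key))
            return h.ComputeHash(Encoding.UTF8.GetBytes(value));
    }

    // Emit "value.base64(HMAC)". Base64 never contains '.', so LastIndexOf splits safely.
    static string Protect(string value) => value + "." + Convert.ToBase64String(Mac(value));

    static bool TryUnprotect(string field, out string value)
    {
        value = null;
        int dot = field.LastIndexOf('.');
        if (dot < 0) return false;
        byte[] presented;
        try { presented = Convert.FromBase64String(field.Substring(dot + 1)); }
        catch (FormatException) { return false; }
        string candidate = field.Substring(0, dot);
        if (!FixedTimeEquals(Mac(candidate), presented)) return false;
        value = candidate;
        return true;
    }

    // Constant-time comparison written by hand so the code also builds on
    // .NET Framework, where Web Forms and HtmlInputHidden live.
    static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    static void Main()
    {
        // Honest post: exactly the hidden values the page rendered.
        var honest = new Dictionary<string, string>
            { ["sku"] = "SKU-1001", ["price"] = "49.99", ["qty"] = "2" };
        // Tampered post: the attacker edited the hidden price before submitting.
        var tampered = new Dictionary<string, string>
            { ["sku"] = "SKU-1001", ["price"] = "0.01", ["qty"] = "2" };

        Console.WriteLine("vulnerable, honest:   " + CheckoutVulnerable(honest));
        Console.WriteLine("vulnerable, tampered: " + CheckoutVulnerable(tampered));
        Console.WriteLine("hardened,   tampered: " + CheckoutHardened(tampered));

        // Signed round-trip: the genuine field verifies, an edited one does not.
        string signed = Protect("49.99");
        string forged = "0.01" + signed.Substring(signed.LastIndexOf('.'));
        Console.WriteLine("signed verifies: " + TryUnprotect(signed, out string v) + " value=" + v);
        Console.WriteLine("forged verifies: " + TryUnprotect(forged, out _));
    }
}
```

Running it shows the vulnerable handler charging 0.02 for the tampered post while the hardened handler still charges 99.98, and the forged signed field failing verification. The HMAC protects integrity only; it does not hide the value, so the caching concern in the paragraph above still applies to anything sensitive placed in the field. For such pages the server should also disable caching of the response, for example with Response.Cache.SetCacheability(HttpCacheability.NoCache) in Web Forms, or better, keep the sensitive value in server-side session state and put only an opaque identifier in the form.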

REFERENCES

[1] Standards Mapping - Security Technical Implementation Guide Version 3 - (STIG 3) APP3610 CAT I

[2] Standards Mapping - Common Weakness Enumeration - (CWE) CWE ID 472, CWE ID 642

[3] Input Validation and Representation Fortify, An HP Company

[4] Standards Mapping - SANS Top 25 2009 - (SANS 2009) Risky Resource Management - CWE ID 642