html input hidden field poor usage can lead to major Web vulnerability

E-commarce, Online Premuium Service providers and many others uses payment medium to get the payment using CC,Net Banking etc. Payment Gateways are the Integration layer between the web application and the Banking service layer. These gateways are mostly the loosely coupled,third party source code provided by the authorized Payment Gateway Providers. Ex of Payment gateways are paypal,authorize,securepay.

Once i found a serious issue on all the applications of a matrimonial website. The payment medium was suffering from CSRF that was leading to access to their premium services for free. I contacted the organization regarding the same and reported the issue upfront. Although I wasn’t expecting any thing much in return but being a very good startup , they should have given something for the the issue that may have lead to a serious loss to them. Those greedy , smart executives pulled out all the Bug information from me and called me cya in the end. 😛

On the similar line , the demo issue is explained below.

The web application when redirecting to payment gateway with the data like amount,id’s etc should be validated and authorized against the data tampering.

Poorly written web application can suffer from Get,Post Parameter Tampering that may lead to unexpected results.
Still many programmers use HTML hidden fields to store information. Though it may be the fastest and easy way to transmit date from client to server but it can go vulnerable if the hidden fields stores data and the same date is not validated against tampering. Ex. Cart says 4000 US $ and the payment Medium says 1 US $. This can happen if the cart amount is stored in the hidden form fields.

Below is a sample vulnerable HTML/PHP code

Below is the sample Server side PHP code handling the POST data poorly.

Below is the HTTP Request/Response for a valid/non tampered request. Amount is 4000 as you can see in the request.

Below is the HTTP Request/Response for the tampered Request. You can see the amount is 10 and not 4000. HTTP tampering can be done using many utilities like web developer browser addons,tamper data addon,Burpsuite etc.

Due to lack of coding standard and server side validation, the tampered HTTP request was entertained by the server and processed to success as well.

HTML Hidden field should never be used for storing sensitive data and they are inside form and can be tampered.

Demo Link also available
Demo Vulnerable http tampering
Demo secure application against Http Tampering

How to secure ?

Multiple ways!

1. Using Public Private Key sharing functionality like OpenSSL.

  • Firstly generating the public , private keys using any SSL app.
  • Sharing the public key with the Payment Gateway server.
  • Putting the private key on the Web Server.
  • Downloading the Payment Gateway Certificate and storing it on the Webserver so as to make the authentication.
  • Having a check for unsigned/unencrypted request on the Payment Gateway source code integrated with the Web Application.
  • This way the client details can never be tampered as the communication medium in encrypted.

    2. Easy way is to eliminate all the hidden fields with sensitive data and putting the id as an identification parameter for the object.

    http hidden can be used a tracking functionality. Server side code needs to know about the id of the object and can pull out the price against the id. This way the amount can never be tampered.

    Example code:

    3.Another way is to go for functionality similar to Paypal’s Instant Payment Notification (IPN) which track the purchase and other communications on the real time.

    Wiki link for more details.Wiki

    Attached are the sample applications to demonstrate the vulnerable web application and secure application.

    Vulnerable WebApp Http Tampering

    Secure App against HTTP Tampering

    Leave a Reply

    Your email address will not be published. Required fields are marked *

    Blue Captcha Image