Securing HTML Forms
I'll admit that I sometimes use hidden form fields in my web applications. I cringe every time I do, but I do it anyway. They're convenient and make it easy to track some elements in a web application.
The problem with hidden form fields is that users can manipulate them. This is done by simply saving the web page to disk, modifying the code, then opening the page on disk in a web browser and submitting the form. This is dangerous and can cause severe problems. Hence, securing forms is essential. This is how I do it:
In ColdFusion, when a user browses a web site, the CGI variables get set on each request. One of these variables is called CGI.HTTP_REFERER (somebody writing the HTTP standard spelled "referrer" wrong; see the [Dictionary.com definition](http://dictionary.reference.com/browse/referer)). Its value is the page that "referred" the user to their current page (see more info on Wikipedia). So, when you submit an HTML form to another web page (usually for processing the form fields), the value of HTTP_REFERER will be the web page that contained the form. That page "referred" you to the page that processes the form.
OK. So, if someone downloads your web page, changes the form code, and then submits it, what is the value of CGI.HTTP_REFERER? Take a look:
![Download html form, change and submit shows the cgi.http_referer as [empty string].](http://www.chrisschofield.com/cmsblog/client/images/Post1.png)
It's blank. This is simply because no Referer header was sent. So, what if someone downloads your web page, changes the form code, uploads it to their own web site, and then submits it?

It's the URL of the web site the form was submitted from, i.e. the referrer of the form.
So how do I prevent people from downloading my forms and submitting them from somewhere other than my web site's domain? Well, you check to make sure CGI.HTTP_REFERER is from the domain where your web site is located.
BUT WAIT!
Web users can spoof the HTTP_REFERER! With the right tools, you can change it to whatever value you wish. The Firefox add-on RefControl does just that. The RefControl options let you specify custom referrers for specific web sites:

Now every time I make a request to www.go-dss.com my referrer will be the one specified. Using this tool, anyone can change the value of hidden fields and submit them without being detected, especially if you're only using HTTP_REFERER to check where a form was submitted from.
Securing Forms
If you use hidden fields in an HTML form as a way to track any type of information, you must realize that they are vulnerable: they can be changed, and with the prevalence of hackers and hacking tools, they will likely be tampered with.
Here are some suggestions to prevent tampering with hidden fields:
1) Don't use hidden fields.
2) Use session variables instead.
3) Use the form field names to determine what type (topic) of form is being submitted.
4) IMPORTANT: Validate the data prior to usage! Always, always, always validate!
5) Use
In summary... avoid using hidden form fields.
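To make the two points above concrete (a referer check that passes a spoofed header, and session variables plus validation as the safer alternative), here is an added Python example; it is not code from the original post and not ColdFusion, and the host name, session dictionary and field names are constructed for illustration:

```python
import hmac
import secrets
from urllib.parse import urlparse

TRUSTED_HOST = "www.example.com"  # placeholder for your own site's domain


def referer_is_local(headers):
    """The weak check from the post: accept only if the Referer host is ours.
    A form saved to disk sends no Referer and fails, but a tool like
    RefControl can set any value, so a spoofed header passes unnoticed."""
    referer = headers.get("Referer", "")
    return urlparse(referer).hostname == TRUSTED_HOST


def issue_form(session, product_id, price):
    """Keep the authoritative values (what is sold, at what price) in the
    server-side session instead of in hidden fields.  The only thing put in
    the form is a random token that ties this submission back to the session."""
    token = secrets.token_hex(16)
    session["order"] = {"token": token, "product_id": product_id, "price": price}
    return {"form_token": token}  # value for the single hidden field


def process_form(session, post):
    """Validate every submitted field before use and never trust a posted
    'price': the price is taken from the session, not from the client."""
    order = session.get("order")
    if order is None or not hmac.compare_digest(order["token"], post.get("form_token", "")):
        return None, "unknown or replayed form"
    try:
        qty = int(post.get("quantity", ""))
    except ValueError:
        return None, "quantity must be an integer"
    if not 1 <= qty <= 99:
        return None, "quantity out of range"
    return {"product_id": order["product_id"], "total": order["price"] * qty}, None
```

Because the price lives only in the session, a client that edits or adds a `price` field in the saved copy of the form changes nothing on the server.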
