HTML5 : Hidden HTML field
Overview
The application uses a hidden field.
<input> elements of type hidden let web developers include data in a form that is not displayed on the rendered page when the form is submitted.
The developer could assume that users cannot see the hidden field and cannot manipulate the data transferred through it. This assumption is wrong: the field is part of the page markup, and attackers can transfer any data, including malicious data, through hidden fields.
A hidden field must not be used to transfer valuable information. Its contents are cached by the browser, which can lead to data confidentiality loss.
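The following added example (not part of the original entry or of DerScanner) contrasts a server-side handler that trusts a hidden field with one that takes the value from server-side state instead. The field names item, qty and price, the catalog and the request bodies are assumptions constructed for the illustration.

```javascript
// Server-side price list: the only trusted source for prices (constructed data).
const CATALOG = new Map([
  ["sku-100", { name: "Notebook", priceCents: 1299 }],
  ["sku-200", { name: "Pen", priceCents: 199 }],
]);

// VULNERABLE: trusts the hidden "price" field exactly as the browser sent it.
function totalTrustingHiddenField(body) {
  const form = new URLSearchParams(body);
  return Number(form.get("price")) * Number(form.get("qty"));
}

// HARDENED: the hidden field is never used in the calculation. Only the item id
// and the quantity are read, both are validated, and the price comes from CATALOG.
function totalFromServerState(body) {
  const form = new URLSearchParams(body);
  const item = CATALOG.get(form.get("item") ?? "");
  if (!item) return { ok: false, error: "unknown item" };

  const qtyRaw = form.get("qty") ?? "";
  const qty = Number(qtyRaw);
  if (!/^[0-9]{1,3}$/.test(qtyRaw) || qty < 1) {
    return { ok: false, error: "invalid quantity" };
  }

  // A hidden price that differs from the catalog indicates the form was altered;
  // the flag lets the caller log the request for review.
  const sent = form.get("price");
  const tampered = sent !== null && sent !== String(item.priceCents);
  return { ok: true, totalCents: item.priceCents * qty, tampered };
}

// Constructed request bodies: one as the form was rendered, one changed before submit.
const asRendered = "item=sku-100&qty=2&price=1299";
const edited = "item=sku-100&qty=2&price=1";

console.log("trusting hidden field:", totalTrustingHiddenField(edited));
console.log("server state, as rendered:", totalFromServerState(asRendered));
console.log("server state, edited:", totalFromServerState(edited));
```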
DerScanner Severity Score: LOW
