 
HTML allows fields in a web form to be visible or hidden. Hidden fields supply values to a web server but do not provide the user with a mechanism to modify their contents. However, there are techniques that attackers can use to modify these contents anyway. A web servlet that uses a GET form to obtain parameters can also accept these parameters through a URL. URLs allow a user to specify any parameter names and values in the web request. Consequently, hidden form fields should not be considered any more trustworthy than visible form fields.
Noncompliant Code Example
The following noncompliant code example demonstrates a servlet that accepts a visible field and a hidden field and echoes them back to the user. The visible parameter is sanitized before being passed to the browser, but the hidden parameter is not.
```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class SampleServlet extends HttpServlet {
  public void doGet(HttpServletRequest request, HttpServletResponse response)
      throws IOException, ServletException {
    response.setContentType("text/html");
    PrintWriter out = response.getWriter();
    out.println("<html>");
    String visible = request.getParameter("visible");
    String hidden = request.getParameter("hidden");
    if (visible != null || hidden != null) {
      out.println("Visible Parameter:");
      out.println(sanitize(visible));
      out.println("<br>Hidden Parameter:");
      out.println(hidden);                       // Hidden parameter is echoed unsanitized
    } else {
      out.println("<p>");
      out.print("<form action=\"");
      out.print("SampleServlet\" ");
      out.println("method=POST>");
      out.println("Parameter:");
      out.println("<input type=text size=20 name=visible>");
      out.println("<br>");
      out.println("<input type=hidden name=hidden value='a benign value'>");
      out.println("<input type=submit>");
      out.println("</form>");
    }
  }

  public void doPost(HttpServletRequest request, HttpServletResponse response)
      throws IOException, ServletException {
    doGet(request, response);
  }

  // Filter the specified message string for characters
  // that are sensitive in HTML. (The original elides this body;
  // a minimal character-escaping implementation is supplied here.)
  public static String sanitize(String message) {
    if (message == null) {
      return "";
    }
    StringBuilder sb = new StringBuilder(message.length());
    for (char c : message.toCharArray()) {
      switch (c) {
        case '<':  sb.append("&lt;");   break;
        case '>':  sb.append("&gt;");   break;
        case '&':  sb.append("&amp;");  break;
        case '"':  sb.append("&quot;"); break;
        case '\'': sb.append("&#39;");  break;
        default:   sb.append(c);
      }
    }
    return sb.toString();
  }
}
```
...
Visible Parameter: dummy
Hidden Parameter: Surprise!!!
Compliant Solution
This compliant solution applies the same sanitization to the hidden parameter as is applied to the visible parameter:
```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class SampleServlet extends HttpServlet {
  public void doGet(HttpServletRequest request, HttpServletResponse response)
      throws IOException, ServletException {
    response.setContentType("text/html");
    PrintWriter out = response.getWriter();
    out.println("<html>");
    String visible = request.getParameter("visible");
    String hidden = request.getParameter("hidden");
    if (visible != null || hidden != null) {
      out.println("Visible Parameter:");
      out.println(sanitize(visible));
      out.println("<br>Hidden Parameter:");
      out.println(sanitize(hidden));             // Hidden parameter sanitized
    } else {
      out.println("<p>");
      out.print("<form action=\"");
      out.print("SampleServlet\" ");
      out.println("method=POST>");
      out.println("Parameter:");
      out.println("<input type=text size=20 name=visible>");
      out.println("<br>");
      out.println("<input type=hidden name=hidden value='a benign value'>");
      out.println("<input type=submit>");
      out.println("</form>");
    }
  }

  public void doPost(HttpServletRequest request, HttpServletResponse response)
      throws IOException, ServletException {
    doGet(request, response);
  }

  // Filter the specified message string for characters
  // that are sensitive in HTML. (The original elides this body;
  // a minimal character-escaping implementation is supplied here.)
  public static String sanitize(String message) {
    if (message == null) {
      return "";
    }
    StringBuilder sb = new StringBuilder(message.length());
    for (char c : message.toCharArray()) {
      switch (c) {
        case '<':  sb.append("&lt;");   break;
        case '>':  sb.append("&gt;");   break;
        case '&':  sb.append("&amp;");  break;
        case '"':  sb.append("&quot;"); break;
        case '\'': sb.append("&#39;");  break;
        default:   sb.append(c);
      }
    }
    return sb.toString();
  }
}
```
Consequently, when the malicious URL is entered into a browser, the servlet produces the following:
Visible Parameter: dummy
Hidden Parameter: <font color=red>Surprise</font>!!!
...
Trusting the contents of hidden form fields may lead to all sorts of problems.
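Output encoding, as in the compliant solution, keeps a modified hidden field from injecting markup, but it does not tell the server that the field was modified at all. The helper below is an added example, not part of the CERT rule text, and goes one step beyond it: the server binds each hidden value to an HMAC tag when it emits the form and verifies the tag when the value comes back, so a value rewritten in the URL is rejected rather than processed. The class name `HiddenFieldIntegrity`, the `value.tag` layout and the demo key are assumptions of this example; the returned value must still be passed through `sanitize` before it is echoed.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/** Hypothetical helper: a hidden field carries "value.tag" with tag = HMAC-SHA256(key, value). */
public final class HiddenFieldIntegrity {
  private static final String ALG = "HmacSHA256";
  private final SecretKeySpec key;

  public HiddenFieldIntegrity(byte[] secret) {
    this.key = new SecretKeySpec(secret, ALG);
  }

  // Base64url tag contains no '.', so lastIndexOf('.') below splits unambiguously.
  private String tag(String value) throws Exception {
    Mac mac = Mac.getInstance(ALG);
    mac.init(key);
    byte[] t = mac.doFinal(value.getBytes(StandardCharsets.UTF_8));
    return Base64.getUrlEncoder().withoutPadding().encodeToString(t);
  }

  /** Called when the form is generated: the string to put in the hidden input's value. */
  public String seal(String value) throws Exception {
    return value + "." + tag(value);
  }

  /** Called on submit: the original value, or null if the field is missing or was tampered with. */
  public String open(String field) throws Exception {
    if (field == null || field.lastIndexOf('.') < 0) {
      return null;
    }
    int dot = field.lastIndexOf('.');
    String value = field.substring(0, dot);
    byte[] expected = tag(value).getBytes(StandardCharsets.UTF_8);
    byte[] actual = field.substring(dot + 1).getBytes(StandardCharsets.UTF_8);
    // Constant-time comparison so the check does not leak tag bytes through timing.
    return MessageDigest.isEqual(expected, actual) ? value : null;
  }

  public static void main(String[] args) throws Exception {
    // Constructed demo key; a deployment would load the key from a secret store, not a literal.
    HiddenFieldIntegrity h = new HiddenFieldIntegrity("demo-key-do-not-use".getBytes(StandardCharsets.UTF_8));
    String sealed = h.seal("a benign value");
    System.out.println("sealed field : " + sealed + " -> " + h.open(sealed));
    // The same hidden parameter rewritten in the request URL fails verification (prints null).
    System.out.println("tampered     : " + h.open("<font color=red>Surprise</font>!!!"));
  }
}
```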
| Rule | Severity | Likelihood | Remediation Cost | Priority | Level | 
|---|---|---|---|---|---|
| IDS14-J | High | Probable | High | P6 | L2 | 
Automated Detection
| Tool | Version | Checker | Description |
|---|---|---|---|
| The Checker Framework | | Tainting Checker | Trust and security errors (see Chapter 8) |
| CodeSonar | | JAVA.IO.INJ.CODE | Code Injection (Java) |
| Fortify | 6.10.0120 | Hidden_Field | Implemented |
Bibliography
...
...