Thursday, April 5, 2018

Exploiting Hidden Fields


- Layout for this exercise:

- Working with OWASP WebGoat  v5.4:

1 - Hidden Fields

- The hidden HTML attribute for a field specifies that the field and its value won't be shown to the user.

- For instance, the next HTML snippet code processes both the fname and the country fields, but the user can see only the first one, because the second one is of type="hidden":

- The input was received by the server as:

- In other words, the hidden fields are not shown, but when the form is submitted the hidden field is still sent with it.

- The purpose of a hidden field is to submit information that is not entered by the visitor.

2 - Exploiting Hidden Fields

- In this scenario we have a Shopping Cart web form, where an HDTV can be purchased by $2999.9:

- The goal of the exercise would be to alter the hidden field Price to purchase the HDTV at a lot cheaper price.

- Let's notice that the hidden field Price is out of the reach of the customer, and only the Quantity input field can be entered by him.

- Going to Purchase and right clicking into Inspect Element:

- The first alteration would be to eliminate the onclick="validate()" event: 

- Secondly, the hidden field Price has a value of 2999.99, and it can be replaced with a more affordable price:

- Now, when clicking Purchase the web form processes the HDTV purchase at a price of $0.99: