HTTP-based Vulnerabilities

Introduction to HTTP and HTML vulnerabilities

Web applications are commonly targeted by cybercriminals. The combination of public exposure and potential access to sensitive data makes them easily accessible and provides a reasonable expectation of payoff for a successful attack. As a result, ensuring that they do not contain common vulnerabilities such as cross-site scripting (XSS) and SQL injection is a must.

However, the vulnerabilities that appear on the OWASP Top Ten list are not the only potential threats to web application security. Improper use of HTTP and HTML can also make a website vulnerable to exploitation.

Common abuses of HTTP and HTML

The HTTP and HTML standards grant developers a lot of flexibility and useful tools for developing their web applications. However, these tools can also be used in clever ways that jeopardize the security of the application and its users. Some examples of common misuses of HTTP and HTML features include hidden form fields, magic URLs and predictable cookies.

Hidden form fields

The HTML standard gives developers the ability to label certain fields or objects on a web page as hidden. When opening the page in the web browser, anything marked as hidden will not be visible to the user. As a result, it can be tempting to use hidden fields to carry important data, making it unnecessary to store this state information on the server.

The code sample above uses this technique for a simple web order form. Instead of managing the pricing information on the server side, it is stored in a hidden field. This makes it simpler to handle pricing information that may vary from user to user.

The problem with this approach is that hidden fields within a webpage are still visible in the page’s source code, which is available to and editable by (Read more...)