
HTML allows fields in a web form to be visible or hidden. Hidden fields supply values to a web server but do not give the user a mechanism to modify their contents through the browser's user interface. However, attackers can modify these contents anyway. A servlet that reads its parameters with getParameter() accepts them from the query string of a GET request just as readily as from a submitted form, and a URL lets a user specify any parameter names and values in the request. Consequently, hidden form fields should not be considered any more trustworthy than visible form fields.

Noncompliant Code Example

The following noncompliant code example demonstrates a servlet that accepts a visible field and a hidden field and echoes both back to the user. The visible parameter is sanitized before being passed to the browser, but the hidden field is not.

Code Block
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class SampleServlet extends HttpServlet {

  public void doGet(HttpServletRequest request, HttpServletResponse response)
    throws IOException, ServletException {
    response.setContentType("text/html");
    PrintWriter out = response.getWriter();
    out.println("<html>");

    String visible = request.getParameter("visible");
    String hidden = request.getParameter("hidden");

    if (visible != null || hidden != null) {
      out.println("Visible Parameter:");
      out.println(sanitize(visible));
      out.println("<br>Hidden Parameter:");
      out.println(hidden);   // Hidden field is echoed back unsanitized
    } else {
      out.println("<p>");
      out.print("<form action=\"");
      out.print("SampleServlet\" ");
      out.println("method=POST>");
      out.println("Parameter:");
      out.println("<input type=text size=20 name=visible>");
      out.println("<br>");

      out.println("<input type=hidden name=hidden value=\'a benign value\'>");
      out.println("<input type=submit>");
      out.println("</form>");
    }
  }

  // The form posts, so route POST requests through the same handler
  public void doPost(HttpServletRequest request, HttpServletResponse response)
    throws IOException, ServletException {
    doGet(request, response);
  }

  /**
   * Filter the specified message string for characters that are sensitive
   * in HTML. This avoids potential attacks caused by including JavaScript
   * code in the request URL, which is often reported in error messages.
   *
   * @param message The message string to be filtered
   */
  public static String sanitize(String message) {
    if (message == null) {
      return null;
    }
    char content[] = new char[message.length()];
    message.getChars(0, message.length(), content, 0);
    StringBuilder result = new StringBuilder(content.length + 50);
    for (int i = 0; i < content.length; i++) {
      switch (content[i]) {
      case '<':
        result.append("&lt;");
        break;
      case '>':
        result.append("&gt;");
        break;
      case '&':
        result.append("&amp;");
        break;
      case '"':
        result.append("&quot;");
        break;
      default:
        result.append(content[i]);
      }
    }
    return result.toString();
  }
}

When fed the parameter param1, the web page displays the following:

Visible Parameter: param1
Hidden Parameter: a benign value

However, an attacker can easily supply a value to the hidden parameter by encoding it in the URL as follows:

http://localhost:8080/sample/SampleServlet?visible=dummy&hidden=%3Cfont%20color=red%3ESurprise%3C/font%3E!!!

When this URL is provided to the browser, the browser displays:

Visible Parameter: dummy
Hidden Parameter: Surprise!!!

Compliant Solution

This compliant solution applies the same sanitization to the hidden parameter as is applied to the visible parameter:

Code Block
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class SampleServlet extends HttpServlet {

  public void doGet(HttpServletRequest request, HttpServletResponse response)
    throws IOException, ServletException {
    response.setContentType("text/html");
    PrintWriter out = response.getWriter();
    out.println("<html>");

    String visible = request.getParameter("visible");
    String hidden = request.getParameter("hidden");

    if (visible != null || hidden != null) {
      out.println("Visible Parameter:");
      out.println(sanitize(visible));
      out.println("<br>Hidden Parameter:");
      out.println(sanitize(hidden));   // Hidden field is sanitized too
    } else {
      out.println("<p>");
      out.print("<form action=\"");
      out.print("SampleServlet\" ");
      out.println("method=POST>");
      out.println("Parameter:");
      out.println("<input type=text size=20 name=visible>");
      out.println("<br>");

      out.println("<input type=hidden name=hidden value=\'a benign value\'>");
      out.println("<input type=submit>");
      out.println("</form>");
    }
  }

  public void doPost(HttpServletRequest request, HttpServletResponse response)
    throws IOException, ServletException {
    doGet(request, response);
  }

  // Filter the specified message string for characters that are
  // sensitive in HTML; same implementation as in the noncompliant code example
  public static String sanitize(String message) {
    // ...
  }
}


Consequently, when the malicious URL is entered into a browser, the servlet produces the following:

Visible Parameter: dummy
Hidden Parameter: <font color=red>Surprise</font>!!!
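The following stand-alone Java program is an added example, not part of this rule's own code, that models the servlet's two renderings without a servlet container. It parses the attacker URL quoted above the way a container would for a GET request, shows the unescaped and escaped outputs side by side, and goes one step beyond the compliant solution: because the server itself chose the hidden field's value, it can also reject any value it did not emit. The query parser, the EXPECTED_HIDDEN/ALLOWED_HIDDEN allow-list, and the additional escaping of the single quote and slash are this example's own assumptions.

```java
import java.net.URI;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

/** Added example: models SampleServlet without a servlet container. */
public class HiddenFieldDemo {

    /** The value the server itself placed in the hidden field (assumed). */
    static final String EXPECTED_HIDDEN = "a benign value";

    /** Hidden values the server is prepared to accept back (assumed allow-list). */
    static final Set<String> ALLOWED_HIDDEN = Set.of(EXPECTED_HIDDEN);

    /**
     * Escape every character with meaning in HTML text or attribute context.
     * Extends the rule's sanitize() with '\'' and '/' so the result is also safe
     * inside single-quoted attributes and cannot close a tag early.
     */
    public static String sanitize(String message) {
        if (message == null) {
            return "";
        }
        StringBuilder result = new StringBuilder(message.length() + 16);
        for (int i = 0; i < message.length(); i++) {
            char c = message.charAt(i);
            switch (c) {
                case '<':  result.append("&lt;");   break;
                case '>':  result.append("&gt;");   break;
                case '&':  result.append("&amp;");  break;
                case '"':  result.append("&quot;"); break;
                case '\'': result.append("&#x27;"); break;
                case '/':  result.append("&#x2F;"); break;
                default:   result.append(c);
            }
        }
        return result.toString();
    }

    /** Parse a URL's query string as a container would (first occurrence of a name wins). */
    public static Map<String, String> parseQuery(String url) {
        Map<String, String> params = new HashMap<>();
        String query = URI.create(url).getRawQuery();
        if (query == null) {
            return params;
        }
        for (String pair : query.split("&")) {
            int eq = pair.indexOf('=');          // split on the first '=' only
            String name = eq < 0 ? pair : pair.substring(0, eq);
            String value = eq < 0 ? "" : pair.substring(eq + 1);
            params.putIfAbsent(URLDecoder.decode(name, StandardCharsets.UTF_8),
                               URLDecoder.decode(value, StandardCharsets.UTF_8));
        }
        return params;
    }

    /** Noncompliant rendering: the hidden value reaches the page unescaped. */
    public static String renderNoncompliant(Map<String, String> p) {
        return "Visible Parameter: " + sanitize(p.get("visible"))
             + "<br>Hidden Parameter: " + p.get("hidden");
    }

    /**
     * Compliant rendering: the hidden value is escaped like any other input and,
     * since the server knows what it sent, is also checked against the allow-list.
     * Rejecting unexpected values catches tampering that escaping alone would only hide.
     */
    public static String renderCompliant(Map<String, String> p) {
        String hidden = p.get("hidden");
        if (hidden == null || !ALLOWED_HIDDEN.contains(hidden)) {
            return "Rejected: hidden field was modified";
        }
        return "Visible Parameter: " + sanitize(p.get("visible"))
             + "<br>Hidden Parameter: " + sanitize(hidden);
    }

    public static void main(String[] args) {
        // The attacker-controlled URL from the rule text, hidden field overridden
        String attack = "http://localhost:8080/sample/SampleServlet"
                      + "?visible=dummy&hidden=%3Cfont%20color=red%3ESurprise%3C/font%3E!!!";
        Map<String, String> tampered = parseQuery(attack);
        System.out.println("noncompliant: " + renderNoncompliant(tampered));
        System.out.println("compliant:    " + renderCompliant(tampered));

        // The same request with the value the server originally emitted
        Map<String, String> benign = parseQuery(
            "http://localhost:8080/sample/SampleServlet?visible=param1&hidden=a+benign+value");
        System.out.println("benign:       " + renderCompliant(benign));
    }
}
```

For the tampered URL the noncompliant rendering contains the raw <font> element, while the compliant rendering rejects the request outright; drop the allow-list check and it instead emits the escaped text &lt;font color=red&gt;Surprise&lt;&#x2F;font&gt;!!!. The allow-list works here because the hidden value is a constant; where a hidden field carries per-user state, the server-side check is against what the session is entitled to, not merely against what the page happened to send.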


Trusting the contents of hidden form fields may lead to all sorts of problems.

Rule      Severity  Likelihood  Remediation Cost  Priority  Level
IDS14-J   High      Probable    High              P6        L2

Automated Detection


Tool                   Version    Checker                       Description
The Checker Framework             Tainting Checker              Trust and security errors (see Chapter 8)
CodeSonar                         JAVA.IO.INJ.CODE              Code Injection (Java)
                                  JAVA.IO.INJ.COMMAND           Command Injection (Java)
                                  JAVA.IO.INJ.XSS               Cross Site Scripting (Java)
                                  JAVA.IO.INJ.DLL               DLL Injection (Java)
                                  JAVA.IO.INJ.DENIAL            DOS Injection (Java)
                                  JAVA.IO.TAINT.REFLECTION      Reflection Injection (Java)
                                  JAVA.IO.INJ.SQL               SQL Injection (Java)
                                  JAVA.IO.TAINT.TRUSTED         Tainted @Trusted Value (Java)
                                  JAVA.IO.TAINT.BUNDLE          Tainted Bundle (Java)
                                  JAVA.IO.TAINT.CONTROL         Tainted Control (Java)
                                  JAVA.IO.TAINT.EVAL            Tainted Expression Evaluation (Java)
                                  JAVA.IO.TAINT.HTTP            Tainted HTTP Response (Java)
                                  JAVA.IO.TAINT.DEVICE          Tainted Hardware Device Property (Java)
                                  JAVA.IO.TAINT.LDAP.ATTR       Tainted LDAP Attribute (Java)
                                  JAVA.IO.TAINT.LDAP.FILTER     Tainted LDAP Filter (Java)
                                  JAVA.IO.TAINT.LOG             Tainted Log (Java)
                                  JAVA.IO.TAINT.MESSAGE         Tainted Message (Java)
                                  JAVA.IO.TAINT.ADDR            Tainted Network Address (Java)
                                  JAVA.IO.TAINT.PATH            Tainted Path (Java)
                                  JAVA.IO.TAINT.REGEX           Tainted Regular Expression (Java)
                                  JAVA.IO.TAINT.RESOURCE        Tainted Resource (Java)
                                  JAVA.IO.TAINT.SESSION         Tainted Session (Java)
                                  JAVA.IO.TAINT.URL             Tainted URL (Java)
                                  JAVA.IO.TAINT.XAML            Tainted XAML (Java)
                                  JAVA.IO.TAINT.XML             Tainted XML (Java)
                                  JAVA.IO.TAINT.XPATH           Tainted Xpath (Java)
                                  JAVA.IO.INJ.XSS.EMWP          Cross Site Scripting In Error Message Web Page (Java)
Fortify                6.10.0120  Hidden_Field                  Implemented
