
The designer will ensure the application does not use hidden fields to control user access privileges or as a part of a security mechanism.


Overview

Finding ID: V-16813
Version: APP3610
Rule ID: SV-17813r1_rule
IA Controls: DCSQ-1
Severity: High
Description
Using hidden fields to pass data in forms is very common. However, hidden fields can be easily manipulated by users. Hidden fields used to control access decisions can lead to a complete compromise of the access control mechanism, allowing immediate anonymous user access.
STIG: Application Security and Development Checklist
Date: 2014-12-22

Details

Check Text ( C-17812r1_chk )
Ask the application representative for code review or scan results from the entire application. This can be provided as results from an automated code review or a vulnerability scanning tool. See section 5.4 of the Application Security and Development STIG for additional details.

If the results are provided from a manual code review, the application representative will need to demonstrate how hidden field vulnerabilities are identified during code reviews.

Hidden fields or input parameters that carry randomly generated token values used to address Cross Site Request Forgery (CSRF) attacks, and that are not used for access control, are not applicable.

1) If the results are not provided or the application representative cannot demonstrate how manual code reviews are performed to identify hidden field vulnerabilities, this is a CAT I finding.

2) If the code review results are provided and hidden field vulnerabilities exist for user authentication, this is a CAT I finding.

3) If the code review results are provided and hidden field vulnerabilities exist allowing users to access unauthorized information, this is a CAT II finding.
Fix Text (F-17112r1_fix)
Do not use hidden fields to control access privileges.
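As an added illustration, not part of the STIG text, the Python below contrasts an authorization check that trusts a client-supplied hidden field with one that consults the server-side session, and adds a small code-review helper of the kind the check text asks for, flagging hidden inputs whose names suggest an access-control decision while leaving a CSRF token alone. The session store, form markup and field names are constructed for this example.

```python
import re
from typing import Dict, List

# Constructed server-side session store: session id -> user record.
# The role is assigned at login and lives only on the server.
SESSIONS = {
    "s1": {"user": "alice", "role": "user"},
    "s2": {"user": "bob", "role": "admin"},
}


def authorize_insecure(session_id: str, form: Dict[str, str]) -> bool:
    """Vulnerable: the privilege comes from a hidden form field the client controls."""
    if session_id not in SESSIONS:
        return False
    return form.get("role") == "admin"


def authorize_secure(session_id: str, form: Dict[str, str]) -> bool:
    """Hardened: the role is read from the server-side session; the form is ignored."""
    user = SESSIONS.get(session_id)
    return user is not None and user["role"] == "admin"


# Code-review aid: find hidden <input> tags whose name hints at a privilege,
# role or permission. Token-style names (e.g. csrf_token) are intentionally
# not matched, matching the STIG's CSRF exemption.
HIDDEN_INPUT = re.compile(r'<input[^>]*type\s*=\s*["\']hidden["\'][^>]*>', re.I)
NAME_ATTR = re.compile(r'name\s*=\s*["\']([^"\']+)["\']', re.I)
SUSPECT_NAME = re.compile(r'(role|admin|priv|perm|access|acl|is_)', re.I)


def find_suspect_hidden_fields(markup: str) -> List[str]:
    found = []
    for tag in HIDDEN_INPUT.finditer(markup):
        name = NAME_ATTR.search(tag.group(0))
        if name and SUSPECT_NAME.search(name.group(1)):
            found.append(name.group(1))
    return found


# Constructed form markup for the review helper.
SAMPLE_FORM = """
<form method="post" action="/account/update">
  <input type="hidden" name="csrf_token" value="8f3a-constructed">
  <input type="hidden" name="user_role" value="user">
  <input name="is_admin" type="hidden" value="0">
  <input type="text" name="display_name">
</form>
"""
```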