Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-16813 | APP3610 | SV-17813r1_rule | DCSQ-1 | High |
Description |
---|
Using hidden fields to pass data in forms is very common. However, hidden fields can be easily manipulated by users. Hidden fields used to control access decisions can lead to a complete compromise of the access control mechanism, allowing immediate anonymous user access. |
STIG | Date |
---|---|
Application Security and Development Checklist | 2014-12-22 |
Check Text ( C-17812r1_chk ) |
---|
Ask the application representative for code review or scan results covering the entire application. These can be the results of an automated code review or a vulnerability scanning tool; see section 5.4 of the Application Security and Development STIG for additional details. If the results come from a manual code review, the application representative will need to demonstrate how hidden field vulnerabilities are identified during code reviews. Hidden fields or input parameters that carry randomly generated token values used to counter Cross Site Request Forgery (CSRF) attacks, and that are not used for access control, are not applicable. 1) If the results are not provided, or the application representative cannot demonstrate how manual code reviews identify hidden field vulnerabilities, this is a CAT I finding. 2) If the code review results are provided and hidden field vulnerabilities exist for user authentication, this is a CAT I finding. 3) If the code review results are provided and hidden field vulnerabilities exist that allow users to access unauthorized information, this is a CAT II finding. |
Fix Text (F-17112r1_fix) |
---|
Do not use hidden fields to control access privileges. |
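The following is an added example, not part of the STIG text, illustrating both the review check and the fix described above: a small template scanner that flags hidden inputs whose names suggest access-control data (skipping CSRF token fields, per the "not applicable" clause), next to a handler that trusts a hidden `role` field and a hardened one that takes the role from server-side session state. The sample form, the field-name patterns and the `roles_by_user` mapping are constructed assumptions for this example.

```python
import re

# Constructed sample template (not from the STIG): the form carries the caller's
# role in a hidden field, which is exactly the pattern APP3610 prohibits.
SAMPLE_FORM = """
<form method="post" action="/account/update">
  <input type="hidden" name="csrf_token" value="c0ffee-placeholder">
  <input type="hidden" name="role" value="user">
  <input type="text" name="display_name">
</form>
"""

INPUT_TAG = re.compile(r"<input\b[^>]*>", re.I)
# Field names that suggest an authorization decision is carried client-side.
# This is a review heuristic (an assumption of this example), not an exhaustive rule.
ACCESS_CONTROL_NAMES = re.compile(
    r"(role|admin|privilege|is_?staff|auth(enticated|orized)?|user_?id|acl)", re.I)
# Anti-CSRF tokens are hidden fields too, but the STIG marks them not applicable.
CSRF_NAMES = re.compile(r"(csrf|xsrf|anti.?forgery|_token)", re.I)


def attr(tag, name):
    """Return the value of attribute `name` on a single HTML tag, or None."""
    m = re.search(r"\b" + name + r"\s*=\s*[\"']([^\"']*)[\"']", tag, re.I)
    return m.group(1) if m else None


def flag_hidden_fields(template_src):
    """List hidden-input names that look like access-control data for manual review."""
    flagged = []
    for tag in INPUT_TAG.findall(template_src):
        if (attr(tag, "type") or "").lower() != "hidden":
            continue
        name = attr(tag, "name") or ""
        if CSRF_NAMES.search(name):
            continue  # randomly generated anti-CSRF token: not applicable
        if ACCESS_CONTROL_NAMES.search(name):
            flagged.append(name)
    return flagged


def vulnerable_authorize(form):
    """The finding: trusts a browser-supplied hidden 'role' field."""
    return form.get("role") == "admin"


def hardened_authorize(session, roles_by_user):
    """The fix: ignores form data; the role comes only from server-side session state."""
    return "admin" in roles_by_user.get(session.get("user"), ())
```

A tampered POST body of `role=admin` is enough to pass `vulnerable_authorize`, while `hardened_authorize` never consults the form at all.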