Imagine a very insecure form which emailed a password or other sensitive information to a given email address. Imagine again, if you will, that this email address was hard coded into a hidden form field called, say, 'to'. This is incredibly insecure, and here's why:
A hidden field is only hidden from the rendered page, not from the user. Anything in the form is client controlled, so one can replace the hard-coded address with their own and have the form's contents sent there instead. The quickest way to see this in a browser is with JavaScript turned on. Look at the page source to see how many forms there are, count from zero upwards to the form you need, and reference it like this:
Navigate to a page with said form in it. Let's say it is the first form in the source code, so we reference it with a '0' (the second one will be a '1' and so on). The form, we know from the source code, has a field called 'to', so we want to set it to a new value. Now type this into the browser address bar:
javascript:void(document.forms[0].to.value="me@example.com")
To check the value has changed type this:
javascript:alert(document.forms[0].to.value)
Now when you submit the form, it will be submitted with the 'to' value of me@example.com. Simple. Note that the browser is only a convenience here: the same result can be had by sending the request directly with any HTTP client, with no JavaScript involved at all, so disabling scripting or using a more obscure field name protects nothing. It is easy to imagine all sorts of variations on this theme, so awareness is an important tool in protecting against it.
To protect your forms against this, you must have some sort of server side checking in the target URL to decide which email addresses are acceptable; client side checks can be bypassed exactly as shown above. There are two ways to do this: whitelisting and blacklisting. Whitelisting is a list, perhaps an array or database resource, of all allowed email addresses that can be accepted into the form processing script. All other values are rejected by the script. This is the more secure option, and it is best combined with not putting the address in the form at all: submit a short key (such as 'sales') and let the server look up the real address for that key, so the recipient never appears in the page source. A blacklist, less useful but worth mentioning, is where you allow all values except specified ones. Blacklisting is only really useful if you know that there are only specific values you wish to disallow (for example removing rude words from a message); an attacker choosing the recipient simply picks an address that is not on the list.
I hope this article has been insightful and helpful.