
I am adding security questions so that users may reset their passwords if they exceed the maximum number of attempts. Is it bad to use hidden fields such as these for an authentication mechanism?

<input type="hidden" name="securityAnswered" value="true">
<input type="hidden" name="exceededAttempts" value="true">

could a user go in and edit these hidden fields from the client side?

BalusC
rtd353

3 Answers

6

could a user go in and edit these hidden fields from the client side?

Of course! Anything on the client side can be edited. You cannot stop users from doing that.

You have to keep in mind that the client can post to the server any content, any time.

Ionică Bizău
  • OK, so what would be another way to send this information from the form to the server? – rtd353 Sep 25 '16 at 07:51
  • @rtd353 The validation should be done on the server. There's no other way: the client posts the data and the server receives and **validates** it. – Ionică Bizău Sep 25 '16 at 07:52
  • This is true but I just want to add that you could still use a secure session if you really wanted to save data on the client side. – Philip Feldmann Sep 25 '16 at 07:55
  • @PhilipFeldmann Ah, that's a good point! But I guess it's much better to store that information on the server only, in the session. – Ionică Bizău Sep 25 '16 at 07:58
  • @ionica I am validating on the server. I only added the securityAnswered hidden field to the reset-password form so that, if the user submits an invalid password, it will indicate that the security question has been answered and the user can try resetting again. – rtd353 Sep 25 '16 at 07:59
  • @rtd353 In fact, these values can remain on the server, they don't have to be sent to the client. – Ionică Bizău Sep 25 '16 at 07:59
0

Yes, of course; anyone can change it by pressing Ctrl+Maj+I.

  • Fun Fact: `EN-US` will recognize the `maj` modifier as the `shift` key, albeit with subtle nuances. Read more in [this SO question](https://stackoverflow.com/questions/23008486/shift-shortcut-being-displayed-as-maj-for-culture-nl-be-when-it-should-be-shif). – Ed Shelton Jul 16 '23 at 13:27
0

Yes, penetration testers do this all the time using intercepting proxies such as Burp or ZAP.

https://portswigger.net/burp/proxy.html
https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project

There are many other ways of modifying such data, including developer tools in the browser.

TheGreatContini
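The following is an added example, not code from the question or any of the answers. It puts the two points above side by side: a reset handler that trusts the `securityAnswered` and `exceededAttempts` hidden fields is defeated by a single forged POST body of the kind one would send from Burp Repeater, ZAP or curl, while a handler that keeps that state in a server-side session ignores whatever the client sends. The HTTP layer is simulated with plain form-encoded bodies, the user record and session store are constructed in-memory data, and every function name (`handle_reset_vulnerable`, `handle_answer_question`, `handle_reset_hardened`) is hypothetical.

```python
"""Toy password-reset flow: hidden-field state (vulnerable) vs. session state (hardened).

Added example; none of the names here come from the original page. The "server"
is a set of functions that take a form-encoded body, as the question's form
would POST it. Session ids stand in for an HttpOnly session cookie.
"""
from urllib.parse import parse_qs, urlencode

# Constructed sample data: one account whose login attempts are already exhausted.
MAX_ATTEMPTS = 3
USERS = {"alice": {"security_answer": "rover", "failed_logins": 5, "password": "old"}}

# Server-side session store, keyed by the session cookie value. This is the only
# place the "has answered the security question" flag ever lives.
SESSIONS = {}


def parse_form(body):
    """Decode an application/x-www-form-urlencoded POST body into single values."""
    return {k: v[0] for k, v in parse_qs(body).items()}


def handle_reset_vulnerable(body):
    """Trusts the hidden fields exactly as the question's form sends them.

    Anyone who edits the form in the browser's developer tools, or rewrites the
    request in an intercepting proxy, can set both flags to "true".
    """
    form = parse_form(body)
    user = USERS.get(form.get("username"))
    if user is None:
        return 404, "no such user"
    if form.get("exceededAttempts") != "true":
        return 403, "reset not permitted"
    if form.get("securityAnswered") != "true":
        return 403, "answer the security question first"
    user["password"] = form["newPassword"]
    return 200, "password changed"


def handle_answer_question(session_id, body):
    """Step 1 of the hardened flow: the server checks the answer itself and records
    the result in its own session rather than echoing it back as a hidden field."""
    form = parse_form(body)
    user = USERS.get(form.get("username"))
    if user is None or user["failed_logins"] < MAX_ATTEMPTS:
        return 403, "reset not permitted"
    if form.get("answer") != user["security_answer"]:
        return 403, "wrong answer"
    SESSIONS[session_id] = {"username": form["username"], "security_answered": True}
    return 200, "ok"


def handle_reset_hardened(session_id, body):
    """Step 2: only server-side session state decides whether the reset proceeds.

    Any securityAnswered / exceededAttempts fields in the body are simply ignored,
    so forging them buys the attacker nothing.
    """
    form = parse_form(body)
    sess = SESSIONS.get(session_id)
    if not sess or not sess.get("security_answered"):
        return 403, "answer the security question first"
    USERS[sess["username"]]["password"] = form["newPassword"]
    del SESSIONS[session_id]  # one-shot: a completed reset consumes the flag
    return 200, "password changed"


# The forged request an attacker would send straight to the reset endpoint,
# skipping the security-question page entirely (constructed sample input).
FORGED = urlencode({"username": "alice", "newPassword": "pwned",
                    "securityAnswered": "true", "exceededAttempts": "true"})


if __name__ == "__main__":
    print("vulnerable:", handle_reset_vulnerable(FORGED))
    print("hardened, no session:", handle_reset_hardened("sess-attacker", FORGED))
    print("answer step:", handle_answer_question("sess-alice", urlencode({"username": "alice", "answer": "rover"})))
    print("hardened, after answer:", handle_reset_hardened("sess-alice", urlencode({"newPassword": "n3w"})))
```

The hardened handlers never send the flag to the client at all, which is what the first answer's comments recommend. If state really must travel through the client (Philip Feldmann's point), it has to be a signed or encrypted session value whose integrity the server verifies on every request; a plain hidden field carries no such protection.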