I am not very familiar with web security, but I am trying to develop a Django-based application. For payments, I am using the PayU payment gateway, which I integrated successfully by following the documentation.

To the payment URL I have to post some sensitive information, such as merchant_key and txnid, along with user information. For the sensitive data I am using hidden fields, but I don't think that is a good option because anyone can see my sensitive data in the source code.

<form action="https://test.payu.in/_payment" name="payuForm" method="post">
<input type="hidden" name="csrfmiddlewaretoken" value="pOz2jZlcwLuLJRfBor9xqr4KIXtqGUCmcUSdZl6QeIXZnKc00ApNU2BxInA94Esy">
<input type="hidden" name="key" value="123456789">
<input type="hidden" name="hash" value="98231e7321875de86639070b07a1940effad7cac37e15e277f62e6d9c9488085cd060a3b9963864f2b10a334f2c04be4387b3fe24422d01cf5ed49d1a54c39f0">
<input type="hidden" name="txnid" value="833657e26b12fde34b620c67a3a8646c">
<input type="hidden" name="amount" value="1.0">
<input type="hidden" name="email" value="pankaj@gmail.com">
<input type="hidden" name="firstname" value="Pankaj">
<input type="hidden" name="phone" value="9950542612">
<input type="hidden" name="productinfo" value="Message showing product details.">
<input type="hidden" name="surl" value="http://127.0.0.1:8000/orders/payment/success">
<input type="hidden" name="furl" value="http://127.0.0.1:8000/orders/payment/failure">
<!-- <input type="hidden" name="service_provider" value="" /> -->

<div class="form-group">
    <div class="col-md-12 col-sm-12">
        Amount : 1.0
    </div>
</div>
<div class="form-group">
    <div class="col-md-12 col-sm-12">
        Purpose : Message showing product details.
    </div>
</div>
<div class="form-group">
    <div class="col-md-12 col-sm-12">
        Name : Pankaj
    </div>
</div>
<div class="form-group">
    <div class="col-md-12 col-sm-12">
        Email : pankaj@gmail.com
    </div>
</div>
<div class="form-group">
    <div class="col-md-12 col-sm-12">
        Mobile : 9950542612
    </div>
</div>
<div class="form-group">
    <div class="col-md-12 col-sm-12">
        Transaction ID : 833657e26b12fde34b620c67a3a8646c
    </div>
</div>
<div class="form-group">
    <div class="col-md-12 col-sm-12" style="padding-bottom:20px;padding-top:20px;">
        After clicking 'Pay Now' button, you will be redirected to PayUMoney Secure Gateway.
    </div>
</div>

<div class="form-group">
    <div class="col-md-12 col-sm-12">
        <input type="submit" class="btn btn-success btn-sm" value="Pay Now">
    </div>
</div>
</form>

Is this the only way to post data to the URL? I tried to post the data with a redirect, but because of some security issues we can't post data with a redirect - see this.

If anyone can help me understand this.

Pankaj Sharma

2 Answers

You should not share sensitive information with hidden fields because that may lead to a serious data leak.

However, if you have scenarios where you have to share some related information from one service to another, then you can do it with a database call using a relevant foreign key (e.g. userid, sessionid, etc.), and you can make the DB call from your backend, which can be as secure as you need.

Simmant
  • I am using a third party and have to send data through POST, and according to that data the third party will handle the user; first see what the question actually is. – Pankaj Sharma Jul 25 '18 at 12:38
  • Is there any backend you are using, like ASP, Java, etc.? – Simmant Jul 25 '18 at 12:43
  • If yes, then the best way is to call the payment API with an HTTP/HTTPS client, rather than calling the API directly. – Simmant Jul 25 '18 at 12:46
  • My bad, I missed that tag, but this will work the same for Django or any other platform; this may help for Django: http://www.django-rest-framework.org/topics/api-clients/ – Simmant Jul 25 '18 at 12:51

If you send sensitive data like this to a third-party service endpoint, those details can be accessed from the browser, even if you use frontend frameworks like JS frameworks. But if this is a confirmation page, those details belong to the same user who entered the data. From that point of view it is OK to send them like this. But this is not a good way to do it. These data can still be retrieved by JS injection or via a browser plugin or extension, etc. So one solution is to hand over this functionality to a backend script (think of that page as created via PHP/JSP/ASP). Or you need to use a strong encryption mechanism when sending those details. Search about HTTPS also.

SanathT
  • I can post data to the URL, but the user should also be redirected to that page. If I use the backend to do so, then it is only possible with a redirect, but it is a restriction of HTTP that POST data cannot go with redirects. Any good solution for that? – Pankaj Sharma Jul 25 '18 at 12:36
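
A sketch of what the hidden fields can and cannot protect, added here as an example and not taken from the question, the answers, or PayU's code: the form values are visible and editable in the browser, so the server builds them from its own order record, signs them with a salt that never reaches the page, and re-checks the gateway's POST to `surl`/`furl` before marking the order paid. The pipe-delimited SHA-512 field order is an assumption based on PayU's hosted-checkout documentation, and `MERCHANT_SALT`, `ORDER` and the function names are constructed for illustration.

```python
import hashlib
import hmac
from decimal import Decimal, InvalidOperation

MERCHANT_KEY = "123456789"            # public identifier, as in the form above
MERCHANT_SALT = "constructed-salt"    # constructed placeholder; keep the real one in server settings only
SIGNED = ("txnid", "amount", "productinfo", "firstname", "email")

def sha512_pipe(parts):
    return hashlib.sha512("|".join(parts).encode("utf-8")).hexdigest()

def build_payment_fields(order):
    """Hidden-field values for the form, built from the server's own order record."""
    fields = {"key": MERCHANT_KEY}
    fields.update({name: str(order[name]) for name in SIGNED})
    # Assumed layout: key|txnid|amount|productinfo|firstname|email|<10 empty>|salt
    fields["hash"] = sha512_pipe(
        [MERCHANT_KEY] + [fields[n] for n in SIGNED] + [""] * 10 + [MERCHANT_SALT])
    return fields            # note: the salt itself is never placed in the page

def callback_hash(posted):
    # Assumed layout: salt|status|<10 empty>|email|firstname|productinfo|amount|txnid|key
    return sha512_pipe(
        [MERCHANT_SALT, posted.get("status", "")] + [""] * 10
        + [posted.get(n, "") for n in reversed(SIGNED)] + [MERCHANT_KEY])

def verify_callback(order, posted):
    """Accept a POST to surl/furl only if it is signed and matches the stored order."""
    supplied = posted.get("hash", "").encode("utf-8")
    if not hmac.compare_digest(callback_hash(posted).encode("utf-8"), supplied):
        return False         # some field was changed, or the sender does not know the salt
    try:
        same_amount = Decimal(posted["amount"]) == Decimal(str(order["amount"]))
    except (KeyError, InvalidOperation):
        return False
    return same_amount and posted.get("txnid") == order["txnid"]

# Constructed sample order, mirroring the values in the question's form.
ORDER = {"txnid": "833657e26b12fde34b620c67a3a8646c", "amount": "1.0",
         "productinfo": "Message showing product details.",
         "firstname": "Pankaj", "email": "pankaj@gmail.com"}
```

In a Django view, `build_payment_fields` would feed the template context for the form, and `verify_callback` would run on `request.POST` in the success and failure handlers.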