
    Honeypot Processors: Hidden Input Form Processor

    Many webmasters create forms that post to a common form-handling service, using hidden fields to tell the service how to process the data. A common attack technique is to look for these hidden parameters and test whether the service's behavior can be changed by manipulating them. This processor injects a fake hidden input into forms in HTML responses and verifies, when those forms are posted back to the server, that the injected value has not been modified.

    Table 1: Hidden Input Form Processor Configuration Parameters

    Basic

    Processor Enabled
        Type: Boolean
        Default Value: True
        Whether traffic should be passed through this processor.

    Advanced

    Hidden Input Parameter
        Type: Collection
        Default Value: Collection
        The collection of fake hidden inputs the processor can choose from when injecting into a page.

    Inject Input Enabled
        Type: Boolean
        Default Value: True
        Whether to inject hidden inputs into HTML forms.

    Maximum Injections
        Type: Integer
        Default Value: 3
        The maximum number of fake hidden parameters that will be added to any given URL.

    Strip Fake Input
        Type: Boolean
        Default Value: True
        Whether to remove the fake input from the posted form data before proxying the request to the backend servers. Turn this off only if the form carries additional protection of its own, such as contents that are signed on the client and validated on the server, in which case stripping the field would break that validation.

    Incident: Hidden Parameter Manipulation
        Type: Boolean
        Default Value: True
        The user submitted the form with a value for the injected parameter that differs from the value the processor inserted.

    Incident: Hidden Input Type Manipulation
        Type: Boolean
        Default Value: True
        The user submitted the form with a value for the injected parameter that differs from the value the processor inserted, and the input was additionally changed into a file upload.
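    The following Python sketch is an added illustration of the injection and verification logic the processor description and Table 1 imply; it is not WebApp Secure's own code. The secret key, the decoy field names (standing in for the "Hidden Input Parameter" collection), the session identifier and the sample page and bodies are all constructed for the example, and the (name, value, is_file) field triples stand in for whatever the proxy's body parser produces. The decoy value is bound to the session with an HMAC, which is this example's design choice rather than something the page specifies; it means an attacker can neither guess a valid value nor replay one captured from another session.

```python
import hashlib
import hmac
import re
from urllib.parse import parse_qsl, urlencode

# Illustrative values only; none of these come from the product.
SECRET_KEY = b"example-only-change-me"
DECOY_NAMES = ["form_token", "handler_mode", "ref_id"]  # stands in for the Hidden Input Parameter collection
MAX_INJECTIONS = 3                                       # mirrors the Maximum Injections default
STRIP_FAKE_INPUT = True                                  # mirrors the Strip Fake Input default

FORM_OPEN_RE = re.compile(r"<form\b[^>]*>", re.IGNORECASE)


def decoy_value(session_id: str, name: str) -> str:
    """Value the client is expected to echo back unchanged.
    Binding it to the session with an HMAC makes it unguessable and detects replay
    from a different session (example design choice, not the product's scheme)."""
    msg = f"{session_id}:{name}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()[:24]


def inject_hidden_inputs(html: str, session_id: str, max_injections: int = MAX_INJECTIONS):
    """Add one fake hidden input to each <form> in a response, up to max_injections.
    Returns the rewritten HTML and the decoy names that were used."""
    used = []

    def add_input(match: re.Match) -> str:
        if len(used) >= max_injections:
            return match.group(0)  # cap reached: leave further forms untouched
        name = DECOY_NAMES[len(used) % len(DECOY_NAMES)]
        used.append(name)
        value = decoy_value(session_id, name)
        return f'{match.group(0)}<input type="hidden" name="{name}" value="{value}">'

    return FORM_OPEN_RE.sub(add_input, html), used


def check_submission(session_id: str, fields):
    """fields: (name, value, is_file) triples from the proxy's body parser.
    Returns (incident names raised, fields to forward to the backend)."""
    incidents = []
    forward = []
    for name, value, is_file in fields:
        if name not in DECOY_NAMES:
            forward.append((name, value, is_file))
            continue
        if is_file:
            # The decoy was turned into a file upload: wrong value and changed input type.
            incidents.append("Hidden Input Type Manipulation")
        elif not hmac.compare_digest(str(value).encode(), decoy_value(session_id, name).encode()):
            incidents.append("Hidden Parameter Manipulation")
        if not STRIP_FAKE_INPUT:
            forward.append((name, value, is_file))  # only when the backend validates it itself
    return incidents, forward


def check_urlencoded(session_id: str, body: str):
    """Wrapper for application/x-www-form-urlencoded bodies; returns the body to proxy onward."""
    fields = [(k, v, False) for k, v in parse_qsl(body, keep_blank_values=True)]
    incidents, forward = check_submission(session_id, fields)
    return incidents, urlencode([(k, v) for k, v, _ in forward])


# Constructed sample traffic.
PAGE = ('<html><body><form action="/handler" method="post">'
        '<input type="hidden" name="action" value="contact"><input name="msg"></form></body></html>')
SESSION = "sess-42"

if __name__ == "__main__":
    rewritten, names = inject_hidden_inputs(PAGE, SESSION)
    print(rewritten)
    good = decoy_value(SESSION, names[0])
    print(check_urlencoded(SESSION, f"action=contact&msg=hi&{names[0]}={good}"))
    print(check_urlencoded(SESSION, f"action=admin&msg=hi&{names[0]}=tampered"))
    print(check_submission(SESSION, [("action", "contact", False), (names[0], b"\x89PNG", True)]))
```

    A legitimate browser echoes the decoy exactly, so the clean body reaches the backend with the decoy removed; an edited value raises Hidden Parameter Manipulation, and a decoy that arrives as a multipart file part raises Hidden Input Type Manipulation. Note the cap: once three forms on a page have been tagged, later forms on the same response are left alone, matching the Maximum Injections default.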

    Published: 2013-11-20