Re: [mod-security-users] Hidden Fields
From: Markus R. <we...@mr...> - 2006-02-26 13:18:50
> >> 2) Another way would be to use md5-hashes for hidden fields. Compute md5-hashes of each
> >> or all hidden fields and send it also as a hidden field. So you can recompute
> >> the hash and check whether values have changed or not.
>
> Note that hashing alone isn't sufficient because it's trivial for
> the attacker to recompute the hash. You have to encrypt the hash too.

OK, just the md5-hash is not sufficient, but if you use an additional "salt" value then it should be good enough. E.g.

<input name="id" type="hidden" value="1234">

then generate an md5-hash from "id1234mySecretSalt". This should be good enough as "mySecretSalt" could not be guessed that easily...

markus
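The keyed-hash check discussed in this thread, written out as an added example (it is not code from the thread or from ModSecurity). It uses HMAC-SHA256 as the keyed hash, the standard construction for a server-side secret plus data; a plain md5 of "secret appended to the values" is subject to hash length-extension, HMAC is not. The field names, the `_sig` field, the `SECRET_KEY` placeholder and the helper names are assumptions for the example. The server signs the hidden fields when it renders the form and recomputes the MAC over the submitted values, so any change to a protected value, a swap of values between fields, or a missing signature is rejected.

```python
import hashlib
import hmac
import html
from urllib.parse import urlencode

# Server-side secret. Placeholder: in a real deployment load a random key from
# configuration; it must never be sent to the client.
SECRET_KEY = b"mySecretSalt-replace-with-a-random-key"


def canonical(fields: dict) -> bytes:
    """Deterministic serialization of the protected name/value pairs.

    Sorting by name gives a stable order; URL-encoding keeps the name/value
    boundaries unambiguous (so "id=12"+"34" cannot collide with "id=1234").
    """
    return urlencode(sorted(fields.items())).encode()


def sign_hidden_fields(fields: dict, key: bytes = SECRET_KEY) -> str:
    """Keyed hash (HMAC-SHA256) over the canonical form of the hidden fields."""
    return hmac.new(key, canonical(fields), hashlib.sha256).hexdigest()


def render_hidden_inputs(fields: dict, key: bytes = SECRET_KEY) -> str:
    """Emit the hidden inputs plus a '_sig' input carrying their MAC."""
    inputs = [
        '<input name="%s" type="hidden" value="%s">'
        % (html.escape(name, quote=True), html.escape(value, quote=True))
        for name, value in fields.items()
    ]
    inputs.append(
        '<input name="_sig" type="hidden" value="%s">' % sign_hidden_fields(fields, key)
    )
    return "\n".join(inputs)


def verify_submission(submitted: dict, protected_names, key: bytes = SECRET_KEY) -> bool:
    """Recompute the MAC over the protected fields of a submitted form.

    Returns False if the signature is missing, was computed under another key,
    or any protected value differs from what the server rendered.
    """
    presented = submitted.get("_sig", "")
    fields = {name: submitted.get(name, "") for name in protected_names}
    expected = sign_hidden_fields(fields, key)
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(presented, expected)


def demo() -> tuple:
    # Constructed sample form with two hidden fields.
    original = {"id": "1234", "price": "10.00"}
    sig = sign_hidden_fields(original)
    protected = ["id", "price"]

    untouched = verify_submission({**original, "_sig": sig}, protected)
    tampered = verify_submission({**original, "id": "9999", "_sig": sig}, protected)
    swapped = verify_submission({"id": "10.00", "price": "1234", "_sig": sig}, protected)
    unsigned = verify_submission(dict(original), protected)
    return untouched, tampered, swapped, unsigned


if __name__ == "__main__":
    print(render_hidden_inputs({"id": "1234", "price": "10.00"}))
    print(demo())
```

The MAC binds the values to each other and to the server key, but not to a user or session: a client can still replay an old, validly signed set of values. If that matters, include a session identifier or form nonce among the protected fields so the signature is only valid for that session.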