Re: [mod-security-users] Hidden Fields
From: Ivan R. <iv...@we...> - 2006-02-26 13:43:25
Markus Rietzler wrote:
>>> 2) another
>>> way would be to use md5-hashes for hidden fields. compute md5-hashes of each
>>> or all hidden fields and send it also as hidden field. so you can recompute
>>> the hash and check whether values have changed or not.
>> Note that hashing alone isn't sufficient because it's trivial for
>> the attacker to recompute the hash. You have to encrypt the hash too.
>>
>
> ok, just the md5-hash is not sufficient, but if you use an additional
> "salt"-value then it should be good enough. eg.
>
> <input name="id" type="hidden" value="1234">
>
> then generate an md5-hash from "id1234mySecretSalt". this should be good
> enough as "mySecretSalt" could not be guessed that easy...

Agreed, that would also work. Finally, you would also need a mandatory per-form field so that, when you receive the form data from the user, you know how many hidden fields were there. Since you are also likely to rotate the encryption key (or the salt), this field also needs to contain a timestamp to help you find the key.

--
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
ModSecurity: Open source Web Application Firewall
Apache Security (O'Reilly): http://www.apachesecurity.net
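The scheme discussed in this thread (a secret-keyed hash over the hidden fields, plus the mandatory per-form field with a timestamp that Ivan describes so the key can be rotated), as an added example that is not part of the original thread or of ModSecurity. It uses HMAC-SHA256 in place of salted MD5; the in-memory key ring, key ids, and the `_form` / `_mac` field names are assumptions.

```python
import hmac, hashlib, json, time

# Constructed demo keys indexed by key id, so the server can rotate keys while
# still verifying forms issued under an older one (assumption: a small
# in-memory key ring; a real deployment would load these from configuration).
KEYS = {"k1": b"old-secret-constructed", "k2": b"new-secret-constructed"}
CURRENT_KEY_ID = "k2"
MAX_AGE = 3600  # seconds a signed form stays valid

def _mac(key, fields, key_id, issued):
    # Canonical encoding: sorted (name, value) pairs plus key id and timestamp,
    # so renaming, reordering or re-dating fields changes the MAC.
    msg = json.dumps([sorted(fields.items()), key_id, issued],
                     separators=(",", ":")).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def sign_hidden_fields(fields, now=None):
    """Return the hidden fields plus the mandatory per-form '_form' field
    (names of every protected field, key id, timestamp) and the '_mac'."""
    issued = int(now if now is not None else time.time())
    manifest = {"names": sorted(fields), "kid": CURRENT_KEY_ID, "ts": issued}
    out = dict(fields)
    out["_form"] = json.dumps(manifest, separators=(",", ":"))
    out["_mac"] = _mac(KEYS[CURRENT_KEY_ID], fields, CURRENT_KEY_ID, issued)
    return out

def verify_submission(submitted, now=None):
    """Return (ok, reason); rejects tampered, missing or stale protected fields."""
    now = now if now is not None else time.time()
    try:
        manifest = json.loads(submitted["_form"])
        names, kid, issued = manifest["names"], manifest["kid"], int(manifest["ts"])
    except (KeyError, ValueError, TypeError):
        return False, "manifest missing or malformed"
    if kid not in KEYS:                      # timestamp/key id locate the key
        return False, "unknown key id"
    if not 0 <= now - issued <= MAX_AGE:
        return False, "form expired or timestamp in the future"
    # The manifest says exactly which protected fields must be present, so a
    # silently dropped hidden field is detected before the MAC is checked.
    if any(n not in submitted for n in names):
        return False, "protected field missing"
    fields = {n: submitted[n] for n in names}
    expected = _mac(KEYS[kid], fields, kid, issued)
    if not hmac.compare_digest(expected, submitted.get("_mac", "")):
        return False, "mac mismatch"
    return True, "ok"
```

Non-protected user-entered fields may be submitted alongside; only the names listed in `_form` are bound by the MAC.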