WebApp Sec mailing list archives
Re: Social Security Number in Hidden field
From: Abhay Rana <capt.n3m0 () gmail com>
Date: Mon, 24 Nov 2014 05:24:02 +0530
No, putting it in a hidden field is the same as showing it to a tech-savvy admin. Unless admins are supposed to see the SSN (and are authorized to), there is no reason for it to be in a hidden field. If you really need it there (for some future requests in the form), it might be better to instead put the SSN's unique ID from the database (1,2,3) in the hidden field, and use it to get the SSN in the next request on the server side.

-- Nemo
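The approach suggested above, as an added example that is not part of the original post: the hidden field carries only the database row ID, and the server resolves the SSN on the next request. It goes one step beyond the message by re-checking record ownership on submit, since a sequential ID in a hidden field is client-controlled. The `RECORDS` table, `session_user`, the `/submit` path and both function names are hypothetical.

```python
import html

# Constructed sample rows standing in for the database table.
# The SSNs are invalid placeholder values.
RECORDS = {
    1: {"owner": "alice", "ssn": "000-00-0001"},
    2: {"owner": "bob", "ssn": "000-00-0002"},
}


def render_form(session_user: str, record_id: int) -> str:
    """Build the form: the hidden field holds only the row ID, never the SSN."""
    record = RECORDS.get(record_id)
    if record is None or record["owner"] != session_user:
        raise PermissionError("record not available to this user")
    return (
        '<form method="post" action="/submit">'
        f'<input type="hidden" name="record_id" value="{html.escape(str(record_id))}">'
        '<button type="submit">Continue</button></form>'
    )


def handle_submit(session_user: str, form: dict) -> str:
    """Resolve the SSN on the server from the posted ID; return a masked confirmation."""
    try:
        record_id = int(form.get("record_id", ""))
    except (TypeError, ValueError):
        raise PermissionError("malformed record_id") from None
    record = RECORDS.get(record_id)
    # The hidden field is client-controlled, so ownership is re-checked on every request.
    if record is None or record["owner"] != session_user:
        raise PermissionError("record not available to this user")
    ssn = record["ssn"]  # stays on the server; only the last four digits are echoed
    return f"Processed SSN ending in {ssn[-4:]}"
```
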