WebApp Sec mailing list archives

Re: Social Security Number in Hidden field


From: snipe <snipe () snipe net>
Date: Sun, 23 Nov 2014 18:38:15 -0500

I can’t think of a single legitimate reason why SS# should be in a hidden field.

As to whether it’s a security risk, that depends on whether the intranet app is accessible from the outside world, 
whether it runs over SSL, etc. Does the hidden field only show up for admins? Given what seems like it might be lazy 
coding, I could imagine a scenario where if you’re not an admin, the hidden field doesn’t necessarily show up, but if 
you manually submit a SS# (via browser source editing or CSRF), it might not check for admin status before changing 
data on the backend. 

-- 

</snipe>
snipe () snipe net 
@snipeyhead on Twitter

snipe.net | snipeitapp.com | crankyhaiku.com | socialmediadouchebag.net | tumblr.snipe.net | downworthy.snipe.net 

"If we wish to count lines of code, we should not regard them as 'lines produced' but as 'lines spent.'" – Edsger Dijkstra



On November 23, 2014 at 6:20:07 PM, Robin Wood (robin@digi.ninja) wrote:

Is there any reason for the SSN being included in the page? Is it
used, i.e. can it be edited on the page?
 
If not it shouldn't be there by the sound of it.
 
Robin
 
On 23 November 2014 at 20:12, Jyotiranjan Acharya wrote:
Hello,

There is an application which is present in an intranet. When the
Admin of the application loads the user information page, a field
called SSN appears. It shows ###-##-####. But the actual SSN remains
in a hidden field.

Do you think there should be a security issue with this?

Regards
Jyoti



This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now!
http://www.cenzic.com/2009HClaunch_Securityfocus
--------------------------------------
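The two failure modes raised in this thread, as an added example that is not code from the thread or from the intranet application Jyoti describes. It models the pattern in plain Python with constructed records and hypothetical handler names (`render_leaky`, `render_safe`, `update_user_vulnerable`, `update_user_hardened` are all assumptions): the "masked" page still ships the full SSN to anyone who views source or sits behind a proxy, and a lazy update handler that only hides the field from non-admins, rather than authorizing on the server, lets any authenticated user (or a CSRF victim) overwrite the SSN by posting the field themselves. The hardened form never emits the SSN, checks the role and a CSRF token on every request, validates the value, and binds only the fields that role may change.

```python
"""Added example (not from the thread): masked SSN plus hidden field,
the privilege check it silently skips, and a hardened alternative.
All records, sessions, forms and handler names are constructed."""
import copy
import hmac
import html
import re

# Constructed sample data standing in for the intranet app's user table.
SAMPLE_USERS = {42: {"name": "Alice Example", "ssn": "123-45-6789"}}
SSN_RE = re.compile(r"\d{3}-\d{2}-\d{4}")
MASK = "###-##-####"


def fresh_db():
    """Independent copy of the sample table so each scenario starts clean."""
    return copy.deepcopy(SAMPLE_USERS)


def render_leaky(db, user_id):
    """The pattern from the original post: masked text on screen, real SSN
    in a hidden field. View-source or an intercepting proxy reads it."""
    u = db[user_id]
    return (f"<p>SSN: {MASK}</p>\n"
            f'<input type="hidden" name="user_id" value="{user_id}">\n'
            f'<input type="hidden" name="ssn" value="{html.escape(u["ssn"])}">')


def render_safe(db, user_id):
    """Hardened: the full SSN never leaves the server. The form carries only
    the record id; the server looks the record up itself on update."""
    return (f"<p>SSN: {MASK}</p>\n"
            f'<input type="hidden" name="user_id" value="{user_id}">')


def page_leaks_ssn(page):
    """Check a served page for anything shaped like an SSN. The mask is
    cosmetic; only what is absent from the response is protected."""
    return SSN_RE.search(page) is not None


def update_user_vulnerable(db, session, form):
    """Lazy handler: assumes only admins ever see the ssn field, so it
    never checks the role server-side and binds whatever was posted."""
    record = db[int(form["user_id"])]
    for field in ("name", "ssn"):
        if field in form:
            record[field] = form[field]
    return record


def update_user_hardened(db, session, form):
    """Authorize on every request, verify the CSRF token, validate the
    value, and bind only the fields this role is allowed to change."""
    if not hmac.compare_digest(session.get("csrf", ""), form.get("csrf", "")):
        raise PermissionError("bad or missing CSRF token")
    allowed = {"name"}
    if session.get("role") == "admin":
        allowed.add("ssn")
    unexpected = set(form) - allowed - {"user_id", "csrf"}
    if unexpected:
        # A non-admin posting ssn ends up here: reject rather than drop,
        # so the attempt is visible in logs instead of quietly ignored.
        raise PermissionError(f"not permitted to set {sorted(unexpected)}")
    if "ssn" in form and not SSN_RE.fullmatch(form["ssn"]):
        raise ValueError("malformed SSN")
    record = db[int(form["user_id"])]
    for field in allowed & set(form):
        record[field] = form[field]
    return record


if __name__ == "__main__":
    db = fresh_db()
    print("leaky page leaks SSN:", page_leaks_ssn(render_leaky(db, 42)))
    print("safe page leaks SSN: ", page_leaks_ssn(render_safe(db, 42)))
    forged = {"user_id": "42", "ssn": "000-00-0000", "csrf": "tok"}
    print("vulnerable, non-admin:", update_user_vulnerable(fresh_db(), {"role": "user"}, forged))
    try:
        update_user_hardened(fresh_db(), {"role": "user", "csrf": "tok"}, forged)
    except PermissionError as e:
        print("hardened, non-admin:", e)
```

Running the script shows the leaky page containing the real SSN while the safe page does not, and the same forged POST rewriting the SSN through the lazy handler but being rejected by the hardened one. Whether the app is intranet-only changes who can reach it, not whether the server trusts the client; the role check belongs in the handler regardless of what the page shows.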