Saturday, August 31, 2013

Transmitting Data Via Hidden Form Fields

It is a pretty obvious thing that a web application passes data to the user in different forms. It is not a one-way transaction; sometimes the user also needs to pass data to the server, in the form of login credentials, registration details, file uploads and so on.

One way of transmitting data that is not directly modifiable on the client side is hidden HTML form fields. While creating a web page, some fields are created with the hidden type so that they do not appear on the client side, yet everyone interacts with them indirectly. To illustrate this, let's take an example.

Let's suppose an online purchasing website. If a customer is going to buy a product, the only value modifiable on the client side will be the quantity. How many items the customer is going to buy has to be filled in by the client. If the customer selects quantity 2, a function on the client side multiplies the price by the quantity and displays the result on the screen. That is how the whole payment transaction is carried out. In this case the price field is written as a hidden type in the HTML page rather than a normal one, because the website owner does not want the customer to change the price; it has to be static. So it is kept hidden, intended not to be modifiable.

Let's have a look at the picture below.

Let's suppose it is a web page of some xyz shopping website. Here the only modifiable field is quantity; the product name and price fields are hidden, as the website administrator does not want them to be changed by the user or client side (pretty obvious).

The source code of this can be as follows:

<form method="post" action="order.php?id=5">
Product Name : Nekiaa Asha phone 3320 <br>
Product Price : 20,000 INR <br>
Enter Quantity : <input type="text" name="quantity"> <br>
<input type="hidden" name="product_price" value="20000">
<input type="submit" value="buy">
</form>

Have you noticed that the form field product price is set to hidden, and its value 20000 will be submitted directly to the server as soon as the user clicks on the button named BUY?

While submitting the value, if we check the request headers, they will be something like the following:

POST /mobiles/nekiaa/order.php?id=5 HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 25


However, the price field will not be displayed on the screen, and neither will this header. It is clear that the user can neither see this header nor edit the price field from the page itself.

One way to achieve this task is to use an intercepting proxy. It is also called modifying the desired value on the fly. The basic function of a proxy is that it sits between the web server and your browser. The main role of the proxy is to intercept each and every inbound and outbound request passing between server and client.

I am not going into that much detail about how to set up Burp Proxy (we will be using Burp Proxy here); there are a couple of videos on YouTube regarding that.

So after setting up Burp Proxy we will open that order page in the browser, then we will also enter the number in quantity, and before submitting it to the server we will turn Burp Proxy's intercept ON. Then as soon as we click on the BUY button we will see the result below in our Burp Proxy.

Now while submitting the value we can see I got this header. Here I selected 2 as the quantity, so the server has done the calculation as per its method and it was going to submit a value of 40000 for 2 mobiles, as this value was not modifiable from the client's browser. Here I can modify this value and click on the forward button so that my new value (probably less :D) will be given to the server, and if they do not have more security at the server side then I will probably get 2 mobiles for less than 40000.
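What "more security at the server side" looks like, as an added Python example that is not part of the original post: the vulnerable handler trusts the hidden product_price field, while the hardened one recomputes the total from a server-side price list keyed by the id in order.php?id=5 and flags any submitted price that disagrees with it. The catalog, the quantity limit and the form values are constructed for the example.

```python
# Added example (not from the original post): server-side handling of the
# order form above. The catalog, quantity limit and form dicts are constructed.
from decimal import Decimal, InvalidOperation

# Constructed server-side price list, keyed by the id in "order.php?id=5".
CATALOG = {
    "5": {"name": "Nekiaa Asha phone 3320", "price": Decimal("20000")},
}

def vulnerable_total(product_id, form):
    """Trusts the hidden product_price field: whatever the client sent wins,
    so an intercepted request with product_price=1 buys phones for 1 INR each."""
    return Decimal(form["product_price"]) * int(form["quantity"])

def hardened_total(product_id, form):
    """Never uses the client-supplied price for money.

    The total comes from the catalog entry for product_id; the hidden field
    is only compared against it so tampering can be logged.
    Returns (total, tampered)."""
    product = CATALOG.get(product_id)
    if product is None:
        raise ValueError("unknown product id")
    quantity = int(form.get("quantity", "0"))
    if not 1 <= quantity <= 100:          # constructed per-order limit
        raise ValueError("quantity out of range")
    total = product["price"] * quantity

    # Detection: a submitted price that disagrees with the catalog means the
    # request was altered between the browser and the server.
    submitted = form.get("product_price")
    try:
        tampered = submitted is not None and Decimal(submitted) != product["price"]
    except InvalidOperation:              # non-numeric garbage is also tampering
        tampered = True
    return total, tampered

if __name__ == "__main__":
    honest = {"quantity": "2", "product_price": "20000"}
    altered = {"quantity": "2", "product_price": "1"}   # price changed in a proxy
    print("vulnerable, altered request:", vulnerable_total("5", altered))   # 2
    print("hardened, altered request:", hardened_total("5", altered))       # (40000, True)
    print("hardened, honest request:", hardened_total("5", honest))         # (40000, False)
```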

As this is for educational purposes only, my intention was to teach how we can penetrate HIDDEN fields of a form and do something new to a web application.