The application must not store sensitive information in hidden fields.
An XCCDF Rule
Description
<VulnDiscussion>Hidden fields allow developers to process application data without having to display it on the screen. Using hidden fields to pass data in forms is a common practice among web applications and by itself is not a security risk. However, hidden fields are not secure and can be easily manipulated by users. Information requiring confidentiality or integrity protections must not be placed in a hidden field. If data that is sensitive must be stored in a hidden field, it must be encrypted. Furthermore, hidden fields used to control access decisions can lead to a complete compromise of access control mechanisms allowing immediate compromise of the user's application session.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- ID
- SV-222601r961638_rule
- Severity
- High
- References
- Updated
Remediation - Manual Procedure
Design and configure the application to not store sensitive information in hidden fields.
Encrypt sensitive information stored in hidden fields using DoD-approved encryption and use server side session management techniques for user session management.