How to detect hidden field tampering?

Posted by Myron on Stack Overflow See other posts from Stack Overflow or by Myron
Published on 2010-04-13T19:36:35Z Indexed on 2010/04/13 19:43 UTC
Read the original article Hit count: 443

Filed under:
|
|
|

On a form of my web app, I've got a hidden field that I need to protect from tampering for security reasons. I'm trying to come up with a solution whereby I can detect if the value of the hidden field has been changed, and react appropriately (i.e. with a generic "Something went wrong, please try again" error message). The solution should be secure enough that brute force attacks are infeasible. I've got a basic solution that I think will work, but I'm not security expert and I may be totally missing something here.

My idea is to render two hidden inputs: one named "important_value", containing the value I need to protect, and one named "important_value_hash" containing the SHA hash of the important value concatenated with a constant long random string (i.e. the same string will be used every time). When the form is submitted, the server will re-compute the SHA hash, and compare against the submitted value of important_value_hash. If they are not the same, the important_value has been tampered with.

I could also concatenate additional values with the SHA's input string (maybe the user's IP address?), but I don't know if that really gains me anything.

Will this be secure? Anyone have any insight into how it might be broken, and what could/should be done to improve it?

Thanks!

© Stack Overflow or respective owner

Related posts about security

Related posts about hidden-field