
HTML Form Tampering in Perl

Last Updated : 14 Sep, 2021

Web applications use HTML forms to receive input from the user. HTML forms have one major drawback: a user can save the form to a file, edit it, and submit the edited form back to the server. The problem is made worse by the fact that web applications are “stateless” by nature. HTTP transactions are connectionless, and each one is transmitted in one go. When collecting data, an application often takes the user through a series of input forms before storing the information on the server. The “state” information is held in the user’s browser and sent back to the server with each transaction. This state information can be stored in 3 ways:

  • ‘Cookies’ in the browser
  • Special tags in the URL
  • ‘hidden’ fields in HTML forms

The most commonly used method in HTML forms is ‘hidden’ fields. They hide the input in the form, are the simplest to use, and can hold a lot of data. However, because the data is stored in the user’s web browser while the forms are being filled in, hidden fields are easy to tamper with.

Example: A simple web application that allows users to ‘login’ and update their ‘mail address’, using the CGI library in Perl.

Perl

#!/usr/bin/perl
use CGI qw/:standard/;
 
# Printing the MIME header:
print "Content-type: text/html\n\n";
print '<html><body>';
print '<h1>Tampering Input Form Example</h1>';
 
# Assign some unchanged example values:
$userid = 'GeeksforGeeks';
$credit_ok = 1;
$form_expires = '40002002:10:53:50';
 
# Displaying a blank HTML form:
if (! param('chaddr'))
{
 print_form();
}
else {
 print "You made this easy ", param('userid'), "<br>";
 print "Your address information has been successfully updated.";
}
print "</body></html>";
 
## SUBROUTINES:
sub print_form {
 
# Prints an example HTML form with the state in hidden fields.
# No action attribute: the form posts back to this script's own URL.
print<<END_TEXT;
<form method="post">
<table>
<tr>
<td><b>Address line A:</b></td><td><input type="text" name="addressA"></td>
<tr>
<td><b>Address line B:</b></td><td><input type="text" name="addressB"></td>
<tr>
<td><b>City:</b></td><td><input type="text" name="city"></td>
<tr>
<td><b>Prov:</b></td><td><input type="text" name="prov"></td>
<tr>
<td><b>Postal:</b></td><td><input type="text" name="postal"></td>
<tr><td colspan="2" align="center">
<input type="hidden" name="userid" value="$userid">
<input type="hidden" name="credit_ok" value="$credit_ok">
<input type="hidden" name="form_expires" value="$form_expires">
<input type="submit" name="chaddr" value="Change address">
</td></tr>
</table>
</form>
END_TEXT
}


In the above example, we’ve skipped the login page of the web application, and the script doesn’t do anything with the data of the form. When we run the form in our web browser and look at the HTML source code, we see that the form uses ‘hidden’ fields to save the information from the login process:

<input type="hidden" name="userid" value="GeeksforGeeks">

<input type="hidden" name="credit_ok" value="1">

<input type="hidden" name="form_expires" value="40002002:10:53:50">

After filling in some information in the form and pressing the submit button, a confirmation screen uses the value of the hidden ‘userid’ field directly from the HTML form.

Tampering with the Form:

To tamper with an HTML form, press ‘Ctrl+S’ to save the HTML form’s web page to your computer. The saved HTML form contains the ‘hidden’ fields and can be edited using a text editor. Change the ‘userid’ field and then save the edited file. Then open the same file in your web browser and submit the form. The web application will accept the edited form because it trusts the ‘hidden’ fields.

Example: HTML form tampering by changing the hidden fields.

  • HTML Form:

  • Saving the above form by ‘Ctrl+S’
  • Initially hidden fields in the form:

HTML

<input type="hidden" name="userid" value="GeeksforGeeks"/>
 
<input type="hidden" name="credit_ok" value="1"/>
 
<input type="hidden" name="form_expires" value="40002002:10:53:50"/>


  • The ‘userid’ has the value “GeeksforGeeks” and the type is hidden.
  • After tampering with the hidden fields in the form:

HTML

<input type="hidden" name="userid" value="Geeks123" />
 
<input type="hidden" name="credit_ok" value="1" />
 
<input type="hidden" name="form_expires" value="40002002:10:53:50"/>


  • The ‘userid’ value is changed from “GeeksforGeeks” to “Geeks123” using a text editor. Then save the file, open it in the web browser, fill in the form, and press the submit button.
  • On pressing the submit button, the application accepts the edited value, because it trusts the ‘hidden’ fields.

Preventing HTML Form Tampering:

There are many solutions to the tampering of HTML forms. Some are given below:

  1. Secret Keys: One solution to HTML form tampering is the use of secret keys. A secret key can detect changes made to the fields, but it is not completely foolproof. This method relies on a secret key that is stored on the web server. If the server is well protected against break-ins and the key is changed regularly, it is going to be secure enough.
  2. HTTP_REFERER: Senior developers might think that tampering can be stopped by checking the HTTP_REFERER variable. Many web browsers send a header, HTTP_REFERER, which contains the URL of the page the user viewed before. For some simple web applications, HTTP_REFERER contains only the URL of the application. When the user tries to tamper with the form by saving it and then submitting it, HTTP_REFERER is blank or contains a different URL.
  3. Smashing/deleting cookies: Languages like Java and PHP store the data of the user’s session on the web server. Because the data is not stored in the user’s web browser, it becomes difficult for the user to tamper with any data fields. The server-side data is referenced by a client-server identifier in the form of a session ID, which is stored as a cookie. Cookies are of two types:
    1. Transient (session) cookies: these come without any expiry date.
    2. Persistent cookies: these come with an expiry date set in the future.
  4. Using Digest algorithms: Digest algorithms make a unique ‘signature’ string for any input fields. This makes it impossible for the user to tamper with the input fields of a form unnoticed, because only unchanged fields produce the same signature. These algorithms are used in VPNs, SSL browser connections, etc. for ‘signing’ data, and they can also be used in web applications to sign the hidden fields. The most commonly used digest algorithm is Message Digest 5, also called MD5. The better digest algorithm is SHA1 HMAC.
    1. Message Digest 5: It is a widely used digest algorithm, used in almost all web applications to sign the hidden fields, but it also suffers from tampering attacks. With MD5, one can create a fingerprint of the hidden fields: the hidden field values are concatenated into a string, the string is passed through the digest algorithm, and the resulting fingerprint is sent in another hidden field. Tampering with this fingerprint is stopped by adding a secret component to it, which the user never knows.
    2. HMAC standard: The standard way of using a digest algorithm is HMAC. This algorithm hides the input fields using two keys and three iterations, through MD5 or SHA1.

Example: A web application that changes the ‘address’ of the user and uses the ‘MD5’ digest algorithm to make the form tamper-proof, using the CGI library in Perl.

Perl

#!/usr/bin/perl -T
# Tamper-proof-form.pl
use Digest::MD5 qw(md5_base64);
use CGI qw/:standard/;
 
# Secret password to sign the form variables:
$secretkey = 'Geeks_for_Geeks_123';
 
# Printing the MIME header:
print "Content-type: text/html\n\n";
print '<html><body>';
print '<h1>Tamper proof form example</h1>';
 
# Assigning some unchanged example values:
$userid = 'GeeksforGeeks';
$credit_ok = 1;
$form_expires = '30004004:11:52:40';
 
# Displaying a blank HTML form:
if ( ! param('chaddr') ) {
 
 # Creating an MD5 signature:
 $signature = sigMD5( 'create', $secretkey, '$userid', '$credit_ok',
 '$form_expires');
 print_form();
}
else {
 
 # Validating the signature:
 if ( sigMD5( 'check', $secretkey, 'userid', 'credit_ok',
 'form_expires' ) eq param('signature') ) {
 print "You made this easy ", param('userid'), "<br>";
 print "You've successfully updated your address information.";
 }
 else {
 print "ERROR: 'Hidden' fields were tampered with!";
 }
}
print "</body></html>";
 
sub print_form {
 
# Printing an example HTML form with signature:
print<<END_TEXT;
 
 
<p><form action="http://netlify.app/cgi/Tamper-proof-form.pl" method="post">
<table>
<tr>
<td><b>Address line A:</b></td><td><input type="text" name="addressA"></td>
<tr>
<td><b>Address line B:</b></td><td><input type="text" name="addressB"></td>
<tr>
<td><b>City:</b></td><td><input type="text" name="city"></td>
<tr>
<td><b>Prov:</b></td><td><input type="text" name="prov"></td>
<tr>
<td><b>Postal:</b></td><td><input type="text" name="postal"></td>
<tr><td colspan="2" align="center">
<input type="hidden" name="userid" value="$userid">
<input type="hidden" name="credit_ok" value="$credit_ok">
<input type="hidden" name="form_expires" value="$form_expires">
<input type="hidden" name="signature" value="$signature">
<input type="submit" name="chaddr" value="Change address">
</td></tr>
</table>
</form>
END_TEXT
}
sub sigMD5 {
 my $mode = shift;
 my $key = shift;
 my @names = @_;
 my $values = '';
 my $fieldname;
  
 # Joining each variable name with its value:
 foreach $fieldname (@names) {
 if ($mode eq 'create') {
 $values .= $fieldname . eval $fieldname;
 } else {
 $values .= '$' . $fieldname . param($fieldname);
 }
 }
 $values = $key . $values;
 return md5_base64($values);
}


  • When we run the above form in our web browser and look at the HTML source code, the form contains a new hidden field, “signature”, storing an MD5 ‘fingerprint’.

<input type="hidden" name="userid" value="GeeksforGeeks">

<input type="hidden" name="credit_ok" value="1">

<input type="hidden" name="form_expires" value="30004004:11:52:40">

<input type="hidden" name="signature" value="OZ+1iYhIPiDw5hJdtjywQA">

  • The above fingerprint/signature value was generated from the ‘names’ and ‘values’ of the hidden fields, together with the ‘secret key’, which is stored on the server.
  • When the user submits the form, the contents of the hidden fields are combined with the secret key again, generating an MD5 fingerprint. The fields are checked for tampering by matching this newly produced MD5 ‘signature’ against the signature in the original form.

The above methods can be used to prevent HTML form tampering to a great extent, but they are not completely foolproof.

Example: HTML form tampering by changing the hidden fields in a form that uses the MD5 digest algorithm.

  • HTML Form:

  • Saving the above form by ‘Ctrl+S’
  • Initially hidden fields in the form:

HTML

<input type="hidden" name="userid" value="GeeksforGeeks" />
 
<input type="hidden" name="credit_ok" value="1" />
 
<input type="hidden" name="form_expires" value="30004004:11:52:40" />
 
<input type="hidden" name="signature" value="OZ+1iYhIPiDw5hJdtjywQA" />


The ‘userid‘ has the value “GeeksforGeeks” and the type is hidden.

  • After tampering with the hidden fields in the form:

HTML

<input type="hidden" name="userid" value="Geeks123" />
 
<input type="hidden" name="credit_ok" value="1" />
 
<input type="hidden" name="form_expires" value="30004004:11:52:40" />
 
<input type="hidden" name="signature" value="OZ+1iYhIPiDw5hJdtjywQA" />


  • The ‘userid’ value is changed from “GeeksforGeeks” to “Geeks123” using a text editor. Then save the file, open it in the web browser, fill in the form, and press the submit button.
  • On pressing the submit button, the signature check fails and the application reports that the ‘hidden’ fields were tampered with.

  • Now checking the HTML source code of the submitted form:

HTML

<input type="hidden" name="userid" value="Geeks123" />
 
<input type="hidden" name="credit_ok" value="1" />
 
<input type="hidden" name="form_expires" value="30004004:11:52:40" />
 
<input type="hidden" name="signature" value="KJ+1oUbLiDqf9kWcymuvAL" />


The web application was using the MD5 digest algorithm, which prevents tampering with HTML forms. The difference can be clearly seen by comparing the original signature, ‘OZ+1iYhIPiDw5hJdtjywQA’, with the signature obtained after the form has been submitted, ‘KJ+1oUbLiDqf9kWcymuvAL’.
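
The article names HMAC as the standard way to use a digest and prefers it over a bare MD5 fingerprint. The same hidden-field signing done with HMAC, as an added example that is not part of the original article: it uses HMAC-SHA256 via `hmac_sha256_hex` from the core Digest::SHA module instead of SHA1, and the key value, the helper names (`canonical`, `sign_fields`, `same_sig`, `verify_fields`) and the length-prefixed field encoding are assumptions of this sketch.

```perl
#!/usr/bin/perl
# Added example (not from the original article): HMAC over the hidden fields.
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

# Assumption: a real deployment loads the key from server-side
# configuration; this constructed value is for the demo only.
my $SECRET_KEY = 'constructed-demo-key-not-for-production';

# Hidden fields covered by the signature, always in this fixed order.
my @SIGNED = qw(userid credit_ok form_expires);

# Length-prefix every name and value so that the field boundaries
# are unambiguous in the message that gets signed.
sub canonical {
    my ($f) = @_;
    return join '', map {
        my $v = defined $f->{$_} ? $f->{$_} : '';
        length($_) . ':' . $_ . length($v) . ':' . $v;
    } @SIGNED;
}

sub sign_fields { return hmac_sha256_hex(canonical($_[0]), $SECRET_KEY) }

# Compare two signatures without stopping at the first differing character.
sub same_sig {
    my ($x, $y) = @_;
    return 0 unless defined $x && defined $y && length($x) == length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0;
}

sub verify_fields { return same_sig(sign_fields($_[0]), $_[1]) }

# Constructed sample data: the values the server wrote into the form.
my %issued = (userid => 'GeeksforGeeks', credit_ok => 1,
              form_expires => '30004004:11:52:40');
my $sig = sign_fields(\%issued);
my %tampered = (%issued, userid => 'Geeks123');   # edited in a saved copy

for my $case (['unmodified', \%issued, $sig], ['tampered', \%tampered, $sig],
              ['no signature', \%issued, undef]) {
    my ($name, $fields, $s) = @$case;
    printf "%-13s %s\n", $name, verify_fields($fields, $s) ? 'accepted' : 'rejected';
}
```

In a CGI script, `sign_fields` would fill the ‘signature’ hidden field when the form is printed, and `verify_fields` would run on the submitted `param()` values before any of them is used.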


