Web Application Security
Social Security Number in Hidden field Nov 23 2014 08:12PM
Jyotiranjan Acharya (jyotiranjan121 gmail com) (1 replies)
Re: Social Security Number in Hidden field Nov 23 2014 10:28PM
Robin Wood (robin digi ninja) (1 replies)
Re: Social Security Number in Hidden field Nov 23 2014 11:38PM
snipe (snipe snipe net) (1 replies)
Re: Social Security Number in Hidden field Nov 23 2014 11:54PM
Abhay Rana (capt n3m0 gmail com) (2 replies)
RE: Social Security Number in Hidden field Nov 24 2014 03:17PM
Jeffory Atkinson (jatkinson zelvin com) (1 replies)
RE: [EXT] RE: Social Security Number in Hidden field Nov 24 2014 08:58PM
Hambleton, Robert F (RHamble citgo com)
I completely agree. Even with just the last 4 digits, the application needs to have a role based security framework, the pages should be non-caching and SSL should be utilized. This would be for intranet and internet based applications, traffic can be sniffed on any network.

-----Original Message-----

From: listbounce (at) securityfocus (dot) com [email concealed] [mailto:listbounce (at) securityfocus (dot) com [email concealed]] On Behalf Of Jeffory Atkinson

Sent: Monday, November 24, 2014 9:18 AM

To: 'Abhay Rana'; webappsec (at) securityfocus (dot) com [email concealed]

Subject: [EXT] RE: Social Security Number in Hidden field

In this day in age the SSN should never be a hidden variable. SSN should be treated nearly like a password. If an application needs the ssn for some sort of operations it should be masked and index on the back end. (Ie. if the application is providing the ssn number it should look something like xxx-xx-1234 at a min and the variable within the html should be should be a reference point that translates to the true value on the backend.) The only time a ssn should be transmitted is from the user. No application should transmit it to the user.

-----Original Message-----

From: listbounce (at) securityfocus (dot) com [email concealed] [mailto:listbounce (at) securityfocus (dot) com [email concealed]] On Behalf Of Abhay Rana

Sent: Sunday, November 23, 2014 6:54 PM

To: webappsec (at) securityfocus (dot) com [email concealed]

Subject: Re: Social Security Number in Hidden field

No, putting it in a hidden field is same as showing it to a tech-savvy admin. Unless admins are supposed to see the SSN (and are authorized to), there is no reason for it to be in a hidden field.

If you really need it there (for some future requests in the form), it might be better to instead put the SSN's unique ID from the database

(1,2,3) in the hidden field, and using it to get the SSN in the next request on the server side.

--

Nemo

This list is sponsored by Cenzic

--------------------------------------

Let Us Hack You. Before Hackers Do!

It's Finally Here - The Cenzic Website HealthCheck. FREE.

Request Yours Now!

http://www.cenzic.com/2009HClaunch_Securityfocus

--------------------------------------

This list is sponsored by Cenzic

--------------------------------------

Let Us Hack You. Before Hackers Do!

It's Finally Here - The Cenzic Website HealthCheck. FREE.

Request Yours Now!

http://www.cenzic.com/2009HClaunch_Securityfocus

--------------------------------------

[ reply ]
Re: Social Security Number in Hidden field Nov 24 2014 04:31AM
Lorne Kates (lkates gmail com) (1 replies)
Re: Social Security Number in Hidden field Nov 24 2014 07:11AM
Antti Virtanen (Antti Virtanen solita fi)


 

Privacy Statement
Copyright 2010, SecurityFocus