In a form in my web application, I have a hidden field that I need to protect against unauthorized access for security reasons. I am trying to find a solution in which I can determine whether the value of the hidden field has been changed and react accordingly (i.e. with the error message "Something went wrong, try again"). The solution must be safe enough that brute force attacks are not feasible. I have a basic solution that I think will work, but I'm not a security expert, and I may be missing something entirely.
My idea is to display two hidden inputs: one with the name "important_value" containing the value that I need to protect, and one with the name "important_value_hash" containing the SHA hash of the important value concatenated with a constant long random string (i.e. the same string will be used every time). When the form is submitted, the server will recalculate the SHA hash and compare it with the submitted important_value_hash value. If they do not match, the important value has been changed.
I could also mix extra values into the SHA input string (maybe the user's IP address?), but I don't know whether this really gains me anything.
Would this be safe? Can anyone see how this could be broken, and what can/should be done to improve it?
Thanks!
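Here is an added example (not code from the question) of the scheme described above, with two changes a reviewer would ask for. The tag is an HMAC-SHA256 keyed with the server secret rather than a plain SHA hash of secret-plus-value: a plain hash with the secret prepended is open to length-extension attacks, and HMAC is the standard keyed-integrity construction for this job. The current session identifier is also mixed into the message, so a valid value/tag pair copied from one user's form cannot be replayed in another user's session; binding to the session is more reliable than the IP address mentioned in the question, which legitimately changes behind NAT and on mobile networks. The secret value, the field names and the session id are assumptions for the example. The server secret must be long, random and never sent to the client; that, not the hash function, is what makes brute force infeasible. Note that this makes the field tamper-evident, not secret: the user can still read the value.

```python
import hashlib
import hmac
import html

# Assumed server-side secret for the example. In a real deployment load it
# from configuration (32+ random bytes) and never send it to the client.
SERVER_SECRET = b"example-only-secret-0123456789abcdef"


def make_tag(value: str, session_id: str) -> str:
    """Compute the tag that goes into important_value_hash.

    HMAC-SHA256 keyed with the server secret replaces the plain
    SHA(secret + value) of the question: HMAC is not subject to length
    extension and is the standard keyed-integrity construction. The session
    id is length-prefixed into the message so the encoding is unambiguous
    and the tag is only valid in the session that rendered the form.
    """
    message = f"{len(session_id)}:{session_id}:{value}".encode("utf-8")
    return hmac.new(SERVER_SECRET, message, hashlib.sha256).hexdigest()


def render_hidden_fields(value: str, session_id: str) -> str:
    """Emit the two hidden inputs described in the question."""
    tag = make_tag(value, session_id)
    return (
        f'<input type="hidden" name="important_value" value="{html.escape(value)}">\n'
        f'<input type="hidden" name="important_value_hash" value="{tag}">'
    )


def verify_submission(form: dict, session_id: str) -> bool:
    """Return True only if the submitted value matches its tag for this session.

    The comparison is constant-time so an attacker cannot learn, byte by byte,
    how close a guessed tag is. A missing or malformed field simply fails.
    """
    value = form.get("important_value", "")
    submitted_tag = form.get("important_value_hash", "")
    if not isinstance(submitted_tag, str) or not submitted_tag.isascii():
        return False
    expected_tag = make_tag(value, session_id)
    return hmac.compare_digest(expected_tag, submitted_tag)


if __name__ == "__main__":
    sid = "session-1234"  # assumed session identifier
    print(render_hidden_fields("42", sid))
    good = {"important_value": "42", "important_value_hash": make_tag("42", sid)}
    tampered = dict(good, important_value="43")
    print(verify_submission(good, sid), verify_submission(tampered, sid))
```

On the server, compute `session_id` from the authenticated session cookie, never from a form field, or the attacker simply submits the session id the tag was minted for.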
It would be better to keep the hash on the server side. It can be assumed that an attacker could change the value, generate their own SHA-1 hash and add the random string (they can easily work this out by accessing the page several times). If the hash is on the server side (possibly in some kind of cache), you can recalculate the hash and check it to make sure that the value has not been changed in any way.
EDIT
I read the random string part of the question (constant salt) incorrectly. But I think the starting point still stands: an attacker could create a list of hash values that match a hidden value.
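As an added example (not the answerer's code) of the server-side approach this answer recommends: the hash of the protected value is recorded in a per-session cache keyed by an opaque form id, the page carries only the value and the form id, and on submission the server recomputes the hash and compares it with the stored one, consuming the entry so a form cannot be submitted twice. The in-memory dict stands in for whatever session store or cache the application uses, and the field names are assumptions. Once state is kept server-side, storing the value itself instead of its hash is equally valid and simpler; the hash is kept here to match the answer.

```python
import hashlib
import hmac
import secrets

# Assumed stand-in for the server-side cache the answer refers to, keyed by
# (session_id, form_id). Example only; a real app would use its session backend.
_expected_hashes: dict = {}


def _digest(value: str) -> str:
    # No secret is needed here: the reference hash never leaves the server.
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def prepare_form(session_id: str, value: str) -> dict:
    """Record the hash of the value server-side and return the fields to render.

    The page gets the value plus an unguessable form id; there is no hash
    field for the client to tamper with or brute-force.
    """
    form_id = secrets.token_urlsafe(16)
    _expected_hashes[(session_id, form_id)] = _digest(value)
    return {"form_id": form_id, "important_value": value}


def check_submission(session_id: str, form: dict) -> bool:
    """Recompute the hash of the submitted value and compare with the stored one.

    The entry is popped on first use so a captured form cannot be replayed,
    and the lookup is keyed by session so one user's form id is useless to
    another. The comparison is constant-time.
    """
    stored = _expected_hashes.pop((session_id, form.get("form_id", "")), None)
    if stored is None:
        return False
    return hmac.compare_digest(stored, _digest(form.get("important_value", "")))


if __name__ == "__main__":
    fields = prepare_form("session-1", "premium")  # assumed session id and value
    print(check_submission("session-1", dict(fields)))
    print(check_submission("session-1", dict(fields, important_value="admin")))
```

Entries should also expire (the cache the answer mentions usually does this for you) so abandoned forms do not accumulate indefinitely.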
[The remaining answers in this thread are garbled beyond recovery in this copy; only isolated terms survive: "nifty", "do-not-tamper", RSA, DSA, HMAC, HTTP, /login/session, Cross Site Request, HTML, cookie, the ASP.NET MVC canary, RNGCryptoServiceProvider, DateTime (UTC), AES 256-bit encryption.]