I am starting to have a look at HTML form security. So far my research revealed three main attack vectors:
- Cross-site request forgery (CSRF)
- Cross-site scripting (XSS)
- SQL Injection
My question is: Are there more attack vectors for HTML forms than these? I am interested in a list of possible attacks through HTML forms.
A form is identical to a URI or headers in terms of being an injection vector for user-supplied data. The general "don't trust the client" rules apply as shown by the possibility of SQL injection, XSS, etc. So, forms that only rely on JavaScript validation without server-side validation are bad.
Problems more specific to forms include:
- Assuming type=hidden fields are not visible to or will not be manipulated by a user
- Not submitting sensitive data via HTTPS
- Incorrectly masking data (e.g. displaying last N digits of credit card to the user, but all digits are somewhere in the page anyway)
- For languages like PHP where GET and POST data can be accessed from different arrays, applying security checks to $_POST, but taking values from $_GET
Workflow or "business logic" problems aren't specific to forms, but they apply more often to the functionality often handled with them:
- Inadequate workflow enforcement, such as form A must be filled out before form B, but the state transition is tracked on the client side rather than the server side. (A user can skip a step that shouldn't be skipped.)
- Lack of rate limiting. This depends on context, e.g. hitting a form that sends emails spams users or the ops team, repeatedly hitting an "apply discount" form to reduce a price, a search that requires a full table scan might lead to a DoS.
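To make several of the points above concrete (hidden fields that the client can edit, reading only from POST, server-side workflow state and rate limiting), here is an added Python example of a server-side handler for a "form B" checkout step; it is not code from the answer, and it assumes an in-memory session store and a secret that real code would load from configuration.

```python
import hmac
import hashlib
import time

# Assumption: in real code this comes from configuration, never from the page.
SECRET = b"constructed-server-side-secret"
# Constructed in-memory session store: session_id -> {"step": int, "submits": [timestamps]}
SESSIONS = {}


def sign_hidden(value: str) -> str:
    """Emit 'value.mac' for a type=hidden field so that client-side edits are detectable."""
    mac = hmac.new(SECRET, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}.{mac}"


def verify_hidden(field: str):
    """Return the original value if the MAC matches, otherwise None (field was tampered)."""
    value, _, mac = field.rpartition(".")
    expected = hmac.new(SECRET, value.encode(), hashlib.sha256).hexdigest()
    return value if hmac.compare_digest(mac.encode(), expected.encode()) else None


def complete_step_a(session_id: str) -> None:
    """Form A was accepted: record the state transition on the server, not the client."""
    SESSIONS.setdefault(session_id, {"step": 0, "submits": []})["step"] = 1


def handle_checkout(session_id: str, post: dict, now=None, limit=5, window=60):
    """Process form B. Values are taken only from the POST body (no fallback to GET),
    the workflow order is enforced from server-side state, submissions are rate
    limited per session, and every field is validated regardless of any JS checks."""
    now = time.time() if now is None else now
    sess = SESSIONS.setdefault(session_id, {"step": 0, "submits": []})
    if sess["step"] < 1:                      # form A must have been completed first
        return "error", "complete step A first"
    recent = [t for t in sess["submits"] if now - t < window]
    if len(recent) >= limit:                  # simple sliding-window rate limit
        return "error", "rate limited"
    sess["submits"] = recent + [now]
    price_field = post.get("price")           # hidden field; treat as untrusted input
    if price_field is None:
        return "error", "missing price"
    price = verify_hidden(price_field)
    if price is None:
        return "error", "tampered hidden field"
    qty = post.get("qty", "")
    if not qty.isdigit() or not 1 <= int(qty) <= 100:
        return "error", "invalid quantity"
    return "ok", int(price) * int(qty)
```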