CS.SV.HIDDEN_FORM

Avoid using hidden form fields to store content with potential security impact.

The program creates a hidden form field. Programmers often trust the contents of hidden fields, expecting that users will not be able to view them or manipulate their contents. Attackers will violate these assumptions. They will examine the values written to hidden fields and alter them or replace the contents with attack data.

Mitigation and prevention

To resolve the issue, either mark the code which calls the Assert with the SecurityCriticalAttribute, or remove the Assert.

Example

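  using System;
  using System.Security;
  using System.Security.Permissions;
  using System.Web.UI.HtmlControls; // HtmlInputHidden is declared in this namespace

  namespace TransparencyWarningsDemo
  {
      public class TransparentMethodsUseSecurityAssertsClass
      {
          public void test()
          {
              // Flagged: the program creates a hidden form field
              HtmlInputHidden hidden = new HtmlInputHidden();
          }
      }
  }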

If hidden fields carry sensitive information, this information will be cached the same way the rest of the page is cached. This can lead to sensitive information being tucked away in the browser cache without the user's knowledge.
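
The following is an added example, not part of the original checker documentation: one way to stop the server from trusting an edited hidden field is to attach an HMAC tag when the field is written and to reject the posted value if the tag does not verify. The names `HiddenFieldGuard`, `Protect` and `TryUnprotect` are hypothetical, and the key and field value are constructed for the demo; a real application would use a server-side secret that never reaches the client.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added illustration; HiddenFieldGuard, Protect and TryUnprotect are hypothetical names.
public static class HiddenFieldGuard
{
    // Builds "value|base64(HMAC-SHA256(value))" to assign to the hidden field's Value.
    public static string Protect(string value, byte[] key)
    {
        return value + "|" + Convert.ToBase64String(Mac(value, key));
    }

    // Yields the original value only when the tag verifies; any client-side edit fails.
    public static bool TryUnprotect(string posted, byte[] key, out string value)
    {
        value = null;
        if (posted == null) return false;
        int sep = posted.LastIndexOf('|');   // Base64 never contains '|'
        if (sep < 0) return false;
        string candidate = posted.Substring(0, sep);
        byte[] tag;
        try { tag = Convert.FromBase64String(posted.Substring(sep + 1)); }
        catch (FormatException) { return false; }
        if (!ConstantTimeEquals(tag, Mac(candidate, key))) return false;
        value = candidate;
        return true;
    }

    private static byte[] Mac(string value, byte[] key)
    {
        using (var hmac = new HMACSHA256(key))
            return hmac.ComputeHash(Encoding.UTF8.GetBytes(value));
    }

    // Compares every byte so the comparison time does not depend on where tags differ.
    private static bool ConstantTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    public static void Main()
    {
        byte[] key = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(key); // constructed demo key
        string field = Protect("price=19.99", key);                         // constructed sample value
        string v;
        Console.WriteLine(TryUnprotect(field, key, out v));                         // untouched round trip
        Console.WriteLine(TryUnprotect(field.Replace("19.99", "0.01"), key, out v)); // value edited in the browser
    }
}
```

The tag covers integrity only: the value is still readable in the page source and is cached with the page, so sensitive data belongs in server-side state rather than in the field.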