HTML form rendering with weird hidden input fields

I have a new ecommerce site, which uses lead forms to collect customer info. On our live production site, there are hidden input fields with encrypted looking name and value attributes. Here is an example:

<input type="hidden" name="fxOAgTXmrd_k" value="MHVgCPf2J">  
<input type="hidden" name="jEvdKncJwDa" value="UFQPsvy5bx60OL">
<input type="hidden" name="lcZhEMQDb-" value="nNrvImtYAwde]L">

These fields are not present in the template code, so I don’t know why or how they are getting added to the live pages. I don’t see these fields in my local or remote staging environments.

This is a WordPress site, custom theme. I’m not sure if that is relevant.

Any idea what the purpose of these hidden fields is? Is it possible this is some sort of hacking attempt? The forms seem to submit and redirect as expected.

Answer

What you describe looks like CSRF Tokens.

What are CSRF tokens?

A CSRF token is a unique, secret, unpredictable value that is generated by the server-side application and transmitted to the client in such a way that it is included in a subsequent HTTP request made by the client. When the later request is made, the server-side application validates that the request includes the expected token and rejects the request if the token is missing or invalid.

[…]

How should CSRF tokens be transmitted?

CSRF tokens should be treated as secrets and handled in a secure manner throughout their lifecycle. An approach that is normally effective is to transmit the token to the client within a hidden field of an HTML form that is submitted using the POST method. The token will then be included as a request parameter when the form is submitted:

<input type="hidden" name="csrf-token" value="CIwNZNlR4XbisJF39I8yWnWX9wX4WFoz" />

Source: https://portswigger.net/web-security/csrf/tokens
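As an added illustration of the mechanism the answer quotes (this is example code, not part of the original answer, the PortSwigger page, or WordPress), the sketch below shows the full lifecycle of a session-bound CSRF token on the server side: generate it from a CSPRNG, store it in the session, emit it as a hidden input, and then accept a POST only if the submitted value matches in a constant-time comparison. WordPress ships its own equivalent (wp_nonce_field() / wp_verify_nonce(), which emit a hidden field usually named _wpnonce); the Python below is a plain stand-in for that idea. The session dict, the field name csrf-token, and the sample form submissions are constructed for the demo.

```python
import hmac
import html
import secrets

TOKEN_BYTES = 32  # 256 bits from the OS CSPRNG; unguessable by a cross-site attacker


def issue_token(session: dict) -> str:
    """Create a CSRF token for this session (once) and remember it server-side.

    Reusing one token per session lets several forms on a page share it;
    per-request tokens are stricter but break multi-tab browsing.
    """
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(TOKEN_BYTES)
    return session["csrf_token"]


def render_hidden_field(token: str, field_name: str = "csrf-token") -> str:
    """Emit the hidden input the answer describes.

    Both name and value are attribute-escaped so a token (or a bug that puts
    user data here) can never break out of the attribute.
    """
    return '<input type="hidden" name="{}" value="{}">'.format(
        html.escape(field_name, quote=True), html.escape(token, quote=True)
    )


def validate_request(session: dict, form: dict, field_name: str = "csrf-token") -> bool:
    """Accept a state-changing POST only if it carries the session's token.

    Missing, malformed, or mismatched tokens are all rejected; the comparison
    is constant-time so the token cannot be recovered byte-by-byte via timing.
    """
    expected = session.get("csrf_token")
    submitted = form.get(field_name)
    if not isinstance(expected, str) or not isinstance(submitted, str):
        return False
    return hmac.compare_digest(expected.encode("utf-8"), submitted.encode("utf-8"))


def demo() -> dict:
    """Walk one legitimate submission and two forged ones through the check."""
    session = {}  # constructed stand-in for a server-side session store
    token = issue_token(session)
    page_fragment = render_hidden_field(token)  # what the browser receives inside the <form>

    # Legitimate submit: the browser posts back the field it was given.
    legit_form = {"email": "customer@example.com", "csrf-token": token}
    # Forged cross-site form: the attacker cannot read the victim's page, so
    # the token is either absent or a guess.
    forged_missing = {"email": "attacker@example.com"}
    forged_guess = {"email": "attacker@example.com",
                    "csrf-token": secrets.token_urlsafe(TOKEN_BYTES)}

    return {
        "hidden_field": page_fragment,
        "legit": validate_request(session, legit_form),
        "missing": validate_request(session, forged_missing),
        "guess": validate_request(session, forged_guess),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The hidden field is only the transport; the security comes from the server keeping its own copy of the token and refusing any POST whose copy does not match, which is why a forged form from another origin (no token, or a guessed one) is rejected while the user's own form succeeds.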

User contributions licensed under: CC BY-SA