How to keep form data from being viewed in source

Posted: Wed Jun 14, 2006 1:27 pm
by daedalus__
Okay.

My work is developing an online store for their current (ASP) website.

The guy and I are trying to figure out how to obscure our form data so that a malicious user viewing the source can't read any of the data.

It's a crappy CC verification software and company and I have no idea how any of their stuff works. Their guide recommended that we use a server side language to pass sensitive information to the next page in the form.

All I can say is "WTF"?

My first thought was, instead of using "hidden" form fields, maybe we can use a server side language to post values we do not want seen to the next page. It's probably a stupid idea, but it was a thought.

The second thing I thought of was to simply encrypt the sensitive information. I think this would work best but he wants to hide the form names as well.

I remembered a neat trick I saw on a website once. They sell website templates and let you view them in their entirety but when you view the source it's a very long encrypted string surrounded by one or two functions that unencrypt and output it to the browser. Now, I don't know how or where they hid the actual function definitions but I know that the trick fooled me long enough for me to become disinterested and move on.

I am wondering if any of these methods will work, and what your recommendation for securing this data is.

Now, I know that this may not be enough to go on and I know as much about the problem as I have told you all. He just asked "how can I secure the data in this form so people viewing the source can't view it". I am merely trying to answer his question so please bear with me, even if it is a stupid one.

Re: How to keep form data from being viewed in source

Posted: Wed Jun 14, 2006 1:33 pm
by Roja
Daedalus- wrote: "how can I secure the data in this form so people viewing the source can't view it"
You can't.

Not effectively, not reliably, can't be done. All you can do is *obscure* the data to make it harder to view it. Can't != harder.

Posted: Wed Jun 14, 2006 1:38 pm
by daedalus__
He asked, not me.

If you know a good method of obscuring the data, maybe you could share?

Sharing is caring :)

Posted: Wed Jun 14, 2006 1:44 pm
by Roja
Daedalus- wrote: He asked, not me.

If you know a good method of obscuring the data, maybe you could share?

Sharing is caring :)
If there was a good method, I would. There isn't. All of them simply increase the difficulty, none much better than another. With a good proxy, or with a good browser plugin, you can see right through most of the obfuscation techniques with a couple of clicks.

Posted: Wed Jun 14, 2006 1:55 pm
by daedalus__
I see.

Well, I understand what his "problem" is now because I just went to talk to him.

It's nothing that anyone can help. The company processing our transactions certainly isn't very smart though. Thanks for the help though ^^

Posted: Fri Jun 16, 2006 12:10 pm
by bg
Why is sensitive data being stored in hidden forms? That's the real question.

Posted: Fri Jun 16, 2006 3:33 pm
by printf
You can always use SSL by way of passing the post via an internal function, fsockopen(SSL://), CURL(SSL) or directly with the default OpenSSL binary on Windows or all flavors of Unix/Linux/Mac. That is as safe as you will ever get!


pif!
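
The approach raised in the thread (keep the sensitive values on the server and post them to the processor server-side over SSL, instead of placing them in hidden fields), as an added example that is not part of any post above. The gateway URL, field names and function names are hypothetical, and the sample values are constructed.

```php
<?php
// Added example; the URL, field names and function names are hypothetical.
const GATEWAY_URL = 'https://gateway.example/charge'; // placeholder, not a real processor

// Sensitive values stay on the server, keyed by an opaque random token.
function stash_order(array &$store, array $secret): string {
    $token = bin2hex(random_bytes(16));
    $store[$token] = $secret;
    return $token;
}

// The browser only ever receives the token, which carries no data to decode.
function render_form(string $token): string {
    return '<form method="post" action="/checkout">'
         . '<input type="hidden" name="order" value="'
         . htmlspecialchars($token, ENT_QUOTES) . '">'
         . '<input type="submit" value="Pay"></form>';
}

// On submit: resolve the token to the server-held values, single use only.
function build_gateway_fields(array &$store, string $token): ?array {
    if (!isset($store[$token])) {
        return null; // unknown, forged or already-used token
    }
    $fields = $store[$token];
    unset($store[$token]);
    return $fields;
}

// Server-to-server POST over TLS with certificate checks left on.
// Defined but not called below, because GATEWAY_URL is a placeholder.
function post_to_gateway(array $fields) {
    $ch = curl_init(GATEWAY_URL);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query($fields),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2,
    ]);
    return curl_exec($ch);
}

// Constructed demo; in a real application $_SESSION would play the role of $store.
$store = [];
$token = stash_order($store, ['merchant_id' => 'DEMO-MERCHANT', 'amount' => '19.99']);
var_dump(strpos(render_form($token), 'DEMO-MERCHANT') === false); // secret absent from HTML?
var_dump(build_gateway_fields($store, $token)); // fields to hand to post_to_gateway()
var_dump(build_gateway_fields($store, $token)); // same token submitted a second time
```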