A penetration tester is conducting an assessment of a web application's login page. The tester needs to determine whether there are any hidden form fields of interest. Which of the following is the most effective technique?
Hidden form fields in web applications can store user roles, session tokens, and security parameters that attackers may exploit.
HTML scraping (Option D):
Involves analyzing HTML source code to find hidden fields like:
<input type='hidden' name='admin_access' value='true'>
Attackers use tools like Burp Suite, ZAP, or browser developer tools (Ctrl+U or Inspect Element) to locate hidden fields.
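As an added example (not from the original question page), a small Python script that automates what Option D describes: parse a login page's HTML, list every hidden input, and flag names that suggest authorization state so they can be reviewed. The sample HTML and the list of sensitive name hints are constructed assumptions for the example.

```python
from html.parser import HTMLParser

# Constructed sample login page for this example (not from the original page).
SAMPLE_LOGIN_HTML = """
<form action="/login" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="hidden" name="csrf_token" value="tok-EXAMPLE">
  <input type='hidden' name='admin_access' value='true'>
  <input type="hidden" name="role" value="user">
  <input type="submit" value="Log in">
</form>
"""

# Name fragments that suggest a hidden field carries authorization state.
# An assumed, illustrative list, not a standard one.
SENSITIVE_NAME_HINTS = ("admin", "role", "uid", "user_id", "is_", "debug", "price")


class HiddenFieldCollector(HTMLParser):
    """Collect every <input type="hidden"> while the parser walks the document."""

    def __init__(self):
        super().__init__()
        self.hidden = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":          # HTMLParser already lowercases tag names
            return
        a = {k: (v or "") for k, v in attrs}   # attrs is a list of (name, value)
        if a.get("type", "").lower() == "hidden":
            self.hidden.append({"name": a.get("name", ""), "value": a.get("value", "")})


def find_hidden_fields(html):
    """Return [{'name': ..., 'value': ...}, ...] for all hidden inputs in html."""
    parser = HiddenFieldCollector()
    parser.feed(html)
    return parser.hidden


def flag_sensitive(fields, hints=SENSITIVE_NAME_HINTS):
    """Return names of hidden fields worth manual review (their name matches a hint)."""
    return [f["name"] for f in fields if any(h in f["name"].lower() for h in hints)]


if __name__ == "__main__":
    found = find_hidden_fields(SAMPLE_LOGIN_HTML)
    for f in found:
        print(f"hidden field: {f['name']} = {f['value']!r}")
    print("review these:", flag_sensitive(found))   # ['admin_access', 'role']
```

The same collector works on a page saved from the browser (Ctrl+U) or a response exported from Burp Suite or ZAP.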
Incorrect options:
Option A (XSS): Exploits JavaScript injection, not for finding hidden fields.
Option B (On-path attack): Involves MITM interception, not directly analyzing form fields.
Option C (SQL injection): Targets databases, not HTML forms.