Form builder submission: if 'form' hidden input is tampered with, page errors. It should 404.

Description

A penetration test, for example, might inject this form field with SQL injection attacks. If it gets back a 500 response, it may mark the page as being potentially vulnerable.

The response in this case should be a 404 because the form ID supplied is not found. This will not affect any real users, but ensure that the application responds correctly and without error in other scenarios.

Environment

None

Assignee

Unassigned

Reporter

Dominic Watson

Labels

None

Accepted

Yes

Fix versions

Priority

Medium
Configure