Modern browsers helpfully remember your contact, address, and payment details to autofill forms. But what happens when those details slip into places you don’t see?

When you click a field and hit autofill, you’re not just filling in what you see. Hidden or off-screen fields can quietly collect that same data without you noticing. A sneaky developer (or malicious adversaries) can easily abuse this to grab extra details you never meant to share.

Your Browsers Autofill Feature​

By default, modern browsers offer to store your personal information such as your name, email, phone number, physical address, and even payment card details each time you submit a web form. Many would accept this prompt without much thought. It feels harmless. After all, it saves time having to fill this out every time and on every website. But from a security perspective, it comes with a critical blind spot. The same convenience that fills the visible fields can silently supply hidden or off-screen inputs with exactly the same data.

So what exactly is the issue?​

Let's go to this harmless page where you can subscribe to a mailling list. Thanks to the browser, it autofills your name and email. And that's all.. right?... right? Well... no.

Looking at the console, we can see the data that was actually sent via the form: The form has sent to the adversary:

• Full name
• Email
• Phone number
• Organisation
• Address
• Postcode
• City
• Country

That's a lot more information then the victim intended.

The same can be done for autofilling payment card details. It's more obvious then before, but people may still expect it just to pull the name off the stored payment card, not share the payment card details in its entirety.

Looking at the console, again we can see the data that was actually sent via the form:

The adversary has been sent the:

• Payment card name
• Payment card number
• Payment card expiry
• Payment card CVC code

How does this happen?​

When you visit a site and click a field in a web form, the browser will try to match your saved details to the input field in the HTML. It does this by inspecting attributes like name. For example in my demo:

<input id="email" name="email" type="email" placeholder="Your Email">

When you click 'autofill', it doesn't just fill that single field, but scans the entire form for other fields whos name matches known categories. Any matching fields get populated immediately. The problem is that this happens whether they're visible or not to the user.

In my demo code, the visible fields look innocent enough:

<input id="name" name="name" type="text" placeholder="Your Name">
<input id="email" name="email" type="email" placeholder="Your Email">

But hidden fields can be added using CSS tricks like position: absolute; left: -9999px; or a custom hidden class:

<p class="hidden">
  <input id="phone" name="phone" type="text" placeholder="Your Phone">
</p>
<p class="hidden">
  <input id="address" name="address" type="text" placeholder="Your Address">
</p>

To the user these fields don't exist as they are never rendered on screen. But to the browser's autofill logic, they're just more form inputs that match saved data. So when the user triggers autofill on the visible fields, the browser quietly fills the hidden ones too. There’s no check for visibility: hidden, display: none, or off-screen positioning. The matching is purely name based.

Has this been reported?​

One of the earliest references I could find was back in 2012, a user submitted the issue Chrome's Autofill feature circumvents anti-spam honeypot hidden form field techniques. It's not closed off yet either, but this focuses on a different side affected of this. Using hidden form elements for phishing is not a new concept though as other GitHub PoCs exist demonstrating the root issue.

The truth is that it's a balancing game between the user experience and security. It would be easy enough to not auto fill on fields where class="hidden", but as soon as this feature is implemented, adversaries will find another, smarter way to hide the form.

In early 2022 Hack The Box (HTB) released their first certification - the Certified Bug Bounty Hunter. They claim that "certification holders will possess technical competency in the bug bounty hunting and web application penetration testing domains at an intermediate level".

No - you don't need a certification to be bug bounty hunter, so the certification is essentially for junior web application penetration testers or web developers who want to understand the web penetration testing domains up to an intermediate level.

Since I was already familiar with HTB, I decided to give it a shot and started the pathway a few months ago. At this time, there was little information about the certification online, although it appears to be picking up in popularity recently - so I decided to share my experience with the exam with the hopes that it could answer a question someone may have about the process.

The Course Content:​

HTB estimates that completing the course contents will take around 144 hours. If you're very committed to it, you could complete the content within a month but this will only hurt you when you take the exam if you're rushing through it. I would recommend 2-3 months if you're able to dedicate time to the content, or a little longer if you're planning to just pick away at it or are completely new to web apps.

The course covers the following content:

The course material is completely text based, combined with many practical tasks. I'm a big fan of how they presented the material, but I know text-based content isn't for everyone - so keep that in mind.

The Exam:​

Once you complete the course content and obtain all the flags in the exercise machines, you'll be able to activate an exam voucher.

Once you activate your voucher, a letter of engagement will be provided which will outline the requirements to pass. You will have 7 days to complete the exam.

To pass the exam you must:

1. Obtain enough points (by submitting found flags on the exam lab’s page - the number of points required to pass will be shared only upon starting the exam).
2. Submit a commercial-grade report which includes the identified vulnerabilities and remediation advice (a template is provided once the exam is started). This is evaluated against quality requirements.

You should receive the results within 20 business days. If you fail, that's fine, because the exam voucher includes a free retake.

5 Exam Tips:​

1. The exam is different to the course labs. The exam simulates multiple real-world applications and to obtain a flag, you'll need to think outside the box and chain multiple vulnerabilities together. Going into the exam - I did not expect to be chaining vulnerabilities together, so I had to quickly adapt my mindset and think outside the box in order to obtain them. Once I understood this, I started to obtain them. The exam is therefore not easy, but it is fair.
2. Have an in-depth understanding on how the covered vulnerabilities work, as well as how to manually exploit them. Pointing a readily available tool at the web app and expecting RCE in return likely won't work. You'll need to manually poke the application and understand it's responses in order to discover vulnerabilities. And again, may need to chain multiple vulnerabilities together.
3. Everything you need to pass is covered in the provided material. However, don't expect to just run an exploit tool or copy and paste a payload. Again, you'll need to think outside the box and chain multiple techniques together in order to pass.
4. Enumerate, enumerate, enumerate. And when you gain a foot hold, enumerate even more!
5. Approach the exam methodically (ensure you make a methodology while studying the content!) and take your time. You have 7 days after all (14 if you include the free retake). If you feel stuck, take a break to clear your head and give it another go. It was more then once that I got stuck on a section for hours, only to take a break and solve it within a few minutes of sitting back down.

Would I Recommend it?​

The course - 100%! And especially if you're a student. The $8 USD/month price is incredible value for such a high quality course. If you're not a student, the pricing gets a bit more complicated as they use "cubes" to unlock modules. The entire course costs 1410 cubes. Which can be purchased for about $110 USD (as you gain some cubes along the way while obtaining the flags). There are also monthly/yearly subscriptions available which may benefit you more. Either way, I'd still highly recommend the course for those that want to understand web-app penetration testing. Also keep in mind that by completing the CBBH course, you'll already be almost 1/3 through the HTB CPTS course!

The exam - well, it depends. The certification isn't as recognised as other web-app penetration testing certifications so this makes it more difficult to recommend. The decision of calling it "Bug Bounty" and not "Junior Web-App Penetration Tester" also raises the question of "why have a bug bounty certification?". At the price of $210 USD (about $375 AUD with taxes), I find it hard to recommend for everyone at this stage. But if you're like me and wanted to get it to practice a little, to test your skill level before moving onto other, more advanced certifications - then go for it! I did greatly enjoy the exam after all and am looking forward to trying other HTB certs in the future :)