On various sites, you often see in the page source some hidden values on forms (usually holding some kind of constant, key, ID, etc). Something like:
<input type="hidden" name="_submit_check" value="1">
I’d assume this website is double checking the form was posted by checking _submit_checks value for 1. Would it be possible to edit the source and change that to 0, then post the data and thus make the form fail to post server side?
This example isn’t very dangerous to the server as it will simply ignore the request but are there any possible security risks with using hidden fields (other than the obvious: they can still read the value in the source, I’m more worried about if they can edit it).
Yes a user could copy your html form, change the values and then post to your server. This is why it is important to always validate and sanitize user input including hidden input values on the server side and not just the client side(ie javascript).