Web pages sometimes include fields that are visible to a user, but not editable by the user. Instead, a server may make updates to the non-editable field, and display the update on the web page. In some cases, an update may be triggered by a change to another field on the same web page.
For example, a web page displaying mortgage information may display an interest rate and an amount of interest paid. However, the web page may allow the user to only update the interest rate, but not the amount of interest paid. Instead, the user may change the interest rate, and the server may, in response, update the amount of interest paid on the web page. In such cases, a malicious user may exploit the fact that the amount of interest paid may be changed by the server. By exploiting this fact, the malicious user may insert values that may otherwise be prohibited.