
Can hidden parameters with request scope create security problems in the application?

In my application I am using hidden parameters to store the success and error URL. Depending on certain actions the page will be redirected to either the success or error URL. The hidden parameters are request scoped. Below is a snippet of the source code from the browser.

<input value="success.jsp" type="hidden" name="successURL">
<input value="error.jsp" type="hidden" name="errorURL">

In case someone tries to change the hidden parameter and inject some other URL, it will affect only that user's session. When security tools are run they report an issue with the hidden parameters. But I am not sure if the security tools have the intelligence to check the scope of a parameter and decide which parameters are really harmful. The tool will usually just inject some other URL into the hidden parameters and try to see if the site is being moved. But as far as the application is concerned I feel hidden parameters with request scope will not create any harm.

I am not sure if my understanding is right.


This really depends on your application. For instance, given a malicious user alters the errorURL to a server he owns and an error-prone input is inserted, your application will probably throw an exception, and maybe the details of this exception are sent to the errorURL, which will give the malicious user more information about your server and configuration, making your application (and the hosting server) more vulnerable to attacks.

Hidden inputs are to be very well thought through.

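One defensive check, added here as an example and not code from the question or the answer: treat the successURL and errorURL values as untrusted input and map them onto a fixed allow-list of in-application pages before issuing the redirect, so a tampered value can never send the browser (or exception details) to another host. It assumes an allow-list containing only the two pages from the question and error.jsp as the fallback target; it is written in Python so it runs stand-alone, but the same rule applies in the JSP/servlet code that reads the parameters.

```python
from urllib.parse import urlsplit, unquote

# Constructed allow-list for this example: the only pages the
# application is willing to redirect to (assumption, not from the question).
ALLOWED_TARGETS = {"success.jsp", "error.jsp"}


def safe_redirect_target(param_value, fallback="error.jsp"):
    """Return an in-application page name safe to put in a Location header.

    The value comes from a client-controlled hidden field, so request scope
    alone does not make it trustworthy: the same user (or a link they were
    tricked into following) can submit any value. Anything that does not
    resolve to a known in-app page is replaced by the fallback.
    """
    if not param_value:
        return fallback
    # Decode once so an encoded "%2F%2Fhost" is inspected as "//host".
    value = unquote(param_value).strip()
    # Browsers normalise backslashes to slashes, so "\\host" acts like "//host".
    if "\\" in value:
        return fallback
    parts = urlsplit(value)
    # A scheme (http:, javascript:, data:) or an authority ("//host") would
    # take the browser out of the application; reject both outright.
    if parts.scheme or parts.netloc:
        return fallback
    # Drop query and fragment, then require the bare page name to be known.
    # A leading "/" is tolerated; "../" traversal simply fails the lookup.
    path = parts.path.lstrip("/")
    if path not in ALLOWED_TARGETS:
        return fallback
    return path


if __name__ == "__main__":
    # Values a scanner typically submits in the hidden fields (constructed).
    for submitted in ("success.jsp", "//evil.example/collect",
                      "http://evil.example/collect", "javascript:alert(1)"):
        print(f"{submitted!r:>35} -> {safe_redirect_target(submitted)}")
```

Because the lookup returns only names from the allow-list, the scanner's "site is being moved" probe can never succeed, and the finding becomes a clear false positive you can document.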
