views: 345
answers: 3

My application is being penetration tested.

One of the XSS items being flagged is that I'm using a hidden form field to store a record id in a browser/search screen, then using this id to open the full record (via a POST).

I'm struggling to see how this is an XSS attack. Am I missing something?

A: 

One possibility is that you are not filtering the input of the hidden field. Hidden fields themselves are not an XSS attack vector.

Ikke
+2  A: 

What happens if the form is submitted with that value changed?

Exposing an actual database id risks allowing access to rows in your DB that belong to another user.

If you are exposing a database id and using it in a SQL query, you should ensure that the SQL query uses a bind variable for that id (or properly escapes it, but bind variables are better) and do business rule checks to make sure the row corresponding to the id actually should be visible to the current application user.

This isn't really an XSS issue, but it's definitely a security issue.

Don Roby
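The two fixes this answer recommends, a bound parameter for the id and a business-rule check that the row belongs to the current user, side by side with the pattern being warned against. This is an added example using Python's built-in sqlite3 module with constructed sample rows; it is not code from the question or from any of the answers, and the table, column names and user ids are assumptions.

```python
import sqlite3


def make_db():
    # Constructed in-memory sample data: two users, each owning one record.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE records (id INTEGER PRIMARY KEY, owner_id INTEGER, body TEXT)"
    )
    conn.executemany(
        "INSERT INTO records (id, owner_id, body) VALUES (?, ?, ?)",
        [(1, 100, "alice's record"), (2, 200, "bob's record")],
    )
    return conn


def fetch_record_unsafe(conn, raw_id):
    # The pattern the answer warns against: the posted hidden-field value is
    # trusted, concatenated into the SQL text, and no ownership check is made,
    # so a changed id simply returns another user's row.
    cur = conn.execute(
        "SELECT id, owner_id, body FROM records WHERE id = " + raw_id
    )
    return cur.fetchone()


def fetch_record(conn, raw_id, current_user_id):
    # Hardened version: validate the type, bind the value as a parameter, and
    # scope the query to the current user so rows owned by others are never
    # returned, whatever id the client posts.
    try:
        record_id = int(raw_id)
    except (TypeError, ValueError):
        return None
    cur = conn.execute(
        "SELECT id, owner_id, body FROM records WHERE id = ? AND owner_id = ?",
        (record_id, current_user_id),
    )
    return cur.fetchone()


if __name__ == "__main__":
    db = make_db()
    # User 100 posts a tampered id: the unsafe path leaks user 200's row,
    # the hardened path returns nothing.
    print(fetch_record_unsafe(db, "2"))
    print(fetch_record(db, "2", current_user_id=100))
```

Scoping the query with `AND owner_id = ?` is the simplest form of the business-rule check; where the application needs to distinguish "not found" from "forbidden" (for logging or a 403 response), fetch the row by id and compare `owner_id` in code instead.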
A: 

One possibility is that you are not filtering the input of the hidden field. Hidden fields themselves are not an XSS attack vector.

Are you sure about "no XSS attack vector"? Don't convey a false sense of security unless you don't know and haven't tried to test it. Always suggest that users validate and filter inputs.

tester
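The point both of these comments circle around is that the hidden field's value is data the server later writes back into HTML and reads back from the request, so it needs output escaping in the attribute context and input validation on the way back in. This is an added illustration using only the Python standard library; it is not code from anyone in this thread, and the field name and the "decimal integer" allowlist are assumptions about what such an application expects.

```python
import html
import re


def render_hidden_id(record_id):
    # Escape for the HTML attribute context (quote=True also escapes " and '),
    # so a value that contains quotes or angle brackets stays inside value="...".
    safe = html.escape(str(record_id), quote=True)
    return '<input type="hidden" name="id" value="%s">' % safe


def parse_record_id(raw):
    # Allowlist validation on the way back in: the application expects a
    # decimal record id and nothing else, so anything that does not match
    # is rejected before it reaches a query or a template.
    if raw is None or not re.fullmatch(r"[0-9]{1,18}", raw):
        return None
    return int(raw)


if __name__ == "__main__":
    # Constructed values: a normal id and one that would break out of the
    # attribute if written unescaped.
    print(render_hidden_id(42))
    print(render_hidden_id('"><b>x</b>'))
    print(parse_record_id("42"), parse_record_id('"><b>x</b>'))
```

Escaping at render time is what turns a hidden field from a possible reflection point into plain data; the allowlist on the way in is what keeps an unexpected value from ever reaching the query in the first place.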