WebApp Sec mailing list archives

Re: Encrypted URL


From: "Adam Tuliper" <amt () gecko-software com>
Date: Fri, 30 Jan 2004 11:32:37 -0500

If you want to include a directory in the URL, write an
ISAPI filter to look at the path, which you will then
translate to another URL.
See
http://www.codeproject.com/isapi/isapiredirector.asp?target=isapi

For URL encryption, that's pretty easy. Simply form your
URL, encrypt it, URL encode it, and use it. Lots of times
links are formed with this information so your page can
track user information without sessions, but in a secure
way. It can definitely help protect against attacks via the
query string, but assuming it's a complex scheme.

Adam


On 30 Jan 2004 10:28:44 -0000
 lupin <lupin9809 () hotmail com> wrote:


I've seen a couple of highly secure Web Applications that use
encrypted URLs.

Actually they encrypt the parameter query string.

Example URL:


http://example.com/796e62113e2936383e2b1796d626e676a6f6b6a6b6c67006a/appl?Toto=796f62796c62796e6c62796b621730323a08362b37083a333c30323a0f38796662113e29791c54683b3a312b796e6d620f2d3a1e3c3c302a312b133e2c2b1d3030343631382c1e3c2b796862123e3631113e29e2b363031001e3c3c302a312b123a312a001e3c3c302a312b133e2c2b1d3030343631382c791930333b3a2d173e2a4e3033302d62123e3631113e2936383e2b363031001e3c3c302a312b123a312a001e3c3c302a312b133e2c2b1d3030343631382c

I think this is a great way to protect against parameter
tampering attacks.

Does anybody know more about this technique? Papers,
etc.? How to implement it? Google didn't help me a lot.

What is your point of view? Do you think it will help to
prevent all the parameter attacks (XSS, SQL inj., etc.)?

Thanks a lot for your response in advance.


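One way to build the scheme discussed in this thread, as an added example that is not part of either poster's message: the parameters are encrypted with AES-256-GCM (an assumption, since the thread names no cipher) so that a modified token is rejected rather than decrypted to garbage, and each token is bound to the path it was issued for. `KEY`, `sealQuery`, `openQuery` and `accountIdFrom` are hypothetical names, and the sample parameters are constructed.

```javascript
// Added example, not code from the thread. All names and values are constructed.
const nodeCrypto = require('node:crypto');

// Assumption: one server-side 256-bit key; in practice load it from a secret store.
const KEY = nodeCrypto.randomBytes(32);

// Encrypt and authenticate a parameter object, bound to the path it is valid for.
function sealQuery(params, path, key = KEY) {
  const iv = nodeCrypto.randomBytes(12);               // fresh nonce for every token
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(Buffer.from(path, 'utf8'));            // token is only valid on this path
  const plaintext = new URLSearchParams(params).toString();
  const body = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  // Layout: iv (12) || tag (16) || ciphertext, base64url-encoded for use in a URL.
  return Buffer.concat([iv, cipher.getAuthTag(), body]).toString('base64url');
}

// Returns the decrypted parameters, or null if the token was modified,
// truncated, or issued for a different path.
function openQuery(token, path, key = KEY) {
  const raw = Buffer.from(String(token), 'base64url');
  if (raw.length < 12 + 16) return null;
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, raw.subarray(0, 12));
  decipher.setAAD(Buffer.from(path, 'utf8'));
  decipher.setAuthTag(raw.subarray(12, 28));
  try {
    const plain = Buffer.concat([decipher.update(raw.subarray(28)), decipher.final()]);
    return Object.fromEntries(new URLSearchParams(plain.toString('utf8')));
  } catch {
    return null;                                       // authentication tag did not verify
  }
}

// Decrypted values are still input: validate them before they reach a query or a page.
function accountIdFrom(token, path) {
  const params = openQuery(token, path);
  if (!params || !/^[0-9]{1,10}$/.test(params.account ?? '')) return null;
  return Number(params.account);
}
```

The tamper protection comes from the authentication tag, not from the ciphertext being unreadable, and the format check in `accountIdFrom` is still needed because encryption says nothing about what the parameters contain.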

