WebApp Sec mailing list archives

Re: Encrypted URL


From: "dreamwvr () dreamwvr com" <dreamwvr () dreamwvr com>
Date: Fri, 30 Jan 2004 08:59:58 -0700

On Fri, Jan 30, 2004 at 10:28:44AM -0000, lupin wrote:


I've seen a couple of highly secure Web Applications that use encrypted URLs.

Actually they encrypt the parameter query string.

Example URL:

http://example.com/796e62113e2936383e2b1796d626e676a6f6b6a6b6c67006a/appl?Toto=796f62796c62796e6c62796b621730323a08362b37083a333c30323a0f38796662113e29791c54683b3a312b796e6d620f2d3a1e3c3c302a312b133e2c2b1d3030343631382c1e3c2b796862123e3631113e29e2b363031001e3c3c302a312b123a312a001e3c3c302a312b133e2c2b1d3030343631382c791930333b3a2d173e2a4e3033302d62123e3631113e2936383e2b363031001e3c3c302a312b123a312a001e3c3c302a312b133e2c2b1d3030343631382c

I think this is a great way to protect against parameter tampering attacks.

Does anybody know more about this technique? Papers etc.? How to implement it? Google didn't help me a lot.

What is your point of view? Do you think it will help to prevent all the parameter attacks (XSS, SQL inj. etc.)?
Hmmm... could be wrong here, but I see no greater benefit in preventing param attacks
than a one-way hash. Since as long as the server knows what the one-way hash
represents, it would know the parameters etc. The added bonus is that
4a890e3a7604939f44d1e65a4a1f8e30, for example, is much easier to read.
Can you tell me, other than that it is an MD5 hash, anything about what this
really means? Or how about SHA1 691e11e6a445830f6c0744642cf3210263f276ee?
IMO, as long as the server knows, if it's just params you want to protect,
well then this is a good way. Additionally it prevents injections in
the location bar that perhaps are missed by a lazy user.
(Since most will simply just click the URL to the URI without a further
thought.) Well, my 2 cents.

Best Regards,
dreamwvr () dreamwvr com

-- 
/*  Security is a work in progress - dreamwvr                 */
#                               48 69 65 72 6F 70 68 61 6E 74 32
# Note: To begin Journey type man afterboot,man help,man hier[.]      
# 66 6F 72 20 48 69 72 65                              0000 0001
// "Who's Afraid of Schrodinger's Cat?" /var/(.)?mail/me \?  ;-]
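The two ideas in this thread, a query string the client cannot alter undetected and an opaque server-side handle that stands in for the real parameters, as an added example that is not part of the original posts. It uses an HMAC tag rather than plain encryption (encryption alone does not detect modification) and a random handle rather than an MD5 of the parameters; the secret key and sample parameters are constructed for the example.

```python
import hmac
import hashlib
import secrets
from urllib.parse import urlencode, parse_qsl

# Constructed server-side secret for this example; a real deployment loads it from configuration.
SECRET_KEY = b"example-server-secret-do-not-reuse"


def canonical(params: dict) -> str:
    """Encode parameters in a fixed key order so signing and verifying see the same bytes."""
    return urlencode(sorted(params.items()))


def sign_query(params: dict) -> str:
    """Append an HMAC-SHA256 tag so any change to a parameter invalidates the query string."""
    tag = hmac.new(SECRET_KEY, canonical(params).encode(), hashlib.sha256).hexdigest()
    return canonical(params) + "&sig=" + tag


def verify_query(query: str):
    """Return the parameters if the tag matches, otherwise None.

    This only proves the string left the server unchanged; each value must still
    be validated before use, which is why it does not stop XSS or SQL injection on its own.
    """
    items = dict(parse_qsl(query, keep_blank_values=True))
    tag = items.pop("sig", None)
    if tag is None:
        return None
    expected = hmac.new(SECRET_KEY, canonical(items).encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    return items


# Opaque reference approach: the URL carries only a random handle and the server
# keeps the real parameters, so there is nothing in the URL to tamper with.
_REFERENCE_STORE = {}


def make_reference(params: dict) -> str:
    """Store the parameters server-side and return an unguessable handle for the URL."""
    handle = secrets.token_hex(16)
    _REFERENCE_STORE[handle] = dict(params)
    return handle


def resolve_reference(handle: str):
    """Look up the parameters behind a handle; an unknown or altered handle yields None."""
    return _REFERENCE_STORE.get(handle)
```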
