WebApp Sec mailing list archives

Re: Encrypted URL


From: Kenneth Peiruza <kenneth () security gft com>
Date: Fri, 30 Jan 2004 15:11:47 +0000

Hi all,

If I'm not wrong, URLs should be under 256 chars, so this link is not
100% "compatible" with the RFCs.

I also see some trouble while sending data from a form to the CGI 'cause
you're not going to code this client-side, but if that isn't your
trouble, it could be nice.


How to implement?

Send to Browser:

        Know What URLs to print ( params and values ) ->
        write them together as in the URL! -> Code Them ->
        ensure it's URL-friendly ( here is hex ) -> 
        print it ( HTML )


Get from Browser:
        Cut "arguments" to CGI ->
        decode URL string ->
        parse to get params ->
        Your code goes here!

Regards!!!!!



On Fri, 2004-01-30 at 10:28, lupin wrote:
I've seen a couple of highly secure Web Applications that use encrypted URLs.

Actually they encrypt the parameter query string.

Example URL:

http://example.com/796e62113e2936383e2b1796d626e676a6f6b6a6b6c67006a/appl?Toto=796f62796c62796e6c62796b621730323a08362b37083a333c30323a0f38796662113e29791c54683b3a312b796e6d620f2d3a1e3c3c302a312b133e2c2b1d3030343631382c1e3c2b796862123e3631113e29e2b363031001e3c3c302a312b123a312a001e3c3c302a312b133e2c2b1d3030343631382c791930333b3a2d173e2a4e3033302d62123e3631113e2936383e2b363031001e3c3c302a312b123a312a001e3c3c302a312b133e2c2b1d3030343631382c

I think this is a great way to protect against parameter tampering attacks.

Does anybody know more about this technique? Papers etc..? How to implement it? Google didn't help me a lot.

What is your point of view? Do you think it will help to prevent all the parameter attacks (XSS, SQL inj. etc...)?

Thanks a lot for your response in advance.
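
The "Send to Browser" / "Get from Browser" flow from the reply above, as an added example that is not code from either poster. It assumes an HMAC-SHA256 tag in place of the unspecified "Code Them" step, which detects tampering but does not hide the values (hiding them would need a cipher as well); the key, function names and sample parameters are constructed, and the host and `Toto` parameter name follow the post's example URL.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode

# Constructed demo key (assumption); a real deployment loads a random
# secret that never leaves the server.
SECRET_KEY = b"constructed-demo-key-not-for-production"
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


def seal_query(params: dict) -> str:
    """Send to browser: join params, authenticate them, hex-encode the result."""
    query = urlencode(params).encode("utf-8")
    tag = hmac.new(SECRET_KEY, query, hashlib.sha256).digest()
    return (tag + query).hex()


def open_query(token: str) -> dict:
    """Get from browser: hex-decode, verify the tag, then parse the params."""
    try:
        blob = bytes.fromhex(token)
    except ValueError:
        raise ValueError("token is not valid hex") from None
    if len(blob) <= TAG_LEN:
        raise ValueError("token too short")
    tag, query = blob[:TAG_LEN], blob[TAG_LEN:]
    expected = hmac.new(SECRET_KEY, query, hashlib.sha256).digest()
    # Constant-time comparison; reject before any parsing happens.
    if not hmac.compare_digest(tag, expected):
        raise ValueError("token failed integrity check")
    return dict(parse_qsl(query.decode("utf-8"), strict_parsing=True))


def link_for(params: dict) -> str:
    """Build the link to print in the HTML (simplified form of the post's URL)."""
    return "http://example.com/appl?Toto=" + seal_query(params)


if __name__ == "__main__":
    link = link_for({"account": "1042", "action": "view"})  # constructed sample
    print(link)
    print(open_query(link.split("Toto=", 1)[1]))
```

The values recovered by `open_query` are only known to be unmodified since the server issued them; they still need the usual validation and output encoding before reaching SQL or HTML.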


