WebApp Sec mailing list archives
Re: Encrypted URL
From: Kenneth Peiruza <kenneth () security gft com>
Date: Fri, 30 Jan 2004 15:11:47 +0000
Hi all, If I'm not wrong, URLs should be under 256 chars, so this link is not 100% "compatible" with the RFCs. I also see some trouble while sending data from a form to the CGI 'cause you're not going to code this client-side, but if that isn't your trouble, it could be nice. How to implement? Send to Browser: Know What URLs to print ( params and values ) -> write them together as in the URL! -> Code Them -> ensure it's URL-friendly ( here is hex ) -> print it ( HTML ) Get from Browser: Cut "arguments" to CGI -> decode URL string -> parse to get params -> Your code goes here! Regards!!!!! On Fri, 2004-01-30 at 10:28, lupin wrote:
I've seen a couple highly secure Web Application that use encrypted url. Actually they encrypt the parameter query string. Example URL: http://example.com/796e62113e2936383e2b1796d626e676a6f6b6a6b6c67006a/appl?Toto=796f62796c62796e6c62796b621730323a08362b37083a333c30323a0f38796662113e29791c54683b3a312b796e6d620f2d3a1e3c3c302a312b133e2c2b1d3030343631382c1e3c2b796862123e3631113e29e2b363031001e3c3c302a312b123a312a001e3c3c302a312b133e2c2b1d3030343631382c791930333b3a2d173e2a4e3033302d62123e3631113e2936383e2b363031001e3c3c302a312b123a312a001e3c3c302a312b133e2c2b1d3030343631382c I think this is a great way to protect against parameter tampering attacks. Does anybody know more about this technique? Papers etc..? How to implement it? Google didn't help me a lot? What is you point of view? Do you think it will help to prevent all the parameter attack (XSS, SQL inj. etc...)? Thanks a lot for your response in advance.
Current thread:
- Re: Encrypted URL, (continued)
- Re: Encrypted URL Tim Greer (Jan 30)
- Re: Encrypted URL dreamwvr () dreamwvr com (Jan 30)
- RE: Encrypted URL Bryan Murphy (Jan 30)
- Re: Encrypted URL Lars Johannesen (Jan 30)
- Re: Encrypted URL B. Johannessen (Jan 30)
- Re: Encrypted URL Stephen de Vries (Jan 30)
- Re: Encrypted URL B. Johannessen (Jan 30)
- Re: Encrypted URL Michael Ströder (Feb 02)
- Re: Encrypted URL Kenneth Peiruza (Feb 02)
- Re: Encrypted URL dreamwvr () dreamwvr com (Feb 02)
- Re: Encrypted URL Stephen de Vries (Jan 30)
- Re: Encrypted URL Kenneth Peiruza (Jan 30)
- Re: Encrypted URL Ulf Härnhammar (Jan 30)
- Re: Encrypted URL Daniel Souza (Jan 30)
- Re: Encrypted URL David Wall @ Yozons, Inc. (Jan 31)
- RE: Encrypted URL Hephaestus (Jan 30)
- Re: Encrypted URL Daniel Souza (Jan 30)
- Re: Encrypted URL Fogbound Child (Jan 30)
- RE: Encrypted URL scott wood (Jan 30)
- Re: Encrypted URL Mark Curphey (Jan 30)
- Re: Encrypted URL gcb33 (Jan 31)
- RE: Encrypted URL Scovetta, Michael V (Jan 31)
- Re: Encrypted URL Erik Kangas (Jan 31)
(Thread continues...)