WebApp Sec mailing list archives

Re: Encrypted URL


From: Ulf Härnhammar <Ulf.Harnhammar.9485 () student uu se>
Date: Fri, 30 Jan 2004 15:09:02 +0100

Quoting lupin <lupin9809 () hotmail com>:

> I've seen a couple of highly secure Web Applications that use encrypted URLs.
> 
> http://example.com/796e62113e2936383e2b1796d626e676a6f6b6a6b6c67006a/appl?Toto=796f62796c62796e6c62796b621730323a08362b37083a333c30323a0f38796662113e29791c54683b3a312b796e6d620f2d3a1e3c3c302a312b133e2c2b1d3030343631382c1e3c2b796862123e3631113e29e2b363031001e3c3c302a312b123a312a001e3c3c302a312b133e2c2b1d3030343631382c791930333b3a2d173e2a4e3033302d62123e3631113e2936383e2b363031001e3c3c302a312b123a312a001e3c3c302a312b133e2c2b1d3030343631382c
> 
> What is your point of view? Do you think it will help to prevent all the
> parameter attacks (XSS, SQL inj. etc...)?

It might prevent a few things, but it certainly won't prevent all parameter attacks.

In many systems, users submit data to the web application. To do this, we must
either (a) send it as unencrypted data, (b) use a well-known encryption system
such as HTTPS, or (c) invent our own encryption system, which must then be
transmitted to the user (as JavaScript or similar code) in order to use it. In
all three cases, the user is fully aware of all the method's details, and can
write clients that will send in arbitrary malicious data to the web application,
using the method.

-- 
Ulf Härnhammar
 student, Uppsala universitet
 editor, idiosynkratisk ( http://labben.abm.uu.se/~ulha9485/idiosynkratisk/ )
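The point made in the reply above, as an added example that is not part of the original thread: a toy "encrypted URL" scheme of kind (c), where the obfuscation key has to be shipped to the browser. Because the client must hold the key to build any request at all, the same routine the site's own JavaScript would run is available to anyone writing their own client, so the server's decryption step accepts whatever was encoded, and only explicit input validation after decoding catches a malicious parameter value. The XOR scheme, the key and the `Toto` allow-list pattern are constructed for this example and are not the scheme behind the URL quoted in the thread.

```python
import re
from urllib.parse import urlencode, parse_qs

# Constructed demo key. In a real scheme of kind (c) this value (or code
# equivalent to it) has to be delivered to the browser, so it is not secret.
KEY = b"constructed-demo-key"


def _xor(data: bytes) -> bytes:
    """Repeating-key XOR: the same operation encodes and decodes."""
    return bytes(b ^ KEY[i % len(KEY)] for i, b in enumerate(data))


def obfuscate(params: dict) -> str:
    """What the site's client-side code would do: form-encode the
    parameters, XOR them with the shipped key and hex-encode the result.
    Nothing here inspects the values, so any client that has KEY can
    produce a 'valid' token for arbitrary content."""
    return _xor(urlencode(params).encode()).hex()


def deobfuscate(token: str) -> dict:
    """Server side: reverse the obfuscation and parse the query string.
    This step cannot tell a benign token from a hand-crafted one."""
    plain = _xor(bytes.fromhex(token)).decode()
    return {k: v[0] for k, v in parse_qs(plain).items()}


# Server-side allow-list per parameter name. This, not the obfuscation
# layer, is the control that rejects injection-style values.
ALLOWED = {"Toto": re.compile(r"[A-Za-z0-9_]{1,32}")}


def handle_request(token: str):
    """Decode the token, then validate every parameter against the
    allow-list. Returns ("ok", params) or ("rejected", offending_name)."""
    params = deobfuscate(token)
    for name, value in params.items():
        pattern = ALLOWED.get(name)
        if pattern is None or not pattern.fullmatch(value):
            return ("rejected", name)
    return ("ok", params)


if __name__ == "__main__":
    # A normal request round-trips cleanly.
    print(handle_request(obfuscate({"Toto": "hello"})))
    # A client that knows the scheme encodes an SQL-injection-style value
    # just as easily; the obfuscation layer accepts it and only the
    # allow-list in handle_request() rejects it.
    print(handle_request(obfuscate({"Toto": "' OR 1=1 --"})))
    # An unexpected parameter name is rejected as well.
    print(handle_request(obfuscate({"other": "x"})))
```

Note that `obfuscate()` and `deobfuscate()` are symmetric and key-only; substituting real authenticated encryption for the XOR would not change the conclusion, since the client would still need the key material to send anything at all. The security boundary is the validation in `handle_request()`, exactly as it would be for plain or HTTPS-transported parameters.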
