WebApp Sec mailing list archives

Re: Encrypted URL


From: Fogbound Child <samuelg () fogbound net>
Date: Fri, 30 Jan 2004 10:25:07 -0800

lupin wrote:

> I've seen a couple of highly secure Web Applications that use encrypted URLs.
>
> Actually they encrypt the parameter query string.

This can be a useful technique, if you know the size of the data you will be passing is small. It's best for passing, say, a session ID. The thing to look out for is that the length of an URL that is permitted varies by browser (e.g., 4096 characters for most versions of IE).

I've implemented an approach like this for web applications. My approach (which may or may not be very well thought out) involved the following:

Creating a "CryptUrl":
- Create a string that has a timestamp along with a session ID and/or any other data you wish to pass (remembering to keep it small).
- Create an MD5 hash of that string.
- Encrypt the string using Blowfish, and encode it for the URL.
- Create an URL consisting of the encrypted string and the hash, e.g., http://myserver/myServlet?c=EncryptedString&h=hashString

Processing a "CryptUrl":
- Grab the encrypted string from the URL.
- Decrypt the string.
- Check the timestamp. If it's older than a certain window, reject the transaction.
- Create an MD5 hash of the decrypted string.
- Compare the new hash with the one passed on the URL. If they do not match, reject the transaction.
- At this point, you have your parameters.

There are a few minor gotchas when implementing something like this. All these binary strings need to be encoded as ASCII strings of hex digits. There are probably some other things I've overlooked as well.

I certainly wouldn't use this technique for truly secure transactions without a more thorough analysis. It is probably good enough to prevent simple parameter modification attacks, and, depending on your time window, URL replay attacks.

Take it easy,
___Samuel___
--
---------------------------------------------------------------
    samuel, 5th rate miracle worker. <samuelg () fogbound net>
 Hak'n a Tchainik: Unusual Teapots http://teapots.fogbound.net
    The Grand Unified Gallery http://webbwerks.com/gallery

   "If no / creature is immortal, some / are more stubborn
    than others." -- John Ciardi
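The scheme sketched in the two lists above (build a timestamped payload, encrypt it, attach an integrity value, put both in the query string; then on receipt decode, verify, decrypt and enforce the time window), as an added example that is not Samuel's code and not from the thread. It is written against the Python standard library only, so it swaps in two things that should be named plainly: the standard library has no Blowfish, so the encryption step uses an HMAC-SHA256 keystream in counter mode (a PRF run as a stream cipher), and the integrity value is an HMAC over the ciphertext under a separate key rather than an unkeyed MD5 of the plaintext, which means a tampered or forged ciphertext is rejected before anything is decrypted. Values are carried as base64url instead of hex, and the URL-length limit and replay window are checked explicitly. All key material, limits, the host name and the function names are constructed for this example.

```python
import base64
import hashlib
import hmac
import json
import os
import struct
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed demo keys; a real deployment loads these from a secret store.
# Confidentiality and integrity use independent keys.
ENC_KEY = hashlib.sha256(b"demo-enc-key").digest()
MAC_KEY = hashlib.sha256(b"demo-mac-key").digest()

NONCE_LEN = 16
MAX_AGE_SECONDS = 300   # replay window: links older than this are refused
MAX_URL_LENGTH = 2048   # conservative cap, below the browser limit cited above


def _keystream(nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 over (nonce || counter) in counter mode, used as a keystream.
    Stands in for the Blowfish step of the post; not a substitute for a real AEAD."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + struct.pack(">Q", counter)
        out += hmac.new(ENC_KEY, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def make_crypt_url(base_url: str, session_id: str,
                   extra: Optional[dict] = None, now: Optional[float] = None) -> str:
    """Create the 'CryptUrl': base_url?c=<ciphertext>&h=<mac>."""
    payload = {"ts": int(now if now is not None else time.time()), "sid": session_id}
    if extra:
        payload.update(extra)
    plaintext = json.dumps(payload, separators=(",", ":"), sort_keys=True).encode()
    nonce = os.urandom(NONCE_LEN)                       # fresh per URL
    ciphertext = nonce + _xor(plaintext, _keystream(nonce, len(plaintext)))
    tag = hmac.new(MAC_KEY, ciphertext, hashlib.sha256).digest()   # encrypt-then-MAC
    query = urlencode({
        "c": base64.urlsafe_b64encode(ciphertext).decode(),
        "h": base64.urlsafe_b64encode(tag).decode(),
    })
    url = f"{base_url}?{query}"
    if len(url) > MAX_URL_LENGTH:
        raise ValueError("payload too large for a URL; keep it to a session ID")
    return url


def parse_crypt_url(url: str, now: Optional[float] = None) -> dict:
    """Process a 'CryptUrl': verify, decrypt, enforce the time window, return params."""
    params = parse_qs(urlsplit(url).query)
    try:
        ciphertext = base64.urlsafe_b64decode(params["c"][0])
        tag = base64.urlsafe_b64decode(params["h"][0])
    except (KeyError, IndexError, ValueError) as exc:   # binascii.Error is a ValueError
        raise ValueError("malformed CryptUrl") from exc
    expected = hmac.new(MAC_KEY, ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):          # constant-time compare
        raise ValueError("integrity check failed")
    if len(ciphertext) < NONCE_LEN:
        raise ValueError("ciphertext too short")
    nonce, body = ciphertext[:NONCE_LEN], ciphertext[NONCE_LEN:]
    payload = json.loads(_xor(body, _keystream(nonce, len(body))))
    current = now if now is not None else time.time()
    age = current - payload["ts"]
    if age < 0 or age > MAX_AGE_SECONDS:
        raise ValueError("timestamp outside accepted window")
    return payload


if __name__ == "__main__":
    link = make_crypt_url("http://myserver/myServlet", "sess-42", {"view": "account"})
    print(link)
    print(parse_crypt_url(link))
```

Two design points worth noting. The integrity check is keyed and computed over the ciphertext, so the receiver rejects modified or fabricated links without decrypting them, and the comparison uses `hmac.compare_digest` so a wrong tag takes the same time to refuse as a nearly right one. The timestamp window is the only replay defence here; if a link must be single-use, the server has to remember tags it has already accepted within that window.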
