WebApp Sec mailing list archives

Previous By Date Next
Previous By Thread Next

RE: Encrypted URL

From: "Scovetta, Michael V" <Michael.Scovetta () ca com>
Date: Fri, 30 Jan 2004 09:06:16 -0500
If you are encrypting on the client-end (JavaScript/etc), then it doesn't
serve any purpose, since the client has the ability to pass encrypted
bad data back to the server. If you are encrypting on the server-end, then
the cyphertext is merely a proxy for the real text, and would be subject
to replay attacks.

You could make the crypto a little more intelligent by augmenting it
with the current time, etc and get some useful functionality, but nothing
that's not already available with session-backed data. 

...parameter tampering attacks...
So you click on a link that goes to www.server.com/?action=login
but you change 'login' to 'admin'. If you wanted to protect it, I would use
www.server.com/?action=login&hash=ABKJ3J3U4289V4NVW3V4N8V,
where the hash variable is something like
   MD5("action=login" + salt + T) 
where salt is some static random text you set up on your server, and T is
some time dependent function that has the property that it remains constant
for some time. Essentially, you need to protect against replay attacks. You
could let T be an incrementing variable stored in the session on the server,
so that you can only use each URL once. The reason for the hash is that if
anyone changes action=login to action=admin, the hash won't validate (you
need to check it on each request).

Probably the better solution is to validate that the user role is consistent
with the parameters passed in. If you rely on client-end crypto or even hashing,
better make sure you get it right, or you'll wind up getting exploited and 
probably not even know it.

Michael Scovetta

-----Original Message-----
From: lupin [mailto:lupin9809 () hotmail com]
Sent: Friday, January 30, 2004 5:29 AM
To: webappsec () securityfocus com
Subject: Encrypted URL




I've seen a couple highly secure Web Application that use encrypted url.



Actually they encrypt the parameter query string.



Example URL:



http://example.com/796e62113e2936383e2b1796d626e676a6f6b6a6b6c67006a/appl?Toto=796f62796c62796e6c62796b621730323a08362b37083a333c30323a0f38796662113e29791c54683b3a312b796e6d620f2d3a1e3c3c302a312b133e2c2b1d3030343631382c1e3c2b796862123e3631113e29e2b363031001e3c3c302a312b123a312a001e3c3c302a312b133e2c2b1d3030343631382c791930333b3a2d173e2a4e3033302d62123e3631113e2936383e2b363031001e3c3c302a312b123a312a001e3c3c302a312b133e2c2b1d3030343631382c



I think this is a great way to protect against parameter tampering attacks.



Does anybody know more about this technique? Papers etc..? How to implement it? Google didn't help me a lot?



What is you point of view? Do you think it will help to prevent all the parameter attack (XSS, SQL inj. etc...)?



Thanks a lot for your response in advance.
Previous By Date Next
Previous By Thread Next

Current thread: