WebApp Sec mailing list archives
RE: Encrypted URL
From: "Scovetta, Michael V" <Michael.Scovetta () ca com>
Date: Fri, 30 Jan 2004 09:06:16 -0500
If you are encrypting on the client-end (JavaScript/etc), then it doesn't serve any purpose, since the client has the ability to pass encrypted bad data back to the server. If you are encrypting on the server-end, then the cyphertext is merely a proxy for the real text, and would be subject to replay attacks. You could make the crypto a little more intelligent by augmenting it with the current time, etc and get some useful functionality, but nothing that's not already available with session-backed data. ...parameter tampering attacks... So you click on a link that goes to www.server.com/?action=login but you change 'login' to 'admin'. If you wanted to protect it, I would use www.server.com/?action=login&hash=ABKJ3J3U4289V4NVW3V4N8V, where the hash variable is something like MD5("action=login" + salt + T) where salt is some static random text you set up on your server, and T is some time dependent function that has the property that it remains constant for some time. Essentially, you need to protect against replay attacks. You could let T be an incrementing variable stored in the session on the server, so that you can only use each URL once. The reason for the hash is that if anyone changes action=login to action=admin, the hash won't validate (you need to check it on each request). Probably the better solution is to validate that the user role is consistent with the parameters passed in. If you rely on client-end crypto or even hashing, better make sure you get it right, or you'll wind up getting exploited and probably not even know it. Michael Scovetta -----Original Message----- From: lupin [mailto:lupin9809 () hotmail com] Sent: Friday, January 30, 2004 5:29 AM To: webappsec () securityfocus com Subject: Encrypted URL I've seen a couple highly secure Web Application that use encrypted url. Actually they encrypt the parameter query string. Example URL: http://example.com/796e62113e2936383e2b1796d626e676a6f6b6a6b6c67006a/appl?Toto=796f62796c62796e6c62796b621730323a08362b37083a333c30323a0f38796662113e29791c54683b3a312b796e6d620f2d3a1e3c3c302a312b133e2c2b1d3030343631382c1e3c2b796862123e3631113e29e2b363031001e3c3c302a312b123a312a001e3c3c302a312b133e2c2b1d3030343631382c791930333b3a2d173e2a4e3033302d62123e3631113e2936383e2b363031001e3c3c302a312b123a312a001e3c3c302a312b133e2c2b1d3030343631382c I think this is a great way to protect against parameter tampering attacks. Does anybody know more about this technique? Papers etc..? How to implement it? Google didn't help me a lot? What is you point of view? Do you think it will help to prevent all the parameter attack (XSS, SQL inj. etc...)? Thanks a lot for your response in advance.
Current thread:
- Re: Encrypted URL, (continued)
- Re: Encrypted URL dreamwvr () dreamwvr com (Feb 02)
- Re: Encrypted URL Kenneth Peiruza (Jan 30)
- Re: Encrypted URL Ulf Härnhammar (Jan 30)
- Re: Encrypted URL Daniel Souza (Jan 30)
- Re: Encrypted URL David Wall @ Yozons, Inc. (Jan 31)
- RE: Encrypted URL Hephaestus (Jan 30)
- Re: Encrypted URL Daniel Souza (Jan 30)
- Re: Encrypted URL Fogbound Child (Jan 30)
- RE: Encrypted URL scott wood (Jan 30)
- Re: Encrypted URL Mark Curphey (Jan 30)
- Re: Encrypted URL gcb33 (Jan 31)
- RE: Encrypted URL Scovetta, Michael V (Jan 31)
- Re: Encrypted URL Erik Kangas (Jan 31)
- RE: Encrypted URL Dean Saxe (Feb 02)
- Re: Encrypted URL Jeremiah Cornelius (Feb 02)
- Re: Encrypted URL Fred van Engen (Feb 02)
- Re: Encrypted URL Jeremiah Cornelius (Feb 02)
- RE: Encrypted URL Dean Saxe (Feb 02)
- Re: Encrypted URL Brecrost Jones (Feb 02)